
ArgoCD Hardening for DevSecOps

Table of contents

  1. Disable anonymous access to the ArgoCD API server
  2. Enable HTTPS for ArgoCD server communication
  3. Use a strong password for ArgoCD administrative users
  4. Restrict access to ArgoCD API server by IP address
  5. Enable RBAC for fine-grained access control to ArgoCD resources
  6. Set secure cookie options for ArgoCD web UI
  7. Use least privilege principle for ArgoCD API access
  8. Regularly update ArgoCD to latest stable version
  9. Regularly audit ArgoCD logs and access control
  10. Implement backup and recovery plan for ArgoCD data

List of some best practices to harden ArgoCD for DevSecOps

Disable anonymous access to the ArgoCD API server

argocd-server --disable-auth

Caveat: anonymous access is controlled by the users.anonymous.enabled key in the argocd-cm ConfigMap, which defaults to false and should stay false. The --disable-auth flag does the opposite of this step: it turns client authentication off entirely, so it must not be set on a hardened instance.

Enable HTTPS for ArgoCD server communication

argocd-server --tls-cert-file /path/to/tls.crt --tls-private-key-file /path/to/tls.key

Use a strong password for ArgoCD administrative users

argocd-server --admin-password <password>

The admin password is stored as a bcrypt hash in the argocd-secret Secret (key admin.password) and is changed with argocd account update-password; avoid passing a clear-text password on a command line, where it is exposed in process listings and shell history.

Restrict access to ArgoCD API server by IP address

Modify the argocd-server configuration to specify the --client-ca-file and --auth-mode cert options, then create a certificate-authority file and a client certificate signed by that CA for each client host. This restricts callers by client certificate; restricting by source IP is done in front of the server, with an ingress allow-list or a Kubernetes NetworkPolicy.

Enable RBAC for fine-grained access control to ArgoCD resources

argocd-server --rbac-policy-file /path/to/rbac.yaml

In a Kubernetes install the policy lives in the argocd-rbac-cm ConfigMap: policy.csv holds the rules (p, <subject>, <resource>, <action>, <object>, <effect>) and policy.default names the role applied to authenticated users matching no rule. Keep policy.default at role:readonly (or empty), never role:admin.

Set secure cookie options for ArgoCD web UI

argocd-server --secure-cookie
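Sections 1, 2 and 5 above all come down to a few ConfigMap values in the argocd namespace. The following audit script is an added example, not part of the original page or the ArgoCD project: it walks the JSON that `kubectl -n argocd get cm argocd-cm argocd-rbac-cm argocd-cmd-params-cm -o json` returns (a constructed, deliberately weak sample is embedded here) and flags anonymous access, plain-HTTP or auth-less server settings, an admin default role, and wildcard RBAC grants.

```python
import json
from typing import Dict, List

# Constructed sample of a weakly configured install (values made up for this example).
SAMPLE_CONFIGMAPS = json.loads("""
{"items": [
 {"metadata": {"name": "argocd-cm"},
  "data": {"users.anonymous.enabled": "true"}},
 {"metadata": {"name": "argocd-rbac-cm"},
  "data": {"policy.default": "role:admin",
           "policy.csv": "p, role:ci, applications, sync, */*, allow\\np, role:ci, *, *, */*, allow\\ng, ci-bot, role:ci"}},
 {"metadata": {"name": "argocd-cmd-params-cm"},
  "data": {"server.insecure": "true", "server.disable.auth": "false"}}
]}
""")


def audit_argocd(configmaps: dict) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was seen."""
    data: Dict[str, Dict[str, str]] = {
        item["metadata"]["name"]: item.get("data", {}) for item in configmaps["items"]
    }
    cm = data.get("argocd-cm", {})
    rbac = data.get("argocd-rbac-cm", {})
    params = data.get("argocd-cmd-params-cm", {})
    findings: List[str] = []
    # Section 1: anonymous access is off unless users.anonymous.enabled is "true".
    if cm.get("users.anonymous.enabled", "false").lower() == "true":
        findings.append("argocd-cm: users.anonymous.enabled is true (anonymous API access)")
    # Section 2: server.insecure=true serves the API over plain HTTP; server.disable.auth
    # turns client authentication off entirely.
    if params.get("server.insecure", "false").lower() == "true":
        findings.append("argocd-cmd-params-cm: server.insecure is true (no TLS on argocd-server)")
    if params.get("server.disable.auth", "false").lower() == "true":
        findings.append("argocd-cmd-params-cm: server.disable.auth is true (authentication disabled)")
    # Section 5: default role must not be admin, and no 'p' line may allow '*' action on '*' resource.
    if rbac.get("policy.default", "") == "role:admin":
        findings.append("argocd-rbac-cm: policy.default is role:admin (every authenticated user is admin)")
    for line in rbac.get("policy.csv", "").splitlines():
        fields = [f.strip() for f in line.split(",")]  # p, subject, resource, action, object, effect
        if len(fields) == 6 and fields[0] == "p" and fields[5] == "allow" \
                and fields[2] == "*" and fields[3] == "*":
            findings.append(f"argocd-rbac-cm: wildcard grant for {fields[1]}: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_argocd(SAMPLE_CONFIGMAPS):
        print("FINDING:", finding)
```

Pipe real cluster output into `audit_argocd(json.load(sys.stdin))` to run it against a live install; a non-empty result is worth a ticket, not an automatic fix.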

Use least privilege principle for ArgoCD API access

Create a dedicated ArgoCD service account with minimal necessary permissions.

Regularly update ArgoCD to latest stable version

Run argocd version --client to check the client version and argocd version --server to check the server version. Upgrade with your package manager or manually as needed.

Regularly audit ArgoCD logs and access control

Run argocd-server --loglevel debug to enable debug-level logging. Use a log analyzer or SIEM tool to monitor the logs for anomalies.

Implement backup and recovery plan for ArgoCD data

Run argocd-util export /path/to/export to export ArgoCD data and configuration (on ArgoCD 2.x the same command is argocd admin export). Store backups securely and test the restoration procedure periodically.