My Argo CD Privilege Escalations post describes some privilege escalation possibilities if Argo CD projects are not configured securely. In this post I’ll show a complete walkthrough of abusing one of these possible misconfigurations.
Given an AppProject that forbids cluster resources entirely and namespaced resources from rbac.authorization.k8s.io/v1 (ruling out Role, RoleBinding, etc.):
The goal is to get cluster-admin over the cluster.
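The precondition the walkthrough relies on is a project that blocks RBAC kinds but says nothing about argoproj.io, so Argo CD still lets its tenants sync AppProject and Application objects. The check below, an added example that is not part of the original post, mirrors Argo CD's namespaced-resource rule (allowed unless blacklisted, and only if whitelisted when a whitelist exists) over a constructed sample in the shape of `kubectl get appproject -o json`, and flags projects with that gap next to a hardened variant that closes it.

```python
import fnmatch
import json

# Constructed sample in the shape of `kubectl get appproject -n argocd -o json`.
# "my-team" forbids cluster resources and RBAC kinds but not argoproj.io kinds;
# "my-team-hardened" adds the blacklist entry that closes the gap.
SAMPLE_PROJECTS = json.dumps({"items": [
    {"metadata": {"name": "my-team"},
     "spec": {"sourceRepos": ["https://github.com/my-team/*"],
              "clusterResourceWhitelist": [],
              "namespaceResourceBlacklist": [
                  {"group": "rbac.authorization.k8s.io", "kind": "*"}]}},
    {"metadata": {"name": "my-team-hardened"},
     "spec": {"sourceRepos": ["https://github.com/my-team/*"],
              "clusterResourceWhitelist": [],
              "namespaceResourceBlacklist": [
                  {"group": "rbac.authorization.k8s.io", "kind": "*"},
                  {"group": "argoproj.io", "kind": "*"}]}},
]})

# Kinds whose creation lets a tenant define a looser project and bind an
# Application to it; a restricted project should not permit syncing them.
ESCALATION_KINDS = [("argoproj.io", "AppProject"), ("argoproj.io", "Application")]


def _in_list(group, kind, entries):
    # Argo CD matches group/kind list entries as globs; fnmatch covers "*".
    return any(fnmatch.fnmatchcase(group, e.get("group", "")) and
               fnmatch.fnmatchcase(kind, e.get("kind", "")) for e in entries)


def namespaced_kind_permitted(spec, group, kind):
    """Namespaced resources are permitted unless blacklisted; when a whitelist
    is present they must also appear in it."""
    whitelist = spec.get("namespaceResourceWhitelist") or []
    blacklist = spec.get("namespaceResourceBlacklist") or []
    whitelisted = not whitelist or _in_list(group, kind, whitelist)
    return whitelisted and not _in_list(group, kind, blacklist)


def projects_allowing_escalation(kubectl_json):
    """Return names of projects whose tenants may sync AppProject/Application."""
    findings = []
    for item in json.loads(kubectl_json)["items"]:
        spec = item.get("spec", {})
        if any(namespaced_kind_permitted(spec, g, k) for g, k in ESCALATION_KINDS):
            findings.append(item["metadata"]["name"])
    return findings


if __name__ == "__main__":
    for name in projects_allowing_escalation(SAMPLE_PROJECTS):
        print(f"{name}: tenants can sync argoproj.io AppProject/Application")
```

Run it against real output with `kubectl get appproject -A -o json` piped into `projects_allowing_escalation`; any project it names needs an argoproj.io entry in its namespaceResourceBlacklist (or an explicit whitelist that omits it).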
Since Argo CD AppProject and Application objects are still allowed, we will use those. First we will need an Application that deploys our YAML files:
The next files will be created in the https://github.com/my-team/my-team-apps repo under manifest/gotta-pwn-em-all-prepare/. Let’s make a super permissive AppProject here (the only restriction is that it will only deploy things from our team’s repo, to prevent others from abusing this):
We will also need an Application that uses this project. We can make it with the other Applications or in the same folder as the above AppProject:
(The app will only contain cluster-scoped resources, so the namespace in destination doesn’t matter.) In the manifest/gotta-pwn-em-all-execute/ folder, let’s make the thing we actually want to be deployed:
So in the end you should have these files (assuming the files are named like the objects in them):