From 9f8666e46a269e074b6f581f4d44beb685097069 Mon Sep 17 00:00:00 2001
From: Justen Mehl <justen.t.mehl.civ@us.navy.mil>
Date: Tue, 12 Dec 2023 16:59:02 +0000
Subject: [PATCH] Mitigate automountServiceAccountToken findings in Argo

---
 chart/templates/kyverno-policies/values.yaml | 29 ++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml
index 6e180ceaf8..58c920bb01 100644
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -695,6 +695,7 @@ policies:
       - istio-system
       - istio-operator
       - twistlock
+      - argocd
       - logging
       - velero
       - kyverno
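Review bot: Adding `argocd` to this list exempts every pod in the namespace from whichever policy the list belongs to, whereas the second hunk (line 782 onward) exempts Argo pods individually by name with a justification comment for each; the policy key that owns this list starts outside the hunk, so it is not visible here whether it is the same automountServiceAccountToken policy or a different one. If it is the same policy, the per-pod list below becomes redundant; if it is a different policy, the reason the whole namespace needs an exemption is undocumented. A short comment above the entry naming the policy and the reason, in the style of the per-pod comments (`# argocd: <reason the whole namespace is exempt>`), would keep the two exemption styles reviewable side by side.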
@@ -781,8 +782,32 @@ policies:
         - neuvector-updater-pod-*
         - neuvector-prometheus-exporter-pod-*
         - neuvector-registry-adapter-pod-*
-
-
+      - namespace: argocd
+        pods:
+        # application-controller pods interact with secrets, configmaps, events, and Argo CRDs 
+        # More details in argocd/chart/templates/argocd-application-controller/role.yaml
+        - argocd-argocd-application-controller-*
+        # dex pods interact with secrets and configmaps
+        # More details in argocd/chart/templates/dex/role.yaml
+        - argocd-argocd-dex-server-*
+        # argocd-upgrade-job interacts with CRDs
+        # More details in argocd/chart/templates/bigbang/upgrade-job.yaml
+        - argocd-upgrade-job
+        # argocd server pods interact with secrets, configmaps, events, and CRDs 
+        # More details in argocd/chart/templates/argocd-server/role.yaml
+        - argocd-argocd-server-*
+        # repo server pods require access to the K8s API if using RBAC
+        # Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
+        - argocd-argocd-repo-server-*
+        # The applicationSet controller pods interact with many API resources, including CRDs
+        # More details in argocd/chart/templates/argocd-applicationset/role.yaml
+        - argocd-argocd-applicationset-controller-*
+        # notifications controller pods interact with secrets, configmaps, and CRDs
+        # More details in argocd/chart/templates/argocd-notifications/role.yaml
+        # Additionally (this wildcard covers both)-
+        # notifications bot pods interact with secrets, configmaps, and CRDs
+        # More details in argocd/chart/templates/argocd-notifications/bots/slack/role.yaml
+        - argocd-argocd-notifications-controller-*
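Review bot: `argocd-upgrade-job` (line 38) is the only entry without a trailing `-*`; if that workload is a Kubernetes Job, its pods are named with a generated suffix after the job name, so an exact-name entry would not match them and the finding this commit sets out to mitigate would still be raised for that pod — `- argocd-upgrade-job-*` would match consistently with the other entries, assuming no other pod shares that prefix. The remaining entries are prefix wildcards, which exempt any pod in the namespace whose name starts with that prefix, not only the components named in the comments, so the exemption is somewhat broader than the per-component justifications suggest. The comment lines at lines 30 and 39 end in trailing whitespace (`Argo CRDs ` and `and CRDs `), which yamllint's trailing-spaces rule flags. The `policies:` mapping this list belongs to begins outside the hunk.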
 istio:
   enabled: {{ .Values.istio.enabled }}
 
-- 
GitLab