Provide scratch/distroless base image

[alexec]

Currently, Argo CD uses ubuntu:21.10 as a base image.

Should an attacker gain access to the container they'll have a shell to use. They'll also have access to the Kubernetes API. Currently, they would not be able to install any apps (because run-as-non-root), but they do have git. So they could clone a repository with the kubectl binary installed. At this point they would able to make API requests.

For the API server, I'm not clear why it would need git installed (or any other binary), but maybe I'm just missing something.

Using a scratch or distroless image would improve security posture.

[crenshaw-dev]

@jannfis is there any reason we couldn't have a different base for the repo-server vs. the API server besides complexity?

[alexec]

A breached Argo CD container is a serious issue. Once breached, a tiny amount of mis-configuration (OSWAP #5), means an attacker can very easily take down not just the cluster they're breached, but any cluster that Argo CD is configured to connect to. I struggle to see a more target rich environment.

This seems like a straight-forward fix to really improve the security posture.

[crenshaw-dev]

@alexec I strongly agree. I've added it to the agenda for the next security meeting, which is in 5 days. https://docs.google.com/document/d/1nl1adCRf4tD87Y01i3JcrLcHvtm1O5a7slqzNstct94/edit

[alexec]

Argo CD needs to have a high bar for security, after the Kuberenetes master, it's going to be the most attacked component.

[crenshaw-dev]

Adding this as a potential GHC bug. I think the argocd-application-controller version of this is pretty simple - create a new Dockerfile, build the controller without a distro, and then test it in a local deployment. Given enough time, the same change base image could be tested for the api-server.

[34fathombelow]

@crenshaw-dev Can you assign this to me? I currently have argocd-application-controller & argocd-applicationset-controller running distroless.

Do we want a separate image for each controller? Currently all the controllers, utils, and cli are compiled into one binary. It might make more sense to stick with one distroless image.

[crenshaw-dev]

@34fathombelow I think one distroless image is probably best.

[PeterBennink]

Any update on this?