
SSO + Zero-Day Protection for Argo CD

Argo CD is maintained by the Argo Project, a CNCF project

Add SAML/OIDC SSO to Argo CD via Authenticated Proxy — Protect GitOps Deployments

Why Argo CD Needs an Authenticated Proxy

Argo CD is the leading GitOps continuous delivery tool for Kubernetes, automatically syncing application definitions from Git repositories to Kubernetes clusters. Because it deploys every application it manages, it holds your repository credentials, cluster connection details, secrets, and application configurations. A compromised Argo CD instance lets an attacker deploy malicious applications, modify existing deployments, read Git and cluster credentials, and manipulate the entire software delivery pipeline. OnePAM adds enterprise SSO and zero-day protection by placing an authenticated reverse proxy in front of Argo CD: users authenticate via your corporate IdP, and only verified, authorized users reach the GitOps deployment interface.

HTTP Header Authentication
X-Forwarded-User / Argocd-User-Info

Argo CD can accept a user identity supplied by a trusted reverse proxy in HTTP headers. OnePAM injects the user identity and group memberships that Argo CD then trusts for session creation and RBAC. Two checks apply before relying on this: confirm against the documentation for your Argo CD version which header-based mechanism it accepts and how the proxy is designated as trusted (Argo CD's documented SSO paths are Dex and direct OIDC), and make sure the header can only ever be set by the proxy, since a header-based identity is only as trustworthy as the guarantee that no client can present it to Argo CD directly.
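The handoff described above, as an added example that is not OnePAM or Argo CD code: the proxy side drops any identity headers the client sent and injects the identity from the verified IdP session, and the backend side accepts that identity only if it carries proof it was set by the proxy. The header names (X-Forwarded-User, X-Forwarded-Groups, X-Proxy-Auth), the HMAC proof scheme and the sample requests are assumptions constructed for the illustration; this also covers steps 1 and 3 of the deployment guide further down.

```python
"""Trusted-header identity handoff between an authenticating proxy and a backend
such as Argo CD. Added illustration, not OnePAM or Argo CD code. Header names and
the HMAC proof scheme are assumptions made for the example."""
import hashlib
import hmac
from typing import Dict, List, Optional

# Identity headers only the proxy may set (assumed names).
IDENTITY_HEADERS = ("x-forwarded-user", "x-forwarded-groups", "x-forwarded-email")
# Header proving the proxy, not the client, set the identity (assumed name).
PROXY_AUTH_HEADER = "x-proxy-auth"
# Constructed shared secret; in a real deployment it lives in a Secret known to proxy and backend only.
PROXY_SECRET = b"constructed-example-secret"


def sign_identity(user: str, groups: List[str], secret: bytes = PROXY_SECRET) -> str:
    """HMAC over the identity so the backend can tell proxy-set headers from forged ones."""
    msg = f"{user}|{','.join(groups)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def proxy_forward(client_headers: Dict[str, str], session: Optional[Dict]) -> Optional[Dict[str, str]]:
    """Proxy side. Returns the headers to send upstream, or None when there is no
    verified IdP session (the proxy never forwards unauthenticated traffic).
    Every identity or proof header the client supplied is dropped before injection,
    so an authenticated user cannot pick someone else's identity or groups."""
    if session is None:
        return None
    upstream = {k.lower(): v for k, v in client_headers.items()
                if k.lower() not in IDENTITY_HEADERS and k.lower() != PROXY_AUTH_HEADER}
    user, groups = session["user"], list(session["groups"])
    upstream["x-forwarded-user"] = user
    upstream["x-forwarded-groups"] = ",".join(groups)
    upstream[PROXY_AUTH_HEADER] = sign_identity(user, groups)
    return upstream


def backend_identity(headers: Dict[str, str], secret: bytes = PROXY_SECRET) -> Optional[Dict]:
    """Backend side. Accepts the forwarded identity only when the proof verifies;
    a request that reached the backend directly with forged headers, or whose
    headers were altered after the proxy signed them, yields None."""
    h = {k.lower(): v for k, v in headers.items()}
    user, tag = h.get("x-forwarded-user"), h.get(PROXY_AUTH_HEADER)
    if not user or not tag:
        return None
    groups = [g for g in h.get("x-forwarded-groups", "").split(",") if g]
    if not hmac.compare_digest(sign_identity(user, groups, secret), tag):
        return None
    return {"user": user, "groups": groups}


def demo() -> Dict[str, Optional[Dict]]:
    """Three constructed requests: a forgery sent straight to the backend, a forgery
    attempt by an authenticated user going through the proxy, and a proxy-forwarded
    request whose group header was tampered with afterwards."""
    forged_direct = {"X-Forwarded-User": "admin", "X-Forwarded-Groups": "platform-engineers"}
    session = {"user": "alice@example.com", "groups": ["developers"]}
    via_proxy = proxy_forward({"X-Forwarded-User": "admin", "Host": "argocd.example.com"}, session)
    tampered = dict(via_proxy)
    tampered["x-forwarded-groups"] = "platform-engineers"
    return {
        "forged_direct": backend_identity(forged_direct),  # None: no proof header
        "via_proxy": backend_identity(via_proxy),          # alice, developers
        "tampered": backend_identity(tampered),            # None: HMAC mismatch
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC is one way to bind the identity to the proxy; mutual TLS between proxy and argocd-server, or a network rule that makes argocd-server reachable only from the proxy, achieve the same guarantee. What must not be skipped in any variant is the header stripping in proxy_forward.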

Argo CD Vulnerability Risks

Without an authenticated proxy, these risks are exposed to any attacker who can reach the Argo CD endpoint.

Argo CD has had critical authentication bypass and path traversal vulnerabilities
Repository credentials for Git repos are stored in Argo CD
Cluster connection credentials provide admin access to Kubernetes clusters
Application sync operations deploy code directly to production clusters

Security Challenges with Argo CD

These are the risks organizations face when Argo CD is not behind an authenticated proxy.

Deployment Pipeline Control

Argo CD controls what runs in your Kubernetes clusters. Unauthorized sync operations deploy arbitrary applications to production.

Auth Bypass History

Argo CD has had critical authentication bypass CVEs. Without a proxy, these allow unauthenticated access to cluster management.

Credential Storage

Argo CD stores Git repository credentials and Kubernetes cluster connection secrets. Compromise exposes all managed environments.

Multi-Cluster Blast Radius

A single Argo CD instance often manages multiple clusters. One compromise affects every managed cluster.

Secret Management

Argo CD masks Secret values in its UI, but anyone with access to the UI and API can enumerate the Secrets it manages and, with sufficient RBAC, sync or modify the applications that consume them, putting application credentials at risk.

Complex RBAC Setup

Argo CD's native SSO requires configuring Dex or its built-in OIDC client and mapping claims to RBAC, a setup that can break on upgrades.

How OnePAM Adds SSO + Zero-Day Protection to Argo CD

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Argo CD.

1. Deploy OnePAM as Argo CD's Proxy

Place OnePAM in front of the Argo CD server so that all web and API traffic, including the gRPC or gRPC-web traffic from the argocd CLI, passes through it.

Argo CD is configured to accept connections only from OnePAM (for example, a Kubernetes NetworkPolicy or firewall rule that admits traffic to argocd-server only from the proxy). Direct access to the Argo CD login page is blocked.

2. Configure Your IdP

Connect OnePAM to your SAML 2.0 or OIDC identity provider.

OnePAM handles authentication, MFA enforcement, and group membership retrieval. No Dex configuration is needed.

3. Enable Proxy Authentication

Configure Argo CD to trust the user identity carried in OnePAM's HTTP headers.

OnePAM injects the user identity and group memberships, and Argo CD uses them for session creation and RBAC policy evaluation. Two checks matter here: the proxy must strip any identity headers the client sent before injecting its own, and Argo CD must be reachable only through the proxy, because a trusted header presented directly to argocd-server would otherwise be accepted as-is.

4. Map Deployment Access

IdP groups map to Argo CD RBAC policies controlling application, cluster, and project access: in policy.csv, g lines bind a group to a role and p lines grant the role actions on applications, projects, and clusters.

Platform engineers sync to production, developers see staging, and security reviews applications, all driven by group membership in your IdP.

5. Audit Deployments

Every sync, rollback, and configuration change is logged with corporate identity.

Know who synced which application, to which cluster, when, and what changed: a complete GitOps audit trail.
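Step 4 (and the production-sync question in the FAQ) comes down to how Argo CD evaluates policy.csv against the groups the proxy forwarded. The block below is an added example, not Argo CD's own enforcer: Argo CD evaluates policy.csv with Casbin, and this is a simplified re-implementation of its p and g lines, glob matching and allow/deny effect, enough to test a policy offline before applying it. The policy text, users and groups are constructed for the illustration.

```python
"""Evaluate an Argo CD-style RBAC policy for a user whose groups arrived from the
authenticating proxy. Added example; Argo CD's real enforcer is Casbin, and this
is a simplified model of its p/g lines, glob matching and allow/deny effect.
The policy, users and groups below are constructed for illustration."""
import re
from typing import Dict, List, Set, Tuple

Policy = Tuple[List[Tuple[str, str, str, str, str]], Dict[str, Set[str]]]

# Constructed policy.csv in Argo CD syntax:
#   p, <subject>, <resource>, <action>, <object>, <effect>
#   g, <user or group>, <role>
POLICY_CSV = """
p, role:readonly,      applications, get,  */*,    allow
p, role:prod-deployer, applications, get,  */*,    allow
p, role:prod-deployer, applications, sync, prod/*, allow
p, role:contractor,    applications, sync, */*,    deny
g, developers,         role:readonly
g, platform-engineers, role:prod-deployer
g, contractors,        role:readonly
g, contractors,        role:contractor
"""


def parse_policy(csv_text: str) -> Policy:
    """Split policy.csv into p rules and the g graph (subject -> roles)."""
    rules, graph = [], {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            rules.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            graph.setdefault(parts[1], set()).add(parts[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, graph


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches within one path segment, so 'prod/*' covers prod/payments but
    not staging/web, and '*/*' covers any project/app pair (simplified from Argo CD)."""
    regex = "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def expand_subjects(user: str, groups: List[str], graph: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of g lines: the user, their IdP groups, and every reachable role."""
    seen, stack = {user, *groups}, [user, *groups]
    while stack:
        for role in graph.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def enforce(policy: Policy, user: str, groups: List[str],
            resource: str, action: str, obj: str, default_role: str = "") -> bool:
    """Casbin-style effect: allowed if some matching rule allows and no matching rule
    denies. default_role mirrors Argo CD's policy.default for otherwise-unmatched users."""
    rules, graph = policy
    subjects = expand_subjects(user, groups, graph)
    if default_role:
        subjects |= expand_subjects(default_role, [], graph)
    allowed = denied = False
    for sub, res, act, o, eff in rules:
        if sub in subjects and glob_match(res, resource) and glob_match(act, action) and glob_match(o, obj):
            allowed |= eff == "allow"
            denied |= eff == "deny"
    return allowed and not denied


def can_sync(user: str, groups: List[str], app: str) -> bool:
    """Decision for a sync request, with groups taken from the proxy's group header."""
    return enforce(parse_policy(POLICY_CSV), user, groups, "applications", "sync", app)


if __name__ == "__main__":
    for who, grp, app in [("alice", ["platform-engineers"], "prod/payments"),
                          ("bob", ["developers"], "prod/payments"),
                          ("carol", ["contractors", "platform-engineers"], "prod/payments")]:
        print(who, app, can_sync(who, grp, app))
```

Two things the model makes visible: a deny line wins over any allow, so a user who is in both contractors and platform-engineers cannot sync even though one of their roles permits it, and a group the IdP sends that no g line mentions grants nothing unless policy.default supplies a role. Step-up MFA for production sync is enforced by the proxy before the request is forwarded; the policy only decides whether the forwarded identity may perform the action.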

Benefits of Securing Argo CD with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Argo CD.

Block Auth Bypass CVEs

Argo CD authentication bypass vulnerabilities are blocked for unauthenticated attackers, because OnePAM verifies identity before any request reaches Argo CD. Vulnerabilities that an already authenticated user can trigger still require patching Argo CD itself.

Auth bypass CVEs neutralized

Protect Deployment Pipeline

Only authenticated users can sync applications, preventing unauthorized deployments to production.

Zero unauthorized deployments

SSO Without Dex

OnePAM replaces Argo CD's Dex-based SSO configuration with simpler proxy authentication.

Simpler SSO setup

Shield Cluster Credentials

Kubernetes cluster connection secrets are protected behind identity-verified access.

Cluster creds protected

MFA for Production Sync

Require MFA before syncing applications to production clusters.

MFA-gated deployments

Complete Deployment Audit

Every GitOps operation is logged with corporate identity for compliance.

Full deployment audit trail

Argo CD SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Argo CD.

SAML 2.0 & OIDC SSO for Argo CD via proxy authentication
Application and project access policies from IdP groups
Cluster-level sync authorization
Session recording for deployment operations
IP and geo-restriction for GitOps access
Device trust verification
API and CLI access policies
Sync and rollback authorization controls
Multi-cluster access management
Emergency break-glass access for incident response

Zero-Day Protection Features

Enterprise-grade security controls that shield Argo CD from exploitation.

Argo CD isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Protection against Argo CD auth bypass CVEs
Repository and cluster credential isolation
Automatic session termination on IdP sign-out

Argo CD SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Argo CD.

1. Platform engineers managing GitOps deployments via corporate SSO with MFA
2. Developers viewing application status with read-only access
3. Security teams auditing deployment pipelines with session recording
4. Restricting production sync to senior engineers with step-up MFA
5. Protecting Argo CD from authentication bypass exploitation
6. Multi-cluster GitOps with centralized identity-based access control

Argo CD SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Argo CD.

Does OnePAM replace Argo CD's Dex integration?

Yes. OnePAM provides SSO at the proxy layer, eliminating the need for Dex configuration. This simplifies the Argo CD deployment and removes Dex as an additional component to maintain.

Can the Argo CD CLI still work with OnePAM?

Yes. OnePAM supports multiple auth methods. The CLI can authenticate via an SSO flow or API tokens while the web UI uses standard SSO. Note that the argocd CLI speaks gRPC, or gRPC-web when invoked with --grpc-web, so the proxy must pass that traffic through to argocd-server along with ordinary HTTP.

Can we restrict who can sync to production clusters?

Yes. OnePAM passes IdP group memberships that map to Argo CD RBAC policies. Production sync can be restricted to specific groups with additional MFA requirements.

Does OnePAM protect Argo CD's webhook endpoints?

OnePAM supports path-based policies, so Argo CD's Git webhook endpoint (/api/webhook) can be given different authentication requirements than the main UI. Webhook calls come from your Git provider rather than from a user, so they are authenticated by the webhook secret configured in Argo CD, not by SSO; keep that secret configured and, where possible, restrict the path to your provider's source addresses.

What about Argo CD ApplicationSets and auto-sync?

OnePAM protects user-facing access. ApplicationSet controllers and auto-sync operate server-side within Argo CD and are unaffected.

Ready to Secure Argo CD with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Argo CD code changes required. Start your free 14-day trial today.