#refarch (2024-07)

Describe the Feature

Argo versions 0.1.0 through 2.10.0-rc1, v2.9.3, v2.8.7, v2.7.15 are affected by CVE-2024-22424, a CSRF attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD.

Expected Behavior

Propose that we update the default values for Argo’s chart from:

argo/argo-cd 5.19.12 v2.5.9

to an unaffected version patched after 2.10-rc2, 2.9.4, 2.8.8, 2.7.16

Use Case

N/A

Describe Ideal Solution

Update default value for:

variable “chart_version” { type = string description = “Specify the exact chart version to install. If this is not specified, the latest version is installed.” default = “5.19.12” }

And validate it works as intended

Alternatives Considered

No response

Additional Context

No response

what and why

• Argo versions 0.1.0 through 2.10.0-rc1, v2.9.3, v2.8.7, v2.7.15 are affected by CVE-2024-22424, a CSRF attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. • Propose that we update the default values for Argo’s chart from:

argo/argo-cd 5.19.12 v2.5.9

to an unaffected version patched after 2.10-rc2, 2.9.4, 2.8.8, 2.7.16

notable changes

• Argo CD 2.10 upgraded kubectl from 1.24 to 1.26. This upgrade introduced a change where client-side-applied labels and annotations are no longer preserved when using a server-side kubectl apply • Note that bundled Helm version has been upgraded from 3.13.2 to 3.14.3 • Starting with Argo CD 2.10.11, the NetworkPolicy for the argocd-redis and argocd-redis-ha-haproxy dropped Egress restrictions. This change was made to allow access to the Kubernetes API to create a secret to secure Redis access

testing

• This version has been tested and verified to work with the existing component configuration

references

• Argo Upgrade Docs

Spinning my wheels a bit on this one so figured I’d ask.

In the baseline steps there is a note:
The IAM User for SuperAdmin will be granted access to Terraform State by principal ARN. This ARN is passed to the tfstate-backend stack catalog under allowed_principal_arns. Verify that this ARN is correct now. You may need to update the root account ID.

And possibly related:
With the addition of support for dynamic Terraform roles, our baseline cold start refarch layer now depends on/requires that we have aws-teams and aws-team-roles stacks configured. This is because account-map uses those stacks to determine which IAM role to assume when performing Terraform in the account, and almost every other component uses account-map (indirectly) to chose the role to assume.

However, none of the steps in the baseline seem to provision the roles for accessing the tfstate. Tracing through it looks like the -var=access_roles_enabled=false prevents these roles from being created in the baseline tfstate backend workflow. The full deploy/tfstate workflow isn’t run until later in the identity phase.

The result is that the atmos workflow deploy/accounts -f accounts workflow cannot run and does not create the account-map due to an error:

Error: error configuring S3 Backend: IAM Role (arn:aws:iam::1234567890:role/xxx-core-gbl-root-tfstate) cannot be assumed.

The role doesn’t exist so the error is clear, however, passing access_roles_enabled=true doesn’t work since the account-map needs to be created.

I have deployed a AWS x-ray daemonset on our cluster without any node selector or tolerations , but its deployed only on few nodes, not every node in the cluster , I also don’t see any pods in pending state if the resources are insufficient, Wanted to know thoughts regarding what can be the issue. screenshot

nodes
daemonset

FEATURE STATE: Kubernetes v1.14 [stable] Pods can have priority. Priority indicates the importance of a Pod relative to other Pods. If a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower priority Pods to make scheduling of the pending Pod possible. Warning:In a cluster where not all users are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled.