Overview
GitOps relies on the assumption that the Git repository is the source of truth. Protecting this source and the delivery agents is paramount.
Key Security Pillars
- Git Repository Access: Implement least-privilege, require MFA, and use signed commits.
- GitOps Operator Permissions: Agents (ArgoCD/Flux) must run with minimal RBAC in the cluster.
- Secret Management: Never store plaintext secrets in Git. Use tools like Sealed Secrets or external secret managers (HashiCorp Vault).
Example: Using Sealed Secrets
Sealed Secrets lets you commit encrypted secrets to Git that only the in-cluster controller, which holds the private key, can decrypt.
# Build a plain Secret manifest locally (client-side dry run, never applied and
# never committed) and pipe it to kubeseal, which encrypts it with the
# operator's public key; kubeseal expects a Secret manifest on stdin, not a raw string
kubectl create secret generic db-secret \
  --from-literal=password=my-db-password \
  --dry-run=client -o yaml \
  | kubeseal --format yaml > secret.yaml

Expected Result:
A YAML file containing an encrypted SealedSecret object, safe to push to a public Git repository.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-secret
spec:
  encryptedData:
    password: AgB...xyz...
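The following POSIX shell script is an added example, not code from the original page or from the Sealed Secrets project. It serves both the "never store plaintext secrets in Git" pillar and the sealing step above: seal_secret wraps the kubectl/kubeseal pipeline (it assumes kubectl and kubeseal are installed and the controller is reachable, and the script never calls it), and check_manifest/scan_repo form a repository-side guard that rejects any plaintext kind: Secret manifest while letting SealedSecret objects through. The sample manifests in demo are constructed inline so the guard runs offline.

```shell
#!/bin/sh
# Added example: repository-side guard against plaintext Secrets in a GitOps repo.
# Needs only POSIX sh, awk, find and mktemp.

# Produce a SealedSecret for one key/value pair (hypothetical helper; assumes
# kubectl and kubeseal are installed and the controller is reachable; not run here).
seal_secret() {
  name="$1"; key="$2"; value="$3"
  kubectl create secret generic "$name" --from-literal="$key=$value" \
      --dry-run=client -o yaml | kubeseal --format yaml
}

# Return 0 if the manifest is safe to commit, 1 if it is a plaintext Secret.
# Only an exact "kind: Secret" (optionally quoted) counts; "kind: SealedSecret"
# passes. base64 in data: is encoding, not encryption, so it is still plaintext.
check_manifest() {
  awk '
    /^kind:[ \t]*"?Secret"?[ \t]*$/ { found = 1 }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Scan every *.yaml / *.yml under a directory; report offenders on stderr and
# return 1 if any were found, 0 otherwise. Suitable as a pre-commit or CI gate.
scan_repo() {
  dir="$1"; bad=0
  old_ifs=$IFS; IFS='
'
  for f in $(find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \)); do
    if ! check_manifest "$f"; then
      echo "REJECT: plaintext Secret in $f" >&2
      bad=1
    fi
  done
  IFS=$old_ifs
  return "$bad"
}

# Constructed sample repository: one SealedSecret (allowed), one plain Secret (rejected).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-secret
spec:
  encryptedData:
    password: AgB...xyz...
EOF
  cat > "$tmp/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
data:
  password: bXktZGItcGFzc3dvcmQ=
EOF
  scan_repo "$tmp"; rc=$?
  rm -rf "$tmp"
  return "$rc"
}

demo
echo "scan exit status: $? (1 means a plaintext Secret was found)"
```

Wire scan_repo into a pre-commit hook or a CI job with the repository root as its argument; a non-zero status blocks the commit or the pipeline. Because the check keys on kind, a plain Secret hidden in a multi-document file is still caught, while SealedSecret manifests and ExternalSecret references are unaffected.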