From 6b690eb03374ab6ff86dd639680fbc5d530bb4ab Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 14 Apr 2026 13:07:52 -0700 Subject: [PATCH] Review CC sso-gated-admin-tools: scope to ArgoCD only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Removed Grafana from the control description — no Prowler finding references it. Tightened scope to match actual usage (ArgoCD wildcard RBAC mute). Added workflow-bot scoping note. Co-Authored-By: Claude Opus 4.6 (1M context) --- compensating-controls.yaml | 14 ++++++++------ .../+review-sso-gated-admin-tools.misc.md | 1 + 2 files changed, 9 insertions(+), 6 deletions(-) create mode 100644 docs/changelog.d/+review-sso-gated-admin-tools.misc.md diff --git a/compensating-controls.yaml b/compensating-controls.yaml index 459a991..b441341 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml @@ -59,14 +59,16 @@ controls: - id: sso-gated-admin-tools description: >- - ArgoCD and Grafana require SSO authentication via Authentik OIDC. - Wildcard RBAC in ArgoCD is mitigated by requiring authenticated - identity before any API access. + ArgoCD requires SSO authentication via Authentik OIDC. Wildcard + RBAC roles are mitigated by requiring authenticated identity + before any API access. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-04-14 notes: >- - Verify Authentik provider config and that anonymous access is - disabled. Check ArgoCD --auth-token isn't leaked. + Verify Authentik OIDC provider config for ArgoCD and that + anonymous access is disabled. Check ArgoCD --auth-token isn't + leaked. The workflow-bot API key account is scoped to sync/get + only. - id: operator-managed-pods description: >- diff --git a/docs/changelog.d/+review-sso-gated-admin-tools.misc.md b/docs/changelog.d/+review-sso-gated-admin-tools.misc.md new file mode 100644 index 0000000..7e337df --- /dev/null +++ b/docs/changelog.d/+review-sso-gated-admin-tools.misc.md 
@@ -0,0 +1 @@ +Review compensating control `sso-gated-admin-tools`: tightened scope to ArgoCD only, removed Grafana reference.
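Review bot: in the compensating-controls.yaml hunk the rewritten description still presents authentication alone as the mitigation (`+ RBAC roles are mitigated by requiring authenticated identity` / `+ before any API access.`), yet any identity that passes the Authentik OIDC gate, including the workflow-bot API key account introduced in the notes, then holds whatever the wildcard role grants. The scoping of that account is the part of this change that actually limits the wildcard exposure, so it belongs in the description rather than only in `notes`. Relatedly, `+ leaked. The workflow-bot API key account is scoped to sync/get` / `+ only.` is an assertion in a field whose other entries are verification steps ("Verify ...", "Check ..."); phrase it as "Verify the workflow-bot API key account is scoped to sync/get only" so the next review re-checks it instead of inheriting the claim.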
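Review bot: the changelog fragment `+Review compensating control \`sso-gated-admin-tools\`: tightened scope to ArgoCD only, removed Grafana reference.` omits the third change the commit message lists, the workflow-bot scoping note added to `notes`; mention it so the changelog entry matches the YAML diff.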