Argo CD cluster secrets might be managed declaratively using Argo CD or `kubectl apply`. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. https://github.com/argoproj/argo-cd/pull/7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets, this also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation, which includes the full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access. *Note*: In many cases, cluster secrets do *not* contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive.
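The mechanism described above, as an added example that is not code from Argo CD, kubectl or the advisory: a constructed Argo CD cluster Secret using bearer-token auth, a function that records the annotation the way client-side `kubectl apply` does, an audit function that reads the credentials back out of that annotation (what a user with `clusters, get` could obtain once annotations became visible through the API), and a scrub function for secrets that have already been applied. The function names (`simulate_client_side_apply`, `leaked_credentials`, `strip_last_applied`), the cluster name and the token value are this example's own; the Secret layout (`argocd.argoproj.io/secret-type: cluster` label, `name`/`server`/`config` fields, `bearerToken` inside `config`) is Argo CD's documented declarative cluster format.

```python
import base64
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
CLUSTER_TYPE_LABEL = "argocd.argoproj.io/secret-type"

# Constructed sample: an Argo CD cluster Secret with bearer-token auth, as it
# would sit in a Git repo before `kubectl apply`. The token is a placeholder.
CLUSTER_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "prod-cluster",
        "namespace": "argocd",
        "labels": {CLUSTER_TYPE_LABEL: "cluster"},
    },
    "type": "Opaque",
    "stringData": {
        "name": "prod",
        "server": "https://prod.example.internal:6443",
        "config": json.dumps({
            "bearerToken": "eyJhbGciOi...example-placeholder-token",
            "tlsClientConfig": {"insecure": False},
        }),
    },
}


def simulate_client_side_apply(manifest):
    """Return the object as the API server stores it after client-side
    `kubectl apply`: stringData is folded into base64 `data`, and the manifest
    the client sent (plaintext stringData included) is recorded verbatim in
    the last-applied annotation. (Assumed model of kubectl's behaviour.)"""
    stored = copy.deepcopy(manifest)
    stored["data"] = {
        k: base64.b64encode(v.encode()).decode()
        for k, v in stored.pop("stringData", {}).items()
    }
    stored["metadata"].setdefault("annotations", {})[LAST_APPLIED] = json.dumps(manifest)
    return stored


def _decode_field(obj, key):
    """Read a Secret field from either `data` (base64) or `stringData` (plain)."""
    if key in (obj.get("data") or {}):
        return base64.b64decode(obj["data"][key]).decode()
    return (obj.get("stringData") or {}).get(key)


def leaked_credentials(secret):
    """Return the credentials recoverable from the last-applied annotation of
    an Argo CD cluster Secret, or None if the annotation carries nothing
    sensitive (the common case: no token, no client key)."""
    meta = secret.get("metadata", {})
    if meta.get("labels", {}).get(CLUSTER_TYPE_LABEL) != "cluster":
        return None
    raw = (meta.get("annotations") or {}).get(LAST_APPLIED)
    if not raw:
        return None
    applied = json.loads(raw)
    config_text = _decode_field(applied, "config")
    if not config_text:
        return None
    cfg = json.loads(config_text)
    found = {}
    for key in ("bearerToken", "password"):
        if cfg.get(key):
            found[key] = cfg[key]
    tls = cfg.get("tlsClientConfig") or {}
    if tls.get("keyData"):
        found["tlsClientConfig.keyData"] = tls["keyData"]
    return found or None


def strip_last_applied(secret):
    """Mitigation for secrets that were already applied: drop the annotation.
    Creating the Secret with `kubectl create`, or applying it with
    `kubectl apply --server-side`, never writes it in the first place."""
    scrubbed = copy.deepcopy(secret)
    annotations = scrubbed.get("metadata", {}).get("annotations") or {}
    annotations.pop(LAST_APPLIED, None)
    return scrubbed


if __name__ == "__main__":
    stored = simulate_client_side_apply(CLUSTER_SECRET)
    print("leaked via annotation:", leaked_credentials(stored))
    print("after scrub:", leaked_credentials(strip_last_applied(stored)))
```

Running the block shows the bearer token being read back out of the annotation even though the `data` field itself was never decoded; the same audit can be run over `kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -o json` output to find cluster secrets that still carry credentials in the annotation. On a live cluster the annotation can be dropped with `kubectl annotate secret <name> -n argocd kubectl.kubernetes.io/last-applied-configuration-`, and rotating any token found there is the prudent follow-up.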
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.9 Via RHSA-2023:5029 https://access.redhat.com/errata/RHSA-2023:5029
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.8 Via RHSA-2023:5030 https://access.redhat.com/errata/RHSA-2023:5030
Although in most cases cluster secrets do not carry any sensitive information, in the worst case, when bearer-token authentication is used, the secret content may be very sensitive and grant the attacker privileged access to the cluster registered with Argo CD, resulting in high impact on the CIA triad.