ArgoCD Security Quiz
This quiz tests your understanding of ArgoCD security features and best practices.
- How does ArgoCD handle secrets in Git repositories by default?
- A) It encrypts them automatically
- B) It doesn't handle secrets specially - they're stored as plain text
- C) It uses Kubernetes Secrets API
- D) It requires a secrets manager
Show Answer
Answer: B) It doesn't handle secrets specially - they're stored as plain text
Explanation: ArgoCD itself doesn't provide secret encryption. Secrets in Git should be encrypted using tools like Sealed Secrets, SOPS, External Secrets Operator, or Vault before committing to Git.
- Which tool encrypts Kubernetes Secrets using a cluster-specific key?
- A) SOPS
- B) Sealed Secrets
- C) Vault
- D) KMS
Show Answer
Answer: B) Sealed Secrets
Explanation: Sealed Secrets uses a cluster-specific key pair to encrypt secrets. The encrypted SealedSecret can be safely stored in Git and is decrypted by the Sealed Secrets controller in the cluster.
- What is the purpose of ArgoCD's Dex component?
- A) Container image scanning
- B) OpenID Connect authentication and SSO
- C) Network policy enforcement
- D) Secret rotation
Show Answer
Answer: B) OpenID Connect authentication and SSO
Explanation: Dex is an identity service that provides OpenID Connect (OIDC) authentication. It enables ArgoCD to integrate with various identity providers (LDAP, SAML, GitHub, etc.) for single sign-on.
- How can you restrict which Kubernetes resources an Application can create?
- A) Using Kubernetes ResourceQuotas
- B) Using AppProject's namespaceResourceBlacklist or namespaceResourceWhitelist
- C) Using Pod Security Policies
- D) It's not possible in ArgoCD
Show Answer
Answer: B) Using AppProject's namespaceResourceBlacklist or namespaceResourceWhitelist
Explanation: AppProjects can define namespaceResourceBlacklist (deny specific resources) or namespaceResourceWhitelist (allow only specific resources) to control what types of Kubernetes resources Applications can manage.
- What is the recommended practice for ArgoCD API server exposure?
- A) Expose it publicly with basic auth
- B) Keep it internal and use an ingress with TLS and authentication
- C) Run it without any authentication
- D) Only access it via port-forwarding
Show Answer
Answer: B) Keep it internal and use an ingress with TLS and authentication
Explanation: The ArgoCD API server should be exposed through an ingress with TLS termination and proper authentication (SSO/OIDC). For sensitive environments, additional measures like VPN access or IP whitelisting are recommended.