Session
Walled Gardens: Ensuring Robust Tenant Isolation in ArgoCD
Platform engineers who use ArgoCD to provision and manage Kubernetes resources for multiple tenants face challenges in enforcing isolation between those tenants.
ArgoCD uses a single service account to manage resources across all tenants. The limited isolation this provides creates an opportunity for a malicious tenant to escape its intended scope and cause issues such as secret leakage between tenants. The Argo community has been actively working on these challenges and has introduced a new way of decoupling ArgoCD operations by using a separate service account for each tenant. Each per-tenant service account can be configured according to the principle of least privilege.
This talk will introduce the newest feature built into ArgoCD. We will demonstrate this feature and show how it can be used to build robust isolation between tenants, with a practical use case of managing secrets.
Anand Francis Joseph
Principal Software Engineer, OpenShift GitOps/ArgoCD @Red Hat