Scenario #294
Security
Kubernetes v1.24, ArgoCD

ArgoCD Exploit via Unverified Helm Charts

ArgoCD deployed a malicious Helm chart that added privileged pods and container escape backdoors.

What Happened

A team added a new Helm repo that wasn’t verified. The chart had post-install hooks that ran containers with host access.

Diagnosis Steps
  1. Found unusual pods using hostNetwork and hostPID.
  2. Traced the deployment to an ArgoCD application with an external chart.
  3. Inspected the chart source – found embedded malicious hooks.
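The first two diagnosis steps (spotting host-level access, then tracing the pod back to its ArgoCD application) can be scripted over `kubectl get pods -A -o json` output. The following is an added example, not code from the scenario page or from ArgoCD; the PodList is constructed inline, the tracking label `app.kubernetes.io/instance` is the default label ArgoCD applies to managed resources, and `helm.sh/hook` is the standard Helm hook annotation.

```python
"""Audit a kubectl-style PodList for host-level access and trace it to ArgoCD.

Added example with constructed data; not from the original scenario.
"""
import json

# Constructed PodList shaped like `kubectl get pods -A -o json` output (example data).
SAMPLE_PODLIST = json.loads(r'''
{
  "kind": "PodList",
  "items": [
    {
      "metadata": {"name": "web-7c9f", "namespace": "shop",
                   "labels": {"app.kubernetes.io/instance": "shop-frontend"}},
      "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.2"}]}
    },
    {
      "metadata": {"name": "chart-hook-xyz", "namespace": "tools",
                   "labels": {"app.kubernetes.io/instance": "metrics-addon"},
                   "annotations": {"helm.sh/hook": "post-install"}},
      "spec": {"hostNetwork": true, "hostPID": true,
               "containers": [{"name": "hook", "image": "example.invalid/hook:latest",
                               "securityContext": {"privileged": true}}],
               "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}
    }
  ]
}
''')


def host_access_findings(pod):
    """Return the host-access settings present on one pod (empty list if none)."""
    spec = pod.get("spec", {})
    reasons = []
    # Pod-level namespaces shared with the node.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            reasons.append(field)
    # Privileged containers, including init containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            reasons.append(f"privileged container {c['name']}")
    # hostPath mounts give a container a view of the node filesystem.
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            reasons.append(f"hostPath volume {v['name']} -> {v['hostPath'].get('path')}")
    return reasons


def audit_pods(pod_list):
    """List pods with host-level access, annotated with their ArgoCD app and Helm hook."""
    findings = []
    for pod in pod_list.get("items", []):
        reasons = host_access_findings(pod)
        if not reasons:
            continue
        meta = pod["metadata"]
        findings.append({
            "namespace": meta["namespace"],
            "pod": meta["name"],
            # Default ArgoCD tracking label; lets you jump from pod to Application.
            "argocd_app": meta.get("labels", {}).get("app.kubernetes.io/instance"),
            # Helm hook annotation shows the pod came from a chart hook, not a template.
            "helm_hook": meta.get("annotations", {}).get("helm.sh/hook"),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit_pods(SAMPLE_PODLIST):
        print(f"{f['namespace']}/{f['pod']} app={f['argocd_app']} "
              f"hook={f['helm_hook']}: {', '.join(f['reasons'])}")
```

Against a live cluster, pipe `kubectl get pods -A -o json` into `json.load` in place of the constructed sample; the output names the ArgoCD application to inspect next.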
Root Cause

Lack of chart verification or provenance checks.

Fix/Workaround
• Removed the chart and all related workloads.
• Enabled Helm OCI signatures and repo allow-lists.
Lessons Learned

Supply chain security is critical, even with GitOps.

How to Avoid
  1. Only use verified or internal Helm repos.
  2. Enable ArgoCD Helm signature verification.
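The repo allow-list from the fix is enforced in ArgoCD through the AppProject `spec.sourceRepos` field; an Application whose source is not matched by one of those patterns is rejected at sync. The check below is an added example (not ArgoCD's own code) that applies the same rule to Application manifests before they are merged, so an unverified external chart repo is caught in review rather than in the cluster. Repository URLs and project names are constructed, and ArgoCD's glob matching is approximated with `fnmatch`.

```python
"""Pre-merge check: every Application source must match the AppProject sourceRepos allow-list.

Added example with constructed manifests; not ArgoCD's own enforcement code.
"""
import fnmatch

# Constructed AppProject allowing only an internal Git host and an internal OCI registry.
SAMPLE_PROJECT = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject",
    "metadata": {"name": "platform", "namespace": "argocd"},
    "spec": {"sourceRepos": [
        "https://git.example.internal/platform/*",
        "registry.example.internal/charts/*",
    ]},
}

# Constructed Applications: one internal Git source, one external Helm chart repo.
SAMPLE_APPS = [
    {"metadata": {"name": "ingress"},
     "spec": {"project": "platform",
              "source": {"repoURL": "https://git.example.internal/platform/ingress.git",
                         "path": "deploy"}}},
    {"metadata": {"name": "metrics-addon"},
     "spec": {"project": "platform",
              "source": {"repoURL": "https://charts.untrusted.invalid",
                         "chart": "metrics", "targetRevision": "0.1.0"}}},
]


def repo_allowed(repo_url, source_repos):
    """True if repo_url matches any allow-list pattern ('*' alone allows everything)."""
    for pattern in source_repos:
        if pattern == "*" or fnmatch.fnmatchcase(repo_url, pattern):
            return True
    return False


def application_sources(app):
    """Return the list of sources for single-source and multi-source Applications."""
    spec = app["spec"]
    return spec.get("sources") or [spec["source"]]


def check_applications(apps, project):
    """Return (application name, repoURL) pairs that the project would reject."""
    allowed = project["spec"].get("sourceRepos", [])
    violations = []
    for app in apps:
        if app["spec"].get("project") != project["metadata"]["name"]:
            continue  # belongs to another project; checked against that project's list
        for src in application_sources(app):
            if not repo_allowed(src["repoURL"], allowed):
                violations.append((app["metadata"]["name"], src["repoURL"]))
    return violations


if __name__ == "__main__":
    for name, url in check_applications(SAMPLE_APPS, SAMPLE_PROJECT):
        print(f"REJECT {name}: source {url} not in sourceRepos allow-list")
```

Keeping `sourceRepos` narrow (never a bare `*` in production projects) is what turns the allow-list into a control; this script only mirrors that rule at review time.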