u/Kooky_Comparison3225

▲ 90 r/ArgoCD+1 crossposts

A read-only ArgoCD user can extract every Kubernetes Secret in your cluster.

That's GHSA-3v3m-wc6v-x4x3, a CVSS 9.6 Critical vulnerability affecting ArgoCD versions 3.2.0 through 3.3.8 (GitHub Advisory, 2026). No admin access. No special tooling. One annotation and a diff request.

The vulnerability lives in ArgoCD's ServerSideDiff feature. When an Application has the IncludeMutationWebhook=true annotation, the diff endpoint returns raw Kubernetes API responses that include the full .data contents of Secrets.

The root cause is a single missing function call: hideSecretData() was wired into every other diff code path but was never added to the ServerSideDiff handler.

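The post's root cause is a redaction step that exists on other diff paths but is skipped on one. The Go program below is an added example, not Argo CD's code and not from the post: it models a diff handler with and without the redaction call, and carries the regression check a reviewer would want so the missing call cannot come back silently. `DiffResult`, `vulnerableServerSideDiff`, `fixedServerSideDiff`, `leaksValue` and the sample Secret are constructed for illustration; only the name `hideSecretData` comes from the post, and this implementation of it is a simplified stand-in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DiffResult is a hypothetical, simplified model of what a server-side diff
// endpoint hands back: the live object and the predicted object as generic
// JSON maps, exactly as the API server returned them.
type DiffResult struct {
	Live      map[string]any `json:"live"`
	Predicted map[string]any `json:"predicted"`
}

// redactedValue stands in for every Secret value in the redacted output.
const redactedValue = "++++++++"

// deepCopy round-trips through JSON so redaction never mutates the caller's map.
func deepCopy(obj map[string]any) map[string]any {
	b, err := json.Marshal(obj)
	if err != nil {
		panic(err) // unreachable for API objects, which are always JSON-serializable
	}
	var out map[string]any
	if err := json.Unmarshal(b, &out); err != nil {
		panic(err)
	}
	return out
}

// isSecret matches core/v1 Secret objects; every other kind passes through untouched.
func isSecret(obj map[string]any) bool {
	return obj["apiVersion"] == "v1" && obj["kind"] == "Secret"
}

// hideSecretData returns a copy of obj in which every value under .data and
// .stringData of a v1 Secret is replaced by a placeholder. Constructed stand-in
// for the redaction step the post says the ServerSideDiff handler lacked.
func hideSecretData(obj map[string]any) map[string]any {
	if obj == nil || !isSecret(obj) {
		return obj
	}
	out := deepCopy(obj)
	for _, field := range []string{"data", "stringData"} {
		values, ok := out[field].(map[string]any)
		if !ok {
			continue
		}
		for k := range values {
			values[k] = redactedValue
		}
	}
	return out
}

// vulnerableServerSideDiff models the bug: the raw objects go straight back to
// the caller, so a read-only user of the Application sees the Secret's .data.
func vulnerableServerSideDiff(live, predicted map[string]any) DiffResult {
	return DiffResult{Live: live, Predicted: predicted}
}

// fixedServerSideDiff redacts both sides before anything leaves the handler,
// the single missing call the post describes.
func fixedServerSideDiff(live, predicted map[string]any) DiffResult {
	return DiffResult{Live: hideSecretData(live), Predicted: hideSecretData(predicted)}
}

// leaksValue is the regression check: does the serialized response still
// contain the (base64-encoded) Secret value the client should never see?
func leaksValue(res DiffResult, value string) bool {
	b, err := json.Marshal(res)
	if err != nil {
		return true // fail closed: an unserializable result counts as a leak
	}
	return strings.Contains(string(b), value)
}

// sampleSecret is a constructed Secret; "aHVudGVyMg==" is base64 of "hunter2".
func sampleSecret() map[string]any {
	return map[string]any{
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata":   map[string]any{"name": "db-creds", "namespace": "prod"},
		"type":       "Opaque",
		"data":       map[string]any{"password": "aHVudGVyMg=="},
	}
}

func main() {
	live := sampleSecret()
	fmt.Println("vulnerable path leaks:", leaksValue(vulnerableServerSideDiff(live, live), "aHVudGVyMg=="))
	fmt.Println("fixed path leaks:     ", leaksValue(fixedServerSideDiff(live, live), "aHVudGVyMg=="))
}
```

The point of `leaksValue` is that it tests the serialized response, not the internal map: a redaction that is applied but then bypassed by a second code path returning the raw object would still fail this check, which is exactly the class of bug the post describes.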
u/Kooky_Comparison3225 — 12 days ago
▲ 30 r/Traefik+1 crossposts

Two things are converging for Kubernetes ingress right now:

  1. Gateway API is SIG-Network's official successor to the Ingress spec. GA since 2023. The limitations it was designed to fix (no native traffic splitting, no cross-namespace routing, controller-specific annotation soup, no clean platform/app role separation) apply to any Ingress setup, not just nginx.
  2. Ingress-NGINX reached end-of-life on March 26, 2026. No more releases, bug fixes, or security patches, if you still run it for some reason.

If you're on ingress-nginx, migration is imminent. If you're on another controller, it's still worth learning where the ecosystem is heading before a new pressure comes.

I built a 12-lesson hands-on course for migrating to Gateway API with Traefik, using a real bookstore app on a local k3d cluster:

  • The resource model: GatewayClass → Gateway → HTTPRoute, and why the split matters for RBAC
  • TLS termination with mkcert locally and cert-manager + Let's Encrypt in production
  • Traffic splitting, path rewrites, header manipulation, rate limiting
  • Cross-namespace routing with ReferenceGrant
  • Production concerns: PDBs, HPA, JSON access logs
  • Migration pitfalls, including a file-upload bug where WSGI apps (uWSGI, Gunicorn) get zero-byte files after cutover because nginx buffers requests by default while Traefik streams them with chunked transfer encoding, which WSGI can't read
  • Extending Traefik with custom Go plugins via Yaegi

Around 6 to 8 hours, free and self-paced. Progress tracking and per-lesson challenges require a free account; the content itself is open.

https://devoriales.com/quiz/20/gateway-api-learning-lab-from-zero-to-hero

Happy to answer questions about the approach in the comments.

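The GatewayClass → Gateway → HTTPRoute split and the ReferenceGrant for cross-namespace routing, as an added example that is not from the course or the post: the platform team owns the Gateway in its own namespace and decides which namespaces may attach routes, the app team owns only its HTTPRoute, and a backend in a third namespace is reachable only because that namespace explicitly grants it. Namespaces, names, the `shared-gateway-access` label, the hostname and the Traefik `controllerName` value are assumptions made for illustration.

```yaml
# Added example, not from the course. Platform-owned resources first.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: traefik
spec:
  controllerName: traefik.io/gateway-controller   # assumed Traefik controller name
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gw
  namespace: infra            # platform team has write access here, app teams do not
spec:
  gatewayClassName: traefik
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "bookstore.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: bookstore-tls   # assumed cert-manager-issued Secret in infra
      allowedRoutes:
        namespaces:
          from: Selector       # only labelled namespaces may attach HTTPRoutes
          selector:
            matchLabels:
              shared-gateway-access: "true"
---
# App-owned: lives in the bookstore namespace, which carries the label above.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: bookstore
  namespace: bookstore
spec:
  parentRefs:
    - name: shared-gw
      namespace: infra
  hostnames:
    - "bookstore.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:             # weighted split, no controller-specific annotations
        - name: api-v1
          port: 8080
          weight: 90
        - name: api-v2
          port: 8080
          weight: 10
    - matches:
        - path:
            type: PathPrefix
            value: /reviews
      backendRefs:
        - name: reviews
          namespace: reviews   # cross-namespace backend: needs the grant below
          port: 8080
---
# Granted in the *target* namespace by whoever owns it, never by the route author.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-bookstore-routes
  namespace: reviews
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: bookstore
  to:
    - group: ""
      kind: Service
```

The check worth knowing: if the ReferenceGrant is missing, the HTTPRoute still gets accepted but its status carries a `ResolvedRefs: False` condition with reason `RefNotPermitted`, and traffic to `/reviews` does not reach the backend. `kubectl get httproute bookstore -n bookstore -o yaml` and reading `status.parents[].conditions` is the first place to look after a cutover that "applied cleanly" but serves errors.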
u/Kooky_Comparison3225 — 21 days ago