Hardening Argo CD
It can deploy anything, anywhere.
Argo CD is one of the most privileged things in your platform — it holds credentials to every cluster it manages and applies arbitrary manifests from Git — so hardening spans its own components, its access model, and the Git trust chain. Its pieces (API server, repo-server, application-controller, Redis, Dex) should run with least-privilege service accounts, network policies restricting them, and the UI/API behind SSO with no anonymous access. Turn off or lock down the built-in admin account after bootstrap.
Git is now part of your security perimeter
Because Argo CD deploys whatever is in Git, write access to a synced repo is deploy access to your clusters — so the repo needs the protections of a production system: branch protection, required reviews, signed commits (Argo CD can verify commit signatures), and CODEOWNERS on sensitive paths. Combine that with scoped projects, least-privilege cluster credentials, SSO-backed RBAC, and audit logging of syncs. Defense in depth: even a trusted Git change should hit policy (OPA/Gatekeeper) at admission.