https://rancher.com/ logo
Join Slack
Powered by
This message was deleted.
# rancher-desktop
a
This message was deleted.
w
you may be able to swing to deployment profiles instead of the file based ACLs if you use a management system
r
Yeah I saw those new deployment profiles but it seems like if a user changes the settings.json or settings in the GUI, those override the default profile. The locked profile seems to supersede the settings.json but as far as I can tell, you can only lock on setting down?
w
the default yeah, but shouldn’t overwrite the Locked items.
I would say HKLM and Locked would be the most common use case for governance controls.
and GPO to put things back if you have Admin users who can muck around in system root
r
And the only thing that can be locked is the allowed images/repositories?
w
nope? should be all settings though I have not tested them all
r
“The containerEngine.allowedImages settings are currently the only ones that can be locked”. That’s what the docs say so that’s why I was trying to do ACLs which used to work but now Rancher appears to need write permissions on the settings.json file
w
i don’t think they have a handy tool for windows yet, but you can use rdctl list-settings to dump everything
let me spin up windows and poke. proxy is my big need so RD has been on my back burner
r
Yeah I was trying this on Mac first with a simple chmod on the settings.json, removing write access since it appears that allowed images is the only lockable setting.
f
The locked profile is only implemented for the Allowed Images settings in 1.8.1; the rest is waiting for corresponding support in the Preferences dialog
👍 2
I don't think there is a way to prevent users from changing other settings until the full locked profile support is implemented.
I'm surprised that making 
settings.json
read-only would have worked in pre-1.8 releases. Even if the write failed, wouldn't the settings still change for the current session?
r
Yeah, it actually did. It would show like it was changed in the GUI but it wouldn’t change anything, and when Rancher would restart they would be reverted back. So essentially, it would show like it was changed but nothing did change and a restart of the app would remove the changes.
f
Interesting. But that was definitely no intentional behaviour, but a side-effect of how the write-failure was handled
I hope that we get the expanded lock profile support into 1.9, but I can't promise that
r
Yeah I figured it wasn’t an intention. We were just trying to upgrade to the version with the allowed images since a user found a backdoor issue with the conf.d docker settings within the VM. It can be changed to add proxies, etc and those settings persist when the user restarts the app, essentially going through any controls.
w
wouldn’t the upstream proxy catch any distro level proxy shenanigans?
f
Nothing we can do will really prevent a malicious user from changing things; but it should be obvious to the well-intentioned employee that they are circumventing policy when they disable these mechanisms.
👍 1
r
Yeah, understandable. We are trying to utilize the override.yaml in the meantime. We have policy around malicious actions but trying to lock down where ever possible.
I love the new deployment profiles and hope those can be expanded like you mentioned
f
I understand. It is like having a lock on the door. Nothing that can't be overcome with a bit of violence, but it will be obvious that you were not invited when you do that
🙌 1
r
We are just heavily regulated so the constant fight with our security folks is always a terrible time when we try to implement great products like Rancher
Their ideal world, is not always possible haha
w
come on lock the laptop in a safe and drop it to the bottom of the bay. super secure
🤣 1
f
Like how Windows NT4 got a C2 security certification (only valid for configurations without a network card)
👀 1
w
anything can be made secure with a bit of epoxy. usable… well you will adapt
🙌 1
r
Well thank you both @fast-garage-66093 and @wide-mechanic-33041! Appreciate the input and I look forward to the updates coming to Rancher!
f
Note that "Rancher" typically referes to "Rancher Manager", and this tool is called "Rancher Desktop". In hindsight this was an unfortunate naming decisions, but here we are...
r
Oh my apologies! just used to calling that from my day-to-day work. Will note that
5 Views
Open in Slack
PreviousNext
Powered by