Hardened Desktop and Admin Controls #15775
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for docsdocker ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site settings. |
craig-osterhout
added
the
area/desktop
rodnymolina
reviewed
Oct 11, 2022
rodnymolina
reviewed
Oct 11, 2022
rodnymolina
reviewed
Oct 11, 2022
| Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. This can be enforced using Admin Controls. For more information, see [Admin Controls](../admin-controls/index.md). | ||
|
|
||
| #### Kubernetes pods and extension containers are not yet protected | ||
| When Enhanced Container Isolation is enabled, Kubernetes pods and extension containers are not yet protected. A malicious or privileged pod or extension container can compromise the Docker Desktop Linux VM and bypass security controls. |
There was a problem hiding this comment.
Dev-environments is another category not being protected (for now).
There was a problem hiding this comment.
I think @ctalledo is covering this in his doc additions
dvdksn
reviewed
Oct 12, 2022
There was a problem hiding this comment.
Awesome work @aevesdocker -- I only have minor comments/suggestions.
PS: I think the image at /desktop/images/admin-settings.PNG can be removed?
ctalledo
suggested changes
Oct 13, 2022
ctalledo
reviewed
Oct 13, 2022
ctalledo
reviewed
Oct 13, 2022
ebriney
reviewed
Oct 17, 2022
| - On an existing install, developers need to quit Docker Desktop through the Docker menu, and then relaunch Docker Desktop and sign in to receive the changed settings. | ||
| >**Important** | ||
| > | ||
| >Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. |
There was a problem hiding this comment.
NB: this is a design choice, we can change this if we think UX is not intuitive.
But as far as changing admin settings must not interrupt the developer workflow, I think it's works fine like that. WDYT @ctalledo
ebriney
suggested changes
Oct 17, 2022
ebriney
suggested changes
Oct 18, 2022
MihaelaStoica
suggested changes
Oct 18, 2022
| Without Enhanced Container Isolation, Docker Desktop has Docker Engine run as root with full capabilities inside a container that shares almost all namespaces with the Linux VM’s root user. Whilst this provides strong isolation between containers and the underlying host machine, it gives the container access to all the VM’s kernel resources and does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. This brings Docker Desktop users closer to gaining privileged access to the underlying host. | ||
|
|
||
| ### How is this different to rootless mode in Docker Engine? | ||
|
|
There was a problem hiding this comment.
I am assuming we will add something here, or remove the header?
There was a problem hiding this comment.
Yes. Waiting for Cesar's additions.
ebriney
previously approved these changes
Oct 19, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes merge issues in #15671