Advertise Domainless gMSA capability on Windows #3668
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
arun-annamalai
force-pushed
the
capability
branch
3 times, most recently
from
0dae86a to
06c88f7
Compare
arun-annamalai
requested review from
saikiranakula-amzn,
fierlion,
yinyic and
a team
and removed request for
a team
yinyic
reviewed
May 2, 2023
yinyic
previously approved these changes
May 2, 2023
singholt
approved these changes
May 3, 2023
yinyic
approved these changes
May 3, 2023
rawahars
reviewed
May 3, 2023
| @@ -114,3 +141,42 @@ var IsWindows2016 = func() (bool, error) { | |||
|
|
|||
| return isWS2016, nil | |||
| } | |||
|
|
|||
| var queryDomainlessGmsaPluginSubKeys = func() ([]string, error) { | |||
| k, err := registry.OpenKey(registry.LOCAL_MACHINE, `SYSTEM\CurrentControlSet\Control\CCG\COMClasses\`, registry.READ) | |||
There was a problem hiding this comment.
We should make the registry keys as constants.
There was a problem hiding this comment.
Can I do this as a followup in a future cleanup PR? Sai is blocked on this work presently
|
|
||
| // This function queries all gmsa plugin subkeys to check whether the Amazon ECS Plugin GUID is present. | ||
| func isDomainlessGmsaPluginInstalled() (bool, error) { | ||
| subKeys, err := fnQueryDomainlessGmsaPluginSubKeys() |
There was a problem hiding this comment.
Should we also check for the presence of GMSA binary?
There was a problem hiding this comment.
I had asked Justin about this, and he had only wanted to check for the presence of registry key (which would imply plugin is installed)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR is advertises the new domainless gmsa capability on the Windows ECS agent. The Linux agent will be coming in a followup PR.
Implementation details
The Windows agent will advertise the gmsa capability only under the following 3 conditions
Testing
This change was unit tested as well as tested on a Windows EC2 instance and describe-container-instance was called to ensure that the capability was correctly advertised. It was also run on an old Windows EC2 instance to ensure the capability was not advertised.
New tests cover the changes: yes
Description for the changelog
Advertise gmsa domainless capability on Windows Agent
Licensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.