Telepresence change in 2.13.0 GPO setGlobalSearchList fallback handling

[peter-galcik]

Describe the bug
We are using telepresence on Windows with group policies enforced on our Windows machines. We also have admin accounts and daemon is leveraged to run in elevated prompt. We are facing issue in new release of telepresence 2.13.0 where handling of Windows GlobalSearchList injection for dns resolution to cluster namespace is added.
After starting daemon we are getting such errors when SearchLists are updated.

2023-04-26 08:03:02.2857 error   daemon/session/dns : goroutine "/daemon/session/dns" exited with error: failed to set DNS: Set-DnsClientGlobalSetting : Access to a CIM resource was not available to the client.
At line:1 char:1
+ Set-DnsClientGlobalSetting -SuffixSearchList @("xxx.net","xyz ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_DNSClientG...nstanceID = ""):ROOT/StandardCi...ntGlobalSetting)  
   [Set-DnsClientGlobalSetting], CimException
    + FullyQualifiedErrorId : MI RESULT 2,Set-DnsClientGlobalSetting: exit status 1

This seems to be caused by GPO policy enforced (please see: https://serverfault.com/questions/988876/set-dnsclientglobalsetting-throwing-access-to-a-cim-resource-was-not-availabl)

We were bypassing it before version of 2.13.0 with manually altering respecitve entry in registry hive: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList

Seems setting it via powershell command respect enforced group policy...
cmd := proc.CommandContext(ctx, "powershell.exe", "-NoProfile", "-NonInteractive", "Set-DnsClientGlobalSetting", "-SuffixSearchList", psList(gss))

I want to ask, if this couldn't be updated as fallback option via direct update/write in registry?
For example retrieval is done via registry.OpenKey, but setting is done via powershell.

Also if updating of SearchList is not done, the outcomes shall not block daemon for routing DNS requests to the kubernetes dns resolver if we adapt the entries by hand (which seems to be not working right now)

To Reproduce
Group policy with enforced SearchList from Oranizational Unit or Site.
Connect with telepresence and intercept service.

Expected behavior
Try all possible options to update Windows DNSClient Searchlist

Versions (please complete the following information):
Host on 2.13.0
Cluster side 2.12.0

** Commit involved **
@thallgren
Use powershell Resolve-DnsName -Name to verify DNS on Windows.
Thomas Hallgren 3. 4. 2023 11:47
CommitID: ddd86cf

[thallgren]

I want to ask, if this couldn't be updated as fallback option via direct update/write in registry?
For example retrieval is done via registry.OpenKey, but setting is done via powershell.

Also if updating of SearchList is not done, the outcomes shall not block daemon for routing DNS requests to the kubernetes dns resolver if we adapt the entries by hand (which seems to be not working right now)

Seems reasonable. I'll look into this. I don't have access to a Windows box with enforced group policies though, so I'd appreciate if you can test the fix.

[peter-galcik]

Very gladly. Just ping me if test needs to be conducted. I would have tried to make change and open merge request, but not feeling confident in go language to make changes on my own. Thank you very much in advance.