Open talpa-robin opened 1 month ago
Would also like to see this. For security purposes, the actual absolute version number itself is not important; it's how far behind the current version it is, or if it indicates there are unpatched vulnerabilities.
Constantly updating the ACLs is cumbersome and potentially error-prone. Exposing the classification that Tailscale already does for versions in the dashboard to the posture system would be very welcome.
Hi @talpa-robin
I am the product manager who looks after this product area. Just wanted to say thank you for this feature request. We definitely see value in adding this feature and will get to it in the near future.
What are you trying to do?
In the Tailscale UI you have an indicator if an update for a device is available. If I understood correctly, there is one in grey that is not critical and just gives you a heads-up, then there is an orange one for clients whose version difference is > 7 minor versions, and finally there is a red one for client versions that have a critical security vulnerability. We'd like to deny access for versions that have the orange or red indicator, but without actively managing that on our side.
How should we solve this?
Maybe there should either be a new attribute like tsVersionStatus = ["green", "orange", "red"] or a pre-defined attribute value for tsVersion like ">= latest_none_critical_version".
What is the impact of not solving this?
We would need to either actively track the released Tailscale versions and discovered security vulns and adjust our ACL manually with the latest "non critical" version, or not care about the client version.
Anything else?
No response
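The manual workaround this issue describes, sketched as an added example (not code from Tailscale or from anyone in the thread): it classifies a client using the grey/orange/red rules as the issue author understands them and derives the floor to put in a `node:tsVersion` posture condition. The version numbers, the "fixed in" input and the posture name `posture:supportedClient` are constructed assumptions.

```python
import json

MAX_MINOR_LAG = 7  # "orange" threshold as described in the issue (assumption)

def parse(version):
    """'1.63.0-t123' -> (1, 63, 0); any build suffix after '-' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def status(client, latest, security_fix):
    """Classify a client. security_fix is the oldest release that contains
    every critical fix (assumed input, tracked by hand today)."""
    c, l = parse(client), parse(latest)
    if c < parse(security_fix):
        return "red"
    if c[0] < l[0] or l[1] - c[1] > MAX_MINOR_LAG:
        return "orange"
    return "grey" if c < l else "green"

def minimum_allowed(latest, security_fix):
    """Lowest version that is neither orange nor red."""
    major, minor, _ = parse(latest)
    lag_floor = (major, max(minor - MAX_MINOR_LAG, 0), 0)
    floor = max(lag_floor, parse(security_fix))
    return ".".join(str(n) for n in floor)

def posture_fragment(latest, security_fix):
    """Policy fragment to paste into the tailnet policy file.
    'posture:supportedClient' is a hypothetical name."""
    floor = minimum_allowed(latest, security_fix)
    condition = f"node:tsVersion >= '{floor}'"
    return {"postures": {"posture:supportedClient": [condition]}}

if __name__ == "__main__":
    LATEST, SECURITY_FIX = "1.70.2", "1.60.0"  # constructed sample values
    for client in ("1.70.2", "1.68.0", "1.63.0", "1.62.4", "1.59.1"):
        print(client, status(client, LATEST, SECURITY_FIX))
    print(json.dumps(posture_fragment(LATEST, SECURITY_FIX), indent=2))
```

The two inputs have to be refreshed on every release and every security bulletin, which is the maintenance burden the request wants to remove; the posture only takes effect once an access rule references it.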