Your cluster will become more secure as you move from permissive
to strict
security modes. However, there are a number of settings that you can modify independently of your security mode to increase the security of your cluster.
-
Ensure that the network is set up according to the information for securing your cluster.
-
Set the
auth_cookie_secure_flag
totrue
. -
Do not use the default ZooKeeper credentials. Instead, specify long, random values for the following:
zk_super_credentials
,zk_master_credentials
, andzk_agent_credentials
. -
Get the root certificate of your DC/OS CA and manually provision browsers, DC/OS CLI, curl, and other clients with it.
-
Provision services with service accounts even when optional.
-
Use secrets to store and pass sensitive information to services.
-
Tightly restrict the distribution of SSH keys. For debugging, consider using
dcos task exec
instead. -
Adhere to the principle of least privilege and give your users only the minimum permissions that they need. Avoid granting users or service accounts the
dcos:superuser
permission. -
If you configure an external LDAP directory, select either Use SSL/TLS for all connections or Attempt StartTLS, abort if it fails and provide the root CA certificate and any intermediate certificates of the LDAP directory server in the CA certificate chain (Optional) field.
-
Override the Linux user account of your services to use a less privileged account such as
nobody
.