DC/OS Spinnaker Security

The DC/OS Spinnaker service supports transport encryption, authentication, and authorization mechanisms. The service provides automation and orchestration to simplify the use of these important features.

NOTE: These security features are only available on DC/OS Enterprise 1.10 and later.

Refer to the Couchbase documentation for more detail.

Transport Encryption

With transport encryption enabled, DC/OS Spinnaker will automatically deploy all nodes with the correct configuration to encrypt communication via SSL.

NOTE: The current exception is the connections to Redis, which does not support TLS. A code change is required in the other services in the way they use Redis.

The service uses the DC/OS CA to generate the SSL artifacts that it uses to secure the service. Any client that trusts the DC/OS CA will consider the service’s certificates valid.

Prerequisites

A DC/OS Service Account with a secret stored in the DC/OS Secret Store.
DC/OS Superuser permissions for modifying the permissions of the Service Account.

Configure Transport Encryption

Set up the service account

Grant the service account the correct permissions.

In DC/OS 1.10, the required permission is dcos:superuser full.
In DC/OS 1.11 and later, the required permissions are:

dcos:secrets:default:/<service name>/* full
dcos:secrets:list:default:/<service name> read
dcos:adminrouter:ops:ca:rw full
dcos:adminrouter:ops:ca:ro full

where <service name> is the name of the service to be installed.

Run the following DC/OS Enterprise CLI commands to set permissions for the service account on a strict cluster:

dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:task:app_id:<service/name> create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:reservation:principal:dev_hdfs create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:volume:principal:dev_hdfs create

Install the service

Install the DC/OS Spinnaker service including the following options in addition to your own:

{
    "service": {
        "service_account": "<your service account name>",
        "service_account_secret": "<full path of service secret>",
        "security": {
            "transport_encryption": {
                "enabled": true
            }
        }
    }
}

Service account and service account secret plus enabling TLS can also be configured when launching the via the DC/OS console.

Authentication

DC/OS Spinnaker supports OAuth2 authentication mechanisms using G Suite, Github, or Azure.

NOTE: Other authentication mechanisms, such as LDAP, are currently not supported.

Authorization

DC/OS Spinnaker service currently does not enable Fiat based authorization.

Security

Using Spinnaker security features