Our goal is to make it easy to:
Because we are working with different projects, the controls implemented in each component vary greatly.
Mantl is not currently suitable for running untrusted code or multi-tenant workloads.
The security model focuses on three areas:
The next sections will deal with each area.
SSH strict host key checking is turned off for now to make development against the project easier. When you set up a production instance of the project, you should change host_key_checking and record_host_keys in ansible.cfg
Provisioning security involves setting up a secure cloud environment, basic server security, and securing secrets on the provisioning systems. Ansible and Terraform are our primary provisioning tools.
The following security features are implemented or on the roadmap:
The following items are currently not on the roadmap:
This area deals with the securing communication and access on the underlying components like Consul and Mesos.
HTTP traffic to the management systems is managed via an nginx proxy that provides basic authentication and SSL termination. For example, Consul binds to localhost:8500, and Nginx will bind to port 8500 on the network interface and forward traffic to localhost.
The web credentials are stored in the Consul K/V, and Consul-template is used to modify the Nginx authentication file. The long term roadmap of the project is to move more configuration into Consul and Vault, and out of our provisioning systems.
Consul endpoints are secured with TLS certificates, and all incoming and outgoing connections are verified with TLS. Consul exec is disabled for security reasons. The default ACL policy is deny.
Consul Template is used to dynamically configure components based on Consul K/V pairs. Consul Template is used across the environment. Consul Template is configured with TLS, and verifies all connections.
The daemon is not exposed to TCP by default, but can be configured to do so, while verifying incoming requests with TLS.
Never expose the Docker daemon to network traffic without securing it with TLS.
Marathon supports both basic HTTP authentication and TLS. We place an authenticating proxy in front of the instance, using the same credentials as for the Mesos and Consul administrative accounts.
Marathon does not support Zookeeper authentication, so the Zookeeper znode must have world access. We expect this will change soon.
References: - `SSL and Basic Access
We currently support Mesos framework authorization, and will support SSL in the future (issue #1109).
Mesos Authorization allows control of the following actions: register_frameworks, shutdown_frameworks, run_tasks. Support for Mesos authorization is still being reviewed.
The following steps are taken to secure Mesos if security is enabled:
The main recommendation for securing Zookeeper is to use Kerberos, which is currently out of scope for the project.
Zookeeper supports ACLs on Znodes, but ACLs are not recursive.
We don’t store any restricted data within Zookeeper
Implement ACLs and Authentication on the /Mesos znode using user digest. (version 0.2)
Implement ACLs and Authentication on the /marathon znode using user digest. (version 0.3+, pending support for Marathon zk authentication))
Develop dynamic firewall using Consul Template on Zookeeper ports (version 0.3)
Update Marathon configuration to use zk user:password (future version)
Update Mesos configuration to use zk user:password (version 0.2)