The DC/OS Monitoring service is run on DC/OS clusters in either `permissive` or `strict` mode. DC/OS access controls must be used to restrict access to the DC/OS Monitoring service when running on strict-mode clusters. Configure the DC/OS Monitoring service to authenticate itself using a certificate, and grant it only the permissions the service requires.
This page describes how to configure DC/OS access for DC/OS Monitoring Service. Depending on your security mode, DC/OS Monitoring Service requires service authentication for access to DC/OS.
Security mode | Service Account |
---|---|
Disabled | Not available |
Permissive | Optional |
Strict | Required |
If you install a service in `permissive` mode and do not specify a service account, Metronome and Marathon will act as if requests from this service are made by an account with the superuser permission.
Prerequisites:
- DC/OS CLI installed, and you are logged in as a superuser.
- Enterprise DC/OS CLI 0.4.14 or later installed.
- If your security mode is `permissive` or `strict`, you must get the root cert before issuing the curl commands in this section.
Create a Key Pair
In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.
Create a public-private key pair and save each value into a separate file within the current directory.
Create a Service Account
From a terminal prompt, create a service account named `dcos-monitoring-principal` and store its private certificate in a secret named `dcos-monitoring/service-private-key` using the following CLI commands.
Assign service permissions
Grant `dcos-monitoring-principal` the permissions required to run the DC/OS Monitoring service using the following commands.
Create a Configuration file
Create a custom options file that is used to install the DC/OS Monitoring service and save the file as `options.json`.
Install DC/OS Monitoring service
Now, install DC/OS Monitoring service using the following command.
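The steps above as one script, added here as an example and not taken from the original page or the DC/OS project. The key file names, the `MODE` and `DRY_RUN` switches, the `permissions.txt` file (one `<resource> <action>` pair per line, filled in from the permission list for your DC/OS Monitoring version) and the `options.json` keys are assumptions; run it with `DRY_RUN=1` first to review the commands.

```shell
#!/bin/sh
# Added example. DRY_RUN=1 prints each dcos command instead of running it.
SERVICE_ACCOUNT="dcos-monitoring-principal"        # from the page
SECRET_PATH="dcos-monitoring/service-private-key"  # from the page
MODE="${MODE:-strict}"                             # assumed switch: strict | permissive
PERMISSIONS_FILE="${PERMISSIONS_FILE:-permissions.txt}"  # assumed: "<resource> <action>" per line

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Key pair, account, secret; the on-disk private key is removed afterwards.
create_account() {
    strict_flag=""
    if [ "$MODE" = "strict" ]; then strict_flag="--strict"; fi
    run dcos security org service-accounts keypair private-key.pem public-key.pem &&
    run dcos security org service-accounts create -p public-key.pem \
        -d "DC/OS Monitoring service account" "$SERVICE_ACCOUNT" &&
    run dcos security secrets create-sa-secret $strict_flag \
        private-key.pem "$SERVICE_ACCOUNT" "$SECRET_PATH" &&
    run rm -f private-key.pem
}

# Grant exactly the listed pairs; blank lines and # comments are skipped.
grant_permissions() {
    while read -r resource action; do
        case "$resource" in ''|'#'*) continue ;; esac
        [ -n "$action" ] || { echo "no action for $resource" >&2; return 1; }
        run dcos security org users grant "$SERVICE_ACCOUNT" "$resource" "$action" </dev/null || return 1
    done < "$PERMISSIONS_FILE"
}

write_options() {
    cat > options.json <<EOF
{
  "service": {
    "service_account": "$SERVICE_ACCOUNT",
    "service_account_secret": "$SECRET_PATH"
  }
}
EOF
}

install_service() {
    run dcos package install dcos-monitoring --options=options.json
}

if [ "${1:-}" = "apply" ]; then
    create_account && grant_permissions && write_options && install_service
fi
```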