Enterprise DC/OS Updated: March 15, 2017

Enterprise DC/OS offers a range of features that allow you to secure your cluster and prevent breaches and other attacks. This section provides an overview of the security features and recommendations for hardening your cluster.

Security modes

You can install Enterprise DC/OS in one of three security modes: disabled, permissive, or strict. Disabled mode offers no security features. Permissive allows you to explore the se...


Requests from outside of the cluster always require an authentication token. In-cluster requests only require an authentication token in strict security mode. In permissive securit...


In addition to authenticating requests, Enterprise DC/OS also checks the permissions associated with the account to determine whether the requestor is authorized to access the requ...

TLS encryption

The encryption of DC/OS communications varies according to your security mode. In disabled security mode, communications are unencrypted. In permissive, encryption is enabled. In s...


Spaces allow you to restrict user access to services, jobs, and secrets. At a minimum, we recommend using spaces to restrict service access to secrets.


To secure sensitive values like private keys, API tokens, and database passwords, Enterprise DC/OS provides secure storage and transport, as well as fine-grained access controls.

Linux user accounts

The default Linux user for tasks and sandbox files varies according to your security mode and the type of container the task runs inside of. By default, all tasks will run inside o...


Your cluster will become more secure as you move from disabled to permissive to strict security modes. However, there are a number of settings that you can modify independent of yo...