You bring up some valid points. This would be a great topic for a
white paper. The first line of defense should be to apply inbound and
outbound iptables rules. Only source IPs that have a direct need to
interact with the cluster should be allowed to. The same is true with
the web access. Only a range of source IPs should be allowed to
access the web interfaces. You can do this through SSH tunneling.

Preventing exec commands can be handled with the security manager and
the sandbox. I was thinking to only allow the execution of signed jars
myself but I never implemented it.
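One way to put the iptables allow-list described above into practice, as an added example that is not part of the original message: the script defaults to printing the rules so they can be reviewed before being applied, and the CIDRs and ports are constructed placeholders rather than values from the thread.

```shell
#!/bin/sh
# Added example, not from the original message: build an allow-list
# iptables ruleset for a cluster host. Dry-run by default (prints the
# commands); set APPLY=1 to execute them as root.
: "${APPLY:=0}"

run() {
    if [ "$APPLY" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# cluster_rules ALLOWED_CIDRS CLUSTER_PORTS ADMIN_CIDR
#   ALLOWED_CIDRS : space-separated networks that may reach cluster ports
#   CLUSTER_PORTS : space-separated TCP ports the cluster daemons listen on
#   ADMIN_CIDR    : the only network allowed to SSH in (web UIs are then
#                   reached with "ssh -L localport:127.0.0.1:uiport host")
cluster_rules() {
    allowed="$1"; ports="$2"; admin="$3"
    # Default deny in every direction; everything below is an exception.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the admin range; no web UI port is ever opened here,
    # so the UIs must bind to 127.0.0.1 and be tunnelled over SSH.
    run -A INPUT -s "$admin" -p tcp --dport 22 -j ACCEPT
    for cidr in $allowed; do
        for port in $ports; do
            run -A INPUT -s "$cidr" -p tcp --dport "$port" -j ACCEPT
            # Outbound: nodes talk to their peers on the same ports.
            run -A OUTPUT -d "$cidr" -p tcp --dport "$port" -j ACCEPT
        done
    done
    # Add DNS/NTP/package-mirror egress here if the hosts need it.
    # Log what gets dropped so unexpected clients show up in syslog.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "cluster-drop: "
    run -A INPUT -j DROP
}

# Constructed sample values: cluster net, two daemon ports, admin net.
cluster_rules "10.0.0.0/24" "8020 9000" "192.0.2.0/24"
```

Run it once in dry-run mode, compare the output with the expected allow-list, then re-run with APPLY=1 from a console session so a mistake in the SSH rule cannot lock you out.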
