Dynatrace component permissions for Kubernetes/OpenShift
Kubernetes observability relies on components with different purposes, default configurations, and permissions.
Dynatrace Operator
Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.
Default configuration: 1-replica-per-cluster
Cluster-wide permissions: The following table shows the permissions needed for Dynatrace Operator.
| Resources accessed | APIs used | Resource names |
|---|---|---|
Nodes | Get/List/Watch | - |
Namespaces | Get/List/Watch | - |
Secrets | Create | - |
Secrets | Get/Update/Delete | dynatrace-dynakube-config |
MutatingWebhookConfigurations | List/Watch | - |
MutatingWebhookConfigurations | Get/Update | dynatrace-webhook |
ValidatingWebhookConfigurations | List/Watch | - |
ValidatingWebhookConfigurations | Get/Update | dynatrace-webhook |
Events | Create/Patch | - |
CustomResourceDefinitions | List/Watch | - |
CustomResourceDefinitions | Get/Update | dynakubes.dynatrace.com |
OneAgent
Purposes:
- Collects host metrics from Kubernetes nodes.
- Detects new containers and injects OneAgent code modules into application pods using classic full-stack injection. optional
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
Policy settings: Allow HostNetwork, HostPID, to use any volume types.
These permissions used to be managed using a PodSecurityPolicy (PSP), but in Kubernetes version 1.25 PSPs will be removed from the following components:
- Dynatrace Operator version 0.2.2
- LEGACY Dynatrace OneAgent Operator version 0.11.0
- Corresponding Helm charts
Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:
Note: If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.
Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE
Dynatrace CSI driver
Purpose:
- For
applicationMonitoringconfigurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node. - For
hostMonitoringconfigurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used. - For
cloudNativeFullStack, it provides both of the above.
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
Cluster-wide permissions: The following table shows the permissions needed for Dynatrace CSI driver.
| Resources accessed | APIs used | Resource names |
|---|---|---|
Namespaces | Get/List/Watch | - |
Events | List/Watch/Create/Update/Patch | - |
Nodes | Get/List/Watch | - |
CsiNodes | Get/List/Watch | - |
Pods | Get/List/Watch | - |
Dynatrace webhook server
Purposes:
- Modifies pod definitions to include Dynatrace code modules for application observability
- Validates DynaKube custom resources
- Handles the DynaKube conversion between versions
Default configuration: 1-replica-per-cluster, can be scaled
Cluster-wide permissions: The following table shows the permissions needed for the Dynatrace webhook server.
| Resources accessed | APIs used | Resource names |
|---|---|---|
Namespaces | Get/List/Watch | - |
Events | Create/Patch | - |
Secrets | Get/List/Watch | dynatrace-dynakube-config |
Secrets | Create | - |
Dynatrace Kubernetes Monitoring (ActiveGate)
Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.
Default configuration: 1-replica-per-cluster, can be scaled
Cluster-wide permissions: The following table shows the permissions needed for Dynatrace Kubernetes Monitoring.
| Resources accessed | APIs used | Resource names |
|---|---|---|
Nodes | Get/List/Watch | - |
Pods | Get/List/Watch | - |
Namespaces | Get/List/Watch | - |
Deployments | Get/List/Watch | - |
ReplicaSets | Get/List/Watch | - |
DeploymentConfigs | Get/List/Watch | - |
ReplicationControllers | Get/List/Watch | - |
Jobs | Get/List/Watch | - |
CronJobs | Get/List/Watch | - |
StatefulSets | Get/List/Watch | - |
DaemonSets | Get/List/Watch | - |
Events | Get/List/Watch | - |
ResourceQuotas | Get/List/Watch | - |
Pods/Proxy | Get/List/Watch | - |
Nodes/Proxy | Get/List/Watch | - |
Services | Get/List/Watch | - |
ClusterVersions | Get/List/Watch | - |
/metrics | Get | - |
/version | Get | - |
/readyz | Get | - |
/healthz | Get | - |