Dynatrace Operator security
Kubernetes observability relies on components with different purposes, default configurations, and permissions. These different components need permissions to perform and maintain operational function of Dynatrace within your cluster.
Permission list
Dynatrace Operator
Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.
Default configuration: 1-replica-per-cluster
Cluster-wide permissions
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
Nodes | "" | Get/List/Watch | |
Namespaces | "" | Get/List/Watch/Update | |
Secrets | "" | Create | |
Secrets | "" | Get/Update/Delete/List | dynatrace-dynakube-configdynatrace-metadata-enrichment-endpointdynatrace-internal-proxy |
Events | "" | Create/Patch | |
MutatingWebhookConfigurations | admissionregistration.k8s.io | Get/Update | dynatrace-webhook |
ValidatingWebhookConfigurations | admissionregistration.k8s.io | Get/Update | dynatrace-webhook |
CustomResourceDefinitions | apiextensions.k8s.io | Get/Update | dynakubes.dynatrace.comedgeconnects.dynatrace.com |
SecurityContextConstraints | security.openshift.io | Use | privilegednonroot-v2 |
Namespace dynatrace permissions
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
Dynakubes | dynatrace.com | Get/List/Watch/Update/Create | |
EdgeConnects | dynatrace.com | Get/List/Watch/Update/Create | |
ActiveGates | dynatrace.com | Get/List/Watch/Update/Create | |
Dynakubes/Finalizers | dynatrace.com | Update | |
Dynakubes/Status | dynatrace.com | Update | |
EdgeConnects/Finalizers | dynatrace.com | Update | |
EdgeConnects/Status | dynatrace.com | Update | |
ActiveGates/Finalizers | dynatrace.com | Update | |
ActiveGates/Status | dynatrace.com | Update | |
StatefulSets | apps | Get/List/Watch/Create/Update/Delete | |
DaemonSets | apps | Get/List/Watch/Create/Update/Delete | |
ReplicaSets | apps | Get/List/Watch/Create/Update/Delete | |
Deployments | apps | Get/List/Watch/Create/Update/Delete | |
Deployments/Finalizers | apps | Update | |
ConfigMaps | "" | Get/List/Watch/Create/Update/Delete | |
Pods | "" | Get/List/Watch/Delete/Create | |
Secrets | "" | Get/List/Watch/Create/Update/Delete | |
Events | "" | List/Create | |
Services | "" | Create/Update/Delete/Get/List/Watch | |
Pods/Log | "" | Get | |
ServiceMonitors | monitoring.coreos.com | Get/Create | |
ServiceEntries | networking.istio.io | Get/List/Create/Update/Delete | |
VirtualServices | networking.istio.io | Get/List/Create/Update/Delete | |
Leases | coordination.k8s.io | Get/Update/Create |
OneAgent
Purposes:
Collects host metrics from Kubernetes nodes.
- Detects new containers and injects OneAgent code modules into application pods using classic full-stack injection. optional
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
Policy settings: Allow HostNetwork, HostPID, to use any volume types.
Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
SecurityContextConstraints | security.openshift.io | Use | privileged |
Dynatrace CSI driver
Purpose:
- For
applicationMonitoringconfigurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node. - For
hostMonitoringconfigurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used. - For
cloudNativeFullStack, it provides both of the above.
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
Cluster-wide permission
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
Namespaces | "" | Get/List/Watch | |
Events | "" | List/Watch/Create/Update/Patch | |
CsiNodes | storage.k8s.io | Get/List/Watch | |
Nodes | "" | Get/List/Watch | |
Pods | "" | Get/List/Watch | |
SecurityContextConstraints | security.openshift.io | Use | privileged |
Namespace dynatrace permissions
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
EndPoints | "" | Get/Watch/List/Delete/Update/Create | |
Leases | coordination.k8s.io | Get/Watch/List/Delete/Update/Create | |
Dynakubes | dynatrace.com | Get/List/Watch | |
Secrets | "" | Get/List/Watch | |
ConfigMaps | "" | Get/List/Watch |
Dynatrace webhook server
Purposes:
Modifies pod definitions to include Dynatrace code modules for application observability
Validates DynaKube custom resources
Handles the DynaKube conversion between versions
Default configuration: 1-replica-per-cluster, can be scaled
Cluster-wide permissions
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
Namespaces | "" | Get/List/Watch/Update | |
Events | "" | Create/Patch | |
Secrets | "" | Create | |
Secrets | "" | Get/List/Watch/Update | dynatrace-dynakube-configdynatrace-metadata-enrichment-endpoint |
ReplicationControllers | "" | Get | |
ReplicaSets | apps | Get | |
StatefulSets | apps | Get | |
DaemonSets | apps | Get | |
Deployments | apps | Get | |
Jobs | batch | Get | |
CronJobs | batch | Get | |
DeploymentConfigs | apps.openshift.io | Get | |
SecurityContextConstraints | security.openshift.io | Use | privilegednonroot-v2 |
Namespace dynatrace permissions
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
Services | "" | Get/List/Watch/Create/Update | |
ConfigMaps | "" | Get/List/Watch/Create/Update | |
Secrets | "" | Get/List/Watch/Create/Update | |
Pods | "" | Get/List/Watch | |
Dynakubes | dynatrace.com | Get/List/Watch | |
Events | "" | List/Create | |
Leases | coordination.k8s.io | Get/Update/Create | |
DaemonSets | apps | List/Watch |
Dynatrace ActiveGate (Kubernetes Monitoring)
Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.
Default configuration: 1-replica-per-cluster, can be scaled
Cluster-wide permissions: The following table shows the permissions needed for Dynatrace Kubernetes Monitoring.
| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
Nodes | "" | List/Watch/Get | |
Pods | "" | List/Watch/Get | |
Namespaces | "" | List/Watch/Get | |
ReplicationControllers | "" | List/Watch/Get | |
Events | "" | List/Watch/Get | |
ResourceQuotas | "" | List/Watch/Get | |
Pods/Proxy | "" | List/Watch/Get | |
Nodes/Proxy | "" | List/Watch/Get | |
Nodes/Metrics | "" | List/Watch/Get | |
Services | "" | List/Watch/Get | |
Jobs | batch | List/Watch/Get | |
CronJobs | batch | List/Watch/Get | |
Deployments | apps | List/Watch/Get | |
ReplicaSets | apps | List/Watch/Get | |
StatefulSets | apps | List/Watch/Get | |
DaemonSets | apps | List/Watch/Get | |
DeploymentConfigs | apps.openshift.io | List/Watch/Get | |
ClusterVersions | config.openshift.io | List/Watch/Get | |
Dynakubes | dynatrace.com | List/Watch/Get | |
SecurityContextConstraints | security.openshift.io | Use | privilegednonroot-v2 |
CIS Benchmark of Operator components
The page presents a detailed analysis of the security controls for Kubernetes components - Dynatrace Operator, Webhook, and CSI. This report is based on the CIS Benchmark, a globally recognized standard for securing Kubernetes deployments.
| Security Control | Operator | Webhook | CSI |
|---|---|---|---|
| Disallow privileged Containers | Satisfied | Satisfied | Works as designed |
| Disallow privilege escalation | Satisfied | Satisfied | Works as designed |
| Disallow containers running as root | Satisfied | Satisfied | Works as designed 3 |
| Disallow usage of too many or insecure capabilities | Satisfied | Satisfied | Satisfied |
| Disallow usage of hostPath volumes | Satisfied | Satisfied | Works as designed 4 |
| Disallow usage of HostPorts | Satisfied | Satisfied | Satisfied |
| Disallow access to host network | Satisfied | Satisfied | Satisfied |
| Disallow usage of Host PID and Host IPC | Satisfied | Satisfied | Satisfied |
| Require readOnlyRootFilesystem | Satisfied | Satisfied | Satisfied |
| Require Resource limits | Satisfied | Satisfied | Satisfied |
| Demand seccomp to be used (at least default/runtime) | Satisfied | Satisfied | Satisfied |
| Disallow Secrets mounted as env variable | Satisfied | Satisfied | Satisfied |
| Restrict sysctls | Satisfied | Satisfied | Satisfied |
| Restrict AppArmor | Satisfied | Satisfied | Satisfied |
| Disallow SELinux | Satisfied | Satisfied | Works as designed 5 |
| Restrict automounting of service account token | Works as designed 1 | Works as designed 1 | Works as designed 1 |
General:
component needs to communicate with the Kubernetes API
CSI:
The CSI driver communicates with kubelet using a socket on the host, to access this socket the CSI driver needs to run as root.
The CSI driver stores/caches the OneAgent binaries on the host's filesystem, in order to do that it needs a hostVolume mount.
The CSI driver needs seLinux level s0 for the application pods to see files from the volume created by the CSI driver.
Pod security policies
These permissions used to be managed using a PodSecurityPolicy (PSP), but in Kubernetes version 1.25 PSPs will be removed from the following components:
- Dynatrace Operator version 0.2.2
- LEGACY Dynatrace OneAgent Operator version 0.11.0
- Corresponding Helm charts
Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:
If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.
Dynatrace Operator security context constraints
Dynatrace Operator version 0.12.0+
Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.
Despite this update, the components maintain the same permissions and security requirements as before.
The following tables show the SCCs used in different versions of Dynatrace Operator (DTO) and OpenShift.
| Resources accessed | Custom SCC used in DTO versions earlier than 0.12.0 | SCC in DTO version 0.12.0+ and OpenShift earlier than 4.11 |
|---|---|---|
| Dynatrace Operator | dynatrace-operator | privileged1 |
| Webhook | dynatrace-webhook | privileged1 |
| CSI Driver | dynatrace-oneagent-csi-driver | privileged1 |
| OneAgent | dynatrace-dynakube-oneagent-privilegeddynatrace-dynakube-oneagent-unprivileged | privileged1 |
| ActiveGate | dynatrace-activegate | privileged1 |
| Resources accessed | Custom SCC used in DTO versions earlier than 0.12.0 | SCC in DTO version 0.12.0+ and OpenShift 4.11+ |
|---|---|---|
| Dynatrace Operator | dynatrace-operator | nonroot-v2 |
| Webhook | dynatrace-webhook | nonroot-v2 |
| CSI Driver | dynatrace-oneagent-csi-driver | privileged1 |
| OneAgent | dynatrace-dynakube-oneagent-privilegeddynatrace-dynakube-oneagent-unprivileged | privileged1 |
| ActiveGate | dynatrace-activegate | nonroot-v2 |
1 This SCC is the only built-in OpenShift SCC that allows usage of seccomp, which our components have set by default, and also the usage of CSI volumes. |
It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.
To remove the old SCCs, use the following command:
oc delete scc <scc-name>