Dynatrace component permissions for Kubernetes/OpenShift

Kubernetes observability relies on components with different purposes, default configurations, and permissions.

Dynatrace Operator

Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.

Default configuration: 1-replica-per-cluster

Cluster-wide permissions: The following table shows the permissions needed for Dynatrace Operator.

Resources accessed               APIs used           Resource names
Nodes                            Get/List/Watch      -
Namespaces                       Get/List/Watch      -
Secrets                          Create              -
Secrets                          Get/Update/Delete   dynatrace-dynakube-config,
                                                     dynatrace-data-ingest-endpoint,
                                                     dynatrace-activegate-internal-proxy
MutatingWebhookConfigurations    Get/Update          dynatrace-webhook
ValidatingWebhookConfigurations  Get/Update          dynatrace-webhook
Events                           Create/Patch        -
CustomResourceDefinitions        Get/Update          dynakubes.dynatrace.com

OneAgent

Purposes:

  • Collects host metrics from Kubernetes nodes.
  • Detects new containers and injects OneAgent code modules into application pods using classic full-stack injection (optional).

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

Policy settings: Allow HostNetwork, HostPID, and the use of any volume types.

Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE

PodSecurityPolicies

These permissions used to be managed using a PodSecurityPolicy (PSP). Because PSPs are removed in Kubernetes version 1.25, they are no longer shipped with the following components:

  • Dynatrace Operator version 0.2.2
  • LEGACY Dynatrace OneAgent Operator version 0.11.0
  • Corresponding Helm charts

Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:

  • k-rail
  • Kyverno
  • Gatekeeper

Note: If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.
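The rule a PSP alternative has to enforce for the OneAgent DaemonSet is the combination of the "Policy settings" and "Necessary capabilities" lines above. The following is an added example, not Dynatrace's code and not the policy syntax of k-rail, Kyverno or Gatekeeper: it expresses that rule in plain Python so you can see what such a policy must allow and what it should still reject (a privileged container, `ALL` capabilities, a capability outside the list, or hostIPC, which the page does not list). The pod spec, container names and image names are constructed placeholders.

```python
"""Check a pod spec against the OneAgent host settings and capabilities listed above.

Added example, not Dynatrace's own code: it encodes the documented policy so a
PSP replacement can be validated against it. The pod spec at the bottom is a
constructed sample with two deviations.
"""

# Transcribed from the "Necessary capabilities" line above.
DOCUMENTED_CAPABILITIES = {
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "NET_ADMIN", "NET_RAW", "SETFCAP", "SETGID", "SETUID", "SYS_ADMIN",
    "SYS_CHROOT", "SYS_PTRACE", "SYS_RESOURCE",
}
# Transcribed from the "Policy settings" line above; hostIPC is not listed there.
DOCUMENTED_HOST_NAMESPACES = {"hostNetwork", "hostPID"}
# "Allow ... any volume types": nothing to restrict on the volumes field.


def check_pod_spec(spec):
    """Return one finding per request that exceeds the documented policy."""
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) and field not in DOCUMENTED_HOST_NAMESPACES:
            findings.append(f"pod sets {field}=true, which the policy does not allow")
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        if sc.get("privileged"):
            # privileged implies every capability, so it always exceeds a fixed list
            findings.append(f"container {name} is privileged instead of adding listed capabilities")
        added = set((sc.get("capabilities") or {}).get("add", []))
        if "ALL" in added:
            findings.append(f"container {name} adds ALL capabilities")
            added.discard("ALL")
        for cap in sorted(added - DOCUMENTED_CAPABILITIES):
            findings.append(f"container {name} adds undocumented capability {cap}")
    return findings


# Constructed sample pod spec (placeholder names and images), with three deviations:
# hostIPC, a privileged init container, and one capability outside the list.
SAMPLE_POD_SPEC = {
    "hostNetwork": True,
    "hostPID": True,
    "hostIPC": True,
    "initContainers": [
        {"name": "prepare", "image": "example/prepare:1",
         "securityContext": {"privileged": True}},
    ],
    "containers": [
        {"name": "oneagent", "image": "example/oneagent:1",
         "securityContext": {"capabilities": {
             "add": sorted(DOCUMENTED_CAPABILITIES) + ["SYS_MODULE"]}}},
    ],
    # any volume type is allowed, so a hostPath volume is not a finding
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
}


if __name__ == "__main__":
    for finding in check_pod_spec(SAMPLE_POD_SPEC):
        print(finding)
```

Capability names in a pod's `securityContext.capabilities.add` are written without the `CAP_` prefix, which is why the set above matches the page's spelling directly.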

Dynatrace CSI driver

Purpose:

  • For applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.
  • For hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.
  • For cloudNativeFullStack, it provides both of the above.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

Cluster-wide permissions: The following table shows the permissions needed for Dynatrace CSI driver.

Resources accessed  APIs used                        Resource names
Namespaces          Get/List/Watch                   -
Events              List/Watch/Create/Update/Patch   -
Nodes               Get/List/Watch                   -
CsiNodes            Get/List/Watch                   -
Pods                Get/List/Watch                   -

Dynatrace webhook server

Purposes:

  • Modifies pod definitions to include Dynatrace code modules for application observability
  • Validates DynaKube custom resources
  • Handles the DynaKube conversion between versions

Default configuration: 1-replica-per-cluster, can be scaled

Cluster-wide permissions: The following table shows the permissions needed for the Dynatrace webhook server.

Resources accessed      APIs used               Resource names
Namespaces              Get/List/Watch/Update   -
Events                  Create/Patch            -
Secrets                 Get/List/Watch/Update   dynatrace-dynakube-config,
                                                dynatrace-data-ingest-endpoint
Secrets                 Create                  -
Replicationcontrollers  Get                     -
Replicasets             Get                     -
Statefulsets            Get                     -
Daemonsets              Get                     -
Deployments             Get                     -
Jobs                    Get                     -
Cronjobs                Get                     -
Deploymentconfigs       Get                     -

Dynatrace Kubernetes Monitoring (ActiveGate)

Purpose: Collects cluster and workload metrics, events, and status from the Kubernetes API.

Default configuration: 1-replica-per-cluster, can be scaled

Cluster-wide permissions: The following table shows the permissions needed for Dynatrace Kubernetes Monitoring.

Resources accessed      APIs used        Resource names
Nodes                   Get/List/Watch   -
Pods                    Get/List/Watch   -
Namespaces              Get/List/Watch   -
Deployments             Get/List/Watch   -
ReplicaSets             Get/List/Watch   -
DeploymentConfigs       Get/List/Watch   -
ReplicationControllers  Get/List/Watch   -
Jobs                    Get/List/Watch   -
CronJobs                Get/List/Watch   -
StatefulSets            Get/List/Watch   -
DaemonSets              Get/List/Watch   -
Events                  Get/List/Watch   -
ResourceQuotas          Get/List/Watch   -
Pods/Proxy              Get/List/Watch   -
Nodes/Proxy             Get/List/Watch   -
Services                Get/List/Watch   -
ClusterVersions         Get/List/Watch   -
/metrics                Get              -
/version                Get              -
/readyz                 Get              -
/livez                  Get              -
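The four permission tables on this page (Dynatrace Operator, CSI driver, webhook server and Kubernetes Monitoring) are the least-privilege baseline for the corresponding ClusterRoles, and the useful check in a hardened cluster is whether a deployed ClusterRole has drifted from them: a verb the table does not list, or a Secrets rule that lost its resourceNames restriction and now reaches every Secret in the cluster. The following is an added example, not Dynatrace's own tooling: it audits the JSON that `kubectl get clusterrole <name> -o json` prints against a table transcribed as a dict. The Dynatrace Operator table is transcribed here; the other three tables work the same way with their own dict. The ClusterRole below is a constructed sample with a placeholder name, not something taken from a real cluster.

```python
"""Audit a ClusterRole against a documented permission table.

Added example, not Dynatrace's own tooling. Reports verbs granted beyond the
table, verbs granted on all objects where the table names specific ones, and
documented verbs that the role does not grant. apiGroups are not part of the
tables on this page, so they are not compared.
"""
import json

# Dynatrace Operator permissions, transcribed from the table on this page.
# Key: (resource, resourceNames); an empty tuple means the table shows "-",
# i.e. the verb applies to any object of that kind.
EXPECTED_OPERATOR = {
    ("nodes", ()): {"get", "list", "watch"},
    ("namespaces", ()): {"get", "list", "watch"},
    ("secrets", ()): {"create"},
    ("secrets", ("dynatrace-dynakube-config",
                 "dynatrace-data-ingest-endpoint",
                 "dynatrace-activegate-internal-proxy")): {"get", "update", "delete"},
    ("mutatingwebhookconfigurations", ("dynatrace-webhook",)): {"get", "update"},
    ("validatingwebhookconfigurations", ("dynatrace-webhook",)): {"get", "update"},
    ("events", ()): {"create", "patch"},
    ("customresourcedefinitions", ("dynakubes.dynatrace.com",)): {"get", "update"},
}

# Constructed sample (placeholder name): a drifted ClusterRole with two deviations.
SAMPLE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "namespaces"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
        # Deviation 1: resourceNames dropped, so this rule reaches every Secret.
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "update", "delete"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
         "resourceNames": ["dynatrace-webhook"], "verbs": ["get", "update"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
        # Deviation 2: "delete" on the CRD is not in the table.
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions"],
         "resourceNames": ["dynakubes.dynatrace.com"],
         "verbs": ["get", "update", "delete"]},
    ],
}


def _covered(resource, names, verb, expected):
    """True if the table allows `verb` on `resource` for exactly these names."""
    for (exp_res, exp_names), exp_verbs in expected.items():
        if exp_res != resource or verb not in exp_verbs:
            continue
        if not exp_names:                        # table says "-": any name is fine
            return True
        if names and set(names) <= set(exp_names):
            return True                          # restricted to a documented subset
    return False


def audit_clusterrole(role, expected):
    """Return (excess, missing) findings for a ClusterRole given as JSON text or dict."""
    if isinstance(role, str):
        role = json.loads(role)
    grants = []   # (resource, names, verb) for every verb the role hands out
    excess = []
    for rule in role.get("rules", []):
        names = tuple(rule.get("resourceNames", []))
        for resource in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                grants.append((resource, names, verb))
                if "*" in (resource, verb):
                    excess.append(f"wildcard grant: {verb} on {resource}")
                elif not _covered(resource, names, verb, expected):
                    scope = f"resourceNames={','.join(names)}" if names else "all names"
                    excess.append(f"{verb} on {resource} granted for {scope}")
    missing = []
    for (exp_res, exp_names), exp_verbs in expected.items():
        for verb in sorted(exp_verbs):
            satisfied = any(
                g_res == exp_res and g_verb == verb
                and (not g_names or set(exp_names) <= set(g_names))
                for g_res, g_names, g_verb in grants
            )
            if not satisfied:
                missing.append(f"{verb} on {exp_res} ({','.join(exp_names) or 'any name'})")
    return excess, missing


if __name__ == "__main__":
    found_excess, found_missing = audit_clusterrole(SAMPLE_CLUSTERROLE, EXPECTED_OPERATOR)
    for line in found_excess:
        print("EXCESS :", line)
    for line in found_missing:
        print("MISSING:", line)
```

Run against the sample, the audit reports the three unrestricted Secret verbs and the extra CRD `delete`, and nothing missing; a Secrets rule that keeps the three documented resourceNames is accepted, as is one that names only a subset of them.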

Related topics

  • Kubernetes/OpenShift monitoring

    Monitor Kubernetes/OpenShift with Dynatrace.