• Home
  • Deploy Dynatrace
  • Set up Dynatrace on container platforms
  • Kubernetes
  • Legacy
  • Deploy OneAgent Operator on Kubernetes (deprecated)

Deploy OneAgent Operator on Kubernetes (deprecated)

This procedure is deprecated.

  • If you are making a fresh installation, you should set up Kubernetes monitoring using Dynatrace Operator.
  • If you already have OneAgent installed using OneAgent Operator, please see the instructions for migrating to Dynatrace Operator.

Installation

Find out below how to install and configure OneAgent.

Prerequisites
  • Generate an API token and a PaaS token in your Dynatrace environment.
    Note: Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.
  • Pods must allow egress to your Dynatrace environment or to your Environment ActiveGate in order for metric routing to work properly.
  • See Support lifecycle for supported Kubernetes versions.
  1. Create the necessary objects for OneAgent Operator.

    OneAgent Operator acts on its separate namespace dynatrace. It holds the operator deployment and all dependent objects like permissions, custom resources and the corresponding DaemonSet. You can also observe the logs of OneAgent Operator.

    bash
    kubectl create namespace dynatrace
    bash
    kubectl apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/kubernetes.yaml
    bash
    kubectl -n dynatrace logs -f deployment/dynatrace-oneagent-operator
  2. Create the secret holding API and PaaS tokens for authentication to the Dynatrace Cluster.

    The name of the secret is important in a later step when you configure the custom resource (.spec.tokens). In the following code-snippet the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values explained in the prerequisites.

    bash
    kubectl -n dynatrace create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"
  3. Save custom resource.

    The rollout of Dynatrace OneAgent is governed by a custom resource of type OneAgent. Retrieve the cr.yaml file from the GitHub repository.

    bash
    curl -o cr.yaml https://raw.githubusercontent.com/Dynatrace/dynatrace-oneagent-operator/master/deploy/cr.yaml
  4. Adapt the values of the custom resource as indicated below.

    If you want to revert an argument, you need to set it to empty instead of removing it from the custom resource.
    Example:

    plaintext
    args: - "--set-proxy="
    Parameters...
    ParameterDescriptionDefault value
    apiUrlrequired
    For Dynatrace SaaS, where OneAgent can connect to the internet, replace the Dynatrace ENVIRONMENTID in https://ENVIRONMENTID.live.dynatrace.com/api.
    For Environment ActiveGates (SaaS or Managed), use the following to download the OneAgent, as well as to communicate OneAgent traffic through the ActiveGate: https://YourActiveGateIP or FQDN:9999/e/<ENVIRONMENTID>/api.
    useUnprivilegedModeoptional Set to false if you want to mark the pod as privileged. Defaults to using Linux capabilities for the OneAgent podtrue
    tokensoptional Name of the secret that holds the API and PaaS tokens from above.Name of custom resource (.metadata.name) if unset
    useImmutableImageoptional Set to true if you want to pull a OneAgent Docker image from your Dynatrace environment. Use this parameter together with the agentVersion parameter to control the version of OneAgent.false
    agentVersionoptional Set this value to the OneAgent version using semantic versioning (major.minor.patch). Example: 1.203.0latest version
    argsoptional Parameters to be passed to the OneAgent installer. All the command line parameters of the installer are supported, with the exception of INSTALL_PATH.
    envoptional Environment variables for OneAgent container.
    skipCertCheckoptional Disable certificate validation checks for installer download and API communication. Set to true if you want to skip any certification validation checks.false
    nodeSelectoroptional Keep empty default value. If you want to roll out OneAgent to specific nodes only, provide the nodeSelectors here. Refer to Kubernetes docs for details.
    tolerationsoptional Keep default value to also roll out the OneAgent to primary nodes if possible. If you want to apply additional tolerations to OneAgent pods for tainted nodes, provide them here. Refer to Kubernetes docs for details.
    imageoptional Define the OneAgent image to be taken. Defaults to the publicly available OneAgent image on Docker Hub. In order to use the certified OneAgent image from Red Hat Container Catalog you need to set .spec.image to registry.connect.redhat.com/dynatrace/oneagent in the custom resource and provide image pull secrets as shown in the next step.docker.io/dynatrace/oneagent:latest if unset
    resourcesoptional Resource requests/limits for the OneAgent pods. These settings heavily depend on size of worker nodes and workloads. Please adjust to fit your needs.
    priorityClassNameoptional Priority class for OneAgent pod. Refer to Kubernetes docs.
    disableAgentUpdateoptional Disable the Operator's auto-update feature for OneAgent pods.false
    enableIstiooptional Enable management of Istio service entries and virtual services for Dynatrace endpoints to allow for OneAgent monitoring egress traffic to your Dynatrace environmentfalse
    trustedCAsoptional Adds the provided CA certficates to the Operator and the OneAgent; provide the name of the configmap which holds your PEM in a field called certs.If not set, the default embedded certificates on the images will be used.
    Configuration for Anthos, SUSE CaaS, GKE, IKS, and TKGI

    For Anthos, SUSE CaaS, Google Kubernetes Engine, and VMware Tanzu Kubernetes Grid Integrated Edition (formerly PKE), you must add the following additional parameters to the env section in the cr.yaml file:

    Anthos and GKE
    yaml
    env: - name: ONEAGENT_ENABLE_VOLUME_STORAGE value: "true"
    TKGI
    yaml
    env: - name: ONEAGENT_ENABLE_VOLUME_STORAGE value: "true" - name: ONEAGENT_CONTAINER_STORAGE_PATH value: /var/vcap/store
    IKS
    yaml
    env: - name: ONEAGENT_ENABLE_VOLUME_STORAGE value: "true" - name: ONEAGENT_CONTAINER_STORAGE_PATH value: /opt
    SUSE CaaS
    yaml
    env: - name: ONEAGENT_ENABLE_VOLUME_STORAGE value: "true"
  5. Create the custom resource.

    bash
    kubectl apply -f cr.yaml
  6. optional Configure proxy.

    • You can configure optional parameters like proxy settings in the cr.yaml file in order to
      • download the OneAgent installer
      • ensure the communication between the OneAgent and your Dynatrace environment
      • ensure the communication between the Dynatrace OneAgent Operator and the Dynatrace API.

    There are two ways to provide the proxy, depending on whether or not your proxy uses credentials.

    No credentials

    If you have a proxy that doesn't use credentials, enter your proxy URL directly in the value field for the proxy.

    Example

    plaintext
    apiVersion: dynatrace.com/v1alpha1 kind: OneAgent metadata: name: oneagent namespace: dynatrace spec: apiUrl: https://environmentid.dynatrace.com/api tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists args: [] enableIstio: true proxy: value: http://mysuperproxy
    With credentials

    If your proxy uses credentials

    1. Create a secret with a field called proxy which holds your encrypted proxy URL with the credentials.
      Example.

      plaintext
      kubectl -n dynatrace create secret generic myproxysecret --from-literal="proxy=http://<user>:<password>@<IP>:<PORT>"
    2. Provide the name of the secret in the valueFrom section.
      Example.

      plaintext
      apiVersion: dynatrace.com/v1alpha1 kind: OneAgent metadata: name: oneagent namespace: dynatrace spec: apiUrl: https://environmentid.dynatrace.com/api tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists args: [] enableIstio: true proxy: valueFrom: myproxysecret
  7. optional Configure network zones.

    You can configure network zones by setting the following argument:

    yaml
    args: - --set-network-zone=<your.network.zone>

    See network zones for more information.

Prerequisites
  • Generate an API token and a PaaS token in your Dynatrace environment.
    Note: Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.

  • Pods must allow egress to your Dynatrace environment or to your Environment ActiveGate in order for metric routing to work properly.

  • See Support lifecycle for supported Kubernetes versions.

  • Install Helm version 3.

  1. Add the Dynatrace OneAgent Helm repository.

    bash
    helm repo add dynatrace \ https://raw.githubusercontent.com/Dynatrace/helm-charts/master/repos/stable
  2. Create a Dynatrace namespace.

    The Dynatrace OneAgent Operator acts on its separate namespace called dynatrace, which holds the operator deployment and all dependent objects like permissions, custom resources, and corresponding DaemonSets.

    bash
    kubectl create namespace dynatrace
  3. Create the custom resource definitions.

bash
kubectl apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/dynatrace.com_oneagents.yaml kubectl apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/dynatrace.com_oneagentapms.yaml
  1. Create a values.yaml file with the following content.

    yaml
    platform: "kubernetes" operator: image: "" oneagent: name: "oneagent" apiUrl: "https://ENVIRONMENTID.live.dynatrace.com/api" image: "" args: {} env: {} nodeSelector: {} labels: {} skipCertCheck: false disableAgentUpdate: false enableIstio: false dnsPolicy: "" resources: {} waitReadySeconds: null priorityClassName: "" serviceAccountName: "" proxy: "" trustedCAs: "" secret: apiToken: "DYNATRACE_API_TOKEN" paasToken: "PLATFORM_AS_A_SERVICE_TOKEN"

    Note: The OneAgent proxy setting is used by both the Operator and the OneAgent containers when communicating to the Dynatrace environment.

    Configuration for Anthos, SUSE CaaS, GKE, IKS, and TKGI

    For Anthos, SUSE CaaS, Google Kubernetes Engine, and VMware Tanzu Kubernetes Grid Integrated Edition (formerly PKE), you must add the following additional parameters to the env section in the values.yaml file:

    Anthos, SUSE CaaS, and GKE
    yaml
    env: - name: ONEAGENT_ENABLE_VOLUME_STORAGE value: "true"
    TKGI
    yaml
    env: - name: ONEAGENT_ENABLE_VOLUME_STORAGE value: "true" - name: ONEAGENT_CONTAINER_STORAGE_PATH value: /var/vcap/store
    IKS
    yaml
    env: - name: ONEAGENT_ENABLE_VOLUME_STORAGE value: "true" - name: ONEAGENT_CONTAINER_STORAGE_PATH value: /opt
  2. optional Configure network zones.

    You can configure network zones by setting the following argument:

    yaml
    args: - --set-network-zone=<your.network.zone>

    See network zones for more information.

  3. To apply the YAML parameters, run the following command:

    plaintext
    helm install dynatrace-oneagent-operator \ dynatrace/dynatrace-oneagent-operator -n\ dynatrace --values values.yaml

Note: After deployment, you need to restart your pods so OneAgent can inject into them.

Cluster-wide permissions

The following table shows the permissions needed for OneAgent Operator.

Resources accessedAPIs usedResource names
NodesGet/List/Watch-
NamespacesGet/List/Watch-
SecretsCreate-
SecretsGet/Update/Deletedynatrace-oneagent-config, dynatrace-oneagent-pull-secret

Limitations

See Docker limitations for details.

Troubleshoot

Find out how to troubleshoot issues that you may encounter when deploying OneAgent on Kubernetes.

Deploy an ActiveGate and connect your Kubernetes API to Dynatrace

Now that you have OneAgent running on your Kubernetes nodes, you're able to monitor those nodes, and the applications running in Kubernetes. The next step is to deploy an ActiveGate and connect your Kubernetes API to Dynatrace in order to get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods.
For further instructions see Deploy ActiveGate in Kubernetes as a StatefulSet.

Update OneAgent Operator with kubectl

OneAgent Operator (for Kubernetes version 1.9+) automatically takes care of the lifecycle of the deployed OneAgents, so you don't need to update OneAgent pods yourself.

Review the release notes of the Operator for any breaking changes on the custom resource.

If the custom resource of the new version is compatible with the already deployed version, you can simply set the OneAgent Operator image to the new tagged version. Be sure to replace vX.Y.Z with the new version in the following command:

bash
kubectl -n dynatrace set image deployment \ dynatrace-oneagent-operator *=quay.io/dynatrace/\ dynatrace-oneagent-operator:vX.Y.Z

Note: The image version of the OneAgent Operator is independent from the OneAgent version. To check the available versions for the Operator, see the OneAgent Operator releases.

To update OneAgent Operator, run the following command:

bash
kubectl apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/kubernetes.yaml

Update OneAgent Operator with Helm

  1. Update your Helm repositories.

    bash
    helm repo update

    Another method of updating the Dynatrace OneAgent Helm repository is adding it again, which overwrites the older version.

  2. Update OneAgent to the latest version.

    Don't omit the --reuse-values flag in the command in order to keep your configuration.

    bash
    helm upgrade dynatrace-oneagent-operator dynatrace/\ dynatrace-oneagent-operator -n dynatrace --reuse-values

Uninstall OneAgent Operator

To uninstall OneAgent Operator from Kubernetes version 1.9+

  1. Remove OneAgent custom resources and clean up all remaining OneAgent Operator–specific objects.

    bash
    kubectl delete -n dynatrace oneagent --all kubectl delete -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/kubernetes.yaml
  2. optional After deleting OneAgent Operator, the OneAgent binary remains on the node in an inactive state. To uninstall it completely, run the uninstall.sh script and delete logs and configuration files.
    See Linux related information.

Remove OneAgent custom resources and clean up all remaining OneAgent Operator–specific objects:

bash
helm uninstall dynatrace-oneagent-operator -n dynatrace
Related topics
  • Kubernetes/OpenShift monitoring

    Monitor Kubernetes/OpenShift with Dynatrace.

  • Store Dynatrace images in private registries in Kubernetes/OpenShift

    Store Dynatrace containers in private registries in Kubernetes/OpenShift environments.

  • Migrate Dynatrace Operator to a new Dynatrace environment - Kubernetes/OpenShift

    Migrate monitoring to a new Dynatrace environment on Kubernetes/OpenShift clusters.