OneAgent privileges for container monitoring
Dynatrace supports Full-Stack Monitoring for container platforms, from the application down to the infrastructure layer. This requires elevated privileges to get container-level metrics and perform deep-code host monitoring, including OneAgent injection into processes.
However, if you don't want to grant elevated privileges to OneAgent, or you don't have access to the infrastructure layer, you can go with application-only monitoring.
For Kubernetes, Dynatrace Operator–based application-only monitoring still provides you with a good scope of data, such as node-level insights (basic metrics and alerting) based on data retrieved by the ActiveGate from Kubernetes API, or Prometheus metrics.
The OneAgent container and underlying host share selected Linux namespaces for OneAgent to be able to access data required for full-stack monitoring:
- Shared network namespace enables processes running inside the container to directly access host network interfaces.
- Shared PID namespace enables processes running inside the container to see and work with all the processes from the host process table.
- Mounted host's root filesystem is accessed by all OneAgent modules and allows for log files access, disk metrics, and other full-stack monitoring capabilities.
During monitoring, the scope of required permissions for each process is limited using specific Linux System Capabilities.
You can achieve full-stack injection using the following deployment modes:
- Dynatrace Operator on Kubernetes/OpenShift
- Docker outside a container platform
OneAgent on Docker host
Alternatively, you can also deploy OneAgent on the Docker host on Linux. In this scenario, OneAgent does not run in a container but directly on the host, so there is no Linux namespace isolation. For more information, see OneAgent on Linux.
OneAgent deployed in application-only mode doesn't run as a privileged container.
For more information, see: