Enable AppArmor for enhanced security
As part of getting started with Kubernetes monitoring, you might want to enable AppArmor for enhanced security.
Enable AppArmor for Dynatrace Operator
You can make Dynatrace Operator more secure by enabling AppArmor. Depending on whether you set up monitoring using Manifest or Helm, select one of the options below.
Add the following annotation to your DynaKube to deploy ActiveGate with AppArmor profile enabled (the annotation value must be the string "true", so keep the quotes):
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  annotations:
    feature.dynatrace.com/activegate-apparmor: "true"
Add the following annotations to your YAML to deploy the webhook and Dynatrace Operator with AppArmor profile enabled:
kind: Deployment
metadata:
  name: dynatrace-webhook
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
---
kind: Deployment
metadata:
  name: dynatrace-operator
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/dynatrace-operator: runtime/default
Add the following properties to the values.yaml file to deploy ActiveGate and Dynatrace Operator with AppArmor profile enabled:
operator:
  apparmor: true
webhook:
  apparmor: true
activeGate:
  apparmor: true
Enable a custom AppArmor profile for OneAgent
You can restrict OneAgent's access to a desired set of features. See below for how to enable a custom AppArmor profile and apply it to the OneAgent pods.
Create a custom OneAgent AppArmor profile
Install the profile on all worker nodes
Enforce the profile on all OneAgent pods
Create a custom OneAgent AppArmor profile
See Run OneAgent as a Docker container for details on how to create a custom AppArmor profile.
Install the profile on all worker nodes
OneAgent is deployed as a DaemonSet by default, which means the pods that use the AppArmor profile run on every node. You therefore need to install the OneAgent AppArmor profile on all nodes.
Depending on the environment, this can be done in several ways, such as by using the kube-apparmor-manager or the security-profiles-operator. Refer to the official documentation of these tools for how to apply them in your cluster.
Enforce the profile on all OneAgent pods
To enable AppArmor for all the OneAgent pods, add the container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent annotation to one of the following fields, depending on your deployment:
oneAgent.classicFullStack.annotations
oneAgent.cloudNativeFullStack.annotations
oneAgent.hostMonitoring.annotations
Example for cloudNativeFullStack deployment:
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://ENVIRONMENTID.live.dynatrace.com/api
  oneAgent:
    cloudNativeFullStack:
      annotations:
        container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent
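Once the annotations are in place, it is worth verifying that every running Dynatrace pod actually carries them, since a pod that is missing the annotation or explicitly set to unconfined runs without the profile. The following audit is an added example, not Dynatrace's own code; it checks the pod-level annotation keys and values used on this page against a constructed sample of `kubectl get pods -o json` output.

```python
import json

# Kubernetes AppArmor annotation prefix (the key format used on this page)
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Expected profile per container name, taken from the annotations on this page
EXPECTED = {
    "dynatrace-oneagent": "localhost/oneagent",
    "dynatrace-operator": "runtime/default",
    "webhook": "runtime/default",
}


def audit_pods(pod_list):
    """Return (pod, container, finding) tuples for Dynatrace containers whose
    AppArmor annotation is missing, 'unconfined', or not the expected profile."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        annotations = meta.get("annotations") or {}
        for container in pod.get("spec", {}).get("containers", []):
            cname = container["name"]
            if cname not in EXPECTED:
                continue  # not a Dynatrace component covered by this audit
            profile = annotations.get(APPARMOR_PREFIX + cname)
            if profile is None:
                findings.append((name, cname, "no AppArmor annotation"))
            elif profile == "unconfined":
                findings.append((name, cname, "explicitly unconfined"))
            elif profile != EXPECTED[cname]:
                findings.append((name, cname, f"unexpected profile {profile!r}"))
    return findings


# Constructed sample resembling `kubectl get pods -n dynatrace -o json` output
SAMPLE_PODS = json.loads(json.dumps({"items": [
    {"metadata": {"name": "dynakube-oneagent-abc12",
                  "annotations": {APPARMOR_PREFIX + "dynatrace-oneagent": "localhost/oneagent"}},
     "spec": {"containers": [{"name": "dynatrace-oneagent"}]}},
    {"metadata": {"name": "dynakube-oneagent-def34", "annotations": {}},
     "spec": {"containers": [{"name": "dynatrace-oneagent"}]}},
    {"metadata": {"name": "dynatrace-webhook-7d9c",
                  "annotations": {APPARMOR_PREFIX + "webhook": "unconfined"}},
     "spec": {"containers": [{"name": "webhook"}]}},
]}))

if __name__ == "__main__":
    for pod, container, finding in audit_pods(SAMPLE_PODS):
        print(f"{pod}/{container}: {finding}")
```

To run it against a live cluster, pipe the output of `kubectl get pods -n dynatrace -o json` through `json.load` and pass the result to `audit_pods` instead of `SAMPLE_PODS`.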