Kubernetes API Monitoring
Dynatrace obtains information about Kubernetes entities and metadata by querying the Kubernetes API. This information is used for out-of-the-box alerting for Kubernetes and to provide all observability signals in a proper Kubernetes context within the Dynatrace platform, for example, by creating relationships among applications, (micro-)services, databases, and Kubernetes entities such as pods, namespaces, and nodes.
Dynatrace Operator manages the lifecycle of all Dynatrace components within a Kubernetes cluster and can be configured by deploying a DynaKube Custom Resource. Dynatrace ActiveGate—the Dynatrace component required to monitor the Kubernetes API—offers a capability for Kubernetes API Monitoring.
Follow the steps below to enable Kubernetes API monitoring.
Install Dynatrace Operator
Configure DynaKube
Connect ActiveGate with Kubernetes API
Install Dynatrace Operator
Install Dynatrace Operator in any deployment mode
Configure DynaKube
Configure the ActiveGate values of the DynaKube according to the list of parameters and add kubernetes-monitoring
to the ActiveGate capabilities.
...
activeGate:
capabilities:
- routing
- kubernetes-monitoring
...
Connect ActiveGate with Kubernetes API
You have two options:
- Connect the containerized ActiveGate to a local Kubernetes API endpoint
- Connect the containerized ActiveGate to the public Kubernetes API URL
See below for instructions for both options.
Connect to a local Kubernetes API endpoint
You can enable monitoring by connecting a containerized ActiveGate to a local Kubernetes API endpoint.
There are two ways to connect to the local Kubernetes API endpoint:
- recommended Let Dynatrace Operator automatically handle the connection
- Configure the connection manually
See below for details on both methods.
To connect automatically to the local Kubernetes API endpoint
-
Make sure to enable the Read entities, Read settings, and Write settings permissions (API v2) for your API token (see Access tokens and permissions).
-
Make sure that you have the
kubernetes-monitoring
capability enabled in your DynaKube custom resource. -
Add the following annotation (see example below).
apiVersion: dynatrace.com/v1beta1 kind: DynaKube metadata: name: dynakube namespace: dynatrace annotations: feature.dynatrace.com/automatic-kubernetes-api-monitoring: "true" spec: ... activeGate: capabilities: - kubernetes-monitoring
After adding this annotation, the name of the cluster displayed in Dynatrace will be the same as the DynaKube custom resource where the annotation is configured. You can change the cluster name displayed in Dynatrace by adding the
feature.dynatrace.com/automatic-kubernetes-api-monitoring-cluster-name: "custom-cluster-name"
annotation as well.Example with custom cluster name:
apiVersion: dynatrace.com/v1beta1 kind: DynaKube metadata: name: dynakube namespace: dynatrace annotations: feature.dynatrace.com/automatic-kubernetes-api-monitoring: "true" feature.dynatrace.com/automatic-kubernetes-api-monitoring-cluster-name: "custom-cluster-name" spec: ... activeGate: capabilities: - kubernetes-monitoring
-
Apply your configuration.
To disable the configuration, remove the annotation.
To connect to a local Kubernetes API endpoint manually, you only need to provide the unique Kubernetes cluster ID (the uuid of the kube-system namespace) in Dynatrace web UI. The containerized ActiveGate then identifies the unique cluster ID and sends it over to Dynatrace.
Get the Kubernetes cluster ID
Run the command below and grab the UID from the output.
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
oc get namespace kube-system -o jsonpath='{.metadata.uid}'
Provide the Kubernetes cluster ID in the Dynatrace web UI
-
In the Dynatrace menu, go to Kubernetes.
-
Select Connect manually.
-
On the Kubernetes cluster connection settings page, provide a Name, and then turn on Connect containerized ActiveGate to local Kubernetes API endpoint.
-
For Kubernetes cluster ID, enter the UID obtained earlier.
-
Select Save changes to save your configuration.
You can save your configuration even if the ActiveGate isn't ready to connect, and finish the configuration later. To verify if it's ready, select Test configuration.
Connect to the public Kubernetes API
To connect to the public Kubernetes API, follow the instructions that apply to your Kubernetes version:
Kubernetes version 1.24+
-
Get the Kubernetes API URL.
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
oc config view --minify -o jsonpath='{.clusters[0].cluster.server}'
If you set
enableIstio
totrue
in the DynaKube custom resource, use the command below to get the Kubernetes API URL:kubectl -n default get svc/kubernetes -o jsonpath='https://{.spec.clusterIP}'
oc -n default get svc/kubernetes -o jsonpath='https://{.spec.clusterIP}'
-
Create a file named
token-secret.yaml
with the following content:apiVersion: v1 kind: Secret metadata: name: dynatrace-kubernetes-monitoring annotations: kubernetes.io/service-account.name: "dynatrace-kubernetes-monitoring" type: kubernetes.io/service-account-token
-
Apply the file to create the
dynatrace-kubernetes-monitoring
secret.kubectl apply -n dynatrace -f token-secret.yaml
oc apply -n dynatrace -f token-secret.yaml
-
Get the bearer token.
kubectl get secret dynatrace-kubernetes-monitoring -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
oc get secret dynatrace-kubernetes-monitoring -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
-
In the Dynatrace menu, go to Kubernetes and select Connect manually.
-
On the Kubernetes cluster connection settings page, provide a Name, the Kubernetes API URL, and the Bearer token for the Kubernetes cluster.
-
Select Save changes.
Kubernetes version earlier than 1.24
-
Get the Kubernetes API URL.
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
oc config view --minify -o jsonpath='{.clusters[0].cluster.server}'
If you set
enableIstio
totrue
in the DynaKube custom resource, use the command below to get the Kubernetes API URL:kubectl -n default get svc/kubernetes -o jsonpath='https://{.spec.clusterIP}'
oc -n default get svc/kubernetes -o jsonpath='https://{.spec.clusterIP}'
-
Get the bearer token.
kubectl get secret $(kubectl get sa dynatrace-kubernetes-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
oc get secret $(oc get sa dynatrace-kubernetes-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
oc get secret $(oc get sa dynatrace-kubernetes-monitoring -o jsonpath='{.secrets[1].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
-
In the Dynatrace menu, go to Kubernetes and select Connect manually.
-
On the Kubernetes cluster connection settings page, provide a Name, the Kubernetes API URL, and the Bearer token for the Kubernetes cluster.
For Rancher distributions, you need the bearer token that was created in the Rancher web UI, as described in Special instructions for Rancher distributions to get the API URL and the bearer token above.
-
Select Save changes.
Other Options
- If you can't use Dynatrace Operator, you can deploy ActiveGate directly as a StatefulSet (not recommended).
- If you want to monitor several Kubernetes clusters with one ActiveGate and don't need to separate networks for administrative or operational traffic, you can install an ActiveGate on a virtual machine using a conventional installer.
Dynatrace recommends to use the containerized ActiveGate for Kubernetes API monitoring