
Dynatrace Operator security

Kubernetes observability relies on components with different purposes, default configurations, and permissions. Each of these components needs permissions to perform and maintain its operational function for Dynatrace within your cluster.

Permission list

Dynatrace Operator

Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.

Default configuration: 1-replica-per-cluster

Cluster-wide permissions

An empty API group cell denotes the Kubernetes core API group.

| Resources accessed | API group | APIs used |
|---|---|---|
| Dynakubes | dynatrace.com | Get/List/Watch/Update/Create |
| Dynakubes/Finalizers | dynatrace.com | Update |
| Dynakubes/Status | dynatrace.com | Update |
| StatefulSets | apps | Get/List/Watch/Create/Update/Delete |
| DaemonSets | apps | Get/List/Watch/Create/Update/Delete |
| ReplicaSets | apps | Get/List/Watch |
| Deployments | apps | Get/List/Watch |
| Deployments/Finalizers | apps | Update |
| ConfigMaps | | Get/List/Watch/Create/Update/Delete |
| Pods | | Get/List/Watch/Delete/Create |
| Secrets | | Get/List/Watch/Create/Update/Delete |
| Events | | List/Create |
| Services | | Create/Update/Delete/Get/List/Watch |
| Pods/Log | | Get |
| ServiceMonitors | monitoring.coreos.com | Get/Create |
| ServiceEntries | networking.istio.io | Get/List/Create/Update/Delete |
| VirtualServices | networking.istio.io | Get/List/Create/Update/Delete |
| Leases | coordination.k8s.io | Get/Update/Create |

Namespace dynatrace permissions

| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
| Dynakubes | dynatrace.com | Get/List/Watch/Update/Create | |
| Dynakubes/Finalizers | dynatrace.com | Update | |
| Dynakubes/Status | dynatrace.com | Update | |
| StatefulSets | apps | Get/List/Watch/Create/Update/Delete | |
| DaemonSets | apps | Get/List/Watch/Create/Update/Delete | |
| ReplicaSets | apps | Get/List/Watch | |
| Deployments | apps | Get/List/Watch | |
| Deployments/Finalizers | apps | Update | |
| ConfigMaps | | Get/List/Watch/Create/Update/Delete | |
| Pods | | Get/List/Watch/Delete/Create | |
| Secrets | | Get/List/Watch/Create/Update/Delete | |
| Events | | List/Create | |
| Services | | Create/Update/Delete/Get/List/Watch | |
| Pods/Log | | Get | |
| ServiceMonitors | monitoring.coreos.com | Get/Create | |
| ServiceEntries | networking.istio.io | Get/List/Create/Update/Delete | |
| VirtualServices | networking.istio.io | Get/List/Create/Update/Delete | |
| Leases | coordination.k8s.io | Get/Update/Create | |
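The permission tables above are only useful for a least-privilege review if the roles actually bound to a component's service account match them. The following script is an added example, not part of the Dynatrace documentation or the operator's own code: it encodes the Operator's documented cluster-wide permissions and diffs them against a ClusterRole in the JSON form that `kubectl get clusterrole <name> -o json` prints, reporting both undocumented grants (including any wildcard) and documented verbs that are missing. The role named `example-operator-role` is constructed for the demonstration and deliberately contains a wildcard on nodes, an undocumented `patch` verb on pods, and a lease rule that lacks `create`.

```python
"""Compare a ClusterRole against the permissions documented for a Dynatrace
component and report grants beyond (or short of) the documented set.

Added example: the input shape is what `kubectl get clusterrole <name> -o json`
prints, but SAMPLE_ROLE below is constructed and is not a real Dynatrace role.
"""
import json

# Documented cluster-wide permissions of the Dynatrace Operator, transcribed
# from the table above as {(apiGroup, resource): {verbs}}; "" is the core group.
DOCUMENTED_OPERATOR = {
    ("dynatrace.com", "dynakubes"): {"get", "list", "watch", "update", "create"},
    ("dynatrace.com", "dynakubes/finalizers"): {"update"},
    ("dynatrace.com", "dynakubes/status"): {"update"},
    ("apps", "statefulsets"): {"get", "list", "watch", "create", "update", "delete"},
    ("apps", "daemonsets"): {"get", "list", "watch", "create", "update", "delete"},
    ("apps", "replicasets"): {"get", "list", "watch"},
    ("apps", "deployments"): {"get", "list", "watch"},
    ("apps", "deployments/finalizers"): {"update"},
    ("", "configmaps"): {"get", "list", "watch", "create", "update", "delete"},
    ("", "pods"): {"get", "list", "watch", "delete", "create"},
    ("", "secrets"): {"get", "list", "watch", "create", "update", "delete"},
    ("", "events"): {"list", "create"},
    ("", "services"): {"create", "update", "delete", "get", "list", "watch"},
    ("", "pods/log"): {"get"},
    ("monitoring.coreos.com", "servicemonitors"): {"get", "create"},
    ("networking.istio.io", "serviceentries"): {"get", "list", "create", "update", "delete"},
    ("networking.istio.io", "virtualservices"): {"get", "list", "create", "update", "delete"},
    ("coordination.k8s.io", "leases"): {"get", "update", "create"},
}


def flatten_rules(role):
    """Expand (Cluster)Role rules into {(apiGroup, resource): {verbs}}."""
    granted = {}
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                verbs = granted.setdefault((group, resource.lower()), set())
                verbs.update(v.lower() for v in rule.get("verbs", []))
    return granted


def excess_permissions(role, documented):
    """Grants not covered by `documented`, as sorted (group, resource, verbs).

    A wildcard ("*") in any position is always reported: it cannot be matched
    against a finite documented set and is a least-privilege finding in itself.
    """
    findings = []
    for (group, resource), verbs in flatten_rules(role).items():
        if group == "*" or resource == "*" or "*" in verbs:
            findings.append((group, resource, sorted(verbs)))
            continue
        extra = verbs - documented.get((group, resource), set())
        if extra:
            findings.append((group, resource, sorted(extra)))
    return sorted(findings)


def missing_permissions(role, documented):
    """Documented verbs the role does not grant (the component may then fail)."""
    granted = flatten_rules(role)
    findings = []
    for (group, resource), verbs in documented.items():
        lacking = verbs - granted.get((group, resource), set())
        if lacking:
            findings.append((group, resource, sorted(lacking)))
    return sorted(findings)


# Constructed sample role with three deliberate deviations from the table.
SAMPLE_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-operator-role"},
  "rules": [
    {"apiGroups": ["dynatrace.com"], "resources": ["dynakubes"],
     "verbs": ["get", "list", "watch", "update", "create"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "delete", "create", "patch"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["*"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["get", "update"]}
  ]
}
""")

if __name__ == "__main__":
    for group, resource, verbs in excess_permissions(SAMPLE_ROLE, DOCUMENTED_OPERATOR):
        print(f"EXCESS  {group or 'core'}/{resource}: {', '.join(verbs)}")
    for group, resource, verbs in missing_permissions(SAMPLE_ROLE, DOCUMENTED_OPERATOR):
        print(f"MISSING {group or 'core'}/{resource}: {', '.join(verbs)}")
```

To run it against a live cluster, replace `SAMPLE_ROLE` with `json.load(sys.stdin)` and pipe in the output of `kubectl get clusterrole <name> -o json`; the same functions work for a namespaced Role, and the documented dictionary can be swapped for any of the other component tables on this page. Treat every wildcard finding as a review item even when it is narrower than it looks: a `*` verb on one resource already exceeds anything the tables list.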

OneAgent

Purposes:

  • Collects host metrics from Kubernetes nodes.
  • Detects new containers and injects OneAgent code modules into application pods using classic full-stack injection (optional).

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

Policy settings: allows hostNetwork, hostPID, and the use of any volume type.

Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE

| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
| SecurityContextConstraints | security.openshift.io | Use | privileged |

Dynatrace CSI driver

Purpose:

  • For applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.
  • For hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.
  • For cloudNativeFullStack, it provides both of the above.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

Cluster-wide permissions

| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
| Namespaces | | Get/List/Watch | |
| Events | | List/Watch/Create/Update/Patch | |
| Nodes | | Get/List/Watch | |
| Pods | | Get/List/Watch | |
| SecurityContextConstraints | security.openshift.io | Use | privileged |

Namespace dynatrace permissions

| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
| Endpoints | | Get/Watch/List/Delete/Update/Create | |
| Leases | coordination.k8s.io | Get/Watch/List/Delete/Update/Create | |
| Dynakubes | dynatrace.com | Get/List/Watch | |
| Secrets | | Get/List/Watch | |
| ConfigMaps | | Get/List/Watch | |

Dynatrace webhook server

Purposes:

  • Modifies pod definitions to include Dynatrace code modules for application observability
  • Validates DynaKube custom resources
  • Handles the DynaKube conversion between versions

Default configuration: 1-replica-per-cluster, can be scaled

Cluster-wide permissions

| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
| Namespaces | | Get/List/Watch/Update | |
| Events | | Create/Patch | |
| Secrets | | Create | |
| Secrets | | Get/List/Watch/Update | dynatrace-dynakube-config, dynatrace-data-ingest-endpoint |
| ReplicationControllers | | Get | |
| ReplicaSets | apps | Get | |
| StatefulSets | apps | Get | |
| DaemonSets | apps | Get | |
| Deployments | apps | Get | |
| Jobs | batch | Get | |
| CronJobs | batch | Get | |
| DeploymentConfigs | apps.openshift.io | Get | |
| SecurityContextConstraints | security.openshift.io | Use | privileged, nonroot-v2 |

Namespace dynatrace permissions

| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
| Services | | Get/List/Watch/Create/Update | |
| ConfigMaps | | Get/List/Watch/Create/Update | |
| Secrets | | Get/List/Watch/Create/Update | |
| Pods | | Get/List/Watch | |
| Dynakubes | dynatrace.com | Get/List/Watch | |
| Events | | List/Create | |
| Leases | coordination.k8s.io | Get/Update/Create | |
| DaemonSets | apps | List/Watch | |

Dynatrace Kubernetes monitoring (ActiveGate)

Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.

Default configuration: 1-replica-per-cluster, can be scaled

Cluster-wide permissions: The following table shows the permissions needed for Dynatrace Kubernetes Monitoring.

| Resources accessed | API group | APIs used | Resource names |
|---|---|---|---|
| SecurityContextConstraints | security.openshift.io | Use | privileged, nonroot-v2 |
| Nodes | | List/Watch/Get | |
| Pods | | List/Watch/Get | |
| Namespaces | | List/Watch/Get | |
| ReplicationControllers | | List/Watch/Get | |
| Events | | List/Watch/Get | |
| ResourceQuotas | | List/Watch/Get | |
| Pods/Proxy | | List/Watch/Get | |
| Nodes/Proxy | | List/Watch/Get | |
| Nodes/Metrics | | List/Watch/Get | |
| Services | | List/Watch/Get | |
| Jobs | batch | List/Watch/Get | |
| CronJobs | batch | List/Watch/Get | |
| Deployments | apps | List/Watch/Get | |
| ReplicaSets | apps | List/Watch/Get | |
| StatefulSets | apps | List/Watch/Get | |
| DaemonSets | apps | List/Watch/Get | |
| DeploymentConfigs | apps.openshift.io | List/Watch/Get | |
| ClusterVersions | config.openshift.io | List/Watch/Get | |

CIS Benchmark of Operator components

This section presents an analysis of the security controls for the Dynatrace Kubernetes components: Dynatrace Operator, webhook, and CSI driver. The assessment is based on the CIS Benchmark, a globally recognized standard for securing Kubernetes deployments.

| Security control | Operator | Webhook | CSI |
|---|---|---|---|
| Disallow privileged containers | Satisfied | Satisfied | Works as designed |
| Disallow privilege escalation | Satisfied | Satisfied | Works as designed |
| Disallow containers running as root | Satisfied | Satisfied | Works as designed [3] |
| Disallow usage of too many or insecure capabilities | Satisfied | Satisfied | Satisfied |
| Disallow usage of hostPath volumes | Satisfied | Satisfied | Works as designed [4] |
| Disallow usage of HostPorts | Satisfied | Satisfied | Satisfied |
| Disallow access to host network | Satisfied | Satisfied | Satisfied |
| Disallow usage of Host PID and Host IPC | Satisfied | Satisfied | Satisfied |
| Require readOnlyRootFilesystem | Satisfied | Satisfied | Satisfied |
| Require resource limits | Satisfied | Satisfied | Satisfied |
| Demand seccomp to be used (at least default/runtime) | Satisfied | Satisfied | Satisfied |
| Disallow Secrets mounted as env variable | Satisfied | Satisfied | Satisfied |
| Restrict sysctls | Satisfied | Satisfied | Satisfied |
| Restrict AppArmor | Satisfied | Satisfied | Satisfied |
| Disallow SELinux | Satisfied | Satisfied | Works as designed [5] |
| Restrict automounting of service account token | Works as designed [1] | Works as designed [1] | Works as designed [1] |

General:

[1] The component needs to communicate with the Kubernetes API.

CSI:

[3] The CSI driver communicates with the kubelet over a socket on the host; to access this socket, the CSI driver needs to run as root.

[4] The CSI driver stores and caches the OneAgent binaries on the host's file system, which requires a hostPath volume mount.

[5] The CSI driver needs SELinux level s0 so that application pods can see files from the volume created by the CSI driver.
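Every row of the table above can be checked mechanically from a Pod manifest, which is how you verify that a deployment still satisfies the controls after upgrades or local customization. The following script is an added example (not from the Dynatrace documentation or its code): it evaluates a Pod in the JSON form that `kubectl get pod <name> -o json` prints against each control and returns the ones that are not satisfied. Both pods are constructed; the second mirrors the policy settings listed for OneAgent earlier on this page (hostNetwork, hostPID, a hostPath volume, SYS_ADMIN-class capabilities), so its result shows which controls a node-level agent is expected to trip. The page does not define what counts as "too many" capabilities, so the script assumes the restricted reading that only NET_BIND_SERVICE may be added.

```python
"""Evaluate a Pod manifest against the security controls of the CIS table above.

Added example: the input is a Pod in the JSON form that `kubectl get pod <name>
-o json` prints. Both pods below are constructed; neither is a Dynatrace manifest.
"""
import json

RUNTIME_SECCOMP = {"RuntimeDefault", "Localhost"}
# The page does not define "too many capabilities"; this example assumes the
# restricted-profile reading that only NET_BIND_SERVICE may be added.
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def failed_controls(pod):
    """Return the sorted names of controls the Pod does not satisfy."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    annotations = pod.get("metadata", {}).get("annotations", {})
    failed = set()
    # Pod-level controls
    if spec.get("hostNetwork"):
        failed.add("host network")
    if spec.get("hostPID") or spec.get("hostIPC"):
        failed.add("host PID/IPC")
    if any("hostPath" in v for v in spec.get("volumes", [])):
        failed.add("hostPath volumes")
    if pod_sc.get("sysctls"):
        failed.add("sysctls")
    if spec.get("automountServiceAccountToken") is not False:
        failed.add("service account token automount")
    # Container-level controls (init containers are held to the same bar)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            failed.add("privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:  # unset defaults to true
            failed.add("privilege escalation")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            failed.add("running as root")
        if set(sc.get("capabilities", {}).get("add", [])) - ALLOWED_ADD_CAPS:
            failed.add("insecure capabilities")
        if any("hostPort" in p for p in c.get("ports", [])):
            failed.add("hostPorts")
        if sc.get("readOnlyRootFilesystem") is not True:
            failed.add("readOnlyRootFilesystem")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            failed.add("resource limits")
        # A container-level profile overrides the pod-level one
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in RUNTIME_SECCOMP:
            failed.add("seccomp")
        if any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])) or any(
                "secretRef" in e for e in c.get("envFrom", [])):
            failed.add("secrets as env variables")
        if sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions"):
            failed.add("SELinux")
        if annotations.get(APPARMOR_PREFIX + c["name"]) not in (None, "runtime/default"):
            failed.add("AppArmor")
    return sorted(failed)


# Constructed: a workload pod that satisfies every control in the table.
HARDENED_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "hardened-example"},
  "spec": {"automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example.invalid/app:1.0",
      "securityContext": {"allowPrivilegeEscalation": false,
        "readOnlyRootFilesystem": true, "capabilities": {"drop": ["ALL"]}},
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}""")

# Constructed: a node-level agent shaped like the OneAgent policy settings.
NODE_AGENT_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "node-agent-example"},
  "spec": {"hostNetwork": true, "hostPID": true,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "agent", "image": "example.invalid/agent:1.0",
      "securityContext": {"privileged": true, "readOnlyRootFilesystem": true,
        "capabilities": {"add": ["SYS_ADMIN", "SYS_PTRACE"]}},
      "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}}]}}""")

if __name__ == "__main__":
    for pod in (HARDENED_POD, NODE_AGENT_POD):
        print(pod["metadata"]["name"], "->", failed_controls(pod) or "all controls satisfied")
```

The hardened pod returns an empty list; the agent pod returns nine failed controls, the same ones the table marks "Works as designed" for host-level components plus the host-access controls that the OneAgent policy settings explicitly allow. A useful way to apply this is to run it over every Pod in the `dynatrace` namespace and diff the output against the table: a control that newly fails for the Operator or webhook is a regression worth a ticket, whereas the expected failures for the CSI driver and OneAgent are the documented design.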

Pod security policies

These permissions used to be managed using a PodSecurityPolicy (PSP). Because PSPs are removed in Kubernetes version 1.25, they have been removed from the following components:

  • Dynatrace Operator version 0.2.2
  • LEGACY Dynatrace OneAgent Operator version 0.11.0
  • Corresponding Helm charts

Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:

  • k-rail
  • Kyverno
  • Gatekeeper

If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.

Dynatrace Operator security context constraints

Dynatrace Operator version 0.12.0+

Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.

Despite this update, the components maintain the same permissions and security requirements as before.

The following tables show the SCCs used in different versions of Dynatrace Operator (DTO) and OpenShift.

DTO version 0.12.0+ with OpenShift earlier than 4.11:

| Component | Custom SCC used in DTO versions earlier than 0.12.0 | SCC in DTO version 0.12.0+ and OpenShift earlier than 4.11 |
|---|---|---|
| Dynatrace Operator | dynatrace-operator | privileged [1] |
| Webhook | dynatrace-webhook | privileged [1] |
| CSI Driver | dynatrace-oneagent-csi-driver | privileged [1] |
| OneAgent | dynatrace-dynakube-oneagent-privileged, dynatrace-dynakube-oneagent-unprivileged | privileged [1] |
| ActiveGate | dynatrace-activegate | privileged [1] |

DTO version 0.12.0+ with OpenShift 4.11+:

| Component | Custom SCC used in DTO versions earlier than 0.12.0 | SCC in DTO version 0.12.0+ and OpenShift 4.11+ |
|---|---|---|
| Dynatrace Operator | dynatrace-operator | nonroot-v2 |
| Webhook | dynatrace-webhook | nonroot-v2 |
| CSI Driver | dynatrace-oneagent-csi-driver | privileged [1] |
| OneAgent | dynatrace-dynakube-oneagent-privileged, dynatrace-dynakube-oneagent-unprivileged | privileged [1] |
| ActiveGate | dynatrace-activegate | nonroot-v2 |

[1] This SCC is the only built-in OpenShift SCC that allows the use of seccomp, which our components set by default, and also the use of CSI volumes.

It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.

To remove the old SCCs, use the following command:

```bash
oc delete scc <scc-name>
```