Deploy Dynatrace Operator and enable Kubernetes API monitoring
Use the instructions below to configure Dynatrace Operator to monitor your Kubernetes cluster.
- Create the necessary objects for Dynatrace Operator.
Dynatrace Operator acts on its separate namespace, dynatrace. It holds the operator deployment and all dependent objects, such as permissions, custom resources, and the corresponding DaemonSet and StatefulSet. You can also observe the logs of Dynatrace Operator.
kubectl create namespace dynatrace
kubectl apply -f https://github.com/Dynatrace/dynatrace-operator/releases/latest/download/kubernetes.yaml
kubectl -n dynatrace logs -f deployment/dynatrace-operator
- Create the secret holding API and PaaS tokens for authentication to the Dynatrace Cluster.
The name of the secret is important in a later step when you configure the custom resource (.spec.tokens). In the following code snippet, the name is dynakube. Be sure to replace API_TOKEN and PAAS_TOKEN with the values explained in the prerequisites.
kubectl -n dynatrace create secret generic dynakube --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"
- Get the DynaKube custom resource from the GitHub repository.
curl -o cr.yaml https://raw.githubusercontent.com/Dynatrace/dynatrace-operator/master/config/samples/cr.yaml
- Adapt the values of the custom resource as indicated below.
Example of a basic configuration:
apiVersion: dynatrace.com/v1alpha1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://YOUR_ENVIRONMENT_ID.live.dynatrace.com/api
  kubernetesMonitoring:
    enabled: true
  classicFullStack:
    enabled: true
    tolerations:
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
      operator: Exists
If you want to revert an argument, you need to set it to empty instead of removing it from the custom resource.
Example:
args:
- "--set-proxy="
For a complete list of parameters, see the list below.
Global parameters
Parameter | Description | Default value |
apiUrl | Required. Dynatrace apiUrl, including the /api path at the end. For SaaS, set YOUR_ENVIRONMENT_ID to your environment ID. For Managed, change the apiUrl address. For instructions on how to determine the environment ID and how to configure the apiUrl address, see Environment ID. | |
tokens | Optional. Name of the secret holding the API and PaaS tokens. | Name of custom resource (.metadata.name) if unset |
skipCertCheck | Optional. Disable certificate check for the connection between Dynatrace Operator and the Dynatrace Cluster. Set to true if you want to skip certificate validation checks. | false |
proxy | Optional. Set custom proxy settings either directly or from a secret with the field proxy. Note: Only Dynatrace Operator traffic runs through this proxy; ActiveGate traffic doesn't. | |
trustedCAs | Optional. Adds custom RootCAs from a configmap. Note: Applies only to Dynatrace Operator, not to ActiveGate. | |
networkZone | Optional. Sets a network zone for the OneAgent and ActiveGate pods. | |
customPullSecret | Optional. Defines a custom pull secret in case you use a private registry when pulling images from the Dynatrace environment. | |
enableIstio | Optional. When enabled, and if Istio is installed on the Kubernetes environment, Dynatrace Operator will create the corresponding VirtualService and ServiceEntry objects to allow access to the Dynatrace Cluster from the OneAgent or ActiveGate. Disabled by default. | false |
ActiveGate parameters
Parameter | Description | Default value |
activeGate.image | Optional. Configuration for ActiveGate instances (to use a custom ActiveGate Docker image). | |
OneAgent parameters
Parameter | Description | Default value |
oneAgent.version | Optional. The OneAgent version to be used when useImmutableImage is enabled. The latest version is used by default. | |
oneAgent.image | Optional. Use a custom OneAgent Docker image. Defaults to docker.io/dynatrace/oneagent in Kubernetes and registry.connect.redhat.com/dynatrace/oneagent in OpenShift. | |
oneAgent.autoUpdate | Optional. Disables automatic restarts of OneAgent pods in case a new version is available. True by default. | true |
Classic full-stack observability parameters
Parameter | Description | Default value |
classicFullStack.enabled | Optional. Enables classic OneAgent monitoring. | false |
classicFullStack.nodeSelector | Optional. Specify the node selector that controls on which nodes OneAgent will be deployed. | |
classicFullStack.tolerations | Optional. Tolerations to include with the OneAgent DaemonSet. For details, see Taints and Tolerations. | |
classicFullStack.resources | Optional. Resource settings for OneAgent container. Consumption of the OneAgent heavily depends on the workload to monitor; please adjust values accordingly. | |
classicFullStack.args | Optional. Set additional arguments to the OneAgent installer. For available options, see Linux custom installation. For the list of limitations, see Limitations. | "--set-app-log-content-access=true" |
classicFullStack.env | Optional. Set additional environment variables for the OneAgent pods. | |
classicFullStack.priorityClassName | Optional. Assign a priority class to the OneAgent pods. By default, no class is set. For details, see Pod Priority and Preemption. | |
classicFullStack.dnsPolicy | Optional. Set the DNS Policy for OneAgent pods. For details, see Pods DNS Policy. | ClusterFirstWithHostNet |
classicFullStack.serviceAccountName | Optional. The name of the ServiceAccount to assign to the OneAgent pods. | "dynatrace-dynakube-oneagent" |
classicFullStack.labels | Optional. Your defined labels for OneAgent pods in order to structure workloads as desired. | |
classicFullStack.useUnprivilegedMode | Optional. When enabled, the OneAgent pods will run as unprivileged. Enabled by default. | true |
classicFullStack.useImmutableImage | Optional. When enabled, the Operator will use the immutable image from the Dynatrace environment or from your custom registry. Otherwise, an installer image is used. Disabled by default. | false |
Kubernetes API Monitoring parameters
Parameter | Description | Default value |
kubernetesMonitoring.enabled | Optional. Enable Kubernetes monitoring functionality. | false |
kubernetesMonitoring.replicas | Optional. Number of replicas of ActiveGate pods. | 1 |
kubernetesMonitoring.tolerations | Optional. Tolerations to include with the ActiveGate StatefulSet. For details, see Taints and Tolerations. | |
kubernetesMonitoring.nodeSelector | Optional. Node selector to control on which nodes the OneAgent will be deployed. | {} |
kubernetesMonitoring.resources | Optional. Resource settings for ActiveGate container. Consumption of the ActiveGate heavily depends on the workload to monitor; please adjust values accordingly. | |
kubernetesMonitoring.labels | Optional. Your defined labels for ActiveGate pods in order to structure workloads as desired. | |
kubernetesMonitoring.args | Optional. Set additional arguments to the ActiveGate pods. | |
kubernetesMonitoring.env | Optional. Set additional environment variables to the ActiveGate pods. | |
kubernetesMonitoring.group | Optional. Set activation group for ActiveGate. | |
kubernetesMonitoring.customProperties | Optional. Add a custom properties file by providing it as a value or reference it from a secret. Note: when referencing it from a secret, make sure the key is called customProperties. | |
Routing parameters
Parameter | Description | Default value |
routing.enabled | Optional. Enable routing functionality. | false |
For a complete file with all the properties, see the custom resource file on GitHub.
Configuration for Anthos, SUSE CaaS, GKE, IKS, and TKGI
For Anthos, SUSE CaaS, Google Kubernetes Engine, and VMware Tanzu Kubernetes Grid Integrated Edition (formerly PKE), you must add the following additional parameters to the env section in the cr.yaml file:
Anthos and GKE
classicFullStack:
  env:
  - name: ONEAGENT_ENABLE_VOLUME_STORAGE
    value: "true"
TKGI
classicFullStack:
  env:
  - name: ONEAGENT_ENABLE_VOLUME_STORAGE
    value: "true"
  - name: ONEAGENT_CONTAINER_STORAGE_PATH
    value: /var/vcap/store
IKS
classicFullStack:
  env:
  - name: ONEAGENT_ENABLE_VOLUME_STORAGE
    value: "true"
  - name: ONEAGENT_CONTAINER_STORAGE_PATH
    value: /opt
SUSE CaaS
classicFullStack:
  env:
  - name: ONEAGENT_ENABLE_VOLUME_STORAGE
    value: "true"
- Apply the custom resource.
kubectl apply -f cr.yaml
- You can configure optional parameters like proxy settings in the cr.yaml file in order to:
  - Download the OneAgent installer
  - Ensure communication between the OneAgent and your Dynatrace environment
  - Ensure communication between Dynatrace Operator and the Dynatrace API.
There are two ways to provide the proxy, depending on whether your proxy uses credentials.
No credentials
If you have a proxy that doesn't use credentials, enter your proxy URL directly in the value field for the proxy.
Example
apiVersion: dynatrace.com/v1alpha1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https:
  proxy:
    value: http:
With credentials
If your proxy uses credentials:
Create a secret with a field called proxy that holds your encrypted proxy URL with the credentials.
Example.
kubectl -n dynatrace create secret generic myproxysecret --from-literal="proxy=http://<user>:<password>@<IP>:<PORT>"
Provide the name of the secret in the valueFrom section.
Example.
apiVersion: dynatrace.com/v1alpha1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https:
  proxy:
    valueFrom: myproxysecret
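A pre-apply check for the settings described in this procedure, as an added example that is not part of the Dynatrace documentation or the operator's code: the hypothetical shell function lint_dynakube_cr scans a cr.yaml for an apiUrl that is not HTTPS or does not end in /api, skipCertCheck set to true, proxy credentials written inline instead of referenced through valueFrom, and useUnprivilegedMode set to false. It assumes block-style YAML with two-space indentation, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not Dynatrace code. Assumes block-style YAML with 2-space
# indentation, as in the samples on this page.
# Usage: lint_dynakube_cr cr.yaml   (reads stdin when no file is given)
# Prints one finding per line; returns 1 if anything was found, else 0.
lint_dynakube_cr() {
    awk '
    function report(msg) { printf "line %d: %s\n", NR, msg; findings++ }
    {
        sub(/\r$/, ""); sub(/[ \t]+#.*$/, "")    # drop CR and trailing comments
        if ($0 ~ /^[ \t]*(#|$)/) next            # skip blank and comment lines
        indent = match($0, /[^ ]/) - 1
        key = $0; sub(/^[ -]*/, "", key); sub(/:.*$/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val); gsub(/^"|"$/, "", val)
        if (indent == 2) section = key           # direct child of spec:

        if (indent == 2 && key == "apiUrl") {
            seen_api = 1
            if (val !~ "^https://.+/api$")
                report("apiUrl must be an https:// URL ending in /api")
        }
        if (indent == 2 && key == "skipCertCheck" && val == "true")
            report("skipCertCheck turns off certificate validation")
        if (section == "proxy" && key == "value" && val ~ "://[^/@]+:[^/@]*@")
            report("proxy.value embeds credentials; use a secret and valueFrom")
        if (section == "classicFullStack" && key == "useUnprivilegedMode" && val == "false")
            report("useUnprivilegedMode=false runs OneAgent pods privileged")
    }
    END {
        if (!seen_api) { print "apiUrl is missing"; findings++ }
        exit (findings > 0)
    }' "${1:--}"
}

# Constructed sample input; host names and credentials are placeholders.
lint_dynakube_cr <<'EOF' || true
apiVersion: dynatrace.com/v1alpha1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: http://YOUR_ENVIRONMENT_ID.live.dynatrace.com/api
  skipCertCheck: true
  proxy:
    value: http://user:password@proxy.example.internal:3128
  classicFullStack:
    useUnprivilegedMode: false
EOF
```

Run it as `lint_dynakube_cr cr.yaml` before `kubectl apply -f cr.yaml`; a non-zero return means at least one finding was printed.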
Connect your Kubernetes cluster to Dynatrace
Some Kubernetes pages require that your Kubernetes cluster is connected to Dynatrace. This connection creates relationships among applications, services, processes, hosts, and Kubernetes objects, such as pods and namespaces.
To connect your cluster
- Get the Kubernetes API URL.
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
- Get the bearer token.
kubectl get secret $(kubectl get sa dynatrace-kubernetes-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
Special instructions for Rancher distributions to get the API URL and the bearer token
For Rancher distributions of Kubernetes, you need to use the bearer token and API URL of the Rancher server, because this server manages and secures traffic to the Kubernetes API server. Follow the steps below.
- Get the Kubernetes API URL.
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
- Configure a user.
On the Rancher web UI page, either create a new user or use an existing user to be associated with the token. We recommend creating a new user.
- Set permissions.
Make sure the user has either Owner or Custom permissions to the cluster you want to monitor. We recommend using the Custom permissions for this type of account.
Note: If you select Custom permissions, be sure to select these two roles: View all Projects and View Nodes.
- Create an API key.
Go to API & Keys and create a key either for your specific account (enter your cluster name) or for all clusters (enter No scope). For security reasons, we recommend selecting the first option.
Note: Newly created keys display four fields. Make sure to use the content of the field called Bearer token to set up the connection to the Kubernetes API described in the next section.
- In Dynatrace, go to Settings > Cloud and virtualization > Kubernetes.
- Select Connect new cluster.
- Provide a Name, the Kubernetes API URL, and the Bearer token for the Kubernetes cluster.
Note: For Rancher distributions, you need the bearer token that was created in the Rancher web UI, as described in Special instructions for Rancher distributions to get the API URL and the bearer token above.
- Turn on Enable monitoring and Show workloads and cloud applications.
In Dynatrace environments earlier than version 1.190, you need to enable Cloud application and workload detection in the Process group detection settings. This way, cloud applications and workloads will be detected properly and process groups won't be spread across different cloud applications and workloads.
- Select Connect to save your configuration.
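Before the bearer token from the step above is pasted into Dynatrace, it is worth confirming which identity it carries. The following added example (not part of the Dynatrace documentation) decodes the token payload and checks that its subject is the dynatrace-kubernetes-monitoring service account in the dynatrace namespace. It assumes the token is a service account JWT with a sub claim of the form system:serviceaccount:<namespace>:<name>; jwt_subject and is_dynatrace_monitoring_token are hypothetical helper names, and the demo token is constructed.

```shell
#!/bin/sh
# Added example, not Dynatrace code. Assumes the bearer token is a service
# account JWT (header.payload.signature) whose payload carries a "sub" claim.

# Print the "sub" claim of a JWT. The signature is not verified: this is an
# identity sanity check, not an authenticity check.
jwt_subject() {
    case "$1" in *.*.*) ;; *) return 1 ;; esac        # not a three-part JWT
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in                      # restore base64 padding
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 --decode 2>/dev/null |
        sed -n 's/.*"sub"[ ]*:[ ]*"\([^"]*\)".*/\1/p'
}

# Return 0 only if the token belongs to the service account used on this page.
is_dynatrace_monitoring_token() {
    expected="system:serviceaccount:dynatrace:dynatrace-kubernetes-monitoring"
    [ "$(jwt_subject "$1")" = "$expected" ]
}

# Constructed token for the demonstration: unsigned, not a real credential.
demo_payload=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:dynatrace:dynatrace-kubernetes-monitoring"}' |
    base64 | tr -d '=\n' | tr '/+' '_-')
demo_token="e30.${demo_payload}.c2ln"

if is_dynatrace_monitoring_token "$demo_token"; then
    echo "token subject: $(jwt_subject "$demo_token")"
else
    echo "token does not belong to dynatrace-kubernetes-monitoring" >&2
fi
```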
Monitor large Kubernetes environments
Contact Dynatrace ONE if you want to monitor environments that are larger than:
- 50 Kubernetes clusters per Dynatrace environment
- 500 nodes per Kubernetes cluster
- 50,000 pods per Kubernetes cluster
Uninstall Dynatrace Operator
Remove DynaKube custom resources and clean all remaining Dynatrace Operator–specific objects.
kubectl delete -n dynatrace dynakube --all
kubectl delete -f https://github.com/Dynatrace/dynatrace-operator/releases/latest/download/kubernetes.yaml