Deploy OneAgent Operator via kubectl

Learn how you can set up OneAgent on Kubernetes using the OneAgent Operator. To understand all available Kubernetes deployment strategies, including our recommended Helm approach, see Kubernetes deployment strategies.


Generate an API token and a PaaS token in your Dynatrace environment.
Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.

Install OneAgent Operator

Create the necessary objects for OneAgent Operator. OneAgent Operator acts on its separate namespace dynatrace. It holds the operator deployment and all dependent objects like permissions, custom resources and the corresponding DaemonSet. You can also observe the logs of OneAgent Operator.

$ kubectl create namespace dynatrace
$ kubectl apply -f
$ kubectl -n dynatrace logs -f deployment/dynatrace-oneagent-operator

Create the secret holding API and PaaS tokens for authenticating to the Dynatrace cluster. The name of the secret is important in a later step when you configure the custom resource (.spec.tokens). In the following code-snippet the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values explained above.

$ kubectl -n dynatrace create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"

Save custom resource

The rollout of Dynatrace OneAgent is governed by a custom resource of type OneAgent.

Retrieve the cr.yaml file from the GitHub repository.

$ curl -o cr.yaml

Adapt custom resource

Adapt the values of the custom resource as indicated in the following table.

Parameter Description Default value
  • For Dynatrace SaaS, where OneAgent can connect to the internet, replace the Dynatrace ENVIRONMENTID in

  • For Dynatrace SaaS, where OneAgent can't connect to the internet, use the following to download the OneAgent, as well as to communicate OneAgent traffic through the ActiveGate: https://YourActiveGateIP or FQDN:9999/e/<ENVIRONMENTID>/api.

  • For Dynatrace Managed, use the following either for an ActiveGate or to connect directly to your server: https://ag, or server IP, or FQDN/e/<ENVIRONMENTID>/api. Note that depending on your settings, you may need the port as well.
tokens Name of the secret that holds the API and PaaS tokens from above. Name of custom resource ( if unset
args Parameters to be passed to the OneAgent installer. All the command line parameters of the installer are supported, with the exception of INSTALL_PATH. Starting with OneAgent version 1.185, we recommend you set --set-app-log-content-access=true (for earlier versions, set APP_LOG_CONTENT_ACCESS=1). []
env Environment variables for OneAgent container. []

Required configuration for Anthos, CaaS, GKE, and TKGI

There are some extra configuration steps in the custom resource file that need to be performed for the following Kubernetes flavors:

Create the custom resource

$ kubectl apply -f cr.yaml

Configure proxy (optional)

  • For Operator version 0.7.0, you can configure optional parameters like proxy settings in the custom resource.
  • For earlier versions of the Operator, add environment variables as needed to the corresponding containers.


See Docker limitations for details.


Find out how to troubleshoot issues that you may encounter when deploying OneAgent on Kubernetes.

Connect your Kubernetes clusters to Dynatrace

Now that you have OneAgent running on your Kubernetes nodes, you are able to monitor those nodes, and the applications running in Kubernetes. The next step is to connect the Kubernetes API to Dynatrace in order to get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods.
For further instructions see Monitor your Kubernetes clusters with Dynatrace.