Deploy OneAgent Operator on OpenShift

OneAgent Operator version 0.7.0

We recommend installing OneAgent Operator on OpenShift with oc. If you prefer Helm, you can use the OneAgent Helm chart as a basic alternative.
For more information on all deployment options, see Openshift deployment strategies.

Note: The instructions below apply to OpenShift Dedicated as well. For OpenShift Dedicated, you need cluster-admin privileges.


Find out below how to install and configure OneAgent.

  • Generate an API token and a PaaS token in your Dynatrace environment.
    Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.

  • See Support lifecycle for supported OpenShift versions.
  1. Add a new project.
$ oc adm new-project --node-selector="" dynatrace
  1. OCP version 3.11 Provide image pull secrets.
    Skip this step if you're using a later version.
    In order to use the certified OneAgent Operator and OneAgent images from Red Hat Container Catalog (RHCC), you need to provide image pull secrets. The Service Accounts on the openshift.yaml manifest already have links to the secrets to be created below.
# For OCP 3.11
$ oc -n dynatrace create secret docker-registry redhat-connect --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
$ oc -n dynatrace create secret docker-registry redhat-connect-sso --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
  1. OCP version 4.x OCP version 3.11 Apply the openshift.yaml manifest to deploy the OneAgent Operator.
$ oc apply -f
$ oc -n dynatrace logs -f deployment/dynatrace-oneagent-operator

For OpenShift versions earlier than 3.11.188 you need to delete the type: object line beneath the required spec validation in openshift.yaml before deploying the CustomResourceDefinition (OpenShift known bug).

-  spec
type: object  # delete this line, which is a validation rule
  1. Create the secret that holds the API and PaaS tokens for authenticating to the Dynatrace cluster.
    The name of the secret will be important in a later step when you configure the custom resource (.spec.tokens). In the following code-snippet the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values mentioned in prerequisites.
$ oc -n dynatrace create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"
  1. Save the custom resource.
    The rollout of Dynatrace OneAgent is governed by a custom resource of type OneAgent. Retrieve the cr.yaml file from the GitHub repository.
$ curl -o cr.yaml
  1. Adapt the custom resource.
  1. Create the custom resource.
$ oc apply -f cr.yaml
  1. Optional  Configure proxy.
  • You can configure optional parameters like proxy settings in the cr.yaml file in order to
    • download the OneAgent installer
    • ensure the communication between the OneAgent and your Dynatrace environment
    • ensure the communication between the Dynatrace OneAgent Operator and the Dynatrace API.

There are two ways to provide the proxy, depending on whether or not your proxy uses credentials.

  1. Optional Configure network zones.

    You can configure network zones by setting the following argument:

      - --set-network-zone=<>

    See network zones for more information.


See Docker limitations for details.


Find out how to troubleshoot issues that you may encounter when deploying OneAgent on OpenShift.

Connect your OpenShift clusters to Dynatrace

Now that you have OneAgent running on your OpenShift nodes, you're able to monitor those nodes, and the applications running in OpenShift. The next step is to connect the Kubernetes API to Dynatrace in order to get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods.
For further instructions see Monitor your OpenShift clusters with Dynatrace.