Deploy OneAgent Operator via oc

Learn how you can set up OneAgent on OpenShift using the OneAgent Operator. For a clear view of all the deployment strategies, including our recommended Helm approach, see OpenShift deployment strategies.

OneAgent Operator version 0.3+ requires OpenShift version 3.11+. Older versions of the OneAgent Operator work with OpenShift version 3.9+.


Generate an API token and a PaaS token in your Dynatrace environment.
Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.

Install OneAgent Operator

Start by adding a new project as follows:

$ oc adm new-project --node-selector="" dynatrace

If you're installing the Operator on OpenShift Container Platform version 3.11, you need to provide image pull secrets in order to use the certified OneAgent Operator and OneAgent images from Red Hat Container Catalog (RHCC). The Service Accounts in the openshift.yaml manifest already link to the secrets created below.
Skip this step if you're using OpenShift Container Platform versions 4.x.

# For OCP 3.11
$ oc -n dynatrace create secret docker-registry redhat-connect --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
$ oc -n dynatrace create secret docker-registry redhat-connect-sso --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused

For both 4.x and 3.11, we apply the openshift.yaml manifest to deploy the Operator.

OpenShift versions earlier than 3.11.188 require that you delete a line in openshift.yaml before deploying. The type: object line beneath the required spec validation must be deleted.

- spec
type: object  # delete this line, which is a validation rule

$ oc apply -f
$ oc -n dynatrace logs -f deployment/dynatrace-oneagent-operator

Create the secret that holds the API and PaaS tokens for authenticating to the Dynatrace cluster. The name of the secret matters in a later step, when you configure the custom resource (.spec.tokens). In the following code snippet, the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values explained above.

$ oc -n dynatrace create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"

Save custom resource

The rollout of Dynatrace OneAgent is governed by a custom resource of type OneAgent.

Retrieve the cr.yaml file from the GitHub repository.

$ curl -o cr.yaml

Adapt custom resource

Adapt the values of the custom resource as indicated in the following table.

| Parameter | Description | Default value |
| --- | --- | --- |
| apiUrl | Dynatrace SaaS: Replace ENVIRONMENTID with your Dynatrace environment ID in | |
| | Dynatrace Managed: Provide your Dynatrace Server URL (https://<YourDynatraceServerURL>/e/<ENVIRONMENTID>/api) | |
| tokens | Name of the secret that holds the API and PaaS tokens from above. | Name of custom resource ( if unset |
| image | Define the OneAgent image to be taken. Defaults to the publicly available OneAgent image on Docker Hub. In order to use the certified OneAgent image from Red Hat Container Catalog you need to set .spec.image to in the custom resource and provide image pull secrets as shown in the next step. | if unset |
| args | Parameters to be passed to the OneAgent installer. All the command-line parameters of the installer are supported, with the exception of INSTALL_PATH. Starting with OneAgent version 1.185, we recommend you set --set-app-log-content-access=true (for earlier versions, set APP_LOG_CONTENT_ACCESS=1). | [] |
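
One way to catch an unadapted custom resource before it is applied, as an added example (not Dynatrace's code): the script lints cr.yaml against the parameter table above. The function names, the sample CRs and the example.invalid host are constructed, and requiring the https://.../api shape for SaaS URLs is an assumption based on the Managed form shown in the table.

```shell
# Added example (not Dynatrace code): lint cr.yaml before `oc apply -f cr.yaml`.

# Print the scalar at SECTION.KEY. Line-based reader for the flat layout of the
# constructed samples below, not a general YAML parser.
yaml_value() {  # yaml_value FILE SECTION KEY
  awk -v sec="$2" -v key="$3" '
    /^[^ #]/ { in_sec = ($1 == (sec ":")); next }
    in_sec && $1 == (key ":") { sub(/^[^:]*:[ ]*/, ""); gsub(/^"|"$/, ""); print; exit }
  ' "$1"
}

# Print one line per finding and return the number of findings (0 = clean).
check_cr() {  # check_cr FILE SECRET_NAME
  f=$1; secret=$2; n=0
  url=$(yaml_value "$f" spec apiUrl)
  tokens=$(yaml_value "$f" spec tokens)
  # Per the parameter table: if tokens is unset, the custom resource name is used.
  [ -n "$tokens" ] || tokens=$(yaml_value "$f" metadata name)
  case $url in
    *ENVIRONMENTID*) echo "apiUrl: ENVIRONMENTID placeholder not replaced"; n=$((n + 1)) ;;
    https://*/api) ;;  # shape of the Managed URL on the page; assumed for SaaS too
    *) echo "apiUrl: expected https://.../api, got '$url'"; n=$((n + 1)) ;;
  esac
  [ "$tokens" = "$secret" ] || { echo "tokens: resolves to '$tokens', expected '$secret'"; n=$((n + 1)); }
  if grep -v '^ *#' "$f" | grep -q 'INSTALL_PATH'; then
    echo "args: INSTALL_PATH is the one installer parameter not supported"; n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample CRs, trimmed to the fields the checks read.
write_samples() {  # write_samples DIR
  cat > "$1/good.yaml" <<'EOF'
kind: OneAgent
metadata:
  name: oneagent
spec:
  apiUrl: https://abc12345.example.invalid/api
  tokens: ""
  args:
  - --set-app-log-content-access=true
EOF
  sed -e 's/abc12345/ENVIRONMENTID/' -e 's/tokens: ""/tokens: other-secret/' \
      -e 's|--set-app.*|INSTALL_PATH=/opt/custom|' "$1/good.yaml" > "$1/bad.yaml"
}

demo=$(mktemp -d) && write_samples "$demo"
check_cr "$demo/good.yaml" oneagent && echo "good.yaml: clean"
check_cr "$demo/bad.yaml" oneagent || echo "bad.yaml: $? finding(s)"
```

Pass the name of the secret you created as the second argument; a non-zero exit status is the number of findings, so the check can gate the apply step in a deployment script.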

Create the custom resource

$ oc apply -f cr.yaml

Configure proxy (optional)

  • For Operator version 0.7.0, you can configure optional parameters like proxy settings in the custom resource.
  • For earlier versions of the Operator, add environment variables as needed to the corresponding containers.


See Docker limitations for details.


Find out how to troubleshoot issues that you might encounter when deploying OneAgent on OpenShift.

Connect your OpenShift clusters to Dynatrace

Now that you have OneAgent running on your OpenShift nodes, you're able to monitor those nodes, and the applications running in OpenShift. The next step is to connect the Kubernetes API to Dynatrace in order to get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods. For further instructions see Connect your OpenShift clusters to Dynatrace.