Kubernetes Security Posture Management

  • Latest Dynatrace
  • How-to guide
  • 5-min read

Dynatrace Kubernetes Security Posture Management enables you to detect, analyze, and monitor misconfigurations, security hardening guidelines, and potential compliance violations across your Kubernetes deployment.

Dynatrace ingests configuration data from your clusters and workloads into Grail, where it's formatted into compliance events according to the Semantic Dictionary conventions.

The mechanism is described below.

Diagram showing how Security Posture Management works on Kubernetes

Once you enable Dynatrace Kubernetes Node Configuration Collector in Dynatrace Operator, it's deployed as a DaemonSet on your monitored cluster's nodes to collect cluster and workload configuration data.

  • Node Configuration Collector collects data from the cluster nodes.
    • Frequency: every minute
  • ActiveGate collects data from the Kubernetes API.
    • Frequency: every hour

ActiveGate processes all data received from the nodes and Kubernetes API and sends it to the Dynatrace Cluster.

This section has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

The cluster and workload configuration data is mapped as compliance events according to the Semantic Dictionary and stored in the default_securityevents_builtin bucket (for details, see Built-in Grail buckets).

Once data is ingested into Grail, you can analyze your clusters' security posture and evaluate your compliance with industry standards. For details, see What's next.

Prerequisites

  • Dynatrace version 1.305+
  • Dynatrace Operator version 1.5.0+
  • ActiveGate version 1.321+

  • Support is limited to compatibility with upstream Kubernetes and available for x86-64 CPU architectures only.

  • The number of ActiveGate Pod replicas must be set to 1 (the default).

  • If you're using a Dynatrace Operator version earlier than 1.4.0, you need to upgrade before you can continue.

Activate Security Posture Management

To activate Security Posture Management, contact a Dynatrace product expert via live chat. Our DevOps team will evaluate your environment and then activate Security Posture Management.

Deploy

The following sections describe how to set up and enable Kubernetes Security Posture Management.

Set up Dynatrace Kubernetes Node Configuration Collector

If you already created a secret with a token in a previous deployment of Dynatrace Operator, you can skip this step.

  1. Create a Dynatrace Operator token.

    For instructions, see Access tokens and permissions.

  2. Create a secret to hold the access token that will be used by Dynatrace Operator to communicate with the Dynatrace environment.

    kubectl -n dynatrace create secret generic dynakube --from-literal="apiToken=<OPERATOR_TOKEN>"
  1. Create your DynaKube custom resource (minimum apiVersion: dynatrace.com/v1beta4 is required), making sure to enable the following:

    • Kubernetes Security Posture Management:

      • spec.kspm: {}: Enables the KSPM Node Configuration Collector DaemonSet (for details, see How it works)

      KSPM mounts the host's root filesystem by default. To limit the mount to specific paths, set spec.kspm.mappedHostPaths, which defines the host paths that are mounted into the container. For a list of suggested paths, see the Dynatrace Operator repository sample.

    • ActiveGate with Kubernetes monitoring and additional configuration:

      • spec.activeGate.capabilities: Must contain kubernetes-monitoring

        For ActiveGate versions earlier than 1.311, you must additionally set the following:

        • spec.activeGate.customProperties: Must contain the following:

          [kubernetes_monitoring]
          kubernetes_configuration_dataset_pipeline_enabled = true
          kubernetes_configuration_dataset_pipeline_include_node_config = true
    • Templates with Kubernetes Security Posture Management image:

      spec:
        ...
        templates:
          kspmNodeConfigurationCollector:
            imageRef:
              repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector
              tag: <tag>

      For more information on tags, visit the public registry repository.

    • Tolerations to deploy Node Configuration Collector to the control plane and master nodes

      • .spec.templates.kspmNodeConfigurationCollector.tolerations

    For guidelines on how to set properties, see Add a custom properties file.

    For a list of all available parameters, see DynaKube parameters for Dynatrace Operator.

    Example DynaKube (ActiveGate 1.311+):

    apiVersion: dynatrace.com/v1beta5
    kind: DynaKube
    metadata:
      name: dynakube
      namespace: dynatrace
    spec:
      apiUrl: <environment-api-url>
      tokens: dynakube
      kspm: {}
      activeGate:
        capabilities:
          - kubernetes-monitoring
      templates:
        kspmNodeConfigurationCollector:
          imageRef:
            repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector
            tag: <tag>
          tolerations:
            - effect: NoSchedule
              key: node-role.kubernetes.io/master
              operator: Exists
            - effect: NoSchedule
              key: node-role.kubernetes.io/control-plane
              operator: Exists

    Example DynaKube (ActiveGate earlier than 1.311, with the required custom properties):

    apiVersion: dynatrace.com/v1beta5
    kind: DynaKube
    metadata:
      name: dynakube
      namespace: dynatrace
    spec:
      apiUrl: <environment-api-url>
      tokens: dynakube
      kspm: {}
      activeGate:
        capabilities:
          - kubernetes-monitoring
        customProperties:
          value: |
            [kubernetes_monitoring]
            kubernetes_configuration_dataset_pipeline_enabled = true
            kubernetes_configuration_dataset_pipeline_include_node_config = true
      templates:
        kspmNodeConfigurationCollector:
          imageRef:
            repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector
            tag: <tag>
          tolerations:
            - effect: NoSchedule
              key: node-role.kubernetes.io/master
              operator: Exists
            - effect: NoSchedule
              key: node-role.kubernetes.io/control-plane
              operator: Exists
  2. Apply the DynaKube custom resource.

    kubectl apply -f dynakube.yaml
  1. Check the status of your DynaKube custom resource.

    kubectl get dks -n dynatrace

    DynaKube status is Running.

    NAME       APIURL                  STATUS    AGE
    dynakube   <environment-api-url>   Running   3m48s
  2. Check the deployment status of the Node Configuration Collector DaemonSet.

    kubectl get daemonset -n dynatrace -l app.kubernetes.io/component=kspm

    All Pods are in READY mode.

    NAME                             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
    dynakube-node-config-collector   3         3         3       3            3           <none>          11m
  3. Check the deployment status of the ActiveGate StatefulSet.

    kubectl get statefulset -n dynatrace -l app.kubernetes.io/component=activegate

    ActiveGate is in READY mode.

    NAME                  READY   AGE
    dynakube-activegate   1/1     14m
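As an added example (not Dynatrace code), a pre-apply lint that checks a DynaKube manifest against the requirements listed in the steps above: the minimum apiVersion, spec.kspm, the kubernetes-monitoring capability, a single ActiveGate replica, the control-plane tolerations, and, for ActiveGate versions earlier than 1.311, the two custom properties. The check_dynakube function and its activegate_version parameter are assumptions; the manifest is passed as a dict such as yaml.safe_load would return, and the sample below is constructed from the page's example DynaKube.

```python
import configparser
import re

# Hypothetical pre-apply lint (not Dynatrace code) for a DynaKube manifest, checking
# the requirements this page states. Input is a dict as yaml.safe_load would return.
REQUIRED_TOLERATION_KEYS = {"node-role.kubernetes.io/master",
                            "node-role.kubernetes.io/control-plane"}
PIPELINE_KEYS = ("kubernetes_configuration_dataset_pipeline_enabled",
                 "kubernetes_configuration_dataset_pipeline_include_node_config")


def check_dynakube(manifest, activegate_version=(1, 321)):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    m = re.fullmatch(r"dynatrace\.com/v1beta(\d+)", str(manifest.get("apiVersion", "")))
    if not m or int(m.group(1)) < 4:
        findings.append("apiVersion must be dynatrace.com/v1beta4 or later")
    spec = manifest.get("spec", {})
    if "kspm" not in spec:
        findings.append("spec.kspm is missing, so no Node Configuration Collector DaemonSet is deployed")
    ag = spec.get("activeGate", {})
    if "kubernetes-monitoring" not in ag.get("capabilities", []):
        findings.append("spec.activeGate.capabilities must contain kubernetes-monitoring")
    if ag.get("replicas", 1) != 1:
        findings.append("spec.activeGate.replicas must be 1")
    if activegate_version < (1, 311):
        # Older ActiveGates need the dataset pipeline enabled via custom properties (INI format).
        cp = configparser.ConfigParser()
        cp.read_string(ag.get("customProperties", {}).get("value", ""))
        for key in PIPELINE_KEYS:
            if not cp.getboolean("kubernetes_monitoring", key, fallback=False):
                findings.append(f"customProperties must set {key} = true for ActiveGate < 1.311")
    collector = spec.get("templates", {}).get("kspmNodeConfigurationCollector", {})
    tolerated = {t.get("key") for t in collector.get("tolerations", [])
                 if t.get("operator") == "Exists" and t.get("effect") == "NoSchedule"}
    for key in sorted(REQUIRED_TOLERATION_KEYS - tolerated):
        findings.append(f"missing NoSchedule toleration for {key}; the collector skips those nodes")
    return findings


# Constructed sample mirroring the page's ActiveGate 1.311+ example DynaKube.
GOOD = {
    "apiVersion": "dynatrace.com/v1beta5", "kind": "DynaKube",
    "metadata": {"name": "dynakube", "namespace": "dynatrace"},
    "spec": {
        "apiUrl": "<environment-api-url>", "tokens": "dynakube", "kspm": {},
        "activeGate": {"capabilities": ["kubernetes-monitoring"]},
        "templates": {"kspmNodeConfigurationCollector": {
            "imageRef": {"repository": "public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector",
                         "tag": "<tag>"},
            "tolerations": [
                {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master", "operator": "Exists"},
                {"effect": "NoSchedule", "key": "node-role.kubernetes.io/control-plane", "operator": "Exists"}]}}}}
```

Run the manifest through check_dynakube before kubectl apply; any non-empty result means the collector DaemonSet or ActiveGate will not come up as the status checks above expect.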

Enable Kubernetes Security Posture Management

Once you set up Dynatrace Kubernetes Node Configuration Collector, you can enable Kubernetes Security Posture Management in Settings.

You have two options:

To enable Kubernetes Security Posture Management for all your monitored clusters

  1. Go to Settings Classic and select Application Security > Security Posture Management.
  2. Under Kubernetes, select Enable Security Posture Management.

What's next

Once you set up Kubernetes Security Posture Management, you can use

Limitations

Up to 100 nodes and 3,000 pods per Kubernetes cluster can be covered by Kubernetes Security Posture Management.

Further resources