Kubernetes Security Posture Management
Latest Dynatrace Early Adopter
Dynatrace Kubernetes Security Posture Management enables you to detect, analyze, and monitor misconfigurations, security hardening guidelines, and potential compliance violations across your Kubernetes deployment.
Prerequisites
Dynatrace version 1.305+ Dynatrace Operator version 1.4.0+ ActiveGate version 1.303+
-
Security Posture Management is licensed based on the consumption of host-hours and requires the Dynatrace Platform Subscription (DPS) licensing model
-
Support is limited to compatibility with upstream Kubernetes and available for x86-64 CPU architectures only.
-
Amount of replicas of ActiveGate pods needs to be set to 1 (default).
-
If you're using a Dynatrace Operator version earlier than 1.4.0, you need to upgrade before you can continue.
Activate Security Posture Management
To activate Security Posture Management, contact a Dynatrace product expert via live chat. Our DevOps team will evaluate your environment and then activate Security Posture Management.
Deploy
See below how to set up and enable Kubernetes Security Posture Management.
Set up
If you already created a secret with a token in a previous deployment of Dynatrace Operator, you can skip this step.
-
Create a Dynatrace Operator token.
For instructions, see Access tokens and permissions.
-
Create a secret to hold the access token that will be used by Dynatrace Operator to communicate with the Dynatrace environment.
kubectl -n dynatrace create secret generic dynakube --from-literal="apiToken=<OPERATOR_TOKEN>"
-
Create your DynaKube custom resource (
apiVersion: dynatrace.com/v1beta3is required), making sure to enable the following:-
Kubernetes Security Posture Management:
spec.kspm: {}: Enables the KSPM Node Configuration Collector DaemonSet (for details, see How it works)
-
ActiveGate with Kubernetes monitoring and additional configuration:
-
spec.activeGate.capabilites: Must containkubernetes-monitoringFor ActiveGate versions earlier than 1.311, make sure to enable the following:
-
spec.activeGate.capabilites: Must containkubernetes-monitoring -
spec.activeGate.customProperties: Must contain the following:[kubernetes_monitoring]kubernetes_configuration_dataset_pipeline_enabled = truekubernetes_configuration_dataset_pipeline_include_node_config = true
-
-
-
Templates with Kubernetes Security Posture Management image:
spec:...templates:kspmNodeConfigurationCollector:imageRef:repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collectortag: <tag>For more information on tags, visit the public registry repository.
-
Tolerations to deploy Node Configuration Collector to the control plane and master nodes
.spec.templates.kspmNodeConfigurationCollector.tolerations
For guidelines on how to set properties, see Add a custom properties file.
For a list of all available parameters, see DynaKube parameters for Dynatrace Operator.
Example DynaKube:
apiVersion: dynatrace.com/v1beta3kind: DynaKubemetadata:name: dynakubenamespace: dynatracespec:apiUrl: <environment-api-url>tokens: dynakubekspm: {}activeGate:capabilities:- kubernetes-monitoringtemplates:kspmNodeConfigurationCollector:imageRef:repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collectortag: <tag>tolerations:- effect: NoSchedulekey: node-role.kubernetes.io/masteroperator: Exists- effect: NoSchedulekey: node-role.kubernetes.io/control-planeoperator: ExistsapiVersion: dynatrace.com/v1beta3kind: DynaKubemetadata:name: dynakubenamespace: dynatracespec:apiUrl: <environment-api-url>tokens: dynakubekspm: {}activeGate:capabilities:- kubernetes-monitoringcustomProperties:value: |[kubernetes_monitoring]kubernetes_configuration_dataset_pipeline_enabled = truekubernetes_configuration_dataset_pipeline_include_node_config = truetemplates:kspmNodeConfigurationCollector:imageRef:repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collectortag: <tag>tolerations:- effect: NoSchedulekey: node-role.kubernetes.io/masteroperator: Exists- effect: NoSchedulekey: node-role.kubernetes.io/control-planeoperator: Exists -
-
Apply the DynaKube custom resource.
kubectl apply -f dynakube.yaml
-
Check the status of your DynaKube custom resource.
kubectl get dks -n dynatraceDynaKube status is
Running.NAME APIURL STATUS AGEdynakube <environment-api-url> Running 3m48s -
Check the deployment status of the Node Configuration Collector DaemonSet.
kubectl get daemonset -n dynatrace -l app.kubernetes.io/component=kspmAll pods are in
READYmode.NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGEdynakube-node-config-collector 3 3 3 3 3 <none> 11m -
Check the deployment status of the ActiveGate StatefulSet.
kubectl get statefulset -n dynatrace -l app.kubernetes.io/component=activegateActiveGate is in
READYmode.NAME READY AGEdynakube-activegate 1/1 14m
Enable
Once you set up Kubernetes Security Posture Management, you need to enable it in Settings.
You have two options:
To enable Kubernetes Security Posture Management for all your monitored clusters
- Go to Settings Classic and select Application Security > Security Posture Management.
- Under Kubernetes, select Enable Security Posture Management.
What's next
Once you set up Kubernetes Security Posture Management, you can use
- Security Posture Management app
to analyze your clusters' security posture and evaluate your compliance with industry standards - Security Investigator
to query compliance events for further insights - Notebooks
to share finding reports with stakeholders
Further resources
- For a use case scenario, see Stay compliant with Security Posture Management.
- For a list of frequently asked questions on Kubernetes Security Posture Management, see FAQ.
- For a list of DQL examples based on compliance events that you can use for further investigation or reporting, see Query compliance events.
- For an overview of security data usage, see Security data on Grail.