Kubernetes Security Posture Management

Latest Dynatrace Early Adopter

Dynatrace Kubernetes Security Posture Management enables you to detect, analyze, and monitor misconfigurations, security hardening guidelines, and potential compliance violations across your Kubernetes deployment.

Prerequisites

Dynatrace version 1.305+ Dynatrace Operator version 1.4.0+ ActiveGate version 1.303+

Support is limited to compatibility with upstream Kubernetes and available for x86-64 CPU architectures only.
Amount of replicas of ActiveGate pods needs to be set to 1 (default).
If you're using a Dynatrace Operator version earlier than 1.4.0, you need to upgrade before you can continue.

Activate Security Posture Management

To activate Security Posture Management, contact a Dynatrace product expert via live chat. Our DevOps team will evaluate your environment and then activate Security Posture Management.

Security Posture Management is licensed based on the consumption of host-hours and requires the Dynatrace Platform Subscription (DPS) licensing model.

Deploy

See below how to set up and enable Kubernetes Security Posture Management.

Set up

Create secret

Configure DynaKube

Verify configuration

Create secret

If you already created a secret with a token in a previous deployment of Dynatrace Operator, you can skip this step.

Create a Dynatrace Operator token.

For instructions, see Access tokens and permissions.
Create a secret to hold the access token that will be used by Dynatrace Operator to communicate with the Dynatrace environment.
```
kubectl -n dynatrace create secret generic dynakube --from-literal="apiToken=<OPERATOR_TOKEN>"
```

Configure DynaKube

Create your DynaKube custom resource (apiVersion: dynatrace.com/v1beta3 is required), making sure to enable the following:

Kubernetes Security Posture Management:
- spec.kspm: {}: Enables the KSPM Node Configuration Collector DaemonSet (for details, see How it works)
ActiveGate with Kubernetes monitoring and additional configuration:
- spec.activeGate.capabilites: Must contain kubernetes-monitoring
- spec.activeGate.customProperties: Must contain the following:
```
[kubernetes_monitoring]
kubernetes_configuration_dataset_pipeline_enabled = true
kubernetes_configuration_dataset_pipeline_include_node_config = true
```

Templates with Kubernetes Security Posture Management image:

spec:
  ...
  templates:
    kspmNodeConfigurationCollector:
      imageRef:
        repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector
        tag: <tag>

For more information on tags, visit the public registry repository.

Tolerations to deploy Node Configuration Collector to the control plane and master nodes
- .spec.templates.kspmNodeConfigurationCollector.tolerations

For guidelines on how to set properties, see Add a custom properties file.

For a list of all available parameters, see DynaKube parameters for Dynatrace Operator.

Example DynaKube:

apiVersion: dynatrace.com/v1beta3
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: <environment-api-url>
  tokens: dynakube
  kspm: {}
  activeGate:
    capabilities:
      - kubernetes-monitoring
    customProperties:
      value: |
        [kubernetes_monitoring]
        kubernetes_configuration_dataset_pipeline_enabled = true
        kubernetes_configuration_dataset_pipeline_include_node_config = true
  templates:
    kspmNodeConfigurationCollector:
      imageRef:
        repository: public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector
        tag: <tag>
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists

Apply the DynaKube custom resource.
```
kubectl apply -f dynakube.yaml
```

Verify configuration

Check the status of your DynaKube custom resource.

kubectl get dks -n dynatrace

DynaKube status is Running.

NAME       APIURL                  STATUS    AGE
dynakube   <environment-api-url>   Running   3m48s

Check the deployment status of the Node Configuration Collector DaemonSet.

kubectl get daemonset -n dynatrace -l app.kubernetes.io/component=kspm

All pods are in READY mode.

NAME                             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
dynakube-node-config-collector   3         3         3       3            3           <none>          11m

Check the deployment status of the ActiveGate StatefulSet.

kubectl get statefulset -n dynatrace -l app.kubernetes.io/component=activegate

ActiveGate is in READY mode.

NAME                  READY   AGE
dynakube-activegate   1/1     14m

Enable

Once you set up Kubernetes Security Posture Management, you need to enable it in Settings.

You have two options:

To enable Kubernetes Security Posture Management for all your monitored clusters

Go to Settings Classic and select Application Security > Security Posture Management.
Under Kubernetes, select Enable Security Posture Management.

To enable Kubernetes Security Posture Management for a specific monitored cluster

Open Kubernetes .
Go to Clusters and select the cluster for which you want to enable Security Posture Management.
In the upper-right, select , then select Settings.
In the Open with menu, select Settings Classic.
Select Security Posture Management, then select Enable Security Posture Management.
To verify your configuration, select Test configuration.

What's next

Once you set up Kubernetes Security Posture Management, you can use

Security Posture Management app to analyze your clusters' security posture and evaluate your compliance with industry standards
Security Investigator to query compliance events for further insights
Notebooks to share finding reports with stakeholders

Further resources

For a use case scenario, see Stay compliant with Security Posture Management.
For more information about Kubernetes Security Posture Management, see Get started with Kubernetes Security Posture Management.
For a list of frequently asked questions on Kubernetes Security Posture Management, see FAQ.
For a list of DQL examples based on compliance events that you can use for further investigation or reporting, see Query compliance events.
For an overview of security data usage, see Security data on Grail.