Private preview Dynatrace Operator version 1.5.0+
In a private preview, Dynatrace is expanding the scope of monitored Kubernetes objects. To facilitate this, the ActiveGate, which queries the Kubernetes endpoints, requires extended read permissions. These permissions are granted through a new ClusterRole, which is bound to the ActiveGate's service account. This ClusterRole is not deployed by default and must be manually opted into.
The ClusterRole can be activated when installing Dynatrace Operator using the Helm chart. The Helm option for this ClusterRole is preview.fullObjectCoverage.enabled = true. This option can be either provided in your values.yaml that is used during installation or directly on the Helm command line:

helm install dynatrace-operator \
  oci://public.ecr.aws/dynatrace/dynatrace-operator \
  --create-namespace \
  --namespace dynatrace \
  --atomic \
  --set preview.fullObjectCoverage.enabled=true

The Kubernetes objects that are created by this switch are:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dynatrace-kubernetes-monitoring-full
rules:
  - apiGroups: [ "*" ]
    resources: [ "*" ]
    verbs:
      - list
      - watch
      - get
  - nonResourceURLs:
      - /metrics
      - /version
      - /readyz
      - /livez
    verbs:
      - get

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dynatrace-kubernetes-monitoring-full
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynatrace-kubernetes-monitoring-full
subjects:
  - kind: ServiceAccount
    name: dynatrace-kubernetes-monitoring
    namespace: dynatrace

If you need to fine-tune the permissions and don't want to use the defaults, you can create a suitable ClusterRole yourself. For more information about creating ClusterRoles, see the official RBAC documentation. To attach your ClusterRole to the ActiveGate, bind it to the service account dynatrace-kubernetes-monitoring and restart the ActiveGate. The examples above can serve as guidance.

Note: By default, this service account is also bound to the ClusterRole dynatrace-kubernetes-monitoring. The permissions of both ClusterRoles are combined, so there's no need to add the permissions that are required for standard Kubernetes monitoring to your manually created ClusterRole.
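
As an added example (not part of the Dynatrace documentation), here is a narrower alternative to the wildcard rule above, which matches every resource in every API group, Secrets included. The role name dynatrace-kubernetes-monitoring-custom and the resource list are assumptions chosen for illustration; the service account and namespace are the ones shown on this page.

```yaml
# Hypothetical custom ClusterRole: read-only access to an explicit list of
# object types instead of apiGroups "*" / resources "*".
# The resource list below is illustrative; replace it with the object types
# you want covered. This role itself grants no access to Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dynatrace-kubernetes-monitoring-custom   # assumed name
rules:
  - apiGroups: [ "networking.k8s.io" ]
    resources: [ "ingresses", "networkpolicies" ]
    verbs:
      - list
      - watch
      - get
  - apiGroups: [ "policy" ]
    resources: [ "poddisruptionbudgets" ]
    verbs:
      - list
      - watch
      - get
  - apiGroups: [ "autoscaling" ]
    resources: [ "horizontalpodautoscalers" ]
    verbs:
      - list
      - watch
      - get
---
# Binds the custom role to the ActiveGate service account named on this page.
# Permissions from the default dynatrace-kubernetes-monitoring ClusterRole
# still apply, because RBAC bindings are additive.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dynatrace-kubernetes-monitoring-custom   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynatrace-kubernetes-monitoring-custom
subjects:
  - kind: ServiceAccount
    name: dynatrace-kubernetes-monitoring
    namespace: dynatrace
```

To check the result, `kubectl auth can-i list secrets --as=system:serviceaccount:dynatrace:dynatrace-kubernetes-monitoring --all-namespaces` reports the combined effect of every role bound to the service account.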