Install Operator in FIPS mode

How-to guide

The Dynatrace Operator supports FIPS mode in Kubernetes, enabling deployment in environments that require compliance with the Federal Information Processing Standards (FIPS). FIPS is a set of U.S. government standards used to ensure the security and integrity of cryptographic modules for sensitive data protection.

Prerequisites

Dynatrace Operator version 1.6.0 or later.
Dynatrace component images sourced from our supported public registries

FIPS support

The following table provides information on FIPS compliance across Dynatrace container images. FIPS-compliant images are consistantly tagged with a -fips suffix. For more details on repositories and tag information, explore our supported public registries.

Container image

FIPS-compliant image available

Dynatrace Operator

1.6+

Dynatrace ActiveGate

1.315+

Dynatrace OneAgent

1.321+

Dynatrace code modules

1.321+

Dynatrace log module

Not available

Dynatrace Kubernetes node config collector (KSPM)

Not available

Dynatrace OpenTelemetry Collector

Not available

EdgeConnect

Not available

Deployment

Deploy the Dynatrace Operator in FIPS mode

To deploy Dynatrace Operator in FIPS mode, a respective FIPS-compliant image of Dynatrace Operator must be used. FIPS-enabled images are tagged with a -fips suffix (for example, v1.7.0-fips).

For more details on repositories and tag information, explore our supported public registries.

You can specify the operator images for FIPS as shown in the following Helm command:

helm install dynatrace-operator oci://public.ecr.aws/dynatrace/dynatrace-operator \
  --version 1.7.0 \
  --set "imageRef.repository=public.ecr.aws/dynatrace/dynatrace-operator" \
  --set "imageRef.tag=v1.7.0-fips" \
  --create-namespace --namespace dynatrace \
  --atomic

Deploy Dynatrace components in FIPS mode

To deploy Dynatrace components in FIPS mode, a FIPS-compliant image must be used. The following DynaKube custom resource snippets outline the configuration of FIPS-compliant images across monitoring modes.

apiVersion: dynatrace.com/v1beta5
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<tenant-uid>.live.dynatrace.com/api

  activeGate:
    image: public.ecr.aws/dynatrace/dynatrace-activegate:1.321.25.20250822-083923-fips

    capabilities:
    - routing
    - kubernetes-monitoring

  oneAgent:
    cloudNativeFullStack:
      image: public.ecr.aws/dynatrace/dynatrace-oneagent:1.321.42.20250826-091609-fips
      codeModulesImage: public.ecr.aws/dynatrace/dynatrace-codemodules:1.321.42.20250826-091609-fips

  ...

apiVersion: dynatrace.com/v1beta5
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<tenant-uid>.live.dynatrace.com/api

  activeGate:
    image: public.ecr.aws/dynatrace/dynatrace-activegate:1.321.25.20250822-083923-fips

    capabilities:
    - routing
    - kubernetes-monitoring

  oneAgent:
    applicationMonitoring:
      codeModulesImage: public.ecr.aws/dynatrace/dynatrace-codemodules:1.321.42.20250826-091609-fips

  ...

apiVersion: dynatrace.com/v1beta5
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<tenant-uid>.live.dynatrace.com/api

  activeGate:
    image: public.ecr.aws/dynatrace/dynatrace-activegate:1.321.25.20250822-083923-fips

    capabilities:
    - routing
    - kubernetes-monitoring

  oneAgent:
    hostMonitoring:
      image: public.ecr.aws/dynatrace/dynatrace-oneagent:1.321.42.20250826-091609-fips
  ...

Please note that classic full-stack only works with images sourced from the Dynatrace built-in registry (i.e., no image specified in image fields).

apiVersion: dynatrace.com/v1beta5
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<tenant-uid>.live.dynatrace.com/api

  activeGate:
    image: public.ecr.aws/dynatrace/dynatrace-activegate:1.321.25.20250822-083923-fips

    capabilities:
    - routing
    - kubernetes-monitoring

  oneAgent:
    classicFullStack:
      args:
        - --set-fips-enabled=true

  ...