Install Operator in FIPS mode

    Dynatrace Operator version 1.6+

    The Dynatrace Operator supports FIPS mode in Kubernetes, enabling deployment in environments that require compliance with the Federal Information Processing Standards (FIPS). FIPS is a set of U.S. government standards used to ensure the security and integrity of cryptographic modules for sensitive data protection.

    Prerequisites

    • Dynatrace Operator version 1.6.0 or newer

    Limitations

    Note that the following configurations are temporarily not supported:

    • Cloud-native full-stack mode
    • Application monitoring mode

    With a future OneAgent release, FIPS mode will additionally become available for cloud-native full-stack and application monitoring mode.

    Deployment

    To deploy the Dynatrace Operator in FIPS mode, you must use a FIPS-compliant image of the Dynatrace Operator. FIPS-enabled images are tagged with a -fips suffix (e.g., v1.6.0-fips). For more details on repositories and tag information, explore our supported public registries.

    You can specify operator images for FIPS as shown in the following Helm command:

    helm install dynatrace-operator oci://public.ecr.aws/dynatrace/dynatrace-operator \
      --version 1.6.0 \
      --set "imageRef.repository=public.ecr.aws/dynatrace/dynatrace-operator" \
      --set "imageRef.tag=v1.6.0-fips" \
      --create-namespace --namespace dynatrace \
      --atomic

    To deploy the ActiveGate in FIPS mode, a FIPS-compliant image of the Dynatrace ActiveGate must be used. FIPS-enabled images are tagged with a -fips suffix (e.g., 1.315.25.20250527-232755-fips). For more details on repositories and tag information, explore our supported public registries.

    apiVersion: dynatrace.com/v1beta5
    kind: DynaKube
    metadata:
      name: dynakube
      namespace: dynatrace
    spec:
      apiUrl: https://<tenant-uid>.live.dynatrace.com/api
      tokens: dynakube
      activeGate:
        capabilities:
          - routing
          - kubernetes-monitoring
        image: "public.ecr.aws/dynatrace/dynatrace-activegate:1.315.25.20250527-232755-fips"
      ...

    classicFullStack | hostMonitoring [1]

    To deploy OneAgents in FIPS mode, set the --set-fips-enabled=true command line argument in the DynaKube:

    apiVersion: dynatrace.com/v1beta5
    kind: DynaKube
    metadata:
      name: dynakube
      namespace: dynatrace
    spec:
      apiUrl: https://<tenant-uid>.live.dynatrace.com/api
      tokens: dynakube
      oneAgent:
        classicFullStack:
          args:
            - --set-fips-enabled=true
      ...

    [1] Works only with images sourced from the Dynatrace built-in registry (i.e., no image specified in image fields).
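
The settings above can be checked together before or after a rollout. The following is an added example, not part of the Dynatrace documentation or the Operator's code: it audits the JSON form of a DynaKube for the -fips image tags, the --set-fips-enabled=true argument, the unsupported modes, and the built-in registry requirement. The names check_fips and image_tag are hypothetical, and it assumes that hostMonitoring takes the same args field as classicFullStack and that the registry footnote applies to both modes.

```python
import json

FIPS_ARG = "--set-fips-enabled=true"
UNSUPPORTED = ("cloudNativeFullStack", "applicationMonitoring")  # the Limitations list
SUPPORTED = ("classicFullStack", "hostMonitoring")  # assumption: same fields in both

def image_tag(ref):
    """Tag of an image reference, or '' when it is untagged or pinned by digest only."""
    last = ref.split("@", 1)[0].rsplit("/", 1)[-1]  # drop digest, then registry/path
    return last.split(":", 1)[1] if ":" in last else ""

def check_fips(dynakube, operator_image):
    """Return findings for a DynaKube dict; an empty list means every check passed."""
    findings = []
    if not image_tag(operator_image).endswith("-fips"):
        findings.append("operator image tag lacks -fips suffix")
    spec = dynakube.get("spec", {})
    ag = spec.get("activeGate")
    if ag is not None and not image_tag(ag.get("image") or "").endswith("-fips"):
        findings.append("activeGate.image tag lacks -fips suffix")
    one_agent = spec.get("oneAgent") or {}
    for mode in UNSUPPORTED:
        if mode in one_agent:
            findings.append(f"oneAgent.{mode} does not support FIPS mode yet")
    for mode in SUPPORTED:
        cfg = one_agent.get(mode)
        if cfg is None:
            continue
        if FIPS_ARG not in (cfg.get("args") or []):
            findings.append(f"oneAgent.{mode}.args lacks {FIPS_ARG}")
        if cfg.get("image"):  # footnote: FIPS needs the built-in registry image
            findings.append(f"oneAgent.{mode}.image is set; leave it empty for FIPS")
    return findings

# Constructed sample, shaped like `kubectl get dynakube dynakube -n dynatrace -o json`.
# The registry.example.internal image is a made-up value.
SAMPLE = json.loads("""
{"spec": {"activeGate": {"capabilities": ["routing"],
    "image": "public.ecr.aws/dynatrace/dynatrace-activegate:1.315.25.20250527-232755"},
  "oneAgent": {"classicFullStack": {"args": [],
    "image": "registry.example.internal/oneagent:1.0"}}}}
""")

if __name__ == "__main__":
    operator = "public.ecr.aws/dynatrace/dynatrace-operator:v1.6.0"
    for finding in check_fips(SAMPLE, operator):
        print("FAIL:", finding)
```

An image pinned by digest alone carries no tag, so the check reports it; confirm such images against the registry's tag listing instead.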