Configure Dynatrace in network-restricted environments with network configurations, proxy settings, and URL exclusions.
For details on setting up and managing network zones, initial endpoint setup, and advanced configurations in restricted environments, see Using network zones in Kubernetes.
For Kubernetes Platform Monitoring with Dynatrace, you might need to configure a proxy, which facilitates all outgoing connections for Dynatrace Operator components (such as csi-driver and operator), OneAgent, and ActiveGate.
Depending on your proxy configuration, especially regarding credentials, there are two options for configuring your proxy in a DynaKube:
Dynatrace Operator version 1.0.0+
The connection between OneAgent and Dynatrace code modules with ActiveGate will always bypass the proxy, ensuring direct communication for these components.
If you need to bypass the proxy for other reasons, see the next section.
To set the list of URLs to exclude from the proxy configuration, add the following annotation to the DynaKube custom resource.
apiVersion: dynatrace.com/v1beta2
kind: DynaKube
metadata:
  annotations:
    feature.dynatrace.com/no-proxy: "some.url.com,other.url.com"
Dynatrace Operator then excludes the listed URLs from the proxy settings. This exclusion applies specifically to Dynatrace Operator and the CSI driver. It doesn't affect the proxy settings for other components managed by Dynatrace Operator, such as OneAgent or ActiveGate.
To add trusted CA certificates to ActiveGate, OneAgent and/or Dynatrace Operator, the certificates must be provided via a Kubernetes ConfigMap referenced in your DynaKube configuration.
Create a ConfigMap (replace <ca-certificates> with the CA certificates to be trusted).
apiVersion: v1
kind: ConfigMap
metadata:
  name: mycaconfigmap
  namespace: dynatrace
data:
  certs: |
    <ca-certificates>
For example:
data:
  certs: |
    -----BEGIN CERTIFICATE-----
    <base64-encoded certificate data>
    -----END CERTIFICATE-----
Apply the ConfigMap to your cluster.
kubectl apply -f my-ca-configmap.yaml
In your DynaKube, reference the ConfigMap in the trustedCAs field.
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<activegate-host>:9999/e/<environment-id>/api
  trustedCAs: mycaconfigmap
Apply the DynaKube configuration to your cluster.
kubectl apply -f dynakube-config.yaml
skipCertCheck to bypass certificate verification
To ignore certificate verification for Dynatrace Operator components (operator and csi-driver), set skipCertCheck in your DynaKube configuration. This setting should only be used if the custom certificate authority is unknown or can't be provided to Dynatrace Operator via the trustedCAs field.
In Dynatrace Operator version 1.0.0 and earlier, the skipCertCheck setting was not applied during the image pulling process.
apiVersion: dynatrace.com/v1beta2
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<activegate-host>:9999/e/<environment-id>/api
  skipCertCheck: true
By default, ActiveGate uses a self-signed certificate, which can be replaced by a self-managed certificate as described in Custom SSL certificate for ActiveGate.
To configure a server TLS certificate for the ActiveGate:
Create the Kubernetes Opaque secret holding the ActiveGate certificate(s) and ActiveGate private key.
kubectl -n dynatrace create secret generic mytlssecret --from-file=server.p12=<myag.p12> --from-file=server.crt=<myag.crt> --from-literal=password=<mypassword>
Where:
server.crt – Dynatrace Operator propagates ActiveGate certificate(s) from the file to OneAgents.
server.p12 – ActiveGate certificate(s) and ActiveGate private key. ActiveGate reads the file and configures itself to use the provided private key and certificates.
password – ActiveGate reads it and uses it to decrypt the server.p12 file.
The server.p12 and server.crt files should contain the same certificate(s).
Provide the name of the secret via the tlsSecretName field.
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  ...
  activeGate:
    tlsSecretName: <mytlssecret>
    ...
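A review-time check for the settings covered on this page (skipCertCheck, trustedCAs, the no-proxy annotation, and tlsSecretName), as an added example that is not Dynatrace code. It assumes DynaKube objects already loaded as dictionaries, for example from the JSON output of `kubectl get dynakube -A -o json`; the function names, severity labels, and sample resources are constructed for illustration.

```python
NO_PROXY = "feature.dynatrace.com/no-proxy"  # annotation named on this page

def audit_dynakube(dk):
    """Return (severity, message) findings for one DynaKube object."""
    spec = dk.get("spec", {})
    notes = dk.get("metadata", {}).get("annotations") or {}
    out = []
    if spec.get("skipCertCheck") is True:
        if spec.get("trustedCAs"):
            out.append(("high", "skipCertCheck is true although trustedCAs "
                        f"'{spec['trustedCAs']}' is set; remove skipCertCheck"))
        else:
            out.append(("high", "skipCertCheck is true and no trustedCAs "
                        "ConfigMap is referenced"))
    # Every host listed here is reached without the proxy, so list it for review.
    hosts = [h.strip() for h in notes.get(NO_PROXY, "").split(",") if h.strip()]
    if hosts:
        out.append(("info", "Operator and CSI driver bypass the proxy for: "
                    + ", ".join(hosts)))
    ag = spec.get("activeGate")
    if ag is not None and not ag.get("tlsSecretName"):
        out.append(("low", "activeGate has no tlsSecretName; it uses the "
                    "default self-signed certificate"))
    return out

def audit_list(doc):
    """Map 'namespace/name' to findings for every item that has any."""
    report = {}
    for dk in doc.get("items", []):
        meta = dk.get("metadata", {})
        found = audit_dynakube(dk)
        if found:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = found
    return report

# Constructed sample, shaped like a parsed Kubernetes List of DynaKube objects.
SAMPLE = {"items": [
    {"metadata": {"name": "prod", "namespace": "dynatrace", "annotations": {
        NO_PROXY: "some.url.com,other.url.com"}},
     "spec": {"skipCertCheck": True, "trustedCAs": "mycaconfigmap",
              "activeGate": {"tlsSecretName": "mytlssecret"}}},
    {"metadata": {"name": "dev", "namespace": "dynatrace"},
     "spec": {"skipCertCheck": True, "activeGate": {}}},
    {"metadata": {"name": "ok", "namespace": "dynatrace"},
     "spec": {"trustedCAs": "mycaconfigmap",
              "activeGate": {"tlsSecretName": "mytlssecret"}}}]}

if __name__ == "__main__":
    for name, found in audit_list(SAMPLE).items():
        print(name, found)
```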