Enable AppArmor for enhanced security

• Latest Dynatrace
• 2-min read
• Updated on Mar 09, 2026

You can make Dynatrace Operator more secure by enabling AppArmor.

Enable AppArmor for Dynatrace Operator, Webhook, and CSI driver

Depending on whether you deployed Dynatrace Operator using Helm or by directly applying YAML manifests.

operator:
  podSecurityContext:
    appArmorProfile:
      type: RuntimeDefault

webhook:
  podSecurityContext:
    appArmorProfile:
      type: RuntimeDefault

csidriver:
  csiInit:
    securityContext:
      appArmorProfile:
        type: RuntimeDefault
  server:
    securityContext:
      appArmorProfile:
        type: RuntimeDefault
  provisioner:
    securityContext:
      appArmorProfile:
        type: RuntimeDefault
  registrar:
    securityContext:
      appArmorProfile:
        type: RuntimeDefault
  livenessprobe:
    securityContext:
      appArmorProfile:
        type: RuntimeDefault

Enable AppArmor for operator-deployed components

To enable AppArmor for components that are deployed by the Dynatrace Operator into monitored clusters, you need to opt in for each component separately.

ActiveGate

On Kubernetes 1.31+, AppArmor is configured via securityContext. On older clusters, an annotation is used instead. The Operator automatically selects the appropriate method based on the cluster version. To opt in, add the following annotation to your DynaKube:

apiVersion: dynatrace.com/v1beta6
kind: DynaKube
metadata:
  annotations:
    feature.dynatrace.com/activegate-apparmor: true

OneAgent

On Kubernetes 1.31+, the Operator automatically applies AppArmor via securityContext — no user action is required. On Kubernetes 1.30 and earlier, AppArmor for OneAgent is not automatically applied. To use a custom AppArmor profile on older clusters, see Enable a custom AppArmor profile for OneAgent.

EdgeConnect

To enable AppArmor for EdgeConnect, add the AppArmor annotation via the DynaKube spec.edgeConnect.annotations field:

apiVersion: dynatrace.com/v1beta6
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  edgeConnect:
    annotations:
      container.apparmor.security.beta.kubernetes.io/edge-connect: runtime/default

Enable a custom AppArmor profile for OneAgent

You can restrict the OneAgent access to a desired set of features. See below for how to enable a custom AppArmor profile and apply it to the OneAgent pods.

Create a custom OneAgent AppArmor profile

Install the profile on all worker nodes

Enforce the profile on all OneAgent pods

Create a custom OneAgent AppArmor profile

See Run OneAgent as a Docker container for details on how to create a custom AppArmor profile.

Install the profile on all worker nodes

OneAgent is deployed as a daemonset by default, which means pods that use the AppArmor profile will be used on every node. You therefore need to install the OneAgent AppArmor profile on all nodes.

Depending on the environment, this can be done in several ways, such as by using the kube-apparmor-manager or the security-profiles-operator. Please refer to the official documentation of these tools on how to apply them in your cluster.

Enforce the profile on all OneAgent pods

To enable AppArmor for all the OneAgent pods, add the container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent annotation to one of the following fields, depending on your deployment:

Example for cloudNativeFullStack deployment:

apiVersion: dynatrace.com/v1beta6
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://ENVIRONMENTID.live.dynatrace.com/api
  oneAgent:
    cloudNativeFullStack:
      annotations:
        container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent