Seccomp (secure computing mode) is a Linux kernel security feature that restricts the system calls a process is allowed to make. By applying a seccomp profile to a container, you limit which kernel-level operations it can perform, reducing the attack surface of your workloads. Kubernetes supports configuring seccomp profiles at both the pod and container level through the securityContext field, making it a key mechanism for meeting security standards such as the Kubernetes Pod Security Standards.
There are three seccomp profile types in Kubernetes:
- Unconfined: no seccomp filter is applied; this is also the effective behavior when no profile is set.
- RuntimeDefault: the container runtime's default profile is applied.
- Localhost: a profile from a JSON file on the node, located under the kubelet's seccomp profile root directory, is applied.
All Dynatrace Operator infrastructure components (operator, webhook, and CSI driver) and operator-deployed components (ActiveGate, EdgeConnect) use the RuntimeDefault seccomp profile. The exception is OneAgent, which is unconfined (no seccomp profile set). The RuntimeDefault profile is suitable for most workloads and satisfies the restricted Pod Security Standard.
The OneAgent runs without a seccomp profile (unconfined) by default. This default was chosen to ensure compatibility with the widest range of platforms and container runtimes, as the OneAgent requires access to a broader set of system calls for deep host-level monitoring.
Dynatrace Operator version 1.2.0+
If your security policies require a seccomp profile on the OneAgent, you can configure one using the secCompProfile field under the appropriate OneAgent mode in your DynaKube custom resource.
Limitation: The OneAgent seccomp profile is always applied with the type Localhost. This means you must provide a custom seccomp profile JSON file on each node—you cannot set the type to RuntimeDefault or Unconfined through this field.
apiVersion: dynatrace.com/v1beta6
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  oneAgent:
    cloudNativeFullStack:
      secCompProfile: "my-seccomp-profile.json"
The Localhost type requires that the seccomp profile JSON file is present on the node's local filesystem, under the kubelet's configured seccomp profile root directory (by default /var/lib/kubelet/seccomp/). For the example above, the profile file must be located at /var/lib/kubelet/seccomp/my-seccomp-profile.json on every node where the OneAgent is scheduled.
To learn how to create and manage Localhost seccomp profiles, refer to the Kubernetes documentation:
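Because a Localhost profile is only as good as the JSON file you place on each node, it is worth checking the file before distributing it. The following script is an added example, not Dynatrace Operator code: it validates the shape of a seccomp profile JSON (the defaultAction, architectures and syscalls fields defined by the OCI runtime spec), flags a profile whose default action allows everything, and computes the node path a given secCompProfile name resolves to under the kubelet's seccomp root, rejecting names that would escape that directory. The sample profile and the kubelet root are constructed assumptions, not values taken from a real deployment.

```python
"""Sanity-check a Localhost seccomp profile before copying it to nodes.

Added example (not Dynatrace code). Validates the structure of a
seccomp profile JSON as consumed by the kubelet/container runtime and
resolves where the file must live on each node.
"""
import json
import posixpath

# Actions defined by the OCI runtime spec / libseccomp.
VALID_ACTIONS = {
    "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_KILL_THREAD",
    "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE",
    "SCMP_ACT_LOG", "SCMP_ACT_ALLOW", "SCMP_ACT_NOTIFY",
}
# Kubelet default; adjust if your kubelet is configured differently (assumption).
DEFAULT_SECCOMP_ROOT = "/var/lib/kubelet/seccomp"

# Constructed sample profile: deny by default, allow a handful of syscalls.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["openat", "close", "fstat"], "action": "SCMP_ACT_ALLOW"},
    ],
})


def node_profile_path(profile_name, seccomp_root=DEFAULT_SECCOMP_ROOT):
    """Return the absolute node path for a Localhost profile name, or None
    if the name is empty, absolute, or would escape the seccomp root."""
    root = posixpath.normpath(seccomp_root)
    if not profile_name or profile_name.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, profile_name))
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def validate_profile(profile_json):
    """Return a list of findings; an empty list means the profile looks sane."""
    findings = []
    try:
        profile = json.loads(profile_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(profile, dict):
        return ["top-level value must be a JSON object"]

    default_action = profile.get("defaultAction")
    if default_action not in VALID_ACTIONS:
        findings.append(f"unknown defaultAction {default_action!r}")
    elif default_action == "SCMP_ACT_ALLOW":
        findings.append("defaultAction is SCMP_ACT_ALLOW: profile is a denylist, not an allowlist")

    if not profile.get("architectures"):
        findings.append("no architectures listed; profile may not match the node's ABI")

    seen = {}  # syscall name -> first action assigned to it
    for idx, rule in enumerate(profile.get("syscalls", [])):
        if not isinstance(rule, dict):
            findings.append(f"syscalls[{idx}]: rule must be an object")
            continue
        names = rule.get("names")
        action = rule.get("action")
        if not isinstance(names, list) or not names:
            findings.append(f"syscalls[{idx}]: 'names' must be a non-empty list")
            continue
        if action not in VALID_ACTIONS:
            findings.append(f"syscalls[{idx}]: unknown action {action!r}")
        for name in names:
            if name in seen and seen[name] != action:
                findings.append(f"syscall {name!r} has conflicting actions {seen[name]} and {action}")
            seen.setdefault(name, action)
    return findings


if __name__ == "__main__":
    print("node path:", node_profile_path("my-seccomp-profile.json"))
    print("findings:", validate_profile(SAMPLE_PROFILE) or "none")
```

Run it against the real profile file (read its contents into validate_profile) and the exact secCompProfile value from your DynaKube; a None result from node_profile_path means the name cannot map to a file inside the kubelet's seccomp root and the kubelet will not be able to load it.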
Dynatrace Operator version 0.11.2+
The seccomp profile for the Dynatrace init container (used for code module injection) is controlled by the feature.dynatrace.com/init-container-seccomp-profile feature flag.
Starting with Dynatrace Operator version 1.9.0, the default value of this feature flag changed from "false" to "true". This means the init container now has the RuntimeDefault seccomp profile applied by default, helping meet the requirements of the restricted Pod Security Standard for your monitored Kubernetes workloads.
If you are running Dynatrace Operator version 0.11.2 through 1.8.x, you must explicitly enable this feature flag to apply the RuntimeDefault profile:
apiVersion: dynatrace.com/v1beta6
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
  annotations:
    feature.dynatrace.com/init-container-seccomp-profile: "true"
To disable the seccomp profile on the init container (on any version), set the feature flag to "false":
apiVersion: dynatrace.com/v1beta6
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
  annotations:
    feature.dynatrace.com/init-container-seccomp-profile: "false"
When set to "false", the init container will not have a seccomp profile set, and the default behavior of your container runtime will be used instead.
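To verify what a monitored pod actually ends up with, you need to resolve the precedence rules described at the top of this page: a container-level securityContext.seccompProfile overrides the pod-level one, and a container with neither runs unconfined. The following script is an added example, not Dynatrace Operator code. It walks a pod manifest (init containers included), reports each container's effective seccomp type, and lists the containers that would fail the restricted Pod Security Standard, which requires the type to be RuntimeDefault or Localhost. The pod manifest is constructed to mirror the two cases on this page (an init container with RuntimeDefault and a main container with a Localhost profile); its container names are placeholders, not real Dynatrace object names.

```python
"""Resolve the effective seccomp profile of every container in a pod.

Added example, not Dynatrace Operator code. Feed it the output of
`kubectl get pod <name> -o json` (parsed with json.loads) to audit a
real pod; the manifest below is constructed for illustration.
"""

# Types accepted by the restricted Pod Security Standard.
RESTRICTED_OK = {"RuntimeDefault", "Localhost"}

# Constructed manifest; container names are placeholders.
SAMPLE_POD = {
    "metadata": {"name": "example-app"},
    "spec": {
        "securityContext": {},  # no pod-level seccomp profile
        "initContainers": [
            {"name": "install-oneagent",
             "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
        ],
        "containers": [
            {"name": "app"},  # nothing set anywhere -> effectively Unconfined
            {"name": "oneagent",
             "securityContext": {"seccompProfile": {
                 "type": "Localhost",
                 "localhostProfile": "my-seccomp-profile.json"}}},
        ],
    },
}


def _profile_of(security_context):
    """Extract the seccompProfile object from a securityContext, if any."""
    return (security_context or {}).get("seccompProfile")


def effective_seccomp(pod):
    """Map container name -> (type, localhostProfile) after precedence is applied.

    Container-level settings win over pod-level ones; when neither is set the
    kernel applies no filter, which is reported here as 'Unconfined'.
    """
    spec = pod.get("spec", {})
    pod_profile = _profile_of(spec.get("securityContext"))
    result = {}
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        profile = _profile_of(container.get("securityContext")) or pod_profile
        if profile is None:
            result[container["name"]] = ("Unconfined", None)
        else:
            result[container["name"]] = (profile.get("type"), profile.get("localhostProfile"))
    return result


def audit_restricted(pod):
    """Return one finding per container that would fail the restricted PSS."""
    findings = []
    for name, (ptype, local_name) in effective_seccomp(pod).items():
        if ptype not in RESTRICTED_OK:
            findings.append(f"{name}: seccomp type {ptype} not allowed by restricted PSS")
        elif ptype == "Localhost" and not local_name:
            findings.append(f"{name}: Localhost profile without localhostProfile name")
    return findings


if __name__ == "__main__":
    for name, (ptype, local_name) in effective_seccomp(SAMPLE_POD).items():
        print(f"{name}: {ptype}" + (f" ({local_name})" if local_name else ""))
    print("findings:", audit_restricted(SAMPLE_POD) or "none")
```

With the feature flag set to "false" the init container would show up as Unconfined in this report and be listed as a finding; with the flag enabled (the default from Operator version 1.9.0) it reports RuntimeDefault and passes.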