To ensure Dynatrace Operator components work correctly in a Kubernetes cluster, they need to be able to communicate with both the Dynatrace Cluster and the Kubernetes cluster.
Dynatrace Operator components are accessible through specific ports and access various resources inside and outside the Kubernetes cluster. For more details on which resources are accessed within the Kubernetes cluster, see the Operator RBAC permissions reference page.
| Source | Destination | Port | Note |
|---|---|---|---|
| kubelet | Dynatrace Operator | | Liveness probe ¹ |
| Prometheus metrics scraper (Optional) | Dynatrace Operator | | Metrics address ² |
| kubelet | Dynatrace Webhook | | Liveness/Readiness probe ¹ |
| kube-apiserver | Dynatrace Webhook | | Dynamic Admission Controller |
| Prometheus metrics scraper (Optional) | Dynatrace Webhook | | Metrics address ² |
| kubelet | Dynatrace Operator CSI driver | | Liveness probe ¹ |
| kubelet | Dynatrace Operator CSI driver | | Liveness probe ¹ |
| Prometheus metrics scraper (Optional) | Dynatrace Operator CSI driver | | Metrics address ² |
| Prometheus metrics scraper (Optional) | Dynatrace Operator CSI driver | | Metrics address ² |
| kubelet | ActiveGate | | Readiness probe ¹ |
| kubelet | Extension Execution Controller | | Readiness probe ¹ |
| Application pods | ActiveGate | | Default |
| Application pods | ActiveGate | | Default |
| Application pods | Dynatrace Collector | | |
| kubelet | SQL Extension Executor container | | Liveness probe ¹ |
| kubelet | SQL Extension Executor container | | Readiness probe ¹ |
Liveness probes are used by Kubernetes to verify the container is running properly. If the request fails, the container will be restarted. Readiness probes are used by Kubernetes to verify the Pod is ready to accept traffic.
Metrics endpoints emit additional metrics in Prometheus format.
No ingress traffic is accepted for EdgeConnect and OneAgent.
Dynatrace Operator components have to access both the Kubernetes cluster and resources outside the cluster to function properly. All resources in the Dynatrace Operator namespace (default: dynatrace) need to be able to resolve DNS requests.
Depending on your setup, the default port may be different from TCP 443.
| Source | Destination | Port | Note |
|---|---|---|---|
| | kube-dns | | Host name resolution for service discovery |
| Dynatrace Operator | Dynatrace server | | Server-side configuration ² |
| Dynatrace Operator | kube-apiserver | | Lifecycle management of components |
| Dynatrace Webhook | kube-apiserver | | Mutating/Validating/Conversion requests |
| Dynatrace Operator CSI driver | Dynatrace server | | Default location for code module binaries ² |
| Dynatrace Operator CSI driver | kube-apiserver | | CSI volume handling |
| Dynatrace Operator CSI driver | private registry | | (Optional) Communication with private registry to access code modules ³ |
| ActiveGate | Communication endpoints ⁴ | | Observability information ² |
| ActiveGate | kube-apiserver | | Collect resources |
| ActiveGate | Application Pods | Prometheus Exporter port ¹ | Collect metrics |
| OneAgent | Communication endpoints ⁴ | | Observability information ² |
| EdgeConnect | Dynatrace server | | Server-side configuration ² |
| EdgeConnect | kube-apiserver | | (Optional) Workflow interactions ⁵ |
| Extension Execution Controller | ActiveGate | | Extension configuration and telemetry data ² |
Depending on your setup, the port may differ from the default.
Communication with hosts must be allowed as configured in DynaKube (apiUrl) or EdgeConnect (apiServer) custom resources. Different communication endpoints may be used as fallback to ensure proper connection.
Only required when codeModulesImage field is used.
Only required when Kubernetes Automation is enabled.
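
As an added illustration (not part of the Dynatrace documentation), the DNS, in-namespace and TCP 443 egress requirements above can be written as a Kubernetes NetworkPolicy for the dynatrace namespace. The policy name, the kube-dns selector labels and the placeholder CIDR are assumptions; destinations whose port is not stated on this page are left as comments.

```yaml
# Added example: least-privilege egress for the Operator namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dynatrace-egress-example      # hypothetical name
  namespace: dynatrace                # default Operator namespace
spec:
  podSelector: {}                     # applies to every pod in the namespace
  policyTypes:
    - Egress                          # ingress is not restricted by this policy
  egress:
    # Host name resolution: all pods must reach kube-dns.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system  # assumption: DNS runs here
          podSelector:
            matchLabels:
              k8s-app: kube-dns       # assumption: conventional kube-dns/CoreDNS label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # In-namespace traffic, e.g. Extension Execution Controller -> ActiveGate.
    - to:
        - podSelector: {}
    # Dynatrace server / communication endpoints (apiUrl, apiServer hosts).
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24      # placeholder range: replace with the real addresses
      ports:
        - protocol: TCP
          port: 443                   # change if your setup does not use TCP 443
    # Not covered here; add rules matching your cluster before enforcing:
    #   - kube-apiserver (Operator, Webhook, CSI driver, ActiveGate, EdgeConnect)
    #   - private registry (only when codeModulesImage is used)
    #   - ActiveGate -> application pods on their Prometheus exporter port
```

Because the policy selects every pod for egress, any destination not listed is dropped once a network plugin enforces it, so the commented-out rows must be filled in first. NetworkPolicy matches IP ranges rather than host names, which is why the Dynatrace endpoints appear as a CIDR placeholder.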