Kubernetes observability relies on components with different purposes, default configurations, and permissions. Each of these components needs permissions to perform and maintain the operational functions of Dynatrace within your cluster.
While Dynatrace permissions adhere to the principle of least privilege, make sure to secure the dynatrace namespace and limit access to a closed group of administrators and operators.
Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.
Default configuration: 1-replica-per-cluster
RBAC objects:
dynatrace-operator
dynatrace-operator
dynatrace-operator
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
nodes | "" | Get/List/Watch | |
namespaces | "" | Get/List/Watch/Update | |
secrets | "" | Create | |
secrets | "" | Get/Update/Delete/List | dynatrace-bootstrapper-config dynatrace-dynakube-config dynatrace-metadata-enrichment-endpoint |
mutatingwebhookconfigurations | admissionregistration.k8s.io | Get/Update | dynatrace-webhook |
validatingwebhookconfigurations | admissionregistration.k8s.io | Get/Update | dynatrace-webhook |
customresourcedefinitions | apiextensions.k8s.io | Get/Update | dynakubes.dynatrace.com edgeconnects.dynatrace.com |
securitycontextconstraints | security.openshift.io | Use | privileged nonroot-v2 |
Permissions in the dynatrace namespace
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
dynakubes | dynatrace.com | Get/List/Watch/Update | |
edgeconnects | dynatrace.com | Get/List/Watch/Update | |
dynakubes/finalizers | dynatrace.com | Update | |
edgeconnects/finalizers | dynatrace.com | Update | |
dynakubes/status | dynatrace.com | Update | |
edgeconnects/status | dynatrace.com | Update | |
statefulsets | apps | Get/List/Watch/Create/Update/Delete | |
daemonsets | apps | Get/List/Watch/Create/Update/Delete | |
replicasets | apps | Get/List/Watch/Create/Update/Delete | |
deployments | apps | Get/List/Watch/Create/Update/Delete | |
deployments/finalizers | apps | Update | |
configmaps | "" | Get/List/Watch/Create/Update/Delete | |
pods | "" | Get/List/Watch | |
secrets | "" | Get/List/Watch/Create/Update/Delete | |
events | "" | Create/Get/List | |
services | "" | Create/Update/Delete/Get/List/Watch | |
serviceentries | networking.istio.io | Get/List/Create/Update/Delete | |
virtualservices | networking.istio.io | Get/List/Create/Update/Delete | |
leases | coordination.k8s.io | Get/Update/Create | |
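As an added example (not code from this page or from the Dynatrace Operator project), the following Python check compares a ClusterRole, as returned by `kubectl get clusterrole dynatrace-operator -o json`, against the operator's cluster-scoped rules documented above (nodes, namespaces, secrets, webhook configurations, CRDs and SCCs) and reports every verb, wildcard, or missing resource-name restriction the documentation does not cover. The ClusterRole JSON is a constructed sample with deliberate drift; swapping the DOCUMENTED list lets the same check audit any other permission table on this page.

```python
import json

# Documented cluster-wide rules: (API group, resource, verbs, resource names or None if unrestricted).
DOCUMENTED = [
    ("", "nodes", {"get", "list", "watch"}, None),
    ("", "namespaces", {"get", "list", "watch", "update"}, None),
    ("", "secrets", {"create"}, None),
    ("", "secrets", {"get", "update", "delete", "list"},
     {"dynatrace-bootstrapper-config", "dynatrace-dynakube-config",
      "dynatrace-metadata-enrichment-endpoint"}),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations", {"get", "update"},
     {"dynatrace-webhook"}),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations", {"get", "update"},
     {"dynatrace-webhook"}),
    ("apiextensions.k8s.io", "customresourcedefinitions", {"get", "update"},
     {"dynakubes.dynatrace.com", "edgeconnects.dynatrace.com"}),
    ("security.openshift.io", "securitycontextconstraints", {"use"},
     {"privileged", "nonroot-v2"}),
]

def _covered(group, resource, verb, names):
    """True if a documented rule grants this verb; a rule without resourceNames needs an unrestricted one."""
    for g, r, verbs, allowed in DOCUMENTED:
        if (g, r) == (group, resource) and verb in verbs:
            if allowed is None or (names is not None and names <= allowed):
                return True
    return False

def excess_permissions(clusterrole):
    """Sorted (group, resource, verb) triples granted beyond the documented set; wildcards never match."""
    excess = set()
    for rule in clusterrole.get("rules", []):
        names = set(rule.get("resourceNames", [])) or None
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if not _covered(group, resource, verb.lower(), names):
                        excess.add((group, resource, verb))
    return sorted(excess)

# Constructed sample: extra "delete" on nodes, and get/list on secrets without the documented resourceNames.
SAMPLE = json.loads("""{"kind": "ClusterRole", "metadata": {"name": "dynatrace-operator"}, "rules": [
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch", "delete"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "get", "list"]},
  {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
   "resourceNames": ["privileged", "nonroot-v2"], "verbs": ["use"]}]}""")

if __name__ == "__main__":
    for group, resource, verb in excess_permissions(SAMPLE):
        print(f"undocumented: {verb} {resource} ({group or 'core'})")
```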
Purposes:
Default configuration: 1-replica-per-cluster, can be scaled
RBAC objects:
dynatrace-webhook
dynatrace-webhook
dynatrace-webhook
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
namespaces | "" | Get/List/Watch/Update | |
secrets | "" | Create | |
secrets | "" | Get/List/Watch/Update | dynatrace-dynakube-config dynatrace-bootstrapper-config dynatrace-metadata-enrichment-endpoint |
replicationcontrollers | "" | Get | |
replicasets | apps | Get | |
statefulsets | apps | Get | |
daemonsets | apps | Get | |
deployments | apps | Get | |
jobs | batch | Get | |
cronjobs | batch | Get | |
deploymentconfigs | apps.openshift.io | Get | |
securitycontextconstraints | security.openshift.io | Use | privileged nonroot-v2 |
Permissions in the dynatrace namespace
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
events | "" | Create/Patch | |
secrets | "" | Get/List/Watch | |
pods | "" | Get/List/Watch | |
configmaps | "" | Get/List/Watch | |
dynakubes | dynatrace.com | Get/List/Watch | |
Purpose:
For applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.
For hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.
For cloudNativeFullStack, it provides both of the above.
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-oneagent-csi-driver
dynatrace-oneagent-csi-driver
dynatrace-oneagent-csi-driver
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
securitycontextconstraints | security.openshift.io | Use | privileged |
Permissions in the dynatrace namespace
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
dynakubes | dynatrace.com | Get/List/Watch | |
secrets | "" | Get/List/Watch | |
configmaps | "" | Get/List/Watch | |
dynakubes/finalizers | dynatrace.com | Update | |
jobs | batch | Get/List/Create/Delete/Watch | |
events | "" | Create/Patch | |
Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.
Default configuration: 1-replica-per-cluster, can be scaled
RBAC objects:
dynatrace-kubernetes-monitoring
dynatrace-kubernetes-monitoring
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
nodes | "" | List/Watch/Get | |
pods | "" | List/Watch/Get | |
namespaces | "" | List/Watch/Get | |
replicationcontrollers | "" | List/Watch/Get | |
events | "" | List/Watch/Get | |
resourcequotas | "" | List/Watch/Get | |
pods/proxy | "" | List/Watch/Get | |
nodes/proxy | "" | List/Watch/Get | |
nodes/metrics | "" | List/Watch/Get | |
services | "" | List/Watch/Get | |
persistentvolumeclaims | "" | List/Watch/Get | |
persistentvolumes | "" | List/Watch/Get | |
jobs | batch | List/Watch/Get | |
cronjobs | batch | List/Watch/Get | |
deployments | apps | List/Watch/Get | |
replicasets | apps | List/Watch/Get | |
statefulsets | apps | List/Watch/Get | |
daemonsets | apps | List/Watch/Get | |
deploymentconfigs | apps.openshift.io | List/Watch/Get | |
clusterversions | config.openshift.io | List/Watch/Get | |
dynakubes | dynatrace.com | List/Watch/Get | |
edgeconnects | dynatrace.com | List/Watch/Get | |
customresourcedefinitions | apiextensions.k8s.io | List/Watch/Get | |
ingresses | networking.k8s.io | List/Watch/Get | |
networkpolicies | networking.k8s.io | List/Watch/Get | |
securitycontextconstraints | security.openshift.io | Use | privileged nonroot-v2 |
Purposes: Kubernetes Security Posture Management detects, analyzes, and continuously monitors Kubernetes for misconfigurations, deviations from security hardening guidelines, and potential compliance violations.
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-node-config-collector
dynatrace-kubernetes-monitoring-kspm
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
events | "" | Get/List/Watch | |
namespaces | "" | Get/List/Watch | |
nodes | "" | Get/List/Watch | |
nodes/metrics | "" | Get/List/Watch | |
nodes/proxy | "" | Get/List/Watch | |
pods | "" | Get/List/Watch | |
pods/proxy | "" | Get/List/Watch | |
replicationcontrollers | "" | Get/List/Watch | |
resourcequotas | "" | Get/List/Watch | |
serviceaccounts | "" | Get/List/Watch | |
services | "" | Get/List/Watch | |
cronjobs | batch | Get/List/Watch | |
jobs | batch | Get/List/Watch | |
daemonsets | apps | Get/List/Watch | |
deployments | apps | Get/List/Watch | |
replicasets | apps | Get/List/Watch | |
statefulsets | apps | Get/List/Watch | |
networkpolicies | networking.k8s.io | Get/List/Watch | |
clusterrolebindings | rbac.authorization.k8s.io | Get/List/Watch | |
clusterroles | rbac.authorization.k8s.io | Get/List/Watch | |
rolebindings | rbac.authorization.k8s.io | Get/List/Watch | |
roles | rbac.authorization.k8s.io | Get/List/Watch | |
Purposes:
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-dynakube-oneagent
dynatrace-dynakube-oneagent
dynatrace-logmonitoring
Policy settings: allows HostNetwork, HostPID, and the use of any volume types.
Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
nodes/proxy | "" | Get | |
securitycontextconstraints | security.openshift.io | Use | privileged |
Purposes:
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-logmonitoring
dynatrace-logmonitoring
Log monitoring requires the same cluster-wide permissions as OneAgent.
Purposes:
Resources accessed | API group | APIs used | Resource names |
---|---|---|---|
pods | "" | Get/Watch/List | |
namespaces | "" | Get/Watch/List | |
nodes | "" | Get/Watch/List | |
replicasets | apps | Get/List/Watch | |
securitycontextconstraints | security.openshift.io | Use | privileged |
The following table presents a detailed analysis of the security controls for Kubernetes components: Dynatrace Operator, Dynatrace Operator webhook, and Dynatrace Operator CSI driver. This report is based on the standards referenced in the Standard column; the numbers in parentheses refer to the notes below the table.
Security Control | Standard (*) | Dynatrace Operator | Webhook | CSI driver |
---|---|---|---|---|
Disallow privileged containers | CIS (1) 5.2.2 / PSSB (2) | Satisfied | Satisfied | Required (5) |
Disallow privilege escalation | CIS (1) 5.2.6 / PSSR (3) | Satisfied | Satisfied | Required (5) |
Disallow containers running as root | CIS (1) 5.2.7 / PSSR (3) | Satisfied | Satisfied | Required (6) |
Disallow usage of too many or insecure capabilities | CIS (1) 5.2.8 / 5.2.9 / 5.2.10 / PSSR (3) | Satisfied | Satisfied | Satisfied |
Disallow usage of HostPath volumes | CIS (1) 5.2.12 / PSSB (2) | Satisfied | Satisfied | Required (7) |
Disallow usage of HostPorts | CIS (1) 5.2.13 / PSSB (2) | Satisfied | Satisfied | Satisfied |
Disallow access to host network | CIS (1) 5.2.5 / PSSB (2) | Satisfied | Satisfied | Satisfied |
Disallow usage of host PID | CIS (1) 5.2.3 / PSSB (2) | Satisfied | Satisfied | Satisfied |
Disallow usage of host IPC | CIS (1) 5.2.4 / PSSB (2) | Satisfied | Satisfied | Satisfied |
Require readOnlyRootFilesystem | Best practice | Satisfied | Satisfied | Satisfied |
Require Resource limits | Best practice | Satisfied | Satisfied | Satisfied |
Demand seccomp to be used (at least default/runtime) | CIS (1) 5.7.2 / PSSR (3) | Satisfied | Satisfied | Satisfied |
Disallow Secrets mounted as env variable | CIS (1) 5.4.1 | Satisfied | Satisfied | Satisfied |
Restrict sysctls | PSSB (2) | Satisfied | Satisfied | Satisfied |
Restrict AppArmor | PSSB (2) | Satisfied | Satisfied | Satisfied |
Disallow SELinux | PSSB (2) | Satisfied | Satisfied | Required (8) |
Restrict automounting of service account token | CIS (1) 5.1.6 | Required (4) | Required (4) | Required (4) |
/proc Mount Type | PSSB (2) | Satisfied | Satisfied | Satisfied |
Standard (*): (1) CIS Kubernetes Benchmark; (2) Pod Security Standards, Baseline profile (PSSB); (3) Pod Security Standards, Restricted profile (PSSR).
General:
(4) The component needs to communicate with the Kubernetes API.
CSI:
(5) The CSI driver requires elevated permissions to create and manage mounts on the host system. For more details, see CSI driver privileges.
(6) The CSI driver communicates with the kubelet using a socket on the host; to access this socket, the CSI driver needs to run as root.
(7) The CSI driver stores and caches the OneAgent binaries on the host's filesystem, which requires a hostVolume mount.
(8) The CSI driver needs SELinux level s0 so that the application pods can see files from the volume created by the CSI driver.
The following table presents a detailed analysis of the security controls for Kubernetes components managed by Dynatrace Operator: ActiveGate, OneAgent (CloudNative), LogAgent. This report is based on the standards referenced in the Standard column; the numbers in parentheses refer to the notes below the table.
Security Control | Standard (*) | ActiveGate | OneAgent CloudNative | OneAgent Log Module |
---|---|---|---|---|
Disallow privileged containers | CIS (1) 5.2.2 / PSSB (2) | Satisfied | Satisfied | Required (15) |
Disallow privilege escalation | CIS (1) 5.2.6 / PSSR (3) | Satisfied | Required (6) | Required (16) |
Disallow containers running as root | CIS (1) 5.2.7 / PSSR (3) | Satisfied | Satisfied | Satisfied |
Disallow usage of too many or insecure capabilities | CIS (1) 5.2.8 / 5.2.9 / 5.2.10 / PSSR (3) | Satisfied | Required (7) | Required (17) |
Disallow usage of HostPath volumes | CIS (1) 5.2.12 / PSSB (2) | Satisfied | Required (8) | Required (18) |
Disallow usage of HostPorts | CIS (1) 5.2.13 / PSSB (2) | Satisfied | Satisfied | Satisfied |
Disallow access to host network | CIS (1) 5.2.5 / PSSB (2) | Satisfied | Required (9) | Satisfied |
Disallow usage of host PID | CIS (1) 5.2.3 / PSSB (2) | Satisfied | Required (10) | Satisfied |
Disallow usage of host IPC | CIS (1) 5.2.4 / PSSB (2) | Satisfied | Satisfied | Satisfied |
Require readOnlyRootFilesystem | Best practice | Satisfied | Satisfied | Satisfied |
Require Resource limits | Best practice | Configurable (5) | Configurable (11) | Configurable (19) |
Demand seccomp to be used (at least default/runtime) | CIS (1) 5.7.2 / PSSR (3) | Satisfied | Required (12) | Required (20) |
Disallow Secrets mounted as env variable | CIS (1) 5.4.1 | Satisfied | Satisfied | Satisfied |
Restrict sysctls | PSSB (2) | Satisfied | Satisfied | Satisfied |
Restrict AppArmor | PSSB (2) | Satisfied | Required (13) | Satisfied |
Disallow SELinux | PSSB (2) | Satisfied | Satisfied | Satisfied |
Restrict automounting of service account token | CIS (1) 5.1.6 | Required (4) | Configurable (14) | Required (4) |
/proc Mount Type | PSSB (2) | Satisfied | Satisfied | Satisfied |
Standard (*): (1) CIS Kubernetes Benchmark; (2) Pod Security Standards, Baseline profile (PSSB); (3) Pod Security Standards, Restricted profile (PSSR).
General:
(4) The component needs to communicate with the Kubernetes API.
ActiveGate:
(5) The limits are highly dependent on the amount of data processed. They can be set via DynaKube.
OneAgent:
(6) Privilege escalation is needed for processes inside the OneAgent container to get Linux capabilities.
(7) Monitoring actions executed by OneAgent processes need the capabilities listed above.
(8) The mounted host root filesystem is accessed by all OneAgent modules and allows for log file access, disk metrics, and other host and process monitoring capabilities.
(9) OneAgent needs access to the host network namespace to provide host-level and process-level network health monitoring.
(10) OneAgent needs access to the host process table to collect performance metrics for all processes running on the host.
(11) The limits are highly dependent on the amount of data processed. They can be set via DynaKube.
(12) OneAgent needs access to kernel syscalls beyond the RuntimeDefault set for monitoring purposes.
(13) OneAgent needs access to the mount command, which is blocked by the default AppArmor profile.
(14) The OneAgent component needs to communicate with the kubelet /pods endpoint. The K8s token is not mounted to the Pod if LogMonitoring is turned off via Helm values.
OneAgent Log Module:
(15) LogAgent needs to run as a privileged container on an OCP cluster to access its persistent storage; OCP persistent storage uses hostPath.
(16) AllowPrivilegeEscalation is always true when the container runs as privileged (see the Kubernetes documentation "Configure a Security Context for a Pod or Container").
(17) LogAgent needs an additional capability to get access to all monitored log files.
(18) LogAgent needs access to log files on the host's filesystem.
(19) The limits are highly dependent on the amount of data processed. They can be set via DynaKube.
(20) The seccomp profile can be set via DynaKube in order to run in secure computing mode.
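The two security-control tables above can be turned into an audit: the following Python, added here as an example and not code from this page or the Dynatrace Operator project, evaluates a Pod spec (as returned by `kubectl get pod ... -o json`) against the table's control rows and subtracts the controls the page documents as "Required" for that component, so only undocumented drift is reported. The Pod below is a constructed CSI-driver-like sample; the hostPath path is a placeholder and the hostNetwork setting is deliberate drift, since the table lists host network as Satisfied for the CSI driver.

```python
# Security-control checks mirroring the table rows; merges pod- and container-level securityContext.
def violated_controls(pod):
    """Return the set of security controls (table rows above) the Pod does not satisfy."""
    spec = pod["spec"]
    checks = [
        ("host network", spec.get("hostNetwork")),
        ("host PID", spec.get("hostPID")),
        ("host IPC", spec.get("hostIPC")),
        ("service account token automount", spec.get("automountServiceAccountToken", True)),
        ("HostPath volumes", any("hostPath" in v for v in spec.get("volumes", []))),
    ]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container settings override pod-level ones
        checks += [
            ("privileged containers", sc.get("privileged")),
            ("privilege escalation", sc.get("allowPrivilegeEscalation", True)),  # true unless set
            ("running as root", not sc.get("runAsNonRoot") or sc.get("runAsUser") == 0),
            ("readOnlyRootFilesystem", not sc.get("readOnlyRootFilesystem")),
            ("seccomp", sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost")),
            ("capabilities", bool(sc.get("capabilities", {}).get("add"))),
            ("SELinux", bool(sc.get("seLinuxOptions"))),
            ("HostPorts", any(p.get("hostPort") for p in c.get("ports", []))),
            ("resource limits", not c.get("resources", {}).get("limits")),
            ("secrets as env variables", any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", []))),
        ]
    return {name for name, failed in checks if failed}

# Controls the first table marks "Required" for the CSI driver (notes 4 to 8).
CSI_DRIVER_REQUIRED = {"privileged containers", "privilege escalation", "running as root",
                       "HostPath volumes", "SELinux", "service account token automount"}

def unexpected_violations(pod, documented_required):
    """Violations not covered by the documented exceptions for that component."""
    return violated_controls(pod) - documented_required

# Constructed CSI-driver-like Pod; hostNetwork is deliberate drift and the hostPath path is a placeholder.
SAMPLE_POD = {"spec": {
    "hostNetwork": True,
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "data", "hostPath": {"path": "/PLACEHOLDER/csi-data"}}],
    "containers": [{"name": "server",
        "securityContext": {"privileged": True, "runAsUser": 0, "readOnlyRootFilesystem": True,
                            "seLinuxOptions": {"level": "s0"}},
        "resources": {"limits": {"cpu": "300m", "memory": "100Mi"}}}]}}
```

Running `unexpected_violations(SAMPLE_POD, CSI_DRIVER_REQUIRED)` reports only the host network drift; the documented privileged, root, hostPath, SELinux and token exceptions are accepted.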
These permissions used to be managed using a PodSecurityPolicy (PSP), but with Kubernetes version 1.25 removing PSPs, they are no longer applied for the following components:
Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:
If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.
Dynatrace Operator version 0.12.0+
Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.
Despite this update, the components maintain the same permissions and security requirements as before.
The following tables show the SCCs used in different versions of Dynatrace Operator and OpenShift.
Component | Custom SCC used in Dynatrace Operator versions earlier than 0.12.0 | SCC in Dynatrace Operator version 0.12.0+ and OpenShift earlier than 4.11 |
---|---|---|
Dynatrace Operator | dynatrace-operator | privileged (1) |
Dynatrace Operator Webhook Server | dynatrace-webhook | privileged (1) |
Dynatrace Operator CSI driver | dynatrace-oneagent-csi-driver | privileged (1) |
ActiveGate | dynatrace-activegate | privileged (1) |
OneAgent | dynatrace-dynakube-oneagent-privileged dynatrace-dynakube-oneagent-unprivileged | privileged (1) |
Component | Custom SCC used in Dynatrace Operator versions earlier than 0.12.0 | SCC in Dynatrace Operator version 0.12.0+ and OpenShift 4.11+ |
---|---|---|
Dynatrace Operator | dynatrace-operator | nonroot-v2 |
Dynatrace Operator Webhook Server | dynatrace-webhook | nonroot-v2 |
Dynatrace Operator CSI driver | dynatrace-oneagent-csi-driver | privileged (1) |
ActiveGate | dynatrace-activegate | nonroot-v2 |
OneAgent | dynatrace-dynakube-oneagent-privileged dynatrace-dynakube-oneagent-unprivileged | privileged (1) |
(1) This SCC is the only built-in OpenShift SCC that allows the usage of seccomp, which our components have set by default, and also the usage of CSI volumes.
It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.
To remove the old SCCs, use the following command:

```shell
oc delete scc <scc-name>
```