Dynatrace Operator security

16-min read

Kubernetes observability relies on components with different purposes, default configurations, and permissions. These different components need permissions to perform and maintain operational function of Dynatrace within your cluster.

While Dynatrace permissions adhere to the principle of least privilege, make sure to secure the dynatrace namespace and limit access to a closed group of administrators and operators.

Permission list

Dynatrace Operator

Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.

Default configuration: 1-replica-per-cluster

RBAC objects:

Service Account dynatrace-operator
Cluster-Role dynatrace-operator
Role dynatrace-operator

Cluster-wide permissions

Resources accessed	API group	APIs used	Resource names
`nodes`	`""`	Get/List/Watch
`namespaces`	`""`	Get/List/Watch/Update
`secrets`	`""`	Create
`secrets`	`""`	Get/Update/Delete/List	`dynatrace-bootstrapper-config` `dynatrace-dynakube-config` `dynatrace-metadata-enrichment-endpoint`
`mutatingwebhookconfigurations`	`admissionregistration.k8s.io`	Get/Update	`dynatrace-webhook`
`validatingwebhookconfigurations`	`admissionregistration.k8s.io`	Get/Update	`dynatrace-webhook`
`customresourcedefinitions`	`apiextensions.k8s.io`	Get/Update	`dynakubes.dynatrace.com` `edgeconnects.dynatrace.com`
`securitycontextconstraints`	`security.openshift.io`	Use	`privileged` `nonroot-v2`

Namespace `dynatrace` permissions

Resources accessed	API group	APIs used
`dynakubes`	`dynatrace.com`	Get/List/Watch/Update
`edgeconnects`	`dynatrace.com`	Get/List/Watch/Update
`dynakubes/finalizers`	`dynatrace.com`	Update
`edgeconnects/finalizers`	`dynatrace.com`	Update
`dynakubes/status`	`dynatrace.com`	Update
`edgeconnects/status`	`dynatrace.com`	Update
`statefulsets`	`apps`	Get/List/Watch/Create/Update/Delete
`daemonsets`	`apps`	Get/List/Watch/Create/Update/Delete
`replicasets`	`apps`	Get/List/Watch/Create/Update/Delete
`deployments`	`apps`	Get/List/Watch/Create/Update/Delete
`deployments/finalizers`	`apps`	Update
`configmaps`	`""`	Get/List/Watch/Create/Update/Delete
`pods`	`""`	Get/List/Watch
`secrets`	`""`	Get/List/Watch/Create/Update/Delete
`events`	`""`	Create/Get/List
`services`	`""`	Create/Update/Delete/Get/List/Watch
`serviceentries`	`networking.istio.io`	Get/List/Create/Update/Delete
`virtualservices`	`networking.istio.io`	Get/List/Create/Update/Delete
`leases`	`coordination.k8s.io`	Get/Update/Create

Dynatrace Operator Webhook Server

Purposes:

Modifies pod definitions to include Dynatrace code modules for application observability
Validates DynaKube custom resources
Handles the DynaKube conversion between versions

Default configuration: 1-replica-per-cluster, can be scaled

RBAC objects:

Service Account dynatrace-webhook
Cluster-Role dynatrace-webhook
Role dynatrace-webhook

Cluster-wide permissions

Resources accessed	API group	APIs used	Resource names
`namespaces`	`""`	Get/List/Watch/Update
`secrets`	`""`	Create
`secrets`	`""`	Get/List/Watch/Update	`dynatrace-dynakube-config` `dynatrace-bootstrapper-config` `dynatrace-metadata-enrichment-endpoint`
`replicationcontrollers`	`""`	Get
`replicasets`	`apps`	Get
`statefulsets`	`apps`	Get
`daemonsets`	`apps`	Get
`deployments`	`apps`	Get
`jobs`	`batch`	Get
`cronjobs`	`batch`	Get
`deploymentconfigs`	`apps.openshift.io`	Get
`securitycontextconstraints`	`security.openshift.io`	Use	`privileged` `nonroot-v2`

Namespace `dynatrace` permissions

Resources accessed	API group	APIs used
`events`	`""`	Create/Patch
`secrets`	`""`	Get/List/Watch
`pods`	`""`	Get/List/Watch
`configmaps`	`""`	Get/List/Watch
`dynakubes`	`dynatrace.com`	Get/List/Watch

Dynatrace Operator CSI driver

Purpose:

For applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.
For hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.
For cloudNativeFullStack, it provides both of the above.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

Service Account dynatrace-oneagent-csi-driver
Cluster-Role dynatrace-oneagent-csi-driver
Role dynatrace-oneagent-csi-driver

Cluster-wide permission

Resources accessed	API group	APIs used	Resource names
`securitycontextconstraints`	`security.openshift.io`	Use	`privileged`

Namespace `dynatrace` permissions

Resources accessed	API group	APIs used
`dynakubes`	`dynatrace.com`	Get/List/Watch
`secrets`	`""`	Get/List/Watch
`configmaps`	`""`	Get/List/Watch
`dynakubes/finalizers`	`dynatrace.com`	Update
`jobs`	`batch`	Get/List/Create/Delete/Watch
`events`	`""`	Create/Patch

ActiveGate

Kubernetes Platform Monitoring

Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.

Default configuration: 1-replica-per-cluster, can be scaled

RBAC objects:

Service Account: dynatrace-kubernetes-monitoring
Cluster-Role: dynatrace-kubernetes-monitoring

Cluster-wide permissions

Resources accessed	API group	APIs used	Resource names
`nodes`	`""`	List/Watch/Get
`pods`	`""`	List/Watch/Get
`namespaces`	`""`	List/Watch/Get
`replicationcontrollers`	`""`	List/Watch/Get
`events`	`""`	List/Watch/Get
`resourcequotas`	`""`	List/Watch/Get
`pods/proxy`	`""`	List/Watch/Get
`nodes/proxy`	`""`	List/Watch/Get
`nodes/metrics`	`""`	List/Watch/Get
`services`	`""`	List/Watch/Get
`persistentvolumeclaims`	`""`	List/Watch/Get
`persistentvolumes`	`""`	List/Watch/Get
`jobs`	`batch`	List/Watch/Get
`cronjobs`	`batch`	List/Watch/Get
`deployments`	`apps`	List/Watch/Get
`replicasets`	`apps`	List/Watch/Get
`statefulsets`	`apps`	List/Watch/Get
`daemonsets`	`apps`	List/Watch/Get
`deploymentconfigs`	`apps.openshift.io`	List/Watch/Get
`clusterversions`	`config.openshift.io`	List/Watch/Get
`dynakubes`	`dynatrace.com`	List/Watch/Get
`edgeconnects`	`dynatrace.com`	List/Watch/Get
`customresourcedefinitions`	`apiextensions.k8s.io`	List/Watch/Get
`ingresses`	`networking.k8s.io`	List/Watch/Get
`networkpolicies`	`networking.k8s.io`	List/Watch/Get
`securitycontextconstraints`	`security.openshift.io`	Use	`privileged` `nonroot-v2`

Dynatrace Kubernetes Security Posture Management (KSPM)

Purposes: Kubernetes Security Posture Management detects, analyzes, and continuously watches for misconfigurations, security hardening guidelines, and potential compliance violations in Kubernetes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

Service Account dynatrace-node-config-collector
Cluster-Role dynatrace-kubernetes-monitoring-kspm

Cluster-wide permissions

Resources accessed	API group	APIs used
`events`	`""`	Get/List/Watch
`namespaces`	`""`	Get/List/Watch
`nodes`	`""`	Get/List/Watch
`nodes/metrics`	`""`	Get/List/Watch
`nodes/proxy`	`""`	Get/List/Watch
`pods`	`""`	Get/List/Watch
`pods/proxy`	`""`	Get/List/Watch
`replicationcontrollers`	`""`	Get/List/Watch
`resourcequotas`	`""`	Get/List/Watch
`serviceaccounts`	`""`	Get/List/Watch
`services`	`""`	Get/List/Watch
`cronjobs`	`batch`	Get/List/Watch
`jobs`	`batch`	Get/List/Watch
`daemonsets`	`apps`	Get/List/Watch
`deployments`	`apps`	Get/List/Watch
`replicasets`	`apps`	Get/List/Watch
`statefulsets`	`apps`	Get/List/Watch
`networkpolicies`	`networking.k8s.io`	Get/List/Watch
`clusterrolebindings`	`rbac.authorization.k8s.io`	Get/List/Watch
`clusterroles`	`rbac.authorization.k8s.io`	Get/List/Watch
`rolebindings`	`rbac.authorization.k8s.io`	Get/List/Watch
`roles`	`rbac.authorization.k8s.io`	Get/List/Watch

OneAgent

Purposes:

Collects host metrics from Kubernetes nodes.
Detects new containers and injects Dynatrace code modules into application pods using classic full-stack injection. optional
Collects container logs from Kubernetes nodes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

Service Account dynatrace-dynakube-oneagent
Cluster-Role dynatrace-dynakube-oneagent
Cluster-Role dynatrace-logmonitoring

Policy settings: Allows HostNetwork, HostPID, to use any volume types.

Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE

Cluster-wide permissions

Resources accessed	API group	APIs used	Resource names
`nodes/proxy`	`""`	Get
`securitycontextconstraints`	`security.openshift.io`	Use	`privileged`

Dynatrace Log Module

Purposes:

Collects container logs from Kubernetes nodes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

Service Account dynatrace-logmonitoring
Cluster-Role dynatrace-logmonitoring

Cluster-wide permissions

Log monitoring requires the same cluster-wide permissions as OneAgent.

Dynatrace telemetry ingest

Purposes:

Enable Dynatrace telemetry endpoints in Kubernetes for cluster-local data ingest
- Ingest data via OTLP, Jaeger, StatsD or Zipkin endpoints
Analyze context-rich data with built-in apps, DQL, Notebooks and Dashboards

Cluster-wide permissions

Resources accessed	API group	APIs used	Resource names
`pods`	`""`	Get/Watch/List
`namespaces`	`""`	Get/Watch/List
`nodes`	`""`	Get/Watch/List
`replicasets`	`apps`	Get/List/Watch
`securitycontextconstraints`	`security.openshift.io`	Use	`privileged`

Security Controls of Dynatrace Operator components

The following table presents a detailed analysis of the security controls for Kubernetes components: Dynatrace Operator, Dynatrace Operator webhook, and Dynatrace Operator CSI driver. This report is based on:

CIS Benchmark, a globally recognized standard for securing Kubernetes deployments.
POD Security Standard policies.
Best practices.

Security Control	Standard (*)	Dynatrace Operator	Webhook	CSI driver
Disallow privileged containers	CIS ¹ 5.2.2 / PSSB ²	Satisfied	Satisfied	Required ⁵
Disallow privilege escalation	CIS ¹ 5.2.6 / PSSR ³	Satisfied	Satisfied	Required ⁵
Disallow containers running as root	CIS ¹ 5.2.7 / PSSR ³	Satisfied	Satisfied	Required ⁶
Disallow usage of too many or insecure capabilities	CIS ¹ 5.2.8 / 5.2.9 / 5.2.10 / PSSR ³	Satisfied	Satisfied	Satisfied
Disallow usage of HostPath volumes	CIS ¹ 5.2.12 / PSSB ²	Satisfied	Satisfied	Required ⁷
Disallow usage of HostPorts	CIS ¹ 5.2.13 / PSSB ²	Satisfied	Satisfied	Satisfied
Disallow access to host network	CIS ¹ 5.2.5 / PSSB ²	Satisfied	Satisfied	Satisfied
Disallow usage of host PID	CIS ¹ 5.2.3 / PSSB ²	Satisfied	Satisfied	Satisfied
Disallow usage of host IPC	CIS ¹ 5.2.4 / PSSB ²	Satisfied	Satisfied	Satisfied
Require readOnlyRootFilesystem	Best practice	Satisfied	Satisfied	Satisfied
Require Resource limits	Best practice	Satisfied	Satisfied	Satisfied
Demand seccomp to be used (at least default/runtime)	CIS ¹ 5.7.2 / PSSR ³	Satisfied	Satisfied	Satisfied
Disallow Secrets mounted as env variable	CIS ¹ 5.4.1	Satisfied	Satisfied	Satisfied
Restrict sysctls	PSSB ²	Satisfied	Satisfied	Satisfied
Restrict AppArmor	PSSB ²	Satisfied	Satisfied	Satisfied
Disallow SELinux	PSSB ²	Satisfied	Satisfied	Required ⁸
Restrict automounting of service account token	CIS ¹ 5.1.6	Required ⁴	Required ⁴	Required ⁴
/proc Mount Type	PSSB ²	Satisfied	Satisfied	Satisfied

Standard:

Center for Internet Security (CIS) Kubernetes benchmark.

POD Security Standards Baseline profile.

POD Security Standards Restricted profile.

General:

⁴

Component needs to communicate with the Kubernetes API.

CSI:

⁵

CSI driver requires elevated permissions to create and manage mounts on the host system. For more details, see CSI driver privileges.

⁶

CSI driver communicates with kubelet using a socket on the host, to access this socket the CSI driver needs to run as root.

⁷

CSI driver stores/caches the OneAgent binaries on the host's filesystem, in order to do that it needs a hostVolume mount.

⁸

CSI driver needs seLinux level s0 for the application pods to see files from the volume created by the CSI driver.

Security Controls of components managed by Dynatrace Operator

The following table presents a detailed analysis of the security controls for Kubernetes components managed by Dynatrace Operator: ActiveGate, OneAgent (CloudNative), LogAgent. This report is based on:

CIS Benchmark, a globally recognized standard for securing Kubernetes deployments.
POD Security Standard policies.
Best practices.

Security Control	Standard (*)	ActiveGate	OneAgent CloudNative	OneAgent Log Module
Disallow privileged containers	CIS ¹ 5.2.2 / PSSB ²	Satisfied	Satisfied	Required ¹⁵
Disallow privilege escalation	CIS ¹ 5.2.6 / PSSR ³	Satisfied	Required ⁶	Required ¹⁶
Disallow containers running as root	CIS ¹ 5.2.7 / PSSR ³	Satisfied	Satisfied	Satisfied
Disallow usage of too many or insecure capabilities	CIS ¹ 5.2.8 / 5.2.9 / 5.2.10 / PSSR ³	Satisfied	Required ⁷	Required ¹⁷
Disallow usage of HostPath volumes	CIS ¹ 5.2.12 / PSSB ²	Satisfied	Required ⁸	Required ¹⁸
Disallow usage of HostPorts	CIS ¹ 5.2.13 / PSSB ²	Satisfied	Satisfied	Satisfied
Disallow access to host network	CIS ¹ 5.2.5 / PSSB ²	Satisfied	Required ⁹	Satisfied
Disallow usage of host PID	CIS ¹ 5.2.3 / PSSB ²	Satisfied	Required ¹⁰	Satisfied
Disallow usage of host IPC	CIS ¹ 5.2.4 / PSSB ²	Satisfied	Satisfied	Satisfied
Require readOnlyRootFilesystem	Best practice	Satisfied	Satisfied	Satisfied
Require Resource limits	Best practice	Configurable ⁵	Configurable ¹¹	Configurable ¹⁹
Demand seccomp to be used (at least default/runtime)	CIS ¹ 5.7.2 / PSSR ³	Satisfied	Required ¹²	Required ²⁰
Disallow Secrets mounted as env variable	CIS ¹ 5.4.1	Satisfied	Satisfied	Satisfied
Restrict sysctls	PSSB ²	Satisfied	Satisfied	Satisfied
Restrict AppArmor	PSSB ²	Satisfied	Required ¹³	Satisfied
Disallow SELinux	PSSB ²	Satisfied	Satisfied	Satisfied
Restrict automounting of service account token	CIS ¹ 5.1.6	Required ⁴	Configurable ¹⁴	Required ⁴
/proc Mount Type	PSSB ²	Satisfied	Satisfied	Satisfied

Standard:

Center for Internet Security (CIS) Kubernetes benchmark.

POD Security Standards Baseline profile.

POD Security Standards Restricted profile.

General:

⁴

Component needs to communicate with the Kubernetes API.

ActiveGate

⁵

The limits are highly dependent on the amount of data processed. Can be set via DynaKube.

OneAgent

⁶

Privilege escalation is needed for processes inside OneAgent container to get Linux capabilities.

⁷

Monitoring actions executed by OneAgent processes need the following capabilities.

⁸

Mounted host's root filesystem is accessed by all OneAgent modules and allows for log files access, disk metrics, and other host and process monitoring capabilities.

⁹

OneAgent needs access to host network namespace to provide host-level and process-level network health monitoring.

¹⁰

OneAgent needs access to host process table to collect performance metrics for all processes running on the host.

¹¹

The limits are highly dependent on the amount of data processed. Can be set via DynaKube.

¹²

OneAgent needs access to kernel syscalls beyond the RuntimeDefault set for monitoring purposes.

¹³

OneAgent needs access to the mount command which is blocked by the default AppArmor profile.

¹⁴

OneAgent component needs to communicate with the kubelet /pods endpoint. The K8s token is not mounted to the Pod if LogMonitoring is turned off via Helm values.

OneAgent Log Module:

¹⁵

LogAgent needs to run as privileged container on OCP cluster to access its persistent storage. OCP persistent storage using hostPath.

¹⁶

AllowPrivilegeEscalation is always true when the container is run as privileged. Configure a Security Context for a Pod or Container.

¹⁷

LogAgent needs additional capability to get access to all monitored log files.

¹⁸

Needs access to log files on the host's filesystem.

¹⁹

The limits are highly dependent on the amount of data processed. Can be set via DynaKube.

²⁰

The seccomp profile can be set via DynaKube in order to run in secure computing mode.

Pod security policies

These permissions used to be managed using a PodSecurityPolicy (PSP), but in Kubernetes version 1.25 PSPs will be removed from the following components:

Dynatrace Operator version 0.2.2
LEGACY Dynatrace OneAgent Operator version 0.11.0
Corresponding Helm charts

Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:

If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.

Dynatrace Operator security context constraints

Dynatrace Operator version 0.12.0+

Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.

Despite this update, the components maintain the same permissions and security requirements as before.

The following tables show the SCCs used in different versions of Dynatrace Operator and OpenShift.

Resources accessed	Custom SCC used in Dynatrace Operator versions earlier than 0.12.0	SCC in Dynatrace Operator version 0.12.0+ and OpenShift earlier than 4.11
Dynatrace Operator	`dynatrace-operator`	`privileged`¹
Dynatrace Operator Webhook Server	`dynatrace-webhook`	`privileged`¹
Dynatrace Operator CSI driver	`dynatrace-oneagent-csi-driver`	`privileged`¹
ActiveGate	`dynatrace-activegate`	`privileged`¹
OneAgent	`dynatrace-dynakube-oneagent-privileged` `dynatrace-dynakube-oneagent-unprivileged`	`privileged`¹

Resources accessed	Custom SCC used in Dynatrace Operator versions earlier than 0.12.0	SCC in Dynatrace Operator version 0.12.0+ and OpenShift 4.11+
Dynatrace Operator	`dynatrace-operator`	`nonroot-v2`
Dynatrace Operator Webhook Server	`dynatrace-webhook`	`nonroot-v2`
Dynatrace Operator CSI driver	`dynatrace-oneagent-csi-driver`	`privileged`¹
ActiveGate	`dynatrace-activegate`	`nonroot-v2`
OneAgent	`dynatrace-dynakube-oneagent-privileged` `dynatrace-dynakube-oneagent-unprivileged`	`privileged`¹

This SCC is the only built-in OpenShift SCC that allows usage of seccomp, which our components have set by default, and also the usage of CSI volumes.

It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.

To remove the old SCCs, use the following command:

oc delete scc <scc-name>

Dynatrace Operator security

Permission list

Dynatrace Operator

Cluster-wide permissions

Namespace dynatrace permissions

Dynatrace Operator Webhook Server

Cluster-wide permissions

Namespace dynatrace permissions

Dynatrace Operator CSI driver

Cluster-wide permission

Namespace dynatrace permissions

ActiveGate

Kubernetes Platform Monitoring

Cluster-wide permissions

Dynatrace Kubernetes Security Posture Management (KSPM)

Cluster-wide permissions

OneAgent

Cluster-wide permissions

Dynatrace Log Module

Cluster-wide permissions

Dynatrace telemetry ingest

Cluster-wide permissions

Security Controls of Dynatrace Operator components

Security Controls of components managed by Dynatrace Operator

Pod security policies

Dynatrace Operator security context constraints

Namespace `dynatrace` permissions

Namespace `dynatrace` permissions

Namespace `dynatrace` permissions