Dynatrace Operator security

Kubernetes observability relies on several components, each with its own purpose, default configuration, and permissions. Each component needs only the permissions required to deploy and maintain Dynatrace within your cluster.

Although the Dynatrace permissions follow the principle of least privilege, the service accounts in the dynatrace namespace hold cluster-wide rights, so anyone who can create or modify workloads in that namespace can act with those rights. Secure the dynatrace namespace and limit access to a closed group of administrators and operators.

Permission list

In the tables below, API group "" denotes the Kubernetes core API group, and Resource names lists the resourceNames a permission is scoped to (- means the permission applies to all objects of that kind).

Dynatrace Operator

Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.

Default configuration: 1-replica-per-cluster

RBAC objects:

  • Service Account dynatrace-operator
  • Cluster-Role dynatrace-operator
  • Role dynatrace-operator

Cluster-wide permissions

Resources accessed | API group | APIs used | Resource names
nodes | "" | Get/List/Watch | -
namespaces | "" | Get/List/Watch/Update | -
secrets | "" | Create | -
secrets | "" | Get/Update/Delete/List | dynatrace-bootstrapper-config, dynatrace-dynakube-config, dynatrace-metadata-enrichment-endpoint
mutatingwebhookconfigurations | admissionregistration.k8s.io | Get/Update | dynatrace-webhook
validatingwebhookconfigurations | admissionregistration.k8s.io | Get/Update | dynatrace-webhook
customresourcedefinitions | apiextensions.k8s.io | Get/Update | dynakubes.dynatrace.com, edgeconnects.dynatrace.com
securitycontextconstraints | security.openshift.io | Use | privileged, nonroot-v2

Namespace dynatrace permissions

Resources accessed | API group | APIs used | Resource names
dynakubes | dynatrace.com | Get/List/Watch/Update | -
edgeconnects | dynatrace.com | Get/List/Watch/Update | -
dynakubes/finalizers | dynatrace.com | Update | -
edgeconnects/finalizers | dynatrace.com | Update | -
dynakubes/status | dynatrace.com | Update | -
edgeconnects/status | dynatrace.com | Update | -
statefulsets | apps | Get/List/Watch/Create/Update/Delete | -
daemonsets | apps | Get/List/Watch/Create/Update/Delete | -
replicasets | apps | Get/List/Watch/Create/Update/Delete | -
deployments | apps | Get/List/Watch/Create/Update/Delete | -
deployments/finalizers | apps | Update | -
configmaps | "" | Get/List/Watch/Create/Update/Delete | -
pods | "" | Get/List/Watch | -
secrets | "" | Get/List/Watch/Create/Update/Delete | -
events | "" | Create/Get/List | -
services | "" | Create/Update/Delete/Get/List/Watch | -
serviceentries | networking.istio.io | Get/List/Create/Update/Delete | -
virtualservices | networking.istio.io | Get/List/Create/Update/Delete | -
leases | coordination.k8s.io | Get/Update/Create | -
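The permission list above is only useful if the ClusterRole actually deployed in your cluster matches it. The following Python script is an added example, not Dynatrace code: it transcribes the Dynatrace Operator cluster-wide permissions from this page into an allow-list (including the resourceNames scoping) and diffs a ClusterRole document against it. The DEPLOYED document is constructed by hand in the shape of `kubectl get clusterrole dynatrace-operator -o json` output, with two deviations planted so the report has something to show: an unscoped `get` on secrets and an extra `create` on pods/exec. The same approach extends to the other ClusterRoles and Roles listed on this page by adding their rows to EXPECTED.

```python
"""Drift check of a deployed ClusterRole against the documented permission list.

Added example, not Dynatrace code. EXPECTED transcribes the 'Dynatrace Operator'
cluster-wide permissions from this page, including their resourceNames scoping.
DEPLOYED is a constructed document shaped like the output of
`kubectl get clusterrole dynatrace-operator -o json`, with two deviations planted:
an unscoped `get` on secrets and an extra `create` on pods/exec.
"""
import json
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]                   # (apiGroup, resource); "" is the core group
Grant = Dict[str, Optional[Set[str]]]   # verb -> allowed resourceNames, None = any name

SECRET_NAMES = {"dynatrace-bootstrapper-config", "dynatrace-dynakube-config",
                "dynatrace-metadata-enrichment-endpoint"}
WEBHOOK = {"dynatrace-webhook"}
CRDS = {"dynakubes.dynatrace.com", "edgeconnects.dynatrace.com"}
SCCS = {"privileged", "nonroot-v2"}

EXPECTED: Dict[Key, Grant] = {
    ("", "nodes"): {"get": None, "list": None, "watch": None},
    ("", "namespaces"): {"get": None, "list": None, "watch": None, "update": None},
    ("", "secrets"): {"create": None, "get": SECRET_NAMES, "update": SECRET_NAMES,
                      "delete": SECRET_NAMES, "list": SECRET_NAMES},
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"): {"get": WEBHOOK, "update": WEBHOOK},
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"): {"get": WEBHOOK, "update": WEBHOOK},
    ("apiextensions.k8s.io", "customresourcedefinitions"): {"get": CRDS, "update": CRDS},
    ("security.openshift.io", "securitycontextconstraints"): {"use": SCCS},
}

# Constructed sample, not a real cluster dump.
DEPLOYED = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "dynatrace-operator"},
 "rules": [
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch", "update"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "get"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "update", "delete", "list"],
   "resourceNames": ["dynatrace-bootstrapper-config", "dynatrace-dynakube-config",
                     "dynatrace-metadata-enrichment-endpoint"]},
  {"apiGroups": ["admissionregistration.k8s.io"], "verbs": ["get", "update"],
   "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
   "resourceNames": ["dynatrace-webhook"]},
  {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
   "resourceNames": ["dynakubes.dynatrace.com", "edgeconnects.dynatrace.com"], "verbs": ["get", "update"]},
  {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
   "resourceNames": ["privileged", "nonroot-v2"], "verbs": ["use"]},
  {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}
 ]}
""")


def flatten_rules(clusterrole: dict) -> Dict[Key, Grant]:
    """Merge all rules into (group, resource) -> verb -> names. RBAC is purely additive,
    so an unscoped rule (no resourceNames) overrides a scoped one for the same verb.
    Wildcards ('*') are kept literally and therefore always surface as drift."""
    granted: Dict[Key, Grant] = {}
    for rule in clusterrole.get("rules", []):
        names = rule.get("resourceNames")
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                slot = granted.setdefault((group, resource), {})
                for verb in (v.lower() for v in rule.get("verbs", [])):
                    if names is None:
                        slot[verb] = None
                    elif slot.get(verb, set()) is not None:
                        slot[verb] = set(slot.get(verb) or set()) | set(names)
    return granted


def find_drift(clusterrole: dict, expected: Dict[Key, Grant] = EXPECTED) -> Dict[str, List[str]]:
    """Return grants the page does not document ('extra'), documented grants whose
    resourceNames scope was dropped or widened ('broadened'), and documented grants
    that are absent ('missing', which usually means the operator will malfunction)."""
    granted = flatten_rules(clusterrole)

    def label(k: Key) -> str:
        return f"{k[0] or 'core'}/{k[1]}"

    extra, broadened, missing = [], [], []
    for key, verbs in granted.items():
        allowed = expected.get(key, {})
        for verb, names in verbs.items():
            if verb not in allowed:
                extra.append(f"{label(key)}: {verb}")
            elif allowed[verb] is not None and (names is None or not names <= allowed[verb]):
                broadened.append(f"{label(key)}: {verb} (documented only for {sorted(allowed[verb])})")
    for key, verbs in expected.items():
        for verb in verbs:
            if verb not in granted.get(key, {}):
                missing.append(f"{label(key)}: {verb}")
    return {"extra": sorted(extra), "broadened": sorted(broadened), "missing": sorted(missing)}


if __name__ == "__main__":
    print(json.dumps(find_drift(DEPLOYED), indent=2))
```

Run against a live cluster by replacing DEPLOYED with the parsed output of `kubectl get clusterrole dynatrace-operator -o json`. An entry under "broadened" is the one to look at first: a scoped grant that lost its resourceNames (for example `get` on every secret in the cluster instead of the three named ones) is the kind of change a Helm values override or a hand edit introduces silently.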

Dynatrace Operator Webhook Server

Purposes:

  • Modifies pod definitions to include Dynatrace code modules for application observability
  • Validates DynaKube custom resources
  • Handles the DynaKube conversion between versions

Default configuration: 1-replica-per-cluster, can be scaled

RBAC objects:

  • Service Account dynatrace-webhook
  • Cluster-Role dynatrace-webhook
  • Role dynatrace-webhook

Cluster-wide permissions

Resources accessed | API group | APIs used | Resource names
namespaces | "" | Get/List/Watch/Update | -
secrets | "" | Create | -
secrets | "" | Get/List/Watch/Update | dynatrace-dynakube-config, dynatrace-bootstrapper-config, dynatrace-metadata-enrichment-endpoint
replicationcontrollers | "" | Get | -
replicasets | apps | Get | -
statefulsets | apps | Get | -
daemonsets | apps | Get | -
deployments | apps | Get | -
jobs | batch | Get | -
cronjobs | batch | Get | -
deploymentconfigs | apps.openshift.io | Get | -
securitycontextconstraints | security.openshift.io | Use | privileged, nonroot-v2

Namespace dynatrace permissions

Resources accessed | API group | APIs used | Resource names
events | "" | Create/Patch | -
secrets | "" | Get/List/Watch | -
pods | "" | Get/List/Watch | -
configmaps | "" | Get/List/Watch | -
dynakubes | dynatrace.com | Get/List/Watch | -

Dynatrace Operator CSI driver

Purpose:

  • For applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.
  • For hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.
  • For cloudNativeFullStack, it provides both of the above.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-oneagent-csi-driver
  • Cluster-Role dynatrace-oneagent-csi-driver
  • Role dynatrace-oneagent-csi-driver

Cluster-wide permissions

Resources accessed | API group | APIs used | Resource names
securitycontextconstraints | security.openshift.io | Use | privileged

Namespace dynatrace permissions

Resources accessed | API group | APIs used | Resource names
dynakubes | dynatrace.com | Get/List/Watch | -
secrets | "" | Get/List/Watch | -
configmaps | "" | Get/List/Watch | -
dynakubes/finalizers | dynatrace.com | Update | -
jobs | batch | Get/List/Create/Delete/Watch | -
events | "" | Create/Patch | -

ActiveGate

Kubernetes Platform Monitoring

Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.

Default configuration: 1-replica-per-cluster, can be scaled

RBAC objects:

  • Service Account dynatrace-activegate
  • Cluster-Role dynatrace-activegate

Cluster-wide permissions

Resources accessed | API group | APIs used | Resource names
nodes | "" | List/Watch/Get | -
pods | "" | List/Watch/Get | -
namespaces | "" | List/Watch/Get | -
replicationcontrollers | "" | List/Watch/Get | -
events | "" | List/Watch/Get | -
resourcequotas | "" | List/Watch/Get | -
pods/proxy | "" | List/Watch/Get | -
nodes/proxy | "" | List/Watch/Get | -
nodes/metrics | "" | List/Watch/Get | -
services | "" | List/Watch/Get | -
jobs | batch | List/Watch/Get | -
cronjobs | batch | List/Watch/Get | -
deployments | apps | List/Watch/Get | -
replicasets | apps | List/Watch/Get | -
statefulsets | apps | List/Watch/Get | -
daemonsets | apps | List/Watch/Get | -
deploymentconfigs | apps.openshift.io | List/Watch/Get | -
clusterversions | config.openshift.io | List/Watch/Get | -
dynakubes | dynatrace.com | List/Watch/Get | -
securitycontextconstraints | security.openshift.io | Use | privileged, nonroot-v2

Note that the nodes/proxy, nodes/metrics, and pods/proxy subresources let the holder reach the kubelet and pod endpoints through the API server, which is more than reading object metadata, so the dynatrace-activegate service account warrants the same access restrictions as the operator's.

Dynatrace Kubernetes Security Posture Management (KSPM)

Purpose: Kubernetes Security Posture Management detects and analyzes misconfigurations, deviations from security hardening guidelines, and potential compliance violations in Kubernetes, and continuously watches for new ones.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-node-config-collector
  • Cluster-Role dynatrace-kubernetes-monitoring-kspm

Cluster-wide permissions

Resources accessed | API group | APIs used | Resource names
events | "" | Get/List/Watch | -
namespaces | "" | Get/List/Watch | -
nodes | "" | Get/List/Watch | -
nodes/metrics | "" | Get/List/Watch | -
nodes/proxy | "" | Get/List/Watch | -
pods | "" | Get/List/Watch | -
pods/proxy | "" | Get/List/Watch | -
replicationcontrollers | "" | Get/List/Watch | -
resourcequotas | "" | Get/List/Watch | -
serviceaccounts | "" | Get/List/Watch | -
services | "" | Get/List/Watch | -
cronjobs | batch | Get/List/Watch | -
jobs | batch | Get/List/Watch | -
daemonsets | apps | Get/List/Watch | -
deployments | apps | Get/List/Watch | -
replicasets | apps | Get/List/Watch | -
statefulsets | apps | Get/List/Watch | -
networkpolicies | networking.k8s.io | Get/List/Watch | -
clusterrolebindings | rbac.authorization.k8s.io | Get/List/Watch | -
clusterroles | rbac.authorization.k8s.io | Get/List/Watch | -
rolebindings | rbac.authorization.k8s.io | Get/List/Watch | -
roles | rbac.authorization.k8s.io | Get/List/Watch | -

OneAgent

Purposes:

  • Collects host metrics from Kubernetes nodes.
  • (optional) Detects new containers and injects Dynatrace code modules into application pods using classic full-stack injection.
  • Collects container logs from Kubernetes nodes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-dynakube-oneagent
  • Cluster-Role dynatrace-dynakube-oneagent
  • Cluster-Role dynatrace-logmonitoring

Policy settings: allows hostNetwork, hostPID, and the use of any volume type.

Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE

Cluster-wide permissions

Resources accessed | API group | APIs used | Resource names
nodes/proxy | "" | Get | -
securitycontextconstraints | security.openshift.io | Use | privileged

Dynatrace Log Module

Purposes:

  • Collects container logs from Kubernetes nodes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-logmonitoring
  • Cluster-Role dynatrace-logmonitoring

Cluster-wide permissions

Log monitoring requires the same cluster-wide permissions as OneAgent.

Resources accessed | API group | APIs used | Resource names
pods | "" | Get/Watch/List | -
namespaces | "" | Get/Watch/List | -
nodes | "" | Get/Watch/List | -
replicasets | apps | Get/List/Watch | -
securitycontextconstraints | security.openshift.io | Use | privileged

Security Controls of Dynatrace Operator components

The following table presents a detailed analysis of the security controls for Kubernetes components: Dynatrace Operator, Dynatrace Operator webhook, and Dynatrace Operator CSI driver. This report is based on:

Security Control | Standard (*) | Dynatrace Operator | Webhook | CSI driver
Disallow privileged containers | CIS [1] 5.2.2 / PSSB [2] | Satisfied | Satisfied | Works as designed [5]
Disallow privilege escalation | CIS [1] 5.2.6 / PSSR [3] | Satisfied | Satisfied | Works as designed [5]
Disallow containers running as root | CIS [1] 5.2.7 / PSSR [3] | Satisfied | Satisfied | Works as designed [6]
Disallow usage of too many or insecure capabilities | CIS [1] 5.2.8 / 5.2.9 / 5.2.10 / PSSR [3] | Satisfied | Satisfied | Satisfied
Disallow usage of HostPath volumes | CIS [1] 5.2.12 / PSSB [2] | Satisfied | Satisfied | Works as designed [7]
Disallow usage of HostPorts | CIS [1] 5.2.13 / PSSB [2] | Satisfied | Satisfied | Satisfied
Disallow access to host network | CIS [1] 5.2.5 / PSSB [2] | Satisfied | Satisfied | Satisfied
Disallow usage of host PID | CIS [1] 5.2.3 / PSSB [2] | Satisfied | Satisfied | Satisfied
Disallow usage of host IPC | CIS [1] 5.2.4 / PSSB [2] | Satisfied | Satisfied | Satisfied
Require readOnlyRootFilesystem | Best practice | Satisfied | Satisfied | Satisfied
Require Resource limits | Best practice | Satisfied | Satisfied | Satisfied
Demand seccomp to be used (at least default/runtime) | CIS [1] 5.7.2 / PSSR [3] | Satisfied | Satisfied | Satisfied
Disallow Secrets mounted as env variable | CIS [1] 5.4.1 | Satisfied | Satisfied | Satisfied
Restrict sysctls | PSSB [2] | Satisfied | Satisfied | Satisfied
Restrict AppArmor | PSSB [2] | Satisfied | Satisfied | Satisfied
Disallow SELinux | PSSB [2] | Satisfied | Satisfied | Works as designed [8]
Restrict automounting of service account token | CIS [1] 5.1.6 | Works as designed [4] | Works as designed [4] | Works as designed [4]
/proc Mount Type | PSSB [2] | Satisfied | Satisfied | Satisfied

Standard:

General:

[4] Component needs to communicate with the Kubernetes API.

CSI:

[5] The CSI driver requires elevated permissions to create and manage mounts on the host system. For more details, see CSI driver privileges.

[6] The CSI driver communicates with the kubelet over a socket on the host; to access this socket the CSI driver needs to run as root.

[7] The CSI driver stores and caches the OneAgent binaries on the host's filesystem; to do that it needs a hostPath volume mount.

[8] The CSI driver needs SELinux level s0 so that application pods can see files from the volume created by the CSI driver.

Security Controls of components managed by Dynatrace Operator

The following table presents a detailed analysis of the security controls for Kubernetes components managed by Dynatrace Operator: ActiveGate, OneAgent (CloudNative), LogAgent. This report is based on:

Security Control | Standard (*) | ActiveGate | OneAgent CloudNative | OneAgent Log Module
Disallow privileged containers | CIS [1] 5.2.2 / PSSB [2] | Satisfied | Satisfied | Works as designed [15]
Disallow privilege escalation | CIS [1] 5.2.6 / PSSR [3] | Satisfied | Works as designed [6] | Works as designed [16]
Disallow containers running as root | CIS [1] 5.2.7 / PSSR [3] | Satisfied | Satisfied | Satisfied
Disallow usage of too many or insecure capabilities | CIS [1] 5.2.8 / 5.2.9 / 5.2.10 / PSSR [3] | Satisfied | Works as designed [7] | Works as designed [17]
Disallow usage of HostPath volumes | CIS [1] 5.2.12 / PSSB [2] | Satisfied | Works as designed [8] | Works as designed [18]
Disallow usage of HostPorts | CIS [1] 5.2.13 / PSSB [2] | Satisfied | Satisfied | Satisfied
Disallow access to host network | CIS [1] 5.2.5 / PSSB [2] | Satisfied | Works as designed [9] | Satisfied
Disallow usage of host PID | CIS [1] 5.2.3 / PSSB [2] | Satisfied | Works as designed [10] | Satisfied
Disallow usage of host IPC | CIS [1] 5.2.4 / PSSB [2] | Satisfied | Satisfied | Satisfied
Require readOnlyRootFilesystem | Best practice | Satisfied | Satisfied | Satisfied
Require Resource limits | Best practice | Configurable [5] | Configurable [11] | Configurable [19]
Demand seccomp to be used (at least default/runtime) | CIS [1] 5.7.2 / PSSR [3] | Satisfied | Works as designed [12] | Works as designed [20]
Disallow Secrets mounted as env variable | CIS [1] 5.4.1 | Satisfied | Satisfied | Satisfied
Restrict sysctls | PSSB [2] | Satisfied | Satisfied | Satisfied
Restrict AppArmor | PSSB [2] | Satisfied | Works as designed [13] | Satisfied
Disallow SELinux | PSSB [2] | Satisfied | Satisfied | Satisfied
Restrict automounting of service account token | CIS [1] 5.1.6 | Works as designed [4] | Configurable [14] | Works as designed [4]
/proc Mount Type | PSSB [2] | Satisfied | Satisfied | Satisfied

Standard:

General:

[4] Component needs to communicate with the Kubernetes API.

ActiveGate:

[5] The limits depend heavily on the amount of data processed. They can be set via DynaKube.

OneAgent:

[6] Privilege escalation is needed for processes inside the OneAgent container to acquire Linux capabilities.

[7] Monitoring actions executed by OneAgent processes need the capabilities listed under OneAgent above.

[8] The mounted host root filesystem is accessed by all OneAgent modules and enables access to log files, disk metrics, and other host and process monitoring capabilities.

[9] OneAgent needs access to the host network namespace to provide host-level and process-level network health monitoring.

[10] OneAgent needs access to the host process table to collect performance metrics for all processes running on the host.

[11] The limits depend heavily on the amount of data processed. They can be set via DynaKube.

[12] OneAgent needs kernel syscalls beyond the RuntimeDefault seccomp profile for monitoring purposes.

[13] OneAgent needs to call mount, which the default AppArmor profile blocks.

[14] The OneAgent component needs to communicate with the kubelet /pods endpoint. The Kubernetes service account token is not mounted into the pod if log monitoring is turned off via Helm values.

OneAgent Log Module:

[15] The Log Module needs to run as a privileged container on OpenShift (OCP) to access its persistent storage, which OCP provides via hostPath.

[16] allowPrivilegeEscalation is always true when the container runs as privileged (see Configure a Security Context for a Pod or Container in the Kubernetes documentation).

[17] The Log Module needs additional capabilities to access all monitored log files.

[18] Needs access to log files on the host's filesystem.

[19] The limits depend heavily on the amount of data processed. They can be set via DynaKube.

[20] The seccomp profile can be set via DynaKube to run in secure computing mode.
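The two security-control tables above (for the operator components and for the components the operator manages) are what an admission policy or a periodic audit should enforce, but a generic Pod Security check will flag every "Works as designed" row for OneAgent as a failure. The following Python script is an added example, not Dynatrace code: it implements each table row as a check over a pod object and subtracts the deviations the tables document for a given component, so only undocumented drift remains. The sysctl and SELinux allow-lists are those of the Pod Security Standards baseline profile. Both pod objects are constructed for the example (names such as webhook-certs-example are placeholders) and do not reproduce Dynatrace's real manifests; the OneAgent-shaped pod has hostIPC planted as the one deviation the tables do not document.

```python
"""Audit pod specs against the security-control rows tabulated on this page.

Added example, not Dynatrace code. CONTROLS implements each table row as a check that
returns True when the control is satisfied; EXCEPTIONS lists, per component, the rows
the tables mark 'Works as designed' or 'Configurable', so only undocumented deviations
are reported. Both pods below are constructed and do not reproduce Dynatrace manifests.
"""
from typing import Callable, Dict, List, Set

# Allow-lists from the Pod Security Standards baseline profile.
SAFE_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies",
                "net.ipv4.ping_group_range", "net.ipv4.ip_unprivileged_port_start"}
SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}


def ctrs(pod: dict) -> List[dict]: return pod["spec"].get("initContainers", []) + pod["spec"].get("containers", [])
def sctx(obj: dict) -> dict: return obj.get("securityContext") or {}
def merged(pod: dict, c: dict, field: str):  # container-level field, falling back to the pod level
    return sctx(c).get(field, sctx(pod["spec"]).get(field))


def caps_ok(c: dict) -> bool:
    caps = sctx(c).get("capabilities") or {}
    return "ALL" in caps.get("drop", []) and set(caps.get("add", [])) <= {"NET_BIND_SERVICE"}


def apparmor_ok(pod: dict, c: dict) -> bool:
    ann = pod.get("metadata", {}).get("annotations", {}).get(
        "container.apparmor.security.beta.kubernetes.io/" + c["name"])
    field = (merged(pod, c, "appArmorProfile") or {}).get("type")
    return (ann in (None, "runtime/default") or ann.startswith("localhost/")) \
        and field in (None, "RuntimeDefault", "Localhost")


def selinux_ok(pod: dict, c: dict) -> bool:
    opts = merged(pod, c, "seLinuxOptions") or {}
    return opts.get("type", "") in SELINUX_TYPES and not opts.get("user") and not opts.get("role")


def no_secret_env(c: dict) -> bool:
    return not any((e.get("valueFrom") or {}).get("secretKeyRef") for e in c.get("env", [])) \
        and not any(e.get("secretRef") for e in c.get("envFrom", []))


CONTROLS: Dict[str, Callable[[dict], bool]] = {
    "Disallow privileged containers": lambda p: not any(sctx(c).get("privileged") for c in ctrs(p)),
    "Disallow privilege escalation": lambda p: all(sctx(c).get("allowPrivilegeEscalation") is False for c in ctrs(p)),
    "Disallow containers running as root": lambda p: all(
        merged(p, c, "runAsNonRoot") is True or (merged(p, c, "runAsUser") or 0) > 0 for c in ctrs(p)),
    "Disallow usage of too many or insecure capabilities": lambda p: all(caps_ok(c) for c in ctrs(p)),
    "Disallow usage of HostPath volumes": lambda p: not any("hostPath" in v for v in p["spec"].get("volumes", [])),
    "Disallow usage of HostPorts": lambda p: not any(pt.get("hostPort") for c in ctrs(p) for pt in c.get("ports", [])),
    "Disallow access to host network": lambda p: not p["spec"].get("hostNetwork"),
    "Disallow usage of host PID": lambda p: not p["spec"].get("hostPID"),
    "Disallow usage of host IPC": lambda p: not p["spec"].get("hostIPC"),
    "Require readOnlyRootFilesystem": lambda p: all(sctx(c).get("readOnlyRootFilesystem") is True for c in ctrs(p)),
    "Require Resource limits": lambda p: all(
        {"cpu", "memory"} <= set((c.get("resources") or {}).get("limits") or {}) for c in ctrs(p)),
    "Demand seccomp to be used": lambda p: all(
        (merged(p, c, "seccompProfile") or {}).get("type") in ("RuntimeDefault", "Localhost") for c in ctrs(p)),
    "Disallow Secrets mounted as env variable": lambda p: all(no_secret_env(c) for c in ctrs(p)),
    "Restrict sysctls": lambda p: {s["name"] for s in sctx(p["spec"]).get("sysctls", [])} <= SAFE_SYSCTLS,
    "Restrict AppArmor": lambda p: all(apparmor_ok(p, c) for c in ctrs(p)),
    "Disallow SELinux": lambda p: all(selinux_ok(p, c) for c in ctrs(p)),
    "Restrict automounting of service account token": lambda p: p["spec"].get("automountServiceAccountToken") is False,
    "/proc Mount Type": lambda p: all(sctx(c).get("procMount") in (None, "Default") for c in ctrs(p)),
}

# Rows the page's tables mark 'Works as designed' or 'Configurable' for each component.
EXCEPTIONS: Dict[str, Set[str]] = {
    "Webhook": {"Restrict automounting of service account token"},
    "OneAgent CloudNative": {"Disallow privilege escalation", "Disallow usage of too many or insecure capabilities",
                            "Disallow usage of HostPath volumes", "Disallow access to host network",
                            "Disallow usage of host PID", "Require Resource limits", "Demand seccomp to be used",
                            "Restrict AppArmor", "Restrict automounting of service account token"}}


def failed_controls(pod: dict) -> List[str]:
    return [name for name, check in CONTROLS.items() if not check(pod)]


def unexpected_findings(pod: dict, component: str) -> List[str]:
    """Failed controls that the page does not document as expected for this component."""
    return [name for name in failed_controls(pod) if name not in EXCEPTIONS[component]]


# Constructed pod shaped like a restricted webhook pod; its only deviation is the API token mount.
WEBHOOK_LIKE = {"metadata": {"name": "webhook-example"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "webhook", "resources": {"limits": {"cpu": "300m", "memory": "128Mi"}},
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "env": [{"name": "POD_NAME", "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}}]}],
    "volumes": [{"name": "certs", "secret": {"secretName": "webhook-certs-example"}}]}}

# Constructed pod shaped like a cloud-native OneAgent pod, with hostIPC planted as the one
# deviation the page does not document.
ONEAGENT_CAPS = ["CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL", "NET_ADMIN", "NET_RAW",
                 "SETFCAP", "SETGID", "SETUID", "SYS_ADMIN", "SYS_CHROOT", "SYS_PTRACE", "SYS_RESOURCE"]
ONEAGENT_LIKE = {"metadata": {"name": "oneagent-example", "annotations": {
                     "container.apparmor.security.beta.kubernetes.io/oneagent": "unconfined"}}, "spec": {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    "containers": [{"name": "oneagent", "volumeMounts": [{"name": "host-root", "mountPath": "/mnt/root"}],
                    "securityContext": {"allowPrivilegeEscalation": True, "runAsNonRoot": True,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"], "add": ONEAGENT_CAPS}}}],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}}
```

`failed_controls(ONEAGENT_LIKE)` lists ten rows, which is exactly the profile the second table describes for OneAgent CloudNative, while `unexpected_findings(ONEAGENT_LIKE, "OneAgent CloudNative")` reduces that to the planted hostIPC. Feed the script the output of `kubectl get pod -n dynatrace -o json` to compare what is actually running against the tables, and treat any non-empty unexpected list as a change to investigate.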

Pod security policies

These permissions used to be managed using a PodSecurityPolicy (PSP). Kubernetes 1.25 removed the PSP API, and PSPs are no longer shipped for the following components:

Dynatrace Operator version 0.2.1 is the last version that applies PSPs by default, so enforcing these rules is up to you. As PSP alternatives, you can use other policy enforcement tools such as:

If you choose a PSP alternative, be sure to grant the Dynatrace components the permissions listed above.

Dynatrace Operator security context constraints

Dynatrace Operator version 0.12.0+

Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.

Despite this update, the components maintain the same permissions and security requirements as before.

The following tables show the SCCs used in different versions of Dynatrace Operator and OpenShift.

Component | Custom SCC used in Dynatrace Operator versions earlier than 0.12.0 | SCC in Dynatrace Operator version 0.12.0+ and OpenShift earlier than 4.11
Dynatrace Operator | dynatrace-operator | privileged [1]
Dynatrace Operator Webhook Server | dynatrace-webhook | privileged [1]
Dynatrace Operator CSI driver | dynatrace-oneagent-csi-driver | privileged [1]
ActiveGate | dynatrace-activegate | privileged [1]
OneAgent | dynatrace-dynakube-oneagent-privileged, dynatrace-dynakube-oneagent-unprivileged | privileged [1]

Component | Custom SCC used in Dynatrace Operator versions earlier than 0.12.0 | SCC in Dynatrace Operator version 0.12.0+ and OpenShift 4.11+
Dynatrace Operator | dynatrace-operator | nonroot-v2
Dynatrace Operator Webhook Server | dynatrace-webhook | nonroot-v2
Dynatrace Operator CSI driver | dynatrace-oneagent-csi-driver | privileged [1]
ActiveGate | dynatrace-activegate | nonroot-v2
OneAgent | dynatrace-dynakube-oneagent-privileged, dynatrace-dynakube-oneagent-unprivileged | privileged [1]

[1] This SCC is the only built-in OpenShift SCC that allows the use of seccomp, which our components set by default, and the use of CSI volumes.

It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.

To remove the old SCCs, use the following command:

oc delete scc <scc-name>