Dynatrace Operator security

Kubernetes observability relies on components with different purposes, default configurations, and permissions. These different components need permissions to perform and maintain operational function of Dynatrace within your cluster.

While Dynatrace permissions adhere to the principle of least privilege, make sure to secure the dynatrace namespace and limit access to a closed group of administrators and operators.

Permission list

Dynatrace Operator

Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.

Default configuration: 1-replica-per-cluster

Cluster-wide permissions

Resources accessed
API group
APIs used
Resource names
nodes
""
Get/List/Watch
namespaces
""
Get/List/Watch/Update
secrets
""
Create
secrets
""
Get/Update/Delete/List
dynatrace-dynakube-config
dynatrace-metadata-enrichment-endpoint
mutatingwebhookconfigurations
admissionregistration.k8s.io
Get/Update
dynatrace-webhook
validatingwebhookconfigurations
admissionregistration.k8s.io
Get/Update
dynatrace-webhook
customresourcedefinitions
apiextensions.k8s.io
Get/Update
dynakubes.dynatrace.com
edgeconnects.dynatrace.com
securitycontextconstraints
security.openshift.io
Use
privileged
nonroot-v2

Namespace dynatrace permissions

Resources accessed
API group
APIs used
Resource names
dynakubes
dynatrace.com
Get/List/Watch/Update/Create
edgeconnects
dynatrace.com
Get/List/Watch/Update/Create
dynakubes/finalizers
dynatrace.com
Update
dynakubes/status
dynatrace.com
Update
edgeconnects/finalizers
dynatrace.com
Update
edgeconnects/status
dynatrace.com
Update
statefulsets
apps
Get/List/Watch/Create/Update/Delete
daemonsets
apps
Get/List/Watch/Create/Update/Delete
replicasets
apps
Get/List/Watch/Create/Update/Delete
deployments
apps
Get/List/Watch/Create/Update/Delete
deployments/finalizers
apps
Update
configmaps
""
Get/List/Watch/Create/Update/Delete
pods
""
Get/List/Watch
secrets
""
Get/List/Watch/Create/Update/Delete
events
""
Create/Get/List
services
""
Create/Update/Delete/Get/List/Watch
pods/log
""
Get
serviceentries
networking.istio.io
Get/List/Create/Update/Delete
virtualservices
networking.istio.io
Get/List/Create/Update/Delete
leases
coordination.k8s.io
Get/Update/Create

OneAgent

Purposes:

  • Collects host metrics from Kubernetes nodes.
  • Detects new containers and injects OneAgent code modules into application pods using classic full-stack injection. optional

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

Policy settings: Allows HostNetwork, HostPID, to use any volume types.

Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE

Resources accessed
API group
APIs used
Resource names
securitycontextconstraints
security.openshift.io
Use
privileged

Dynatrace CSI driver

Purpose:

  • For applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.
  • For hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.
  • For cloudNativeFullStack, it provides both of the above.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

Cluster-wide permission

Resources accessed
API group
APIs used
Resource names
securitycontextconstraints
security.openshift.io
Use
privileged

Namespace dynatrace permissions

Resources accessed
API group
APIs used
Resource names
dynakubes
dynatrace.com
Get/List/Watch
secrets
""
Get/List/Watch
configmaps
""
Get/List/Watch
events
""
Create/Patch

Dynatrace webhook server

Purposes:

  • Modifies pod definitions to include Dynatrace code modules for application observability
  • Validates DynaKube custom resources
  • Handles the DynaKube conversion between versions

Default configuration: 1-replica-per-cluster, can be scaled

Cluster-wide permissions

Resources accessed
API group
APIs used
Resource names
namespaces
""
Get/List/Watch/Update
secrets
""
Create
secrets
""
Get/List/Watch/Update
dynatrace-dynakube-config
dynatrace-metadata-enrichment-endpoint
replicationcontrollers
""
Get
replicasets
apps
Get
statefulsets
apps
Get
daemonsets
apps
Get
deployments
apps
Get
jobs
batch
Get
cronjobs
batch
Get
deploymentconfigs
apps.openshift.io
Get
securitycontextconstraints
security.openshift.io
Use
privileged
nonroot-v2

Namespace dynatrace permissions

Resources accessed
API group
APIs used
Resource names
events
""
Create/Patch
secrets
""
Get/List/Watch
pods
""
Get/List/Watch
configmaps
""
Get/List/Watch
dynakubes
dynatrace.com
Get/List/Watch
daemonsets
apps
Get/List/Watch

Dynatrace ActiveGate (Kubernetes Platform Monitoring)

Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.

Default configuration: 1-replica-per-cluster, can be scaled

Cluster-wide permissions

Resources accessed
API group
APIs used
Resource names
nodes
""
List/Watch/Get
pods
""
List/Watch/Get
namespaces
""
List/Watch/Get
replicationcontrollers
""
List/Watch/Get
events
""
List/Watch/Get
resourcequotas
""
List/Watch/Get
pods/proxy
""
List/Watch/Get
nodes/proxy
""
List/Watch/Get
nodes/metrics
""
List/Watch/Get
services
""
List/Watch/Get
jobs
batch
List/Watch/Get
cronjobs
batch
List/Watch/Get
deployments
apps
List/Watch/Get
replicasets
apps
List/Watch/Get
statefulsets
apps
List/Watch/Get
daemonsets
apps
List/Watch/Get
deploymentconfigs
apps.openshift.io
List/Watch/Get
clusterversions
config.openshift.io
List/Watch/Get
dynakubes
dynatrace.com
List/Watch/Get
securitycontextconstraints
security.openshift.io
Use
privileged
nonroot-v2

CIS Benchmark of Dynatrace Operator components

The following table presents a detailed analysis of the security controls for Kubernetes components: Dynatrace Operator, Webhook, and CSI. This report is based on the CIS Benchmark, a globally recognized standard for securing Kubernetes deployments.

Security Control
Dynatrace Operator
Webhook
CSI
Disallow privileged Containers
Satisfied
Satisfied
Works as designed 2
Disallow privilege escalation
Satisfied
Satisfied
Works as designed 2
Disallow containers running as root
Satisfied
Satisfied
Works as designed 3
Disallow usage of too many or insecure capabilities
Satisfied
Satisfied
Satisfied
Disallow usage of hostPath volumes
Satisfied
Satisfied
Works as designed 4
Disallow usage of HostPorts
Satisfied
Satisfied
Satisfied
Disallow access to host network
Satisfied
Satisfied
Satisfied
Disallow usage of Host PID and Host IPC
Satisfied
Satisfied
Satisfied
Require readOnlyRootFilesystem
Satisfied
Satisfied
Satisfied
Require Resource limits
Satisfied
Satisfied
Satisfied
Demand seccomp to be used (at least default/runtime)
Satisfied
Satisfied
Satisfied
Disallow Secrets mounted as env variable
Satisfied
Satisfied
Satisfied
Restrict sysctls
Satisfied
Satisfied
Satisfied
Restrict AppArmor
Satisfied
Satisfied
Satisfied
Disallow SELinux
Satisfied
Satisfied
Works as designed 5
Restrict automounting of service account token
Works as designed 1
Works as designed 1
Works as designed 1

General:

1

component needs to communicate with the Kubernetes API

CSI:

2

CSI driver requires elevated permissions to create and manage mounts on the host system. For more details, see CSI driver privileges.

3

CSI driver communicates with kubelet using a socket on the host, to access this socket the CSI driver needs to run as root.

4

CSI driver stores/caches the OneAgent binaries on the host's filesystem, in order to do that it needs a hostVolume mount.

5

CSI driver needs seLinux level s0 for the application pods to see files from the volume created by the CSI driver.

Pod security policies

These permissions used to be managed using a PodSecurityPolicy (PSP), but in Kubernetes version 1.25 PSPs will be removed from the following components:

Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:

If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.

Dynatrace Operator security context constraints

Dynatrace Operator version 0.12.0+

Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.

Despite this update, the components maintain the same permissions and security requirements as before.

The following tables show the SCCs used in different versions of Dynatrace Operator and OpenShift.

Resources accessed
Custom SCC used in Dynatrace Operator versions earlier than 0.12.0
SCC in Dynatrace Operator version 0.12.0+ and OpenShift earlier than 4.11
Dynatrace Operator
dynatrace-operator
privileged1
Webhook
dynatrace-webhook
privileged1
CSI Driver
dynatrace-oneagent-csi-driver
privileged1
OneAgent
dynatrace-dynakube-oneagent-privileged
dynatrace-dynakube-oneagent-unprivileged
privileged1
ActiveGate
dynatrace-activegate
privileged1
Resources accessed
Custom SCC used in Dynatrace Operator versions earlier than 0.12.0
SCC in Dynatrace Operator version 0.12.0+ and OpenShift 4.11+
Dynatrace Operator
dynatrace-operator
nonroot-v2
Webhook
dynatrace-webhook
nonroot-v2
CSI Driver
dynatrace-oneagent-csi-driver
privileged1
OneAgent
dynatrace-dynakube-oneagent-privileged
dynatrace-dynakube-oneagent-unprivileged
privileged1
ActiveGate
dynatrace-activegate
nonroot-v2
1

This SCC is the only built-in OpenShift SCC that allows usage of seccomp, which our components have set by default, and also the usage of CSI volumes.

It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.

To remove the old SCCs, use the following command:

oc delete scc <scc-name>