Dynatrace Operator security

  • 16-min read

Kubernetes observability relies on components with different purposes, default configurations, and permissions. These different components need permissions to perform and maintain operational function of Dynatrace within your cluster.

While Dynatrace permissions adhere to the principle of least privilege, make sure to secure the dynatrace namespace and limit access to a closed group of administrators and operators.

Permission list

Dynatrace Operator

Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.

Default configuration: 1-replica-per-cluster

RBAC objects:

  • Service Account dynatrace-operator
  • Cluster-Role dynatrace-operator
  • Role dynatrace-operator

Cluster-wide permissions

Resources accessedAPI groupAPIs usedResource names
nodes""Get/List/Watch
namespaces""Get/List/Watch/Update
secrets""Create
secrets""Get/Update/Delete/Listdynatrace-bootstrapper-config
dynatrace-dynakube-config
dynatrace-metadata-enrichment-endpoint
mutatingwebhookconfigurationsadmissionregistration.k8s.ioGet/Updatedynatrace-webhook
validatingwebhookconfigurationsadmissionregistration.k8s.ioGet/Updatedynatrace-webhook
customresourcedefinitionsapiextensions.k8s.ioGet/Updatedynakubes.dynatrace.com
edgeconnects.dynatrace.com
securitycontextconstraintssecurity.openshift.ioUseprivileged
nonroot-v2

Namespace dynatrace permissions

Resources accessedAPI groupAPIs usedResource names
dynakubesdynatrace.comGet/List/Watch/Update
edgeconnectsdynatrace.comGet/List/Watch/Update
dynakubes/finalizersdynatrace.comUpdate
edgeconnects/finalizersdynatrace.comUpdate
dynakubes/statusdynatrace.comUpdate
edgeconnects/statusdynatrace.comUpdate
statefulsetsappsGet/List/Watch/Create/Update/Delete
daemonsetsappsGet/List/Watch/Create/Update/Delete
replicasetsappsGet/List/Watch/Create/Update/Delete
deploymentsappsGet/List/Watch/Create/Update/Delete
deployments/finalizersappsUpdate
configmaps""Get/List/Watch/Create/Update/Delete
pods""Get/List/Watch
secrets""Get/List/Watch/Create/Update/Delete
events""Create/Get/List
services""Create/Update/Delete/Get/List/Watch
serviceentriesnetworking.istio.ioGet/List/Create/Update/Delete
virtualservicesnetworking.istio.ioGet/List/Create/Update/Delete
leasescoordination.k8s.ioGet/Update/Create

Dynatrace Operator Webhook Server

Purposes:

  • Modifies pod definitions to include Dynatrace code modules for application observability
  • Validates DynaKube custom resources
  • Handles the DynaKube conversion between versions

Default configuration: 1-replica-per-cluster, can be scaled

RBAC objects:

  • Service Account dynatrace-webhook
  • Cluster-Role dynatrace-webhook
  • Role dynatrace-webhook

Cluster-wide permissions

Resources accessedAPI groupAPIs usedResource names
namespaces""Get/List/Watch/Update
secrets""Create
secrets""Get/List/Watch/Updatedynatrace-dynakube-config
dynatrace-bootstrapper-config
dynatrace-metadata-enrichment-endpoint
replicationcontrollers""Get
replicasetsappsGet
statefulsetsappsGet
daemonsetsappsGet
deploymentsappsGet
jobsbatchGet
cronjobsbatchGet
deploymentconfigsapps.openshift.ioGet
securitycontextconstraintssecurity.openshift.ioUseprivileged
nonroot-v2

Namespace dynatrace permissions

Resources accessedAPI groupAPIs usedResource names
events""Create/Patch
secrets""Get/List/Watch
pods""Get/List/Watch
configmaps""Get/List/Watch
dynakubesdynatrace.comGet/List/Watch

Dynatrace Operator CSI driver

Purpose:

  • For applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.
  • For hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.
  • For cloudNativeFullStack, it provides both of the above.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-oneagent-csi-driver
  • Cluster-Role dynatrace-oneagent-csi-driver
  • Role dynatrace-oneagent-csi-driver

Cluster-wide permission

Resources accessedAPI groupAPIs usedResource names
securitycontextconstraintssecurity.openshift.ioUseprivileged

Namespace dynatrace permissions

Resources accessedAPI groupAPIs usedResource names
dynakubesdynatrace.comGet/List/Watch
secrets""Get/List/Watch
configmaps""Get/List/Watch
dynakubes/finalizersdynatrace.comUpdate
jobsbatchGet/List/Create/Delete/Watch
events""Create/Patch

ActiveGate

Kubernetes Platform Monitoring

Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.

Default configuration: 1-replica-per-cluster, can be scaled

RBAC objects:

  • Service Account: dynatrace-kubernetes-monitoring
  • Cluster-Role: dynatrace-kubernetes-monitoring
Cluster-wide permissions
Resources accessedAPI groupAPIs usedResource names
nodes""List/Watch/Get
pods""List/Watch/Get
namespaces""List/Watch/Get
replicationcontrollers""List/Watch/Get
events""List/Watch/Get
resourcequotas""List/Watch/Get
pods/proxy""List/Watch/Get
nodes/proxy""List/Watch/Get
nodes/metrics""List/Watch/Get
services""List/Watch/Get
persistentvolumeclaims""List/Watch/Get
persistentvolumes""List/Watch/Get
jobsbatchList/Watch/Get
cronjobsbatchList/Watch/Get
deploymentsappsList/Watch/Get
replicasetsappsList/Watch/Get
statefulsetsappsList/Watch/Get
daemonsetsappsList/Watch/Get
deploymentconfigsapps.openshift.ioList/Watch/Get
clusterversionsconfig.openshift.ioList/Watch/Get
dynakubesdynatrace.comList/Watch/Get
edgeconnectsdynatrace.comList/Watch/Get
customresourcedefinitionsapiextensions.k8s.ioList/Watch/Get
ingressesnetworking.k8s.ioList/Watch/Get
networkpoliciesnetworking.k8s.ioList/Watch/Get
securitycontextconstraintssecurity.openshift.ioUseprivileged
nonroot-v2

Dynatrace Kubernetes Security Posture Management (KSPM)

Purposes: Kubernetes Security Posture Management detects, analyzes, and continuously watches for misconfigurations, security hardening guidelines, and potential compliance violations in Kubernetes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-node-config-collector
  • Cluster-Role dynatrace-kubernetes-monitoring-kspm
Cluster-wide permissions
Resources accessedAPI groupAPIs usedResource names
events""Get/List/Watch
namespaces""Get/List/Watch
nodes""Get/List/Watch
nodes/metrics""Get/List/Watch
nodes/proxy""Get/List/Watch
pods""Get/List/Watch
pods/proxy""Get/List/Watch
replicationcontrollers""Get/List/Watch
resourcequotas""Get/List/Watch
serviceaccounts""Get/List/Watch
services""Get/List/Watch
cronjobsbatchGet/List/Watch
jobsbatchGet/List/Watch
daemonsetsappsGet/List/Watch
deploymentsappsGet/List/Watch
replicasetsappsGet/List/Watch
statefulsetsappsGet/List/Watch
networkpoliciesnetworking.k8s.ioGet/List/Watch
clusterrolebindingsrbac.authorization.k8s.ioGet/List/Watch
clusterrolesrbac.authorization.k8s.ioGet/List/Watch
rolebindingsrbac.authorization.k8s.ioGet/List/Watch
rolesrbac.authorization.k8s.ioGet/List/Watch

OneAgent

Purposes:

  • Collects host metrics from Kubernetes nodes.
  • Detects new containers and injects Dynatrace code modules into application pods using classic full-stack injection. optional
  • Collects container logs from Kubernetes nodes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-dynakube-oneagent
  • Cluster-Role dynatrace-dynakube-oneagent
  • Cluster-Role dynatrace-logmonitoring

Policy settings: Allows HostNetwork, HostPID, to use any volume types.

Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE

Cluster-wide permissions

Resources accessedAPI groupAPIs usedResource names
nodes/proxy""Get
securitycontextconstraintssecurity.openshift.ioUseprivileged

Dynatrace Log Module

Purposes:

  • Collects container logs from Kubernetes nodes.

Default configuration: 1-replica-per-node (deployed via a DaemonSet)

RBAC objects:

  • Service Account dynatrace-logmonitoring
  • Cluster-Role dynatrace-logmonitoring

Cluster-wide permissions

Log monitoring requires the same cluster-wide permissions as OneAgent.

Dynatrace telemetry ingest

Purposes:

Cluster-wide permissions

Resources accessedAPI groupAPIs usedResource names
pods""Get/Watch/List
namespaces""Get/Watch/List
nodes""Get/Watch/List
replicasetsappsGet/List/Watch
securitycontextconstraintssecurity.openshift.ioUseprivileged

Security Controls of Dynatrace Operator components

The following table presents a detailed analysis of the security controls for Kubernetes components: Dynatrace Operator, Dynatrace Operator webhook, and Dynatrace Operator CSI driver. This report is based on:

Security ControlStandard (*)Dynatrace OperatorWebhookCSI driver
Disallow privileged containersCIS 1 5.2.2 / PSSB 2SatisfiedSatisfiedRequired 5
Disallow privilege escalationCIS 1 5.2.6 / PSSR 3SatisfiedSatisfiedRequired 5
Disallow containers running as rootCIS 1 5.2.7 / PSSR 3SatisfiedSatisfiedRequired 6
Disallow usage of too many or insecure capabilitiesCIS 1 5.2.8 / 5.2.9 / 5.2.10 / PSSR 3SatisfiedSatisfiedSatisfied
Disallow usage of HostPath volumesCIS 1 5.2.12 / PSSB 2SatisfiedSatisfiedRequired 7
Disallow usage of HostPortsCIS 1 5.2.13 / PSSB 2SatisfiedSatisfiedSatisfied
Disallow access to host networkCIS 1 5.2.5 / PSSB 2SatisfiedSatisfiedSatisfied
Disallow usage of host PIDCIS 1 5.2.3 / PSSB 2SatisfiedSatisfiedSatisfied
Disallow usage of host IPCCIS 1 5.2.4 / PSSB 2SatisfiedSatisfiedSatisfied
Require readOnlyRootFilesystemBest practiceSatisfiedSatisfiedSatisfied
Require Resource limitsBest practiceSatisfiedSatisfiedSatisfied
Demand seccomp to be used (at least default/runtime)CIS 1 5.7.2 / PSSR 3SatisfiedSatisfiedSatisfied
Disallow Secrets mounted as env variableCIS 1 5.4.1SatisfiedSatisfiedSatisfied
Restrict sysctlsPSSB 2SatisfiedSatisfiedSatisfied
Restrict AppArmorPSSB 2SatisfiedSatisfiedSatisfied
Disallow SELinuxPSSB 2SatisfiedSatisfiedRequired 8
Restrict automounting of service account tokenCIS 1 5.1.6Required 4Required 4Required 4
/proc Mount TypePSSB 2SatisfiedSatisfiedSatisfied

Standard:

General:

4

Component needs to communicate with the Kubernetes API.

CSI:

5

CSI driver requires elevated permissions to create and manage mounts on the host system. For more details, see CSI driver privileges.

6

CSI driver communicates with kubelet using a socket on the host, to access this socket the CSI driver needs to run as root.

7

CSI driver stores/caches the OneAgent binaries on the host's filesystem, in order to do that it needs a hostVolume mount.

8

CSI driver needs seLinux level s0 for the application pods to see files from the volume created by the CSI driver.

Security Controls of components managed by Dynatrace Operator

The following table presents a detailed analysis of the security controls for Kubernetes components managed by Dynatrace Operator: ActiveGate, OneAgent (CloudNative), LogAgent. This report is based on:

Security ControlStandard (*)ActiveGateOneAgent CloudNativeOneAgent Log Module
Disallow privileged containersCIS 1 5.2.2 / PSSB 2SatisfiedSatisfiedRequired 15
Disallow privilege escalationCIS 1 5.2.6 / PSSR 3SatisfiedRequired 6Required 16
Disallow containers running as rootCIS 1 5.2.7 / PSSR 3SatisfiedSatisfiedSatisfied
Disallow usage of too many or insecure capabilitiesCIS 1 5.2.8 / 5.2.9 / 5.2.10 / PSSR 3SatisfiedRequired 7Required 17
Disallow usage of HostPath volumesCIS 1 5.2.12 / PSSB 2SatisfiedRequired 8Required 18
Disallow usage of HostPortsCIS 1 5.2.13 / PSSB 2SatisfiedSatisfiedSatisfied
Disallow access to host networkCIS 1 5.2.5 / PSSB 2SatisfiedRequired 9Satisfied
Disallow usage of host PIDCIS 1 5.2.3 / PSSB 2SatisfiedRequired 10Satisfied
Disallow usage of host IPCCIS 1 5.2.4 / PSSB 2SatisfiedSatisfiedSatisfied
Require readOnlyRootFilesystemBest practiceSatisfiedSatisfiedSatisfied
Require Resource limitsBest practiceConfigurable 5Configurable 11Configurable 19
Demand seccomp to be used (at least default/runtime)CIS 1 5.7.2 / PSSR 3SatisfiedRequired 12Required 20
Disallow Secrets mounted as env variableCIS 1 5.4.1SatisfiedSatisfiedSatisfied
Restrict sysctlsPSSB 2SatisfiedSatisfiedSatisfied
Restrict AppArmorPSSB 2SatisfiedRequired 13Satisfied
Disallow SELinuxPSSB 2SatisfiedSatisfiedSatisfied
Restrict automounting of service account tokenCIS 1 5.1.6Required 4Configurable 14Required 4
/proc Mount TypePSSB 2SatisfiedSatisfiedSatisfied

Standard:

General:

4

Component needs to communicate with the Kubernetes API.

ActiveGate

5

The limits are highly dependent on the amount of data processed. Can be set via DynaKube.

OneAgent

6

Privilege escalation is needed for processes inside OneAgent container to get Linux capabilities.

7

Monitoring actions executed by OneAgent processes need the following capabilities.

8

Mounted host's root filesystem is accessed by all OneAgent modules and allows for log files access, disk metrics, and other host and process monitoring capabilities.

9

OneAgent needs access to host network namespace to provide host-level and process-level network health monitoring.

10

OneAgent needs access to host process table to collect performance metrics for all processes running on the host.

11

The limits are highly dependent on the amount of data processed. Can be set via DynaKube.

12

OneAgent needs access to kernel syscalls beyond the RuntimeDefault set for monitoring purposes.

13

OneAgent needs access to the mount command which is blocked by the default AppArmor profile.

14

OneAgent component needs to communicate with the kubelet /pods endpoint. The K8s token is not mounted to the Pod if LogMonitoring is turned off via Helm values.

OneAgent Log Module:

15

LogAgent needs to run as privileged container on OCP cluster to access its persistent storage. OCP persistent storage using hostPath.

16

AllowPrivilegeEscalation is always true when the container is run as privileged. Configure a Security Context for a Pod or Container.

17

LogAgent needs additional capability to get access to all monitored log files.

18

Needs access to log files on the host's filesystem.

19

The limits are highly dependent on the amount of data processed. Can be set via DynaKube.

20

The seccomp profile can be set via DynaKube in order to run in secure computing mode.

Pod security policies

These permissions used to be managed using a PodSecurityPolicy (PSP), but in Kubernetes version 1.25 PSPs will be removed from the following components:

Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:

If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.

Dynatrace Operator security context constraints

Dynatrace Operator version 0.12.0+

Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.

Despite this update, the components maintain the same permissions and security requirements as before.

The following tables show the SCCs used in different versions of Dynatrace Operator and OpenShift.

Resources accessedCustom SCC used in Dynatrace Operator versions earlier than 0.12.0SCC in Dynatrace Operator version 0.12.0+ and OpenShift earlier than 4.11
Dynatrace Operatordynatrace-operatorprivileged1
Dynatrace Operator Webhook Serverdynatrace-webhookprivileged1
Dynatrace Operator CSI driverdynatrace-oneagent-csi-driverprivileged1
ActiveGatedynatrace-activegateprivileged1
OneAgentdynatrace-dynakube-oneagent-privileged
dynatrace-dynakube-oneagent-unprivileged
privileged1
Resources accessedCustom SCC used in Dynatrace Operator versions earlier than 0.12.0SCC in Dynatrace Operator version 0.12.0+ and OpenShift 4.11+
Dynatrace Operatordynatrace-operatornonroot-v2
Dynatrace Operator Webhook Serverdynatrace-webhooknonroot-v2
Dynatrace Operator CSI driverdynatrace-oneagent-csi-driverprivileged1
ActiveGatedynatrace-activegatenonroot-v2
OneAgentdynatrace-dynakube-oneagent-privileged
dynatrace-dynakube-oneagent-unprivileged
privileged1
1

This SCC is the only built-in OpenShift SCC that allows usage of seccomp, which our components have set by default, and also the usage of CSI volumes.

It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.

To remove the old SCCs, use the following command:

oc delete scc <scc-name>