Workload mutation on injection mode

3-min read
Page has not been published yet

When you enable metadata-enrichment or OneAgent for application pods, Dynatrace Operator uses a webhook to intercept workload creation events and apply mutations to the resulting pods. These mutations modify the pod specification to enable monitoring capabilities.

Workload mutation on metadata-enrichment mode

In metadata-enrichment mode, Dynatrace Operator enhances pods with additional metadata, environment variables, volume mounts, and initiates an init container.

`metadata`

`annotations`

Name

Example Values

metadata.dynatrace.com/k8s.workload.kind

deployment

metadata.dynatrace.com/k8s.workload.name

example-app

metadata-enrichment.dynatrace.com/injected

true

dynakube.dynatrace.com/injected

true

`spec.containers`

`env`

Name

Example Values

DT_WORKLOAD_KIND

example-app

DT_WORKLOAD_NAME

deployment

METADATA_ENRICHMENT_INJECTED

true

`volumeMounts`

mountPath

name

subPath

/var/lib/dynatrace/enrichment/endpoint

metadata-enrichment-endpoint

/var/lib/dynatrace/enrichment/dt_metadata.properties

metadata-enrichment

dt_metadata_<container-name>.properties

/var/lib/dynatrace/enrichment/dt_metadata.json

metadata-enrichment

dt_metadata_<container-name>.json

`spec.volumes`

name

secret

metadata-enrichment-endpoint

secretName: dynatrace-metadata-enrichment-endpoint

name

emptyDir

metadata-enrichment

{}

`initContainers`

An init container named dynatrace-operator is added to enrich the container with metadata using specific environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

This configuration combines with the one for the OneAgent initContainer, if OneAgent injection is also enabled.

initContainers:
  - args:
    - init
    env:
    - name: FAILURE_POLICY
      value: fail
    - name: K8S_PODNAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: K8S_PODUID
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.uid
    - name: K8S_BASEPODNAME
      value: php-glibc-meta-58987488f6
    - name: K8S_CLUSTER_ID
      value: 84793b4d-9046-45f9-99da-cf3595cc4440
    - name: K8S_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: K8S_NODE_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    - name: CONTAINER_INFO
      value: '[{"name":"app","image":"docker.io/php:fpm-stretch"}]'
    - name: METADATA_ENRICHMENT_INJECTED
      value: "true"
    - name: DT_CLUSTER_NAME
      value: example
    - name: DT_ENTITY_ID
      value: KUBERNETES_CLUSTER-D3946527FEB7CAAF
    - name: DT_WORKLOAD_KIND
      value: deployment
    - name: DT_WORKLOAD_NAME
      value: php-glibc-meta
    - name: DT_WORKLOAD_ANNOTATIONS
      value: '{"k8s.namespace.annotation.example":"property"}'
    image: quay.io/dynatrace/dynatrace-operator:snapshot-release-1-6
    imagePullPolicy: IfNotPresent
    name: dynatrace-operator
    resources:
      limits:
        cpu: 100m
        memory: 60Mi
      requests:
        cpu: 30m
        memory: 30Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /tmp/enrichment
      name: metadata-enrichment
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-lv7sc
      readOnly: true

Workload mutation on OneAgent injection mode

In OneAgent injection mode, the mutations focus on enabling full-stack monitoring capabilities. This mode injects the OneAgent into your application pods to provide deep visibility into your application.

`metadata`

`annotations`

Name

Example Values

dynakube.dynatrace.com/injected

true

oneagent.dynatrace.com/injected

true

dynakube.dynatrace.com/injected

true

`spec.containers`

`env`

Name

Example Values

DT_DEPLOYMENT_METADATA

orchestration_tech=Operator-cloud_native_fullstack;script_version=snapshot;orchestrator_id=b9c38fb3-6c0f-45f6-8c25-9eb3b4b5af2a

LD_PRELOAD

/opt/dynatrace/oneagent-paas/agent/lib64/liboneagentproc.so

`volumeMounts`

mountPath

name

subPath

/opt/dynatrace/oneagent-paas

oneagent-bin

/etc/ld.so.preload

oneagent-share

ld.so.preload

/var/lib/dynatrace/oneagent/agent/config/container.conf

oneagent-share

container_app.conf

`spec.volumes`

name

secretName

injection-config

dynatrace-dynakube-config

name

emptyDir

oneagent-share

{}

`csi`

driver

csi.oneagent.dynatrace.com

`initContainers`

An init container named dynatrace-operator is added to inject the OneAgent using specific environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

This configuration combines with the one for the metadata-enrichment initContainer, if metadata-enrichment is also enabled.

initContainers:
  - args:
    - init
    env:
    - name: FAILURE_POLICY
      value: fail
    - name: K8S_PODNAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: K8S_PODUID
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.uid
    - name: K8S_BASEPODNAME
      value: php-glibc-all-9bcf4dbd6
    - name: K8S_CLUSTER_ID
      value: 84793b4d-9046-45f9-99da-cf3595cc4440
    - name: K8S_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: K8S_NODE_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    - name: CONTAINER_INFO
      value: '[{"name":"app","image":"docker.io/php:fpm-stretch"}]'
    - name: FLAVOR
    - name: TECHNOLOGIES
      value: php
    - name: INSTALLPATH
      value: /opt/dynatrace/oneagent-paas
    - name: INSTALLER_URL
    - name: VERSION
      value: custom-image
    - name: ONEAGENT_INJECTED
      value: "true"
    image: quay.io/dynatrace/dynatrace-operator:snapshot-release-1-6
    imagePullPolicy: IfNotPresent
    name: dynatrace-operator
    resources:
      limits:
        cpu: 100m
        memory: 60Mi
      requests:
        cpu: 30m
        memory: 30Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /mnt/bin
      name: oneagent-bin
    - mountPath: /mnt/share
      name: oneagent-share
    - mountPath: /mnt/config
      name: injection-config
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-4jm7p
      readOnly: true

Workload mutation on OneAgent injection mode + node-image-pull

In OneAgent injection mode with node-image-pull, Dynatrace Operator combines full-stack monitoring with metadata enrichment while optimizing the volume layout.

`metadata`

`annotations`

For a Deployment with a name of example-app.

Name

Example Values

metadata.dynatrace.com/k8s.workload.kind

deployment

metadata.dynatrace.com/k8s.workload.name

example-app

metadata-enrichment.dynatrace.com/injected

true

oneagent.dynatrace.com/injected

true

dynakube.dynatrace.com/injected

true

`spec.containers`

`env`

Name

Example Values

DT_DEPLOYMENT_METADATA

orchestration_tech=Operator-cloud_native_fullstack;script_version=snapshot;orchestrator_id=b9c38fb3-6c0f-45f6-8c25-9eb3b4b5af2a

LD_PRELOAD

/opt/dynatrace/oneagent-paas/agent/lib64/liboneagentproc.so

`volumeMounts`

mountPath

name

subPath

/opt/dynatrace/oneagent-paas

dynatrace-config

bin

/etc/ld.so.preload

dynatrace-config

config/oneagent/ld.so.preload

/var/lib/dynatrace

dynatrace-config

config/<container-name>

`spec.volumes`

name

secret

dynatrace-input

secretName: dynatrace-bootstrapper-config

name

emptyDir

dynatrace-config

{}

`initContainers`

An init container named dynatrace-operator is added to inject the OneAgent and do metadata-enrichment with specific arguments and environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

  initContainers:
  - args:
    - --config-directory=/mnt/config
    - --input-directory=/mnt/input
    - --suppress-error
    - --attribute-container={"container_image.registry":"registry.k8s.io","container_image.repository":"ingress-nginx/controller","container_image.tags":"v1.12.1","container_image.digest":"sha256:d2fbc4ec70d8aa2050dd91a91506e998765
e86c96f32cffb56c503c9c34eed5b","k8s.container.name":"controller"}
    - --source=/opt/dynatrace/oneagent
    - --target=/mnt/bin
    - --install-path=/opt/dynatrace/oneagent-paas
    - --fullstack
    - --tenant=zib50933
    - --technology=nginx
    - --attribute=k8s.pod.uid=$(K8S_PODUID)
    - --attribute=k8s.workload.name=ingress-nginx-controller
    - --attribute=k8s.cluster.uid=84793b4d-9046-45f9-99da-cf3595cc4440
    - --attribute=k8s.cluster.name=example
    - --attribute=dt.entity.kubernetes_cluster=KUBERNETES_CLUSTER-D3946527FEB7CAAF
    - --attribute=k8s.pod.name=$(K8S_PODNAME)
    - --attribute=k8s.node.name=$(K8S_NODE_NAME)
    - --attribute=k8s.namespace.name=ingress-nginx
    - --attribute=k8s.workload.kind=deployment
    env:
    - name: K8S_PODNAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: K8S_PODUID
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.uid
    - name: K8S_NODE_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    image: public.ecr.aws/dynatrace/dynatrace-codemodules:1.315.62.20250613-075406
    imagePullPolicy: IfNotPresent
    name: dynatrace-operator
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /mnt/bin
      name: dynatrace-config
      subPath: bin
    - mountPath: /mnt/config
      name: dynatrace-config
      subPath: config
    - mountPath: /mnt/input
      name: dynatrace-input
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-p5css
      readOnly: true