When you enable metadata-enrichment or OneAgent for application pods, Dynatrace Operator uses a webhook to intercept workload creation events and apply mutations to the resulting pods. These mutations modify the pod specification to enable monitoring capabilities.
In metadata-enrichment mode, Dynatrace Operator enhances pods with additional metadata, environment variables, and volume mounts, and adds an init container.
metadata

annotations

| Annotation | Value |
| --- | --- |
| `metadata.dynatrace.com/k8s.workload.kind` | `deployment` |
| `metadata.dynatrace.com/k8s.workload.name` | `example-app` |
| `metadata-enrichment.dynatrace.com/injected` | `true` |
| `dynakube.dynatrace.com/injected` | `true` |
spec.containers

env

| Name | Value |
| --- | --- |
| `DT_WORKLOAD_KIND` | `example-app` |
| `DT_WORKLOAD_NAME` | `deployment` |
| `METADATA_ENRICHMENT_INJECTED` | `true` |

volumeMounts

| mountPath | name | subPath |
| --- | --- | --- |
| `/var/lib/dynatrace/enrichment/endpoint` | `metadata-enrichment-endpoint` | |
| `/var/lib/dynatrace/enrichment/dt_metadata.properties` | `metadata-enrichment` | `dt_metadata_<container-name>.properties` |
| `/var/lib/dynatrace/enrichment/dt_metadata.json` | `metadata-enrichment` | `dt_metadata_<container-name>.json` |
spec.volumes

| name | Volume source |
| --- | --- |
| `metadata-enrichment-endpoint` | `secret`, `secretName: dynatrace-metadata-enrichment-endpoint` |
| `metadata-enrichment` | `emptyDir` |
initContainers

An init container named `dynatrace-operator` is added to enrich the container with metadata using specific environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

initContainer, if OneAgent injection is also enabled.

```yaml
initContainers:
  - args:
      - init
    env:
      - name: FAILURE_POLICY
        value: fail
      - name: K8S_PODNAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.name
      - name: K8S_PODUID
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.uid
      - name: K8S_BASEPODNAME
        value: php-glibc-meta-58987488f6
      - name: K8S_CLUSTER_ID
        value: 84793b4d-9046-45f9-99da-cf3595cc4440
      - name: K8S_NAMESPACE
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
      - name: K8S_NODE_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.nodeName
      - name: CONTAINER_INFO
        value: '[{"name":"app","image":"docker.io/php:fpm-stretch"}]'
      - name: METADATA_ENRICHMENT_INJECTED
        value: "true"
      - name: DT_CLUSTER_NAME
        value: example
      - name: DT_ENTITY_ID
        value: KUBERNETES_CLUSTER-D3946527FEB7CAAF
      - name: DT_WORKLOAD_KIND
        value: deployment
      - name: DT_WORKLOAD_NAME
        value: php-glibc-meta
      - name: DT_WORKLOAD_ANNOTATIONS
        value: '{"k8s.namespace.annotation.example":"property"}'
    image: quay.io/dynatrace/dynatrace-operator:snapshot-release-1-6
    imagePullPolicy: IfNotPresent
    name: dynatrace-operator
    resources:
      limits:
        cpu: 100m
        memory: 60Mi
      requests:
        cpu: 30m
        memory: 30Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
      - mountPath: /tmp/enrichment
        name: metadata-enrichment
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-lv7sc
        readOnly: true
```
In OneAgent injection mode, the mutations focus on enabling full-stack monitoring capabilities. This mode injects the OneAgent into your application pods to provide deep visibility into your application.
metadata

annotations

| Annotation | Value |
| --- | --- |
| `dynakube.dynatrace.com/injected` | `true` |
| `oneagent.dynatrace.com/injected` | `true` |
spec.containers

env

| Name | Value |
| --- | --- |
| `DT_DEPLOYMENT_METADATA` | `orchestration_tech=Operator-cloud_native_fullstack;script_version=snapshot;orchestrator_id=b9c38fb3-6c0f-45f6-8c25-9eb3b4b5af2a` |
| `LD_PRELOAD` | `/opt/dynatrace/oneagent-paas/agent/lib64/liboneagentproc.so` |

volumeMounts

| mountPath | name | subPath |
| --- | --- | --- |
| `/opt/dynatrace/oneagent-paas` | `oneagent-bin` | |
| `/etc/ld.so.preload` | `oneagent-share` | `ld.so.preload` |
| `/var/lib/dynatrace/oneagent/agent/config/container.conf` | `oneagent-share` | `container_app.conf` |
spec.volumes

| name | Volume source |
| --- | --- |
| `injection-config` | `secretName: dynatrace-dynakube-config` |
| `oneagent-share` | `emptyDir` |
| | `csi`, `driver: csi.oneagent.dynatrace.com` |
initContainers

An init container named `dynatrace-operator` is added to inject the OneAgent using specific environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

initContainer, if metadata-enrichment is also enabled.

```yaml
initContainers:
  - args:
      - init
    env:
      - name: FAILURE_POLICY
        value: fail
      - name: K8S_PODNAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.name
      - name: K8S_PODUID
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.uid
      - name: K8S_BASEPODNAME
        value: php-glibc-all-9bcf4dbd6
      - name: K8S_CLUSTER_ID
        value: 84793b4d-9046-45f9-99da-cf3595cc4440
      - name: K8S_NAMESPACE
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
      - name: K8S_NODE_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.nodeName
      - name: CONTAINER_INFO
        value: '[{"name":"app","image":"docker.io/php:fpm-stretch"}]'
      - name: FLAVOR
      - name: TECHNOLOGIES
        value: php
      - name: INSTALLPATH
        value: /opt/dynatrace/oneagent-paas
      - name: INSTALLER_URL
      - name: VERSION
        value: custom-image
      - name: ONEAGENT_INJECTED
        value: "true"
    image: quay.io/dynatrace/dynatrace-operator:snapshot-release-1-6
    imagePullPolicy: IfNotPresent
    name: dynatrace-operator
    resources:
      limits:
        cpu: 100m
        memory: 60Mi
      requests:
        cpu: 30m
        memory: 30Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
      - mountPath: /mnt/bin
        name: oneagent-bin
      - mountPath: /mnt/share
        name: oneagent-share
      - mountPath: /mnt/config
        name: injection-config
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-4jm7p
        readOnly: true
```
In OneAgent injection mode with node-image-pull, Dynatrace Operator combines full-stack monitoring with metadata enrichment while optimizing the volume layout.
metadata

annotations

For a Deployment with a name of `example-app`.

| Annotation | Value |
| --- | --- |
| `metadata.dynatrace.com/k8s.workload.kind` | `deployment` |
| `metadata.dynatrace.com/k8s.workload.name` | `example-app` |
| `metadata-enrichment.dynatrace.com/injected` | `true` |
| `oneagent.dynatrace.com/injected` | `true` |
| `dynakube.dynatrace.com/injected` | `true` |
spec.containers

env

| Name | Value |
| --- | --- |
| `DT_DEPLOYMENT_METADATA` | `orchestration_tech=Operator-cloud_native_fullstack;script_version=snapshot;orchestrator_id=b9c38fb3-6c0f-45f6-8c25-9eb3b4b5af2a` |
| `LD_PRELOAD` | `/opt/dynatrace/oneagent-paas/agent/lib64/liboneagentproc.so` |

volumeMounts

| mountPath | name | subPath |
| --- | --- | --- |
| `/opt/dynatrace/oneagent-paas` | `dynatrace-config` | `bin` |
| `/etc/ld.so.preload` | `dynatrace-config` | `config/oneagent/ld.so.preload` |
| `/var/lib/dynatrace` | `dynatrace-config` | `config/<container-name>` |
spec.volumes

| name | Volume source |
| --- | --- |
| `dynatrace-input` | `secret`, `secretName: dynatrace-bootstrapper-config` |
| `dynatrace-config` | `emptyDir` |
initContainers

An init container named `dynatrace-operator` is added to inject the OneAgent and do metadata-enrichment with specific arguments and environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

```yaml
initContainers:
  - args:
      - --config-directory=/mnt/config
      - --input-directory=/mnt/input
      - --suppress-error
      - --attribute-container={"container_image.registry":"registry.k8s.io","container_image.repository":"ingress-nginx/controller","container_image.tags":"v1.12.1","container_image.digest":"sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b","k8s.container.name":"controller"}
      - --source=/opt/dynatrace/oneagent
      - --target=/mnt/bin
      - --install-path=/opt/dynatrace/oneagent-paas
      - --fullstack
      - --tenant=zib50933
      - --technology=nginx
      - --attribute=k8s.pod.uid=$(K8S_PODUID)
      - --attribute=k8s.workload.name=ingress-nginx-controller
      - --attribute=k8s.cluster.uid=84793b4d-9046-45f9-99da-cf3595cc4440
      - --attribute=k8s.cluster.name=example
      - --attribute=dt.entity.kubernetes_cluster=KUBERNETES_CLUSTER-D3946527FEB7CAAF
      - --attribute=k8s.pod.name=$(K8S_PODNAME)
      - --attribute=k8s.node.name=$(K8S_NODE_NAME)
      - --attribute=k8s.namespace.name=ingress-nginx
      - --attribute=k8s.workload.kind=deployment
    env:
      - name: K8S_PODNAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.name
      - name: K8S_PODUID
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.uid
      - name: K8S_NODE_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.nodeName
    image: public.ecr.aws/dynatrace/dynatrace-codemodules:1.315.62.20250613-075406
    imagePullPolicy: IfNotPresent
    name: dynatrace-operator
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
      - mountPath: /mnt/bin
        name: dynatrace-config
        subPath: bin
      - mountPath: /mnt/config
        name: dynatrace-config
        subPath: config
      - mountPath: /mnt/input
        name: dynatrace-input
        readOnly: true
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-p5css
        readOnly: true
```
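An added example, not part of the original page or Dynatrace's code: it reads the injection annotations and the `dynatrace-operator` init container's `securityContext` and `resources` from a pod object and reports hardening gaps. The function names and the constructed sample pods are assumptions; the sample values mirror the three init container manifests on this page.

```python
# Added example: audit a pod for the mutations described on this page.
MODE_ANNOTATIONS = {
    "metadata-enrichment": "metadata-enrichment.dynatrace.com/injected",
    "oneagent": "oneagent.dynatrace.com/injected",
}

def injection_modes(pod):
    """Return the modes whose '.../injected' annotation is set to 'true'."""
    ann = pod.get("metadata", {}).get("annotations", {})
    return sorted(m for m, k in MODE_ANNOTATIONS.items() if ann.get(k) == "true")

def audit_init_container(pod, name="dynatrace-operator"):
    """Return hardening findings for the injected init container."""
    findings = []
    for c in pod.get("spec", {}).get("initContainers", []):
        if c.get("name") != name:
            continue
        sc = c.get("securityContext") or {}
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is not True:
            findings.append("runs-as-root")
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation") is not False:
            findings.append("privilege-escalation-possible")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append("capabilities-not-dropped")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("writable-root-fs")
        if not (c.get("resources") or {}).get("limits"):
            findings.append("no-resource-limits")
    return findings

def _pod(modes, uid, non_root, resources):
    # Constructed sample holding only the fields the audit reads.
    sc = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
          "privileged": False, "readOnlyRootFilesystem": True,
          "runAsUser": uid, "runAsGroup": uid, "runAsNonRoot": non_root}
    init = {"name": "dynatrace-operator", "securityContext": sc,
            "resources": resources}
    return {"metadata": {"annotations": {MODE_ANNOTATIONS[m]: "true" for m in modes}},
            "spec": {"initContainers": [init]}}

LIMITS = {"limits": {"cpu": "100m", "memory": "60Mi"}}
SAMPLES = {  # securityContext and resources values as shown in the three manifests
    "metadata-enrichment": _pod(["metadata-enrichment"], 1001, True, LIMITS),
    "oneagent": _pod(["oneagent"], 0, False, LIMITS),
    "node-image-pull": _pod(["metadata-enrichment", "oneagent"], 1001, True, {}),
}
if __name__ == "__main__":
    for label, pod in SAMPLES.items():
        print(label, injection_modes(pod), audit_init_container(pod))
```

On the sample data, the OneAgent-mode init container is flagged because it runs as UID 0 with `runAsNonRoot: false`, and the node-image-pull one because `resources` is empty.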