Workload mutation on injection mode

When you enable metadata-enrichment or OneAgent for application pods, Dynatrace Operator uses a webhook to intercept workload creation events and apply mutations to the resulting pods. These mutations modify the pod specification to enable monitoring capabilities.

Workload mutation on metadata-enrichment mode

In metadata-enrichment mode, Dynatrace Operator adds metadata, environment variables, and volume mounts to pods, and adds an init container.

metadata

annotations

| Name | Example Values |
| --- | --- |
| metadata.dynatrace.com/k8s.workload.kind | deployment |
| metadata.dynatrace.com/k8s.workload.name | example-app |
| metadata-enrichment.dynatrace.com/injected | true |
| dynakube.dynatrace.com/injected | true |

spec.containers

env

| Name | Example Values |
| --- | --- |
| DT_WORKLOAD_KIND | example-app |
| DT_WORKLOAD_NAME | deployment |
| METADATA_ENRICHMENT_INJECTED | true |

volumeMounts

| mountPath | name | subPath |
| --- | --- | --- |
| /var/lib/dynatrace/enrichment/endpoint | metadata-enrichment-endpoint | |
| /var/lib/dynatrace/enrichment/dt_metadata.properties | metadata-enrichment | dt_metadata_<container-name>.properties |
| /var/lib/dynatrace/enrichment/dt_metadata.json | metadata-enrichment | dt_metadata_<container-name>.json |

spec.volumes

| name | secret |
| --- | --- |
| metadata-enrichment-endpoint | secretName: dynatrace-metadata-enrichment-endpoint |

| name | emptyDir |
| --- | --- |
| metadata-enrichment | {} |

initContainers

An init container named dynatrace-operator is added to enrich the container with metadata using specific environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

  • This configuration combines with the one for the OneAgent initContainer, if OneAgent injection is also enabled.

```yaml
initContainers:
- args:
  - init
  env:
  - name: FAILURE_POLICY
    value: fail
  # fieldRef entries are filled in from the pod's own fields (Downward API)
  - name: K8S_PODNAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.name
  - name: K8S_PODUID
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.uid
  - name: K8S_BASEPODNAME
    value: php-glibc-meta-58987488f6
  - name: K8S_CLUSTER_ID
    value: 84793b4d-9046-45f9-99da-cf3595cc4440
  - name: K8S_NAMESPACE
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.namespace
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: spec.nodeName
  - name: CONTAINER_INFO
    value: '[{"name":"app","image":"docker.io/php:fpm-stretch"}]'
  - name: METADATA_ENRICHMENT_INJECTED
    value: "true"
  - name: DT_CLUSTER_NAME
    value: example
  - name: DT_ENTITY_ID
    value: KUBERNETES_CLUSTER-D3946527FEB7CAAF
  - name: DT_WORKLOAD_KIND
    value: deployment
  - name: DT_WORKLOAD_NAME
    value: php-glibc-meta
  - name: DT_WORKLOAD_ANNOTATIONS
    value: '{"k8s.namespace.annotation.example":"property"}'
  image: quay.io/dynatrace/dynatrace-operator:snapshot-release-1-6
  imagePullPolicy: IfNotPresent
  name: dynatrace-operator
  resources:
    limits:
      cpu: 100m
      memory: 60Mi
    requests:
      cpu: 30m
      memory: 30Mi
  # non-root (UID/GID 1001), no capabilities, read-only root filesystem
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    privileged: false
    readOnlyRootFilesystem: true
    runAsGroup: 1001
    runAsNonRoot: true
    runAsUser: 1001
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /tmp/enrichment
    name: metadata-enrichment
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: kube-api-access-lv7sc
    readOnly: true
```

Workload mutation on OneAgent injection mode

In OneAgent injection mode, the mutations focus on enabling full-stack monitoring capabilities. This mode injects the OneAgent into your application pods to provide deep visibility into your application.

metadata

annotations

| Name | Example Values |
| --- | --- |
| dynakube.dynatrace.com/injected | true |
| oneagent.dynatrace.com/injected | true |

spec.containers

env

| Name | Example Values |
| --- | --- |
| DT_DEPLOYMENT_METADATA | orchestration_tech=Operator-cloud_native_fullstack;script_version=snapshot;orchestrator_id=b9c38fb3-6c0f-45f6-8c25-9eb3b4b5af2a |
| LD_PRELOAD | /opt/dynatrace/oneagent-paas/agent/lib64/liboneagentproc.so |

volumeMounts

| mountPath | name | subPath |
| --- | --- | --- |
| /opt/dynatrace/oneagent-paas | oneagent-bin | |
| /etc/ld.so.preload | oneagent-share | ld.so.preload |
| /var/lib/dynatrace/oneagent/agent/config/container.conf | oneagent-share | container_app.conf |

spec.volumes

| name | secretName |
| --- | --- |
| injection-config | dynatrace-dynakube-config |

| name | emptyDir |
| --- | --- |
| oneagent-share | {} |

csi

| driver |
| --- |
| csi.oneagent.dynatrace.com |

initContainers

An init container named dynatrace-operator is added to inject the OneAgent using specific environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

  • This configuration combines with the one for the metadata-enrichment initContainer, if metadata-enrichment is also enabled.

```yaml
initContainers:
- args:
  - init
  env:
  - name: FAILURE_POLICY
    value: fail
  # fieldRef entries are filled in from the pod's own fields (Downward API)
  - name: K8S_PODNAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.name
  - name: K8S_PODUID
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.uid
  - name: K8S_BASEPODNAME
    value: php-glibc-all-9bcf4dbd6
  - name: K8S_CLUSTER_ID
    value: 84793b4d-9046-45f9-99da-cf3595cc4440
  - name: K8S_NAMESPACE
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.namespace
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: spec.nodeName
  - name: CONTAINER_INFO
    value: '[{"name":"app","image":"docker.io/php:fpm-stretch"}]'
  - name: FLAVOR
  - name: TECHNOLOGIES
    value: php
  - name: INSTALLPATH
    value: /opt/dynatrace/oneagent-paas
  - name: INSTALLER_URL
  - name: VERSION
    value: custom-image
  - name: ONEAGENT_INJECTED
    value: "true"
  image: quay.io/dynatrace/dynatrace-operator:snapshot-release-1-6
  imagePullPolicy: IfNotPresent
  name: dynatrace-operator
  resources:
    limits:
      cpu: 100m
      memory: 60Mi
    requests:
      cpu: 30m
      memory: 30Mi
  # in this mode the init container runs as root (UID/GID 0), with all
  # capabilities dropped and a read-only root filesystem
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    privileged: false
    readOnlyRootFilesystem: true
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /mnt/bin
    name: oneagent-bin
  - mountPath: /mnt/share
    name: oneagent-share
  - mountPath: /mnt/config
    name: injection-config
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: kube-api-access-4jm7p
    readOnly: true
```

Workload mutation on OneAgent injection mode + node-image-pull

In OneAgent injection mode with node-image-pull, Dynatrace Operator combines full-stack monitoring with metadata enrichment while optimizing the volume layout.

metadata

annotations

For a Deployment with a name of example-app.

| Name | Example Values |
| --- | --- |
| metadata.dynatrace.com/k8s.workload.kind | deployment |
| metadata.dynatrace.com/k8s.workload.name | example-app |
| metadata-enrichment.dynatrace.com/injected | true |
| oneagent.dynatrace.com/injected | true |
| dynakube.dynatrace.com/injected | true |

spec.containers

env

| Name | Example Values |
| --- | --- |
| DT_DEPLOYMENT_METADATA | orchestration_tech=Operator-cloud_native_fullstack;script_version=snapshot;orchestrator_id=b9c38fb3-6c0f-45f6-8c25-9eb3b4b5af2a |
| LD_PRELOAD | /opt/dynatrace/oneagent-paas/agent/lib64/liboneagentproc.so |

volumeMounts

| mountPath | name | subPath |
| --- | --- | --- |
| /opt/dynatrace/oneagent-paas | dynatrace-config | bin |
| /etc/ld.so.preload | dynatrace-config | config/oneagent/ld.so.preload |
| /var/lib/dynatrace | dynatrace-config | config/<container-name> |

spec.volumes

| name | secret |
| --- | --- |
| dynatrace-input | secretName: dynatrace-bootstrapper-config |

| name | emptyDir |
| --- | --- |
| dynatrace-config | {} |

initContainers

An init container named dynatrace-operator is added to inject the OneAgent and perform metadata enrichment, using specific arguments and environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

```yaml
initContainers:
- args:
  - --config-directory=/mnt/config
  - --input-directory=/mnt/input
  - --suppress-error
  - --attribute-container={"container_image.registry":"registry.k8s.io","container_image.repository":"ingress-nginx/controller","container_image.tags":"v1.12.1","container_image.digest":"sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b","k8s.container.name":"controller"}
  - --source=/opt/dynatrace/oneagent
  - --target=/mnt/bin
  - --install-path=/opt/dynatrace/oneagent-paas
  - --fullstack
  - --tenant=zib50933
  - --technology=nginx
  # $(NAME) references are expanded by Kubernetes from the env entries below
  - --attribute=k8s.pod.uid=$(K8S_PODUID)
  - --attribute=k8s.workload.name=ingress-nginx-controller
  - --attribute=k8s.cluster.uid=84793b4d-9046-45f9-99da-cf3595cc4440
  - --attribute=k8s.cluster.name=example
  - --attribute=dt.entity.kubernetes_cluster=KUBERNETES_CLUSTER-D3946527FEB7CAAF
  - --attribute=k8s.pod.name=$(K8S_PODNAME)
  - --attribute=k8s.node.name=$(K8S_NODE_NAME)
  - --attribute=k8s.namespace.name=ingress-nginx
  - --attribute=k8s.workload.kind=deployment
  env:
  - name: K8S_PODNAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.name
  - name: K8S_PODUID
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.uid
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: spec.nodeName
  image: public.ecr.aws/dynatrace/dynatrace-codemodules:1.315.62.20250613-075406
  imagePullPolicy: IfNotPresent
  name: dynatrace-operator
  resources: {}
  # non-root (UID/GID 1001), no capabilities, read-only root filesystem
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    privileged: false
    readOnlyRootFilesystem: true
    runAsGroup: 1001
    runAsNonRoot: true
    runAsUser: 1001
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /mnt/bin
    name: dynatrace-config
    subPath: bin
  - mountPath: /mnt/config
    name: dynatrace-config
    subPath: config
  - mountPath: /mnt/input
    name: dynatrace-input
    readOnly: true
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: kube-api-access-p5css
    readOnly: true
```
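
Added example, not part of the Dynatrace documentation or Operator code: a Python check that takes a pod object (as returned by `kubectl get pod -o json`), derives the injection mode from the annotations listed on this page, and compares the injected init container's securityContext and the application containers' preload settings with the example values above. The function names, finding strings and sample pods are constructed for illustration, and the expected LD_PRELOAD value assumes the install path shown in the examples.

```python
import json

# Values taken from the example tables and manifests on this page.
EXPECTED_PRELOAD = "/opt/dynatrace/oneagent-paas/agent/lib64/liboneagentproc.so"
INIT_NAME = "dynatrace-operator"
MODE_ANNOTATIONS = {"oneagent.dynatrace.com/injected": "oneagent",
                    "metadata-enrichment.dynatrace.com/injected": "metadata-enrichment"}

def audit_pod(pod):
    """Return (modes, findings) for a pod dict shaped like `kubectl get pod -o json`."""
    ann = pod.get("metadata", {}).get("annotations", {})
    spec = pod.get("spec", {})
    modes = sorted(m for k, m in MODE_ANNOTATIONS.items() if ann.get(k) == "true")
    findings = []
    init = next((c for c in spec.get("initContainers", [])
                 if c.get("name") == INIT_NAME), None)
    if modes and init is None:
        findings.append("injected annotation without dynatrace-operator init container")
    if init is not None:
        sc = init.get("securityContext", {})
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            findings.append("init container runs as root")
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation") is not False:
            findings.append("init container may gain privileges")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append("init container keeps capabilities")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("init container root filesystem is writable")
    for c in spec.get("containers", []):
        preload = [e.get("value") for e in c.get("env", []) if e.get("name") == "LD_PRELOAD"]
        mounts = [m.get("mountPath") for m in c.get("volumeMounts", [])]
        if (preload or "/etc/ld.so.preload" in mounts) and "oneagent" not in modes:
            findings.append(f"{c.get('name')}: preload configured without OneAgent annotation")
        elif preload and preload[-1] != EXPECTED_PRELOAD:
            findings.append(f"{c.get('name')}: unexpected LD_PRELOAD {preload[-1]}")
    return modes, findings

def sample_pod(annotations, uid, preload=None):
    """Constructed test pod; only the fields audit_pod reads are filled in."""
    sc = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
          "privileged": False, "readOnlyRootFilesystem": True,
          "runAsUser": uid, "runAsNonRoot": uid != 0}
    env = [{"name": "LD_PRELOAD", "value": preload}] if preload else []
    return {"metadata": {"annotations": {a: "true" for a in annotations}},
            "spec": {"initContainers": [{"name": INIT_NAME, "securityContext": sc}],
                     "containers": [{"name": "app", "env": env}]}}

if __name__ == "__main__":
    pod = sample_pod(["oneagent.dynatrace.com/injected"], 0, EXPECTED_PRELOAD)
    print(json.dumps(audit_pod(pod), indent=2))
```

A pod that mirrors the OneAgent injection example yields the single finding that the init container runs as root, which matches the `runAsUser: 0` shown for that mode; the metadata-enrichment and node-image-pull examples (UID 1001) yield none.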