Enable AppArmor for enhanced security
Enable AppArmor for Dynatrace Operator
You can make Dynatrace Operator more secure by enabling AppArmor. Depending on whether you deployed the Operator with a manifest or with Helm, select one of the options below.
Enable a custom AppArmor profile for OneAgent
You can restrict the OneAgent access to a desired set of features. See below for how to enable a custom AppArmor profile and apply it to the OneAgent pods.
Create a custom OneAgent AppArmor profile
Install the profile on all worker nodes
Enforce the profile on all OneAgent pods
Create a custom OneAgent AppArmor profile
See Run OneAgent as a Docker container for details on how to create a custom AppArmor profile.
Install the profile on all worker nodes
OneAgent is deployed as a DaemonSet by default, so a pod that references the AppArmor profile runs on every node. You therefore need to install the OneAgent AppArmor profile on all nodes before the pods are scheduled: the kubelet refuses to start a pod that references a localhost/ profile that is not loaded on its node.
Depending on the environment, this can be done in several ways, such as with kube-apparmor-manager or the security-profiles-operator. Refer to the official documentation of these tools for how to apply them in your cluster.
Enforce the profile on all OneAgent pods
To enable AppArmor for all OneAgent pods, add the annotation container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent to one of the following fields, depending on your deployment mode. The annotation key ends with the name of the container to confine (dynatrace-oneagent), and the value localhost/oneagent refers to a profile named oneagent that is already loaded on the node, so the name must match the profile you installed in the previous step:
oneAgent.classicFullStack.annotations
oneAgent.cloudNativeFullStack.annotations
oneAgent.hostMonitoring.annotations
Example for a cloudNativeFullStack deployment:
apiVersion: dynatrace.com/v1beta2
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://ENVIRONMENTID.live.dynatrace.com/api
  oneAgent:
    cloudNativeFullStack:
      annotations:
        container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent
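The three steps above only work together if the profile named in the annotation is loaded, in enforce mode, on every node where an OneAgent pod lands. The following preflight check is an added example, not code from Dynatrace or the Operator: it takes pod objects shaped like the items of kubectl get pods -o json and the per-node contents of /sys/kernel/security/apparmor/profiles (one "name (mode)" line per loaded profile), and reports every pod whose container.apparmor.security.beta.kubernetes.io/<container> annotation points at a profile that is missing or not enforced on its node. The node names, pod names and profile listings are constructed sample data; in a real cluster you would feed it the output of kubectl and of cat /sys/kernel/security/apparmor/profiles collected from each node.

```python
import re

# Key prefix of the Kubernetes AppArmor pod annotation; the suffix is the container name.
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# Line format of /sys/kernel/security/apparmor/profiles: "<profile name> (<mode>)"
PROFILE_LINE = re.compile(r"^(?P<name>.+) \((?P<mode>\w+)\)$")


def parse_loaded_profiles(text):
    """Parse a node's AppArmor profile listing into {profile_name: mode}."""
    profiles = {}
    for line in text.splitlines():
        m = PROFILE_LINE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles


def apparmor_requests(pod):
    """Return {container_name: profile_ref} for every AppArmor annotation on the pod."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return {
        key[len(ANNOTATION_PREFIX):]: value
        for key, value in annotations.items()
        if key.startswith(ANNOTATION_PREFIX)
    }


def check_pods(pods, node_profiles):
    """Return a list of (pod_name, container, reason) for every annotation the
    kubelet would reject or that would not actually confine the container."""
    problems = []
    for pod in pods:
        name = pod["metadata"]["name"]
        node = pod["spec"].get("nodeName", "")
        containers = {c["name"] for c in pod["spec"].get("containers", [])}
        for container, ref in apparmor_requests(pod).items():
            if container not in containers:
                problems.append((name, container, "annotation names a container the pod does not have"))
                continue
            if ref in ("unconfined", "runtime/default"):
                continue  # no node-local profile needed
            if not ref.startswith("localhost/"):
                problems.append((name, container, f"unsupported profile reference {ref!r}"))
                continue
            profile = ref[len("localhost/"):]
            loaded = node_profiles.get(node, {})
            if profile not in loaded:
                problems.append((name, container, f"profile {profile!r} is not loaded on node {node!r}"))
            elif loaded[profile] != "enforce":
                problems.append((name, container, f"profile {profile!r} is in {loaded[profile]} mode on node {node!r}"))
    return problems


# Constructed sample: profile listings from two worker nodes (hypothetical node names).
# The custom profile was installed on worker-1 only.
NODE_PROFILES = {
    "worker-1": parse_loaded_profiles("docker-default (enforce)\noneagent (enforce)\n"),
    "worker-2": parse_loaded_profiles("docker-default (enforce)\n"),
}


def oneagent_pod(name, node):
    """Build a constructed OneAgent DaemonSet pod carrying the annotation from the DynaKube above."""
    return {
        "metadata": {
            "name": name,
            "namespace": "dynatrace",
            "annotations": {ANNOTATION_PREFIX + "dynatrace-oneagent": "localhost/oneagent"},
        },
        "spec": {"nodeName": node, "containers": [{"name": "dynatrace-oneagent"}]},
    }


# Constructed sample pods (hypothetical pod names), one per node as a DaemonSet would schedule them.
PODS = [
    oneagent_pod("dynakube-oneagent-abc12", "worker-1"),
    oneagent_pod("dynakube-oneagent-def34", "worker-2"),
]


if __name__ == "__main__":
    for pod_name, container, reason in check_pods(PODS, NODE_PROFILES):
        print(f"{pod_name}/{container}: {reason}")
```

Running the block reports only the pod on worker-2, where the profile was never installed; that is exactly the pod the kubelet would leave unstarted in a real cluster. Run the check before applying the DynaKube change, and again whenever nodes are added, since a fresh node without the profile will break the OneAgent pod scheduled onto it.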