Enable AppArmor for enhanced security
As part of getting started with Kubernetes monitoring, you might want to enable AppArmor for enhanced security.
Enable AppArmor for Dynatrace Operator
You can make Dynatrace Operator more secure by enabling AppArmor. Depending on whether you set up monitoring using Manifest or Helm, select one of the options below.
Enable a custom AppArmor profile for OneAgent
You can restrict the OneAgent access to a desired set of features. See below for how to enable a custom AppArmor profile and apply it to the OneAgent pods.
Create a custom OneAgent AppArmor profile
Install the profile on all worker nodes
Enforce the profile on all OneAgent pods
Create a custom OneAgent AppArmor profile
See Run OneAgent as a Docker container for details on how to create a custom AppArmor profile.
Install the profile on all worker nodes
OneAgent is deployed as a daemonset by default, which means pods that use the AppArmor profile will be used on every node. You therefore need to install the OneAgent AppArmor profile on all nodes.
Depending on the environment, this can be done in several ways, such as by using the kube-apparmor-manager or the security-profiles-operator. Please refer to the official documentation of these tools on how to apply them in your cluster.
Enforce the profile on all OneAgent pods
To enable AppArmor for all the OneAgent pods, add the container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent annotation to one of the following fields, depending on your deployment:
oneAgent.classicFullStack.annotationsoneAgent.cloudNativeFullStack.annotationsoneAgent.hostMonitoring.annotations
Example for cloudNativeFullStack deployment:
apiVersion: dynatrace.com/v1beta2kind: DynaKubemetadata:name: dynakubenamespace: dynatracespec:apiUrl: https://ENVIRONMENTID.live.dynatrace.com/apioneAgent:cloudNativeFullStack:annotations:container.apparmor.security.beta.kubernetes.io/dynatrace-oneagent: localhost/oneagent