Network configurations
Configure Dynatrace in network-restricted environments with network configurations, proxy settings, and URL exclusions.
For details on setting up and managing network zones, initial endpoint setup, and advanced configurations in restricted environments, see Using network zones in Kubernetes.
Configure proxy
For Kubernetes monitoring with Dynatrace, you might need to configure a proxy, which facilitates all outgoing connections for Dynatrace Operator components (such as csi-driver and operator), OneAgent, and ActiveGate.
Depending on your proxy configuration, especially regarding credentials, there are two options for configuring your proxy in a DynaKube:
Dynatrace Operator version 1.0.0+: The connection between OneAgent and ActiveGate will always bypass the proxy, ensuring direct communication for these components.
If you need to bypass the proxy for specific components, use the feature.dynatrace.com/oneagent-ignore-proxy feature flag for the OneAgent and the feature.dynatrace.com/activegate-ignore-proxy feature flag for the ActiveGate.
Exclude selected URLs from proxy configuration
To set the list of URLs to exclude from the proxy configuration, add the following annotation to the DynaKube custom resource.
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  annotations:
    feature.dynatrace.com/no-proxy: "some.url.com,other.url.com"
Dynatrace Operator then excludes the listed URLs from the proxy settings. This exclusion applies specifically to Dynatrace Operator and the CSI driver. It doesn't affect the proxy settings for other components managed by Dynatrace Operator, such as OneAgent or ActiveGate.
Add trusted CA certificates
ActiveGate
You might consider importing trusted CA certificates to establish a trusted chain of communication. By default, ActiveGate uses a self-signed certificate, which can be replaced by a self-managed certificate as described in Trusted root certificates for ActiveGate.
OneAgent and Dynatrace Operator components
To add trusted CA certificates to OneAgent and/or Dynatrace Operator, the certificates must be provided via a Kubernetes ConfigMap referenced in your DynaKube configuration.
- Create a ConfigMap (replace <ca-certificates> with the CA certificates to be trusted).

  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: mycaconfigmap
    namespace: dynatrace
  data:
    certs: |
      <ca-certificates>

- Apply the ConfigMap to your cluster.

  kubectl apply -f my-ca-configmap.yaml

- In your DynaKube, reference the ConfigMap in the trustedCAs field.

  apiVersion: dynatrace.com/v1beta1
  kind: DynaKube
  metadata:
    name: dynakube
    namespace: dynatrace
  spec:
    apiUrl: https://<activegate-host>:9999/e/<environment-id>/api
    trustedCAs: mycaconfigmap

- Apply the DynaKube configuration to your cluster.

  kubectl apply -f dynakube-config.yaml
Use skipCertCheck to bypass certificate verification
To ignore certificate verification for Dynatrace Operator components (operator and csi-driver), set skipCertCheck in your DynaKube configuration. This setting should only be used if the custom certificate authority is unknown or can't be provided to Dynatrace Operator via the trustedCAs field.
In Dynatrace Operator version 1.0.0 and earlier, the skipCertCheck setting was not applied during the image pulling process.
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<activegate-host>:9999/e/<environment-id>/api
  skipCertCheck: true
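The following is an added example, not part of the Dynatrace documentation or Dynatrace Operator code: a review-time check that flags DynaKube manifests with skipCertCheck enabled, and notes when trustedCAs is also set, since the guidance above reserves skipCertCheck for cases where the CA can't be provided. It assumes block-style YAML with two-space indentation; the sample manifests, host name and environment ID are constructed, and the section and audit helper names are hypothetical.

```python
import re
# Constructed sample manifests; host, environment ID and names are placeholders.
SAMPLE = """\
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube-a
spec:
  apiUrl: https://activegate.example.internal:9999/e/abc12345/api
  skipCertCheck: true
  trustedCAs: mycaconfigmap
---
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube-b
spec:
  apiUrl: https://activegate.example.internal:9999/e/abc12345/api
  skipCertCheck: true
"""

def section(doc, name):
    """Scalars indented two spaces under top-level `name:` (block-style YAML assumed)."""
    out, inside = {}, False
    for line in doc.splitlines():
        if line.strip() and not line.startswith((" ", "#")):
            inside = line.split("#")[0].strip() == name + ":"
        m = re.match(r"  ([\w./-]+):\s*(.*)$", line)
        if inside and m:
            out[m.group(1)] = m.group(2).split(" #")[0].strip()
    return out

def audit(manifests):
    """Return (name, finding) pairs for DynaKubes that set skipCertCheck: true."""
    findings = []
    for doc in re.split(r"^---\s*$", manifests, flags=re.M):
        spec = section(doc, "spec")
        is_dynakube = re.search(r"^kind:\s*DynaKube\s*$", doc, re.M)
        if not is_dynakube or spec.get("skipCertCheck", "").lower() != "true":
            continue
        name = section(doc, "metadata").get("name", "<unnamed>")
        has_ca = bool(spec.get("trustedCAs"))  # CA available: bypass is not justified
        why = "although trustedCAs is provided" if has_ca else "and no trustedCAs is set"
        findings.append((name, "skipCertCheck is true " + why))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```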
Configure a server TLS certificate for ActiveGate
To configure a server TLS certificate for the ActiveGate, provide the name of the Kubernetes TLS secret holding the certificate to be used via the tlsSecretName field.
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  ...
  activeGate:
    tlsSecretName: <dynakube-custom-certificate>
    ...
HTTP clients connecting to the ActiveGate REST endpoint must trust the provided certificates.