Network configurations

Configure Dynatrace in network-restricted environments with network configurations, proxy settings, and URL exclusions.

Network zones

For details on setting up and managing network zones, initial endpoint setup, and advanced configurations in restricted environments, see Using network zones in Kubernetes.

Configure proxy

For Kubernetes monitoring with Dynatrace, you might need to configure a proxy, which facilitates all outgoing connections for Dynatrace Operator components (such as csi-driver and operator), OneAgent, and ActiveGate.

Depending on your proxy configuration, especially regarding credentials, there are two options for configuring your proxy in a DynaKube:

Dynatrace Operator version 1.0.0+ The connection between OneAgent and ActiveGate will always bypass the proxy, ensuring direct communication for these components.

If you need to bypass the proxy for specific components, use the feature.dynatrace.com/oneagent-ignore-proxy feature flag for the OneAgent and the feature.dynatrace.com/activegate-ignore-proxy feature flag for the ActiveGate.

Exclude selected URLs from proxy configuration

To set the list of URLs to exclude from the proxy configuration, add the following annotation to the DynaKube custom resource.

apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  annotations:
    feature.dynatrace.com/no-proxy: "some.url.com,other.url.com"

Dynatrace Operator then excludes the listed URLs from the proxy settings. This exclusion applies specifically to Dynatrace Operator and the CSI driver. It doesn't affect the proxy settings for other components managed by Dynatrace Operator, such as OneAgent or ActiveGate.

Add trusted CA certificates

ActiveGate

You might consider importing trusted CA certificates to establish a trusted chain of communication. By default, ActiveGate uses a self-signed certificate, which can be replaced by a self-managed certificate as described in Trusted root certificates for ActiveGate.

OneAgent and Dynatrace Operator components

To add trusted CA certificates to OneAgent and/or Dynatrace Operator, the certificates must be provided via a Kubernetes ConfigMap referenced in your DynaKube configuration.

Create a ConfigMap (replace <ca-certificates> with the CA certificates to be trusted).

apiVersion: v1
kind: ConfigMap
metadata:
  name: mycaconfigmap
  namespace: dynatrace
data:
  certs: |
    <ca-certificates>

Apply the ConfigMap to your cluster.
```
kubectl apply -f my-ca-configmap.yaml
```

In your DynaKube, reference the ConfigMap in the trustedCAs field.

apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<activegate-host>:9999/e/<environment-id>/api
  trustedCAs: mycaconfigmap

Apply the DynaKube configuration to your cluster.
```
kubectl apply -f dynakube-config.yaml
```

Use `skipCertCheck` to bypass certificate verification

To ignore certificate verification for Dynatrace Operator components (operator and csi-driver), set skipCertCheck in your DynaKube configuration. This setting should only be used if the custom certificate authority is unknown or can't be provided to Dynatrace Operator via the trustedCAs field.

In Dynatrace Operator version 1.0.0 and earlier, the skipCertCheck setting was not applied during the image pulling process.

apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://<activegate-host>:9999/e/<environment-id>/api
  skipCertCheck: true

Configure a server TLS certificate for ActiveGate

To configure a server TLS certificate for the ActiveGate, provide the name of the Kubernetes TLS secret holding the certificate to be used via the tlsSecretName field.

apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
   namespace: dynatrace
spec:
  ...
  activeGate:
    tlsSecretName: <dynakube-custom-certificate>
    ...

HTTP clients connecting to the ActiveGate REST endpoint must trust the provided certificates.