Network traffic

  • Latest Dynatrace
  • Published Oct 11, 2023

To ensure Dynatrace Operator components work correctly in a Kubernetes cluster, they need to be able to communicate with both the Dynatrace Cluster and the Kubernetes cluster.

Dynatrace Operator components are accessible through specific ports and access various resources inside and outside the Kubernetes cluster. For more details on which resources are accessed within the Kubernetes cluster, see the Operator RBAC permissions reference page.

Ingress traffic

| Source | Destination | Port | Note |
|---|---|---|---|
| kubelet | Dynatrace Operator /healthz | TCP 10080 | Liveness probe [1] |
| Prometheus metrics scraper (Optional) | Dynatrace Operator /metrics | TCP 8080 | Metrics address [2] |
| kubelet | Dynatrace Webhook /healthz | TCP 10080 | Liveness/Readiness probe [1] |
| kube-apiserver | Dynatrace Webhook /inject, /label-ns, /validate* | TCP 8443 | Dynamic Admission Controller |
| Prometheus metrics scraper (Optional) | Dynatrace Webhook /metrics | TCP 8080 | Metrics address [2] |
| kubelet | Dynatrace Operator CSI driver server container /healthz | TCP 9808 | Liveness probe [1] |
| kubelet | Dynatrace Operator CSI driver provisioner container /healthz | TCP 10090 | Liveness probe [1] |
| Prometheus metrics scraper (Optional) | Dynatrace Operator CSI driver server container /metrics | TCP 8080 | Metrics address [2] |
| Prometheus metrics scraper (Optional) | Dynatrace Operator CSI driver provisioner container /metrics | TCP 8090 | Metrics address [2] |
| kubelet | ActiveGate /rest/health | TCP 9999 | Readiness probe [1] |
| Application pods | ActiveGate /* | TCP 9999 | Default HTTPS port |
| Application pods | ActiveGate /* | TCP 9998 | Default HTTP port, Data ingest, API access |
| Application pods | OpenTelemetry collector | | |

[1] Liveness probes are used by Kubernetes to verify the container is running properly. If the request fails, the container will be restarted. Readiness probes are used by Kubernetes to verify the Pod is ready to accept traffic.

[2] Metrics endpoints emit additional metrics in Prometheus format.

No ingress traffic is accepted for EdgeConnect and OneAgent.

Egress traffic

Dynatrace Operator components have to access both the Kubernetes cluster and resources outside the cluster to function properly. All resources in the namespace of Dynatrace Operator (the default namespace is dynatrace) need to be able to resolve DNS requests.

Depending on your setup, the default port may be different from TCP 443.

| Source | Destination | Port | Note |
|---|---|---|---|
| Dynatrace Operator, Dynatrace Webhook, Dynatrace Operator CSI driver, ActiveGate | kube-dns | TCP 53, UDP 53 [1] | Host name resolution for service discovery |
| Dynatrace Operator | Dynatrace server | TCP 443 [1] | Server-side configuration [2] |
| Dynatrace Operator | kube-apiserver | TCP 443 [1] | Lifecycle management of components |
| Dynatrace Webhook | kube-apiserver | TCP 443 [1] | Mutating/Validating/Conversion requests |
| Dynatrace Operator CSI driver | Dynatrace server | TCP 443 [1] | Default location for code module binaries [2] |
| Dynatrace Operator CSI driver | kube-apiserver | TCP 443 [1] | CSI volume handling |
| Dynatrace Operator CSI driver | private registry | TCP 443 [1] | Optional. Communication with private registry to access code modules [3] |
| ActiveGate | Communication endpoints [4] | TCP 443, TCP 9999 [1] | Observability information [2] |
| ActiveGate | kube-apiserver | TCP 443 [1] | Collect resources |
| ActiveGate | Application Pods | Prometheus Exporter port [1] | Collect metrics |
| OneAgent | Communication endpoints [4] | TCP 443, TCP 9999 [1] | Observability information [2] |
| EdgeConnect | Dynatrace server | TCP 443 [1] | Server-side configuration [2] |
| EdgeConnect | kube-apiserver | TCP 443 [1] | Optional. Workflow interactions [5] |

[1] Depending on your setup, the port may differ from the default.

[2] Communication with hosts must be allowed as configured in DynaKube (apiUrl) or EdgeConnect (apiServer) custom resources. Different communication endpoints may be used as fallback to ensure proper connection.

[3] Only required when codeModulesImage field is used.

[5] Only required when Kubernetes Automation is enabled.
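
The Dynatrace Webhook rows of the ingress and egress tables, expressed as a Kubernetes NetworkPolicy. This is an added example, not a manifest from Dynatrace; the policy name, the pod label, the kube-dns selector, the monitoring namespace and both CIDR ranges are assumptions or placeholders to replace with your cluster's values.

```yaml
# Added example, not Dynatrace's own manifest. Assumed values: the pod label, the
# "monitoring" namespace, the kube-dns selector and both CIDRs (documentation ranges).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dynatrace-webhook-traffic        # hypothetical name
  namespace: dynatrace                   # default Operator namespace per the page
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: webhook   # assumed label; check with --show-labels
  policyTypes: [Ingress, Egress]
  ingress:
    - from:                              # kube-apiserver -> /inject, /label-ns, /validate*
        - ipBlock:
            cidr: 192.0.2.0/24           # placeholder: control-plane address range
      ports:
        - {protocol: TCP, port: 8443}
    - from:                              # kubelet -> /healthz liveness/readiness probes
        - ipBlock:
            cidr: 198.51.100.0/24        # placeholder: node address range
      ports:
        - {protocol: TCP, port: 10080}
    - from:                              # optional: Prometheus scraper -> /metrics
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # assumed scraper namespace
      ports:
        - {protocol: TCP, port: 8080}
  egress:
    - to:                                # kube-dns: host name resolution
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns          # assumed: common default label for cluster DNS
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    - to:                                # kube-apiserver: mutating/validating/conversion
        - ipBlock:
            cidr: 192.0.2.0/24           # placeholder: control-plane address range
      ports:
        - {protocol: TCP, port: 443}     # may differ from the default in your setup
```

Because the policy lists both Ingress and Egress in policyTypes, any flow not named here is dropped for the selected pods, so the optional Prometheus rule should be removed when no scraper is deployed.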