Network traffic
To ensure Dynatrace Operator components work correctly in a Kubernetes cluster, they need to be able to communicate with both the Dynatrace Cluster and the Kubernetes cluster.
Dynatrace Operator components are accessible through specific ports and access various resources inside and outside the Kubernetes cluster. For more details on which resources are accessed within the Kubernetes cluster, see the Operator RBAC permissions reference page.
Ingress traffic
| Source | Destination | Port | Note |
|---|---|---|---|
| kubelet | Dynatrace Operator | | Liveness probe 1 |
| Prometheus metrics scraper (optional) | Dynatrace Operator | | Metrics address 2 |
| kubelet | Dynatrace Webhook | | Liveness/Readiness probe 1 |
| kube-apiserver | Dynatrace Webhook | | Dynamic Admission Controller |
| Prometheus metrics scraper (optional) | Dynatrace Webhook | | Metrics address 2 |
| kubelet | Dynatrace CSI Driver | | Liveness probe 1 |
| | Dynatrace CSI Driver | | Liveness probe 1 |
| Prometheus metrics scraper (optional) | Dynatrace CSI Driver | | Metrics address 2 |
| | Dynatrace CSI Driver | | Metrics address 2 |
| kubelet | ActiveGate | | Readiness probe 1 |
| Application pods | ActiveGate | | Default |
| | ActiveGate | | Default |
Liveness probes are used by Kubernetes to verify the container is running properly. If the request fails, the container will be restarted. Readiness probes are used by Kubernetes to verify the pod is ready to accept traffic.
Metrics endpoints emit additional metrics in Prometheus format.
No ingress traffic is accepted for EdgeConnect and OneAgent.
Egress traffic
Dynatrace Operator components have to access both the Kubernetes cluster and resources outside the cluster to function properly. All resources in the namespace of Dynatrace Operator, with the default namespace being `dynatrace`, need to be able to resolve DNS requests.
Depending on your setup, the default port may be different from TCP 443.
| Source | Destination | Port | Note |
|---|---|---|---|
| Dynatrace Operator, Dynatrace Webhook, Dynatrace CSI Driver, ActiveGate | kube-dns | | Host name resolution for service discovery |
| Dynatrace Operator | Dynatrace server | | Server-side configuration 2 |
| | kube-apiserver | | Lifecycle management of components |
| Dynatrace Webhook | kube-apiserver | | Mutating/Validating/Conversion requests |
| Dynatrace CSI Driver | Dynatrace server | | Default location for code module binaries 2 |
| | kube-apiserver | | CSI volume handling |
| | private registry | | (optional) Communication with private registry to access code modules 3 |
| ActiveGate | Communication endpoints 4 | | Observability information 2 |
| | kube-apiserver | | Collect resources |
| | Application pods | Prometheus Exporter port 1 | Collect metrics |
| OneAgent | Communication endpoints 4 | | Observability information 2 |
| EdgeConnect | Dynatrace server | | Server-side configuration 2 |
| | kube-apiserver | | (optional) Workflow interactions 5 |
Depending on your setup, the port may differ from the default.
Communication with hosts must be allowed as configured in Dynakube (`apiUrl`) or EdgeConnect (`apiServer`) custom resources. Different communication endpoints may be used as fallback to ensure proper connection.
Only required when the `codeModulesImage` field is used.
Only required when Kubernetes Automation is enabled.
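
The egress requirements above, written as a Kubernetes NetworkPolicy allow-list for the default `dynatrace` namespace. This is an added example, not configuration from the Dynatrace documentation. The policy name, the kube-dns labels and port 53, and every value marked PLACEHOLDER are assumptions to replace with values from your own cluster.

```yaml
# Added example: egress allow-list for the Dynatrace Operator namespace.
# Only egress is restricted here; ingress (probes, admission webhook, metrics)
# is not touched, because policyTypes lists Egress only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dynatrace-egress-allowlist    # hypothetical name
  namespace: dynatrace                # default Operator namespace
spec:
  podSelector: {}                     # every pod in the namespace
  policyTypes:
    - Egress
  egress:
    # DNS: all resources in the namespace must be able to resolve names.
    # Assumes kube-dns pods in kube-system labelled k8s-app=kube-dns on port 53.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Dynatrace server and communication endpoints (apiUrl / apiServer hosts).
    # TCP 443 is the default; change the port if your setup differs.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24      # PLACEHOLDER: address range of your Dynatrace endpoints
      ports:
        - protocol: TCP
          port: 443
    # kube-apiserver, needed by Operator, Webhook, CSI Driver and ActiveGate.
    - to:
        - ipBlock:
            cidr: 192.0.2.10/32       # PLACEHOLDER: your API server address
      ports:
        - protocol: TCP
          port: 6443                  # PLACEHOLDER: your API server port
    # Not covered here: ActiveGate -> application pods on their Prometheus
    # exporter ports, and the private registry when codeModulesImage is used.
    # Add one rule per row of the egress table that applies to your setup.
```

Because the policy selects every pod in the namespace, any egress row from the table that has no matching rule is dropped once a CNI that enforces NetworkPolicy is in place, so apply it in a test cluster first and watch for failed connections.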