Network traffic

To ensure Dynatrace Operator components work correctly in a Kubernetes cluster, they need to be able to communicate with both the Dynatrace Cluster and the Kubernetes cluster.

Dynatrace Operator components are accessible through specific ports and access various resources inside and outside the Kubernetes cluster. For more details on which resources are accessed within the Kubernetes cluster, see the Operator RBAC permissions reference page.

Ingress traffic

Source	Destination	Port	Note
kubelet	Dynatrace Operator `/healthz`	`TCP 10080`	Liveness probe ¹
Prometheus metrics scraper optional	Dynatrace Operator `/metrics`	`TCP 8080`	Metrics address ²
kubelet	Dynatrace Webhook `/healthz`	`TCP 10080`	Liveness/Readiness probe ¹
kube-apiserver	Dynatrace Webhook `/inject`, `/label-ns`, `/validate*`	`TCP 8443`	Dynamic Admission Controller
Prometheus metrics scraperoptional	Dynatrace Webhook `/metrics`	`TCP 8080`	Metrics address ²
kubelet	Dynatrace CSI Driver `server` container `/healthz`	`TCP 9808`	Liveness probe ¹
kubelet	Dynatrace CSI Driver `provisioner` container `/healthz`	`TCP 10090`	Liveness probe ¹
Prometheus metrics scraper optional	Dynatrace CSI Driver `server` container `/metrics`	`TCP 8080`	Metrics address ²
Prometheus metrics scraper optional	Dynatrace CSI Driver `provisioner` container `/metrics`	`TCP 8090`	Metrics address ²
kubelet	ActiveGate `/rest/health`	`TCP 9999`	Readiness probe ¹
Application pods	ActiveGate `/*`	`TCP 9999`	Default `HTTPS` port
Application pods	ActiveGate `/*`	`TCP 9998`	Default `HTTP` port, Data ingest, API access

Liveness probes are used by Kubernetes to verify the container is running properly. If the request fails, the container will be restarted. Readiness probes are used by Kubernetes to verify the pod is ready to accept traffic.

Metrics endpoints emit additional metrics in Prometheus format.

No ingress traffic is accepted for EdgeConnect and OneAgent.

Egress traffic

Dynatrace Operator components have to access both the Kubernetes cluster and resources outside the Cluster to function properly. All resources in the namespace of Dynatrace Operator, with the default namespace being dynatrace, need to be able to resolve DNS requests.

Depending on your setup, the default port may be different from TCP 443.

Source	Destination	Port	Note
Dynatrace Operator, Dynatrace Webhook, Dynatrace CSI Driver, Activegate	kube-dns	`TCP 53`, `UDP 53` ¹	Host name resolution for service discovery
Dynatrace Operator	Dynatrace server	`TCP 443` ¹	Server-side configuration ²
Dynatrace Operator	kube-apiserver	`TCP 443` ¹	Lifecycle management of components
Dynatrace Webhook	kube-apiserver	`TCP 443` ¹	Mutating/Validating/Conversion requests
Dynatrace CSI Driver	Dynatrace server	`TCP 443` ¹	Default location for code module binaries ²
	kube-apiserver	`TCP 443` ¹	CSI volume handling
	private registry	`TCP 443` ¹	optional Communication with private registry to access code modules ³
ActiveGate	Communication endpoints ⁴	`TCP 443`, `TCP 9999` ¹	Observability information ²
	kube-apiserver	`TCP 443` ¹	Collect resources
	Application pods	Prometheus Exporter port ¹	Collect metrics
OneAgent	Communication endpoints ⁴	`TCP 443`, `TCP 9999` ¹	Observability information ²
EdgeConnect	Dynatrace server	`TCP 443` ¹	Server-side configuration ²
EdgeConnect	kube-apiserver	`TCP 443` ¹	optional Workflow interactions ⁵

Depending on your setup, the port may differ from the default.

Communication with hosts must be allowed as configured in Dynakube (apiUrl) or Edgeconnect (apiServer) custom resources. Different communication endpoints may be used as fallback to ensure proper connection.

Only required when codeModulesImage field is used.

⁴

Supported connectivity schemes for ActiveGates

⁵

Only required when Kubernetes Automation is enabled.