Network traffic

To ensure Dynatrace Operator components work correctly in a Kubernetes cluster, they need to be able to communicate with both the Dynatrace Cluster and the Kubernetes cluster.

Dynatrace Operator components are accessible through specific ports and access various resources inside and outside the Kubernetes cluster. For more details on which resources are accessed within the Kubernetes cluster, see the Operator RBAC permissions reference page.

Ingress traffic

| Source | Destination | Port | Note |
|---|---|---|---|
| kubelet | Dynatrace Operator /healthz | TCP 10080 | Liveness probe [1] |
| Prometheus metrics scraper (optional) | Dynatrace Operator /metrics | TCP 8080 | Metrics address [2] |
| kubelet | Dynatrace Webhook /healthz | TCP 10080 | Liveness/Readiness probe [1] |
| kube-apiserver | Dynatrace Webhook /inject, /label-ns, /validate* | TCP 8443 | Dynamic Admission Controller |
| Prometheus metrics scraper (optional) | Dynatrace Webhook /metrics | TCP 8080 | Metrics address [2] |
| kubelet | Dynatrace CSI Driver server container /healthz | TCP 9808 | Liveness probe [1] |
| kubelet | Dynatrace CSI Driver provisioner container /healthz | TCP 10090 | Liveness probe [1] |
| Prometheus metrics scraper (optional) | Dynatrace CSI Driver server container /metrics | TCP 8080 | Metrics address [2] |
| Prometheus metrics scraper (optional) | Dynatrace CSI Driver provisioner container /metrics | TCP 8090 | Metrics address [2] |
| kubelet | ActiveGate /rest/health | TCP 9999 | Readiness probe [1] |
| Application pods | ActiveGate /* | TCP 9999 | Default HTTPS port |
| Application pods | ActiveGate /* | TCP 9998 | Default HTTP port, Data ingest, API access |

[1] Liveness probes are used by Kubernetes to verify the container is running properly. If the request fails, the container will be restarted. Readiness probes are used by Kubernetes to verify the pod is ready to accept traffic.

[2] Metrics endpoints emit additional metrics in Prometheus format.

No ingress traffic is accepted for EdgeConnect and OneAgent.
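An added example, not taken from Dynatrace documentation or code: a Python check that compares the TCP ingress ports allowed by a Kubernetes NetworkPolicy (already parsed into a dict) with the ingress table above, reporting required ports that are blocked and ports that are open without being listed. The component keys, the function name and the sample policy are assumptions made for this illustration, and the policy is assumed to select the pods of the component being audited.

```python
# Added example (not Dynatrace code). Port sets are copied from the Ingress
# traffic table; the component keys are names chosen for this sketch.
REQUIRED = {
    "operator": {10080},            # /healthz
    "webhook": {10080, 8443},       # /healthz, admission endpoints
    "csi-driver": {9808, 10090},    # server and provisioner /healthz
    "activegate": {9999, 9998},     # HTTPS (and readiness probe), HTTP
}
OPTIONAL = {                        # Prometheus /metrics, marked optional
    "operator": {8080},
    "webhook": {8080},
    "csi-driver": {8080, 8090},
    "activegate": set(),
}


def audit_ingress(component, policy):
    """Compare a NetworkPolicy's TCP ingress ports with the table."""
    allowed, allows_all, named = set(), False, []
    for rule in policy.get("spec", {}).get("ingress") or []:
        ports = rule.get("ports")
        if not ports:               # rule without `ports` admits every port
            allows_all = True
            continue
        for entry in ports:
            if entry.get("protocol", "TCP") != "TCP":
                continue
            port = entry.get("port")
            if port is None:        # protocol only: every TCP port
                allows_all = True
            elif isinstance(port, int):
                allowed.update(range(port, entry.get("endPort", port) + 1))
            else:                   # named port, needs the pod spec to resolve
                named.append(port)
    required, optional = REQUIRED[component], OPTIONAL[component]
    return {
        "missing": set() if allows_all else required - allowed,
        "unexpected": allowed - required - optional,
        "allows_all_ports": allows_all,
        "unresolved_named_ports": named,
    }


# Constructed sample: a webhook policy that forgot the kubelet probe port
# and left an unrelated port open.
SAMPLE_WEBHOOK_POLICY = {"spec": {"policyTypes": ["Ingress"], "ingress": [
    {"ports": [{"protocol": "TCP", "port": 8443}, {"port": 8080}]},
    {"ports": [{"protocol": "TCP", "port": 9090}]},
]}}
```

For the sample policy, `audit_ingress("webhook", SAMPLE_WEBHOOK_POLICY)` reports TCP 10080 as missing and TCP 9090 as unexpected.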

Egress traffic

Dynatrace Operator components have to access both the Kubernetes cluster and resources outside the cluster to function properly. All resources in the namespace of Dynatrace Operator, with the default namespace being dynatrace, need to be able to resolve DNS requests.

Depending on your setup, the default port may be different from TCP 443.

| Source | Destination | Port | Note |
|---|---|---|---|
| Dynatrace Operator, Dynatrace Webhook, Dynatrace CSI Driver, ActiveGate | kube-dns | TCP 53, UDP 53 [1] | Host name resolution for service discovery |
| Dynatrace Operator | Dynatrace server | TCP 443 [1] | Server-side configuration [2] |
| Dynatrace Operator | kube-apiserver | TCP 443 [1] | Lifecycle management of components |
| Dynatrace Webhook | kube-apiserver | TCP 443 [1] | Mutating/Validating/Conversion requests |
| Dynatrace CSI Driver | Dynatrace server | TCP 443 [1] | Default location for code module binaries [2] |
| Dynatrace CSI Driver | kube-apiserver | TCP 443 [1] | CSI volume handling |
| Dynatrace CSI Driver | private registry | TCP 443 [1] | (optional) Communication with private registry to access code modules [3] |
| ActiveGate | Communication endpoints [4] | TCP 443, TCP 9999 [1] | Observability information [2] |
| ActiveGate | kube-apiserver | TCP 443 [1] | Collect resources |
| ActiveGate | Application pods | Prometheus Exporter port [1] | Collect metrics |
| OneAgent | Communication endpoints [4] | TCP 443, TCP 9999 [1] | Observability information [2] |
| EdgeConnect | Dynatrace server | TCP 443 [1] | Server-side configuration [2] |
| EdgeConnect | kube-apiserver | TCP 443 [1] | (optional) Workflow interactions [5] |

[1] Depending on your setup, the port may differ from the default.

[2] Communication with hosts must be allowed as configured in DynaKube (apiUrl) or EdgeConnect (apiServer) custom resources. Different communication endpoints may be used as fallback to ensure proper connection.

[3] Only required when codeModulesImage field is used.

[5] Only required when Kubernetes Automation is enabled.