Workload mutation on injection mode

When data ingest or OneAgent is enabled for application pods, webhook intercepts workload events and applies mutations to the resulting pods.

This guide outlines the specific mutations applied to application pods under two scenarios: data ingest mode and OneAgent injection mode.

Workload mutation on data ingest mode

In data ingest mode, Dynatrace Operator enhances pods with additional metadata, environment variables, volume mounts, and initiates an init container to inject the OneAgent into the application pod.

`metadata`

`annotations`

Parameter	Data type	Default value
`metadata.dynatrace.com/k8s.workload.kind`	string
`metadata.dynatrace.com/k8s.workload.name`	string
`metadata-enrichment.dynatrace.com/injected`	boolean	`true`

`spec.containers`

`env`

Parameter	Data type	Default value
`DT_WORKLOAD_KIND`	string
`DT_WORKLOAD_NAME`	string
`METADATA_ENRICHMENT_INJECTED`	boolean	`true`

`volumeMounts`

`mountPath`	`name`
`/var/lib/dynatrace/enrichment/endpoint`	`metadata-enrichment-endpoint`
`/var/lib/dynatrace/enrichment`	`metadata-enrichment`

`spec.volumes`

`name`	`secret`
`metadata-enrichment-endpoint`	`secretName`: `dynatrace-metadata-enrichment-endpoint`

`name`	`emptyDir`
`metadata-enrichment`	{}

`initContainers`

An init container named install-oneagent is added to inject the OneAgent with specific environment variables related to the pod and cluster configuration, including the pod name, UID, and cluster ID, among others. This container also specifies resource limits and security context configurations.

initContainers:
  - args:
    - init
    env:
    - name: FAILURE_POLICY
      value: silent
    - name: K8S_PODNAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: K8S_PODUID
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.uid
    - name: K8S_BASEPODNAME
      value: alpine
    - name: K8S_CLUSTER_ID
      value: b9c38fb3-6c0f-45f6-8c25-9eb3b4b5af2a
    - name: K8S_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: K8S_NODE_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    - name: FLAVOR
    - name: TECHNOLOGIES
      value: all
    - name: INSTALLPATH
      value: /opt/dynatrace/oneagent-paas
    - name: INSTALLER_URL
    - name: VERSION
      value: 1.289.0.20240313-145242
    - name: ONEAGENT_INJECTED
      value: "true"
    - name: CONTAINER_1_NAME
      value: alpine
    - name: CONTAINER_1_IMAGE
      value: alpine:3.2
    - name: CONTAINERS_COUNT
      value: "1"
    - name: DT_WORKLOAD_KIND
      value: Pod
    - name: DT_WORKLOAD_NAME
      value: alpine
    - name: METADATA_ENRICHMENT_INJECTED
      value: "true"
    image: quay.io/dynatrace/dynatrace-operator:snapshot
    imagePullPolicy: IfNotPresent
    name: install-oneagent
    resources:
      limits:
        cpu: 100m
        memory: 60Mi
      requests:
        cpu: 30m
        memory: 30Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /mnt/bin
      name: oneagent-bin
    - mountPath: /mnt/share
      name: oneagent-share
    - mountPath: /mnt/config
      name: injection-config
    - mountPath: /var/lib/dynatrace/enrichment
      name: metadata-enrichment
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-r8mck
      readOnly: true

Workload mutation on OneAgent injection mode

In OneAgent injection mode, the mutations focus on enabling full-stack monitoring through OneAgent.