Kubernetes observability relies on components with different purposes, default configurations, and permissions. These different components need permissions to perform and maintain operational function of Dynatrace within your cluster.
While Dynatrace permissions adhere to the principle of least privilege, make sure to secure the dynatrace namespace and limit access to a closed group of administrators and operators.
Installing and upgrading Dynatrace Operator require administrative privileges. If you don't use the cluster-admin cluster role, ensure the deploying subject has the permissions listed in this section. The required permissions also include patch to support helm upgrade and permissions to manage DynaKube and EdgeConnect custom resources.
These permissions are required only for deploying (installing) the Operator. For the permissions required during runtime refer to Permission list.
The deploying user or service account must be able to create, update, patch, and delete the following cluster-scoped resource types:
| Resource type | API group | Verbs | Resource names | Notes |
|---|---|---|---|---|
|
|
|
| Required to install Dynatrace CRDs |
|
|
| Important: Requires | |
|
|
| ||
|
|
|
| |
|
|
|
| |
|
|
| Required for CSI driver | |
|
|
| Required for CSI driver | |
|
|
| Required for |
The deploying user or service account must be able to create, update, patch, and delete the following resource types in the operator namespace:
| Resource type | API group | Verbs |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For links to ClusterRole manifests for deploying Dynatrace Operator, see Deployer RBAC verbs.
Depending on the target platform, the Helm chart creates additional resources that require extra deployer permissions.
On GKE Autopilot clusters, the Helm chart automatically detects the auto.gke.io/v1/AllowlistSynchronizer API and creates an AllowlistSynchronizer resource as a Helm pre-install hook. This allowlists the CSI driver, log monitoring, and CSI job workloads required by the Operator.
The deploying user or service account needs the following additional permission:
| API group | Resource | Verbs |
|---|---|---|
|
|
|
On OpenShift clusters (detected via the security.openshift.io/v1 API or --set platform=openshift), the Helm chart creates additional ClusterRoles that grant use access to SecurityContextConstraints (privileged, nonroot, nonroot-v2). No additional deployer permissions are required if you use the recommended escalate approach described in Deployer RBAC verbs.
bind and escalate Kubernetes enforces privilege escalation prevention: you can't create a ClusterRole granting permissions you don't already hold, and you can't create a ClusterRoleBinding referencing a ClusterRole whose permissions you don't hold.
The Dynatrace Operator Helm chart creates several ClusterRoles (for example, reading nodes, pods, and metrics). The deployer account needs to be able to create these ClusterRoles and their bindings. There are two approaches:
The sample deployer ClusterRole manifests below include permissions to manage DynaKube and EdgeConnect custom resources. This assumes the same service account used for deploying the Operator is also used to deploy the custom resources that configure it. The samples also include platform-specific resources for GKE Autopilot and OpenShift.
These sample manifests match the permissions for the current Operator version. When upgrading to a new Operator version, use the manifests from the corresponding release tag.
escalate and bind Grant the escalate and bind verbs on RBAC resources to the deployer. This is a low-maintenance approach because the deployer's permissions don't need to be updated when the Operator's ClusterRoles change across versions.
escalate on clusterroles allows creating or updating ClusterRole objects that contain permissions the deployer doesn't hold. It does not grant those permissions to the deployer itself—it only allows managing ClusterRole resources.bind on clusterroles and clusterrolebindings allows creating ClusterRoleBindings that reference ClusterRoles with permissions the deployer doesn't hold.Granting escalate and bind disables Kubernetes privilege escalation prevention for the deployer, meaning it can create ClusterRoles with any permissions and bind them to any subject. These risks can be mitigated by using admission control policies that restrict which ClusterRoles and ClusterRoleBindings the deployer can create.
Sample deployer ClusterRole manifest (includes CSI driver, GKE Autopilot, and OpenShift permissions):
If you don't deploy the CSI driver, use Without CSI driver instead — it omits the CSIDriver and PriorityClass permissions.
escalate or bind are prohibited If your security policies prohibit the escalate or bind verbs, the deployer must already hold every permission that the Operator's runtime ClusterRoles grant. This means enumerating all Dynatrace Operator permissions in the deployer ClusterRole so that Kubernetes escalation prevention is never triggered.
The no-escalate ClusterRole directly grants all runtime permissions—secrets read/write, pods/exec, webhook mutation, DaemonSet management, and more. This makes the deployer itself a high-privilege principal with broad cluster access. Admission control is still recommended to limit what RBAC resources the deployer can create.
Sample deployer ClusterRole manifest (no escalate, includes CSI driver, GKE Autopilot, and OpenShift permissions):
If you don't deploy the CSI driver, use Without CSI driver instead — it omits the CSIDriver and PriorityClass permissions.
Purpose: Maintains the lifecycle of Dynatrace components. Replaces OneAgent Operator.
Default configuration: 1-replica-per-cluster
RBAC objects:
dynatrace-operatordynatrace-operatordynatrace-operator| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, List, Watch | |
|
| Get, List, Watch, Update | |
|
| Create | |
|
| Get, Update, Delete, List |
|
|
| Get, Update |
|
|
| Get, Update |
|
|
| Get, Update |
|
|
| Get, Update |
|
|
| Use |
|
dynatrace permissions| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, List, Watch, Update | |
|
| Get, List, Watch, Update | |
|
| Update | |
|
| Update | |
|
| Update | |
|
| Update | |
|
| Get, List, Watch, Create, Update, Delete | |
|
| Get, List, Watch, Create, Update, Delete | |
|
| Get, List, Watch, Create, Update, Delete | |
|
| Get, List, Watch, Create, Update, Delete | |
|
| Update | |
|
| Get, List, Watch, Create, Update, Delete | |
|
| Get, List, Watch | |
|
| Get, List, Watch, Create, Update, Delete | |
|
| Create, Get, List, Patch | |
|
| Create, Update, Delete, Get, List, Watch | |
|
| Get, List, Create, Update, Delete | |
|
| Get, List, Create, Update, Delete | |
|
| Get, Update, Create |
Purposes:
Default configuration: 1-replica-per-cluster, can be scaled
RBAC objects:
dynatrace-webhookdynatrace-webhookdynatrace-webhook| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, List, Watch, Update | |
|
| Create | |
|
| Get, List, Watch, Update |
|
|
| Get | |
|
| Get | |
|
| Get | |
|
| Get | |
|
| Get | |
|
| Get | |
|
| Get | |
|
| Get | |
|
| Use |
|
dynatrace permissions| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Create, Patch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch |
Purpose:
applicationMonitoring configurations, it provides the necessary OneAgent binary for application monitoring to the pods on each node.hostMonitoring configurations, it provides a writable folder for the OneAgent configurations when a read-only host file system is used.cloudNativeFullStack, it provides both of the above.Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-oneagent-csi-driverdynatrace-oneagent-csi-driverdynatrace-oneagent-csi-driver| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Use |
|
dynatrace permissions| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Update | |
|
| Get, List, Create, Delete, Watch | |
|
| Create, Patch |
Purpose: collects cluster and workload metrics, events, and status from the Kubernetes API.
Default configuration: 1-replica-per-cluster, can be scaled
RBAC objects:
dynatrace-kubernetesdynatrace-kubernetes-monitoringIn Dynatrace Operator version 1.8, dynatrace-kubernetes-monitoring was an aggregated ClusterRole. For details, see ClusterRole aggregation.
| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| List, Watch, Get | |
|
| Use |
|
Purposes: Kubernetes Security Posture Management detects, analyzes, and continuously watches for misconfigurations, security hardening guidelines, and potential compliance violations in Kubernetes.
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-node-config-collectordynatrace-kubernetes-monitoring-kspmIn Dynatrace Operator version 1.8, dynatrace-kubernetes-monitoring-kspm was aggregated by the dynatrace-kubernetes-monitoring ClusterRole. For details, see ClusterRole aggregation.
| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch |
Purposes:
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-dynakube-oneagentdynatrace-dynakube-oneagentdynatrace-logmonitoringPolicy settings: Allows HostNetwork, HostPID, to use any volume types.
Necessary capabilities: CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, KILL, NET_ADMIN, NET_RAW, SETFCAP, SETGID, SETUID, SYS_ADMIN, SYS_CHROOT, SYS_PTRACE, SYS_RESOURCE
| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get | |
|
| Use |
|
Purposes:
Default configuration: 1-replica-per-node (deployed via a DaemonSet)
RBAC objects:
dynatrace-logmonitoringdynatrace-logmonitoringLog monitoring requires the same cluster-wide permissions as OneAgent.
Purposes:
RBAC objects:
dynatrace-otel-collectordynatrace-telemetry-ingest| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, Watch, List | |
|
| Get, Watch, List | |
|
| Get, Watch, List | |
|
| Get, List, Watch | |
|
| Use |
|
Purposes:
Default configuration:
The following components are required, regardless of which extensions are used:
1-replica-per-clusterRBAC objects:
Depending on the used extension, the following RBAC objects are required.
dynatrace-extension-controllerdynatrace-extension-controllerdynatrace-extension-controller-prometheusdynatrace-extension-controller-database| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| List, Watch | |
|
| List, Watch |
dynatrace permissionsPrometheus extension
| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Use |
|
Database extension
| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| List | |
|
| Use |
|
Purpose:
Default configuration:
replicas-set-in-dynakube (no default, replicas set in the DynaKube)RBAC objects:
dynatrace-otel-collectordynatrace-extensions-prometheus| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Get, List, Watch | |
|
| Use |
|
Purpose:
Default configuration:
replicas-set-in-dynakube (no default, replicas set in the DynaKube)RBAC objects:
dynatrace-sql-ext-execdynatrace-sql-ext-execdynatrace permissions| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| List |
Purposes:
RBAC objects:
dynatrace-operator-supportabilityOpt-out:
rbac.supportability to false.Disabling this feature will make it harder to provide the necessary information when opening support cases regarding Dynatrace Operator.
dynatrace permissions| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get | |
|
| Create | |
|
| Get, List |
Purposes:
dynatrace-operator-crd-storage-migration Job for automatic cleanup of removed Dynakube API versions in pre-upgrade Helm hook.RBAC objects:
dynatrace-crd-storage-migrationdynatrace-crd-storage-migrationdynatrace-crd-storage-migrationOpt-in:
crdStorageMigrationJob to false.| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, Update |
|
|
| Get, Update |
|
|
| Use |
|
dynatrace permissions| Resources accessed | API group | Verbs | Resource names |
|---|---|---|---|
|
| Get, List, Watch, Update | |
|
| Get, List, Watch, Update |
The following table presents a detailed analysis of the security controls for Kubernetes components: Dynatrace Operator, Dynatrace Operator webhook, and Dynatrace Operator CSI driver. This report is based on:
Standards and abbreviations:
The Standard column references these abbreviations.
Satisfied
Exception (see expand below)
Planned improvement (see expand below)
| Security control | Standard | Operator | Webhook | CSI driver |
|---|---|---|---|---|
Disallow privileged containers1 | CIS 5.2.2 / PSS Baseline |
|
|
|
Disallow privilege escalation1 | CIS 5.2.6 / PSS Restricted |
|
|
|
Disallow containers running as root2 | CIS 5.2.7 / PSS Restricted |
|
|
|
Limit access to secrets (RBAC) | CIS 5.1.4 | |||
Disallow use of HostPath volumes3 | CIS 5.2.12 / PSS Baseline |
|
|
|
Restrict automounting of service account token4 | CIS 5.1.6 |
|
|
|
Disallow use of too many or insecure capabilities | CIS 5.2.8 / 5.2.9 / 5.2.10 / PSS Restricted |
|
|
|
Disallow use of HostPorts | CIS 5.2.13 / PSS Baseline |
|
|
|
Disallow access to host network | CIS 5.2.5 / PSS Baseline |
|
|
|
Disallow use of host PID | CIS 5.2.3 / PSS Baseline |
|
|
|
Disallow use of host IPC | CIS 5.2.4 / PSS Baseline |
|
|
|
Require readOnlyRootFilesystem | Best practice |
|
|
|
Require resource limits5 | Best practice |
|
|
|
Demand seccomp (at least default/runtime) | CIS 5.7.2 / PSS Restricted |
|
|
|
Disallow secrets mounted as env variable | CIS 5.4.1 |
|
|
|
Restrict sysctls | PSS Baseline |
|
|
|
Restrict AppArmor | PSS Baseline |
|
|
|
Disallow SELinux6 | PSS Baseline |
|
|
|
/proc mount type | PSS Baseline |
|
|
|
CSI driver requires elevated permissions to create and manage mounts on the host system. For more details, see CSI driver privileges.
CSI driver communicates with kubelet using a socket on the host, to access this socket the CSI driver needs to run as root.
CSI driver stores/caches the OneAgent binaries on the host's filesystem, in order to do that it needs a hostVolume mount.
Dynatrace Operator, Webhook, and CSI driver components need to communicate with the Kubernetes API.
CSI driver provisioner has no resources limits by default in order to provide the best performance during provisioning; limits can be set via Helm chart values.
CSI driver needs seLinux level s0 for the application pods to see files from the volume created by the CSI driver.
Planned improvement:
Namespace-scoped Roles for the Operator, Webhook, and CSI driver currently allow access to all secrets within their namespace. Improvement planned to restrict these Roles to specific secret names, consistent with ClusterRole configuration.
Satisfied
Exception (see expand below)
Planned improvement (see expand below)
| Security control | Standard | OneAgent | Extensions controller | Dynatrace Collector | ActiveGate | EdgeConnect | KSPM | OneAgent Log Module |
|---|---|---|---|---|---|---|---|---|
Disallow privileged containers1 | CIS 5.2.2 / PSSB |
|
|
|
|
|
|
|
Disallow privilege escalation2 | CIS 5.2.6 / PSSR |
|
|
|
|
|
|
|
Disallow containers running as root3 | CIS 5.2.7 / PSSR |
|
|
|
|
|
|
|
Disallow use of too many or insecure capabilities4 | CIS 5.2.8 / 5.2.9 / 5.2.10 / PSSR |
|
|
|
|
|
|
|
Limit access to secrets (RBAC) | CIS 5.1.4 |
|
|
|
|
|
|
|
Disallow use of HostPath volumes5 | CIS 5.2.12 / PSSB |
|
|
|
|
|
|
|
Disallow use of HostPorts | CIS 5.2.13 / PSSB |
|
|
|
|
|
|
|
Disallow access to host network6 | CIS 5.2.5 / PSSB |
|
|
|
|
|
|
|
Disallow use of host PID7 | CIS 5.2.3 / PSSB |
|
|
|
|
|
|
|
Disallow use of host IPC | CIS 5.2.4 / PSSB |
|
|
|
|
|
|
|
Require readOnlyRootFilesystem | Best practice |
|
|
|
|
|
|
|
Require Resource limits10 | Best practice |
|
|
|
|
|
| |
Demand seccomp to be used (at least default/runtime)8 | CIS 5.7.2 / PSSR |
|
|
|
|
|
|
|
Disallow Secrets mounted as env variable | CIS 5.4.1 |
|
|
|
|
|
| |
Restrict sysctls | PSSB |
|
|
|
|
|
|
|
Restrict AppArmor | PSSB |
|
|
|
|
|
|
|
Disallow SELinux | PSSB |
|
|
|
|
|
|
|
Restrict automounting of service account token9 | CIS 5.1.6 |
|
|
|
|
|
|
|
/proc Mount Type | PSSB |
|
|
|
|
|
|
|
OneAgent: OneAgent DaemonSet runs with host-level privileges for full-stack visibility (network, processes, file system).
OneAgent Log Module: LogAgent needs to run as privileged container on OCP cluster to access its persistent storage. OCP persistent storage using hostPath.
OneAgent: Required for init containers that instrument processes before startup.
OneAgent Log Module: AllowPrivilegeEscalation is always true when the container is run as privileged. Configure a Security Context for a Pod or Container.
OneAgent: OneAgent DaemonSet runs with host-level privileges for full-stack visibility (network, processes, file system).
KSPM: KSPM mounts the host root filesystem / to perform configuration and security scans; hostPath restriction evaluation is planned.
OneAgent: Requires limited Linux capabilities (for example, NET_RAW) for network observability.
KSPM: KSPM requires specific Linux capabilities to scan and collect system configuration and security data; this is by design and cannot be removed.
OneAgent Log Module: LogAgent needs additional capability to get access to all monitored log files.
OneAgent: OneAgent DaemonSet runs with host-level privileges for full-stack visibility (network, processes, file system).
KSPM: KSPM mounts the host root filesystem / for node-level scanning; improvement under review to restrict mounted paths.
OneAgent Log Module: Needs access to log files on the host's filesystem.
OneAgent: Uses host network namespace to monitor network traffic.
OneAgent: Uses host PID namespace to correlate process metrics.
KSPM: KSPM requires host PID namespace access for the node collector to gather process-level data. This requirement will be documented.
OneAgent: Uses default runtime seccomp profile; explicit setting planned.
ActiveGate: ActiveGate runs with minimal elevated privileges to manage inbound connections.
EdgeConnect: EdgeConnect currently lacks an explicit seccomp profile; addition is planned in future releases. This control is being addressed in upcoming releases.
KSPM: KSPM mounts the host root filesystem / to perform configuration and security scans; hostPath restriction evaluation is planned.
OneAgent Log Module: The seccomp profile can be set via DynaKube in order to run in secure computing mode.
OneAgent, Extensions Controller, Dynatrace Collector, ActiveGate, EdgeConnect, and KSPM components need to communicate with the Kubernetes API.
OneAgent Log Module: The limits are highly dependent on the amount of data processed. Can be set via DynaKube.
Planned improvement:
Disallow Secrets mounted as env variable: Dynatrace Collector currently uses environment variables for tokens; migrating to secret files is planned.
These permissions used to be managed using a PodSecurityPolicy (PSP), but in Kubernetes version 1.25 PSPs will be removed from the following components:
Dynatrace Operator version 0.2.1 is the last version in which PSPs are applied by default, so it's up to you to enforce these rules. As PSP alternatives, you can use other policy enforcement tools such as:
If you choose to use a PSP alternative, be sure to provide the necessary permissions to the Dynatrace components.
Dynatrace Operator version 0.12.0+
Starting with Dynatrace Operator version 0.12.0, the built-in creation of custom security context constraints (SCCs) has been removed for Dynatrace Operator and Dynatrace Operator–managed components. This change was made to reduce complications caused by custom SCCs in unique OpenShift setups.
Despite this update, the components maintain the same permissions and security requirements as before.
The following tables show the SCCs used in different versions of Dynatrace Operator and OpenShift.
| Resources accessed | Custom SCC used in Dynatrace Operator versions earlier than 0.12.0 | SCC in Dynatrace Operator version 0.12.0+ and OpenShift earlier than 4.11 |
|---|---|---|
Dynatrace Operator |
|
|
Dynatrace Operator Webhook Server |
|
|
Dynatrace Operator CSI driver |
|
|
ActiveGate |
|
|
OneAgent |
|
|
| Resources accessed | Custom SCC used in Dynatrace Operator versions earlier than 0.12.0 | SCC in Dynatrace Operator version 0.12.0+ and OpenShift 4.11+ |
|---|---|---|
Dynatrace Operator |
|
|
Dynatrace Operator Webhook Server |
|
|
Dynatrace Operator CSI driver |
|
|
ActiveGate |
|
|
OneAgent |
|
|
This SCC is the only built-in OpenShift SCC that allows usage of seccomp, which our components have set by default, and also the usage of CSI volumes.
It is still possible to create your own more permissive or restrictive SCCs that take your specific setup into consideration. You can safely remove the old SCCs that were created by a previous Dynatrace Operator version.
To remove the old SCCs, use the following command:
oc delete scc <scc-name>