
GKE Autopilot DTO Cloud-native installation

dcinciripini
Participant

Hi everyone 🙂
we encountered an issue installing DTO 1.1 in Cloud-Native mode on GKE with Autopilot when we tried to install the CSI-driver:

Error from server (GKE Warden constraints violations): error when creating "https://github.com/Dynatrace/dynatrace-operator/releases/download/v1.1.0/kubernetes-csi.yaml": admission webhook "warden-validating.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more constraints. Violations details: {"[denied by autogke-disallow-privilege]":["container server is privileged; not allowed in Autopilot","container provisioner is privileged; not allowed in Autopilot"],"[denied by autogke-no-write-mode-hostpath]":["hostPath volume plugin-dir in container server is accessed in write mode; disallowed in Autopilot.","hostPath volume mountpoint-dir in container server is accessed in write mode; disallowed in Autopilot.","hostPath volume data-dir in container server is accessed in write mode; disallowed in Autopilot.","hostPath volume data-dir in container provisioner is accessed in write mode; disallowed in Autopilot.","hostPath volume plugin-dir in container registrar is accessed in write mode; disallowed in Autopilot.","hostPath volume registration-dir in container registrar is accessed in write mode; disallowed in Autopilot.","hostPath volume plugin-dir in container liveness-probe is accessed in write mode; disallowed in Autopilot.","hostPath volume data-dir in container csi-init is accessed in write mode; disallowed in Autopilot."]}

Reading the Dynatrace and GKE documentation about Autopilot Pod Security, I found this link:
https://docs.dynatrace.com/docs/shortlink/pod-security-standards#configure-pod-security-for-the-name...

 
where it seems to be impossible to install pods with privileged permission: GKE Autopilot doesn't allow setting the privileged criterion on a namespace.
Does this mean that we can't install OA and the CSI-driver (pods with privileged permission required) on GKE Autopilot except by using this workaround (v0.12)?
https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/CSI-Driver-pods-with-Dynatrace-Operator-0...

Thanks everyone,
Davide
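
A pre-flight check that approximates the two Warden constraints named in the error above (`autogke-disallow-privilege` and `autogke-no-write-mode-hostpath`), so a pod spec can be screened before it is applied to an Autopilot cluster. This is an added example, not part of the original post and not Dynatrace or GKE code; the function name `autopilot_violations` and the sample pod spec are assumptions, and the real admission logic may check more than this.

```python
# Added example: approximates the two GKE Warden constraints quoted in the
# error message. It is not GKE's actual policy implementation.

def autopilot_violations(pod_spec):
    """Return {constraint: [messages]} for a Kubernetes pod spec given as a dict."""
    # Names of volumes that are backed by a hostPath on the node.
    host_volumes = {v["name"] for v in pod_spec.get("volumes", []) if "hostPath" in v}
    found = {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged") is True:
            found.setdefault("autogke-disallow-privilege", []).append(
                f"container {c['name']} is privileged")
        for m in c.get("volumeMounts", []):
            # A mount is writable unless readOnly is explicitly set to true.
            if m["name"] in host_volumes and not m.get("readOnly", False):
                found.setdefault("autogke-no-write-mode-hostpath", []).append(
                    f"hostPath volume {m['name']} in container {c['name']} "
                    "is accessed in write mode")
    return found

# Constructed sample: some container and volume names are borrowed from the
# error text; "ro-sidecar" and all paths are hypothetical placeholders. This is
# not the real kubernetes-csi.yaml manifest.
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "csi-init", "volumeMounts": [{"name": "data-dir", "mountPath": "/data"}]},
    ],
    "containers": [
        {"name": "server",
         "securityContext": {"privileged": True},
         "volumeMounts": [{"name": "plugin-dir", "mountPath": "/csi"},
                          {"name": "data-dir", "mountPath": "/data"}]},
        {"name": "ro-sidecar",
         "volumeMounts": [{"name": "plugin-dir", "mountPath": "/csi", "readOnly": True}]},
    ],
    "volumes": [
        {"name": "plugin-dir", "hostPath": {"path": "/placeholder/plugin"}},
        {"name": "data-dir", "hostPath": {"path": "/placeholder/data"}},
    ],
}

if __name__ == "__main__":
    for constraint, messages in autopilot_violations(SAMPLE_POD_SPEC).items():
        for msg in messages:
            print(f"[{constraint}] {msg}")
```
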

dcinciripini
Participant

Searching again, we found this article, where:
- it is explained that GKE Autopilot installation is possible using Helm

- the Dynatrace documentation about application observability (by Helm) is linked

So I suppose that, for the installation:
- We need to use "Installation with additional configuration of the Helm chart" using values.yaml where we can specify platform: gke-autopilot

- We can install only in application observability mode
