
Automatic Istio Service Entries with dynatrace-operator in Kubernetes

olaf_ochsenfahr
Newcomer

- We have deployed Dynatrace in Kubernetes (with Istio) using the dynatrace-operator (after removing the oneagent-operator, as recommended by Dynatrace).

- In the following documentation https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernet... it is described that the oneagent-operator automatically creates the Istio service entries.

Is this also done automatically with the dynatrace-operator? If so, will the proxy parameter also be passed into the Istio service entry?

4 REPLIES

ChadTurner
DynaMight Guru

@olaf_ochsenfahr have you had any progress with this? 

-Chad

Peter_Ralston
Contributor

I'll save you time:

It will create the Istio service entries for Dynatrace K8S Pods to communicate to the Active Gate; however, it will not create the Namespace / Application Pods Istio Service entries.

You will be required to create Namespace / Application Pods Istio Service entries that allow communication from the Agents to Active Gate.

Suggest that you look at something like Terraform to manage that side of it, if you're not already doing Infra as code.

olaf_ochsenfahr
Newcomer

Hi Peter,

Thanks for the clarification, so we have to see if we can automate the creation of Namespace / Application Pod Istio Service entries or if we can create it as a global cluster service entry.

Best regards, Olaf

Peter_Ralston
Contributor

Hi Olaf,

I would recommend using something like Terraform (or equivalent managed infra code), where you can easily do this alongside your namespace / pod deployment; it's pretty much a default to drop in where you want monitoring.

In Terraform, this can be handled like so; you just need to set the Active Gate CIDR variable as the Ingress address to where your Active Gate is deployed & has an Ingress / Egress flow (even if on the same cluster).

## Allow egress traffic to Dynatrace ActiveGate
resource "kubernetes_network_policy" "allow-dynatrace-traffic" {
 
  metadata {
    name      = "allow-dynatrace-traffic-network-policy"
    namespace = var.name
  }
 
  spec {
    pod_selector {}
    egress {
      ports {
        port     = "9999"
        protocol = "TCP"
      }
      to {
        ip_block {
          cidr = var.dynatrace_cidr
        }
      }
    }
    policy_types = [
      "Egress",
    ]
  }
}
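
Added example, not part of the post above and not Dynatrace's own configuration: the per-namespace Istio ServiceEntry this thread says has to be created by hand, written as a Terraform companion to the NetworkPolicy. It reuses var.name, var.dynatrace_cidr and port 9999 from the post; the resource name, the placeholder host, the Istio API version and the MESH_EXTERNAL location are assumptions.

```hcl
# Added example. Variable declarations are included so the file stands alone;
# drop them if your module already declares var.name and var.dynatrace_cidr.
variable "name" {
  type        = string
  description = "Namespace of the monitored application"
}

variable "dynatrace_cidr" {
  type        = string
  description = "CIDR of the ActiveGate endpoint"

  validation {
    # Reject malformed CIDRs and the allow-everything range.
    condition     = can(cidrhost(var.dynatrace_cidr, 0)) && var.dynatrace_cidr != "0.0.0.0/0"
    error_message = "dynatrace_cidr must be a valid CIDR narrower than 0.0.0.0/0."
  }
}

resource "kubernetes_manifest" "dynatrace_activegate_service_entry" {
  manifest = {
    apiVersion = "networking.istio.io/v1beta1" # assumption: adjust to the version your mesh serves
    kind       = "ServiceEntry"
    metadata = {
      name      = "dynatrace-activegate"
      namespace = var.name
    }
    spec = {
      # Placeholder host name (constructed); for plain TCP the destination
      # is matched against the addresses below.
      hosts      = ["activegate.dynatrace.example"]
      addresses  = [var.dynatrace_cidr]
      exportTo   = ["."] # visible only to sidecars in this namespace, not cluster-wide
      location   = "MESH_EXTERNAL" # assumption: ActiveGate is outside the mesh
      resolution = "NONE"
      ports = [{
        number   = 9999
        name     = "tcp-activegate"
        protocol = "TCP"
      }]
    }
  }
}
```

The kubernetes_manifest resource needs the Istio CRDs to be installed before Terraform plans it. Because the NetworkPolicy in the post selects every pod and declares only Egress, any other egress the namespace needs, DNS included, has to be allowed by additional policies.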