This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
Troubleshooting
Articles about how to solve the most common problems
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Article

Authorization Error when setting up Public Kubernetes API Manual Connection

jigarjethwani4
Dynatrace Contributor
Dynatrace Contributor

on ‎05 Mar 2026 02:49 PM - edited on ‎06 Mar 2026 07:05 AM by Community Team

Summary

When connecting to a Public Kubernetes endpoint manually, you are facing an "Authorization" error as shown below: 

jigarjethwani4_0-1769990908406.png

 

It can denote there are problems with the Bearer Token that you are using to connect to the Kubernetes Endpoint, or there is a Firewall/Proxy in place that is restricting the traffic.

Problem

This guide applies to the cases where the following documentation is followed:

https://docs.dynatrace.com/docs/ingest-from/setup-on-k8s/guides/deployment-and-configuration/monitor...

When the user tries to connect to their Public Kubernetes endpoint, clicking on "Test Connection" gives 'Authorization Error'. 

If you encounter such an error, follow the steps listed below to isolate/solve your issue. 

Troubleshooting steps

Begin by keeping in mind that the Kubernetes API endpoint is publicly accessible, but any firewall or proxy in the network path can still intercept and evaluate the traffic. Depending on how these systems are configured, they may permit or block communication between your ActiveGate and the Kubernetes API.
To ensure that traffic is reaching the Kubernetes API correctly through your ActiveGate, follow the steps below.

1. Confirm that all prerequisite steps in the Support Documentation have been completed - here 

jigarjethwani4_1-1769992669499.png

2. Generate a new access token and check whether the error continues to occur.
Use the documentation here:

https://docs.dynatrace.com/docs/ingest-from/setup-on-k8s/deployment/tokens-permissions

Choose the token template “Kubernetes: Dynatrace Operator.” 

https://docs.dynatrace.com/docs/ingest-from/setup-on-k8s/deployment/tokens-permissions#operatorToken

3. Verify that the correct ActiveGate group is selected within the Kubernetes Cluster’s Connection Settings.

4. Check the custom properties file of each ActiveGate in that group for any entry referencing [http.client].

This typically indicates proxy settings. A proxy configuration is a common cause of Authorization Errors.
To confirm, run the following command directly from the ActiveGate, using the exact token you entered in the Dynatrace UI: 
curl -k -H "Authorization: Bearer <YOUR_TOKEN_HERE>" https://<your-k8s-api-url>/api/v1/nodes
 

Interpret the result as follows:

A normal JSON response listing nodes indicates that the token is valid.
A 401 Unauthorized response indicates an invalid or expired token, or that a proxy is intercepting the traffic.
A 403 Forbidden response indicates that the token is valid, but the service account does not have the necessary ClusterRoleBinding permissions.

Since these steps focus on resolving Authorization Errors (401), use the curl output to determine whether the ActiveGate’s proxy configuration is interfering with traffic. Proxy routing can vary depending on how the environment is set up.
More information on proxy configuration is available here:
https://docs.dynatrace.com/docs/ingest-from/dynatrace-activegate/configuration/set-up-proxy-authenti...

In most environments, the [http.client] parameter defines proxy settings used for both communication with Dynatrace SaaS and monitored systems. However, if your ActiveGate uses a proxy for SaaS communication, it may unintentionally route Kubernetes API calls through the same proxy. Since the Kubernetes API is often internal, the proxy cannot route this traffic, which leads to Authorization Errors. Some ActiveGate traffic is therefore routed to Dynatrace SaaS via the proxy, while Kubernetes API calls must reach internal systems directly, causing the connection failure.
To correct this behavior, update the proxy configuration in the ActiveGate’s custom properties. The recommended approach is to configure internal traffic using the [http.client.internal] section so that internal Kubernetes API communication bypasses the proxy.
You can also configure a proxy specifically for outgoing monitoring traffic while keeping the Dynatrace Cluster connection direct.
This involves setting the proxy under [http.client] and disabling it under [http.client.internal] as mentioned here.
Coordinate with your Network team to review the current network routing and ensure that the ActiveGate is configured accordingly. After applying updates, rerun the curl command from the ActiveGate to confirm that it successfully retrieves the Kubernetes node list.

What's next

If this troubleshooting guide does not resolve the Authorization Error, you can open a Support Ticket, including a summary of the steps you have already taken and a link to this guide.

Version history
Last update:
‎06 Mar 2026 07:05 AM
Updated by:
Community Team