stefanie_pachne
Dynatrace Helper

Self Service Summary

This Full-Self-Service article covers known false-positive scan results for Dynatrace on Kubernetes and gives an overview of the Kubernetes monitoring modes.

Issues

  • Your security team or scanner is reporting Kubernetes security control violations.
  • You'd like to understand the available Kubernetes monitoring options.

Solution

Check the security requirements [1] and deployment methods [2] below, including architecture diagrams.

Alternatives

  • Report a security vulnerability
  • Start a chat with Dynatrace Customer Success for installation questions


[1] Security controls

Issue

Customer-reported Kubernetes security control violations and vulnerabilities include:

  • Running containers as root user should be avoided
  • Least privileged Linux capabilities should be enforced for containers
  • Immutable (read-only) root filesystem should be enforced for containers
  • Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
  • Containers should only use allowed AppArmor profiles
  • Kubernetes clusters should disable automounting API credentials

Solution

Dynatrace Full-Stack Monitoring for container platforms, from the application down to the infrastructure layer, requires elevated privileges to collect container-level metrics and perform deep-code host monitoring, including OneAgent injection into processes. The scan results above can therefore be considered false positives for the OneAgent workloads.

Security requirements:

However, if you don't want to grant elevated privileges to OneAgent, or you don't have access to the infrastructure layer, you can go with application-only monitoring. See a list of available monitoring modes below.
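To make the false-positive triage reproducible rather than a manual review of scanner output, the following added example (not Dynatrace's code and not part of the original article) evaluates pod specs against the six controls listed above and separates documented exceptions from open findings. The pod manifests, the "dynatrace" namespace used for the OneAgent-like pod, and the accepted-exception map are all constructed for the example; adapt them to the namespace and exception policy your own security team has signed off.

```python
"""Evaluate Kubernetes pod specs against the six scanner controls in [1].

Added example, not Dynatrace's own code. Manifests below are constructed
sample data (plain dicts, as the Kubernetes API would return them as JSON).
"""
from typing import Dict, List, Optional, Set

# Control names, matching the scanner findings listed in [1].
RUNS_AS_ROOT = "running container as root"
CAPS_NOT_LEAST_PRIV = "least-privileged capabilities not enforced"
ROOTFS_WRITABLE = "root filesystem not read-only"
CAP_SYS_ADMIN = "CAP_SYS_ADMIN granted"
APPARMOR_NOT_ALLOWED = "AppArmor profile not in allowed set"
AUTOMOUNT_TOKEN = "API credentials automounted"

ALLOWED_APPARMOR: Set[str] = {"runtime/default"}


def _apparmor_profile(pod: dict, container: dict) -> Optional[str]:
    """Resolve the effective AppArmor profile: the securityContext field
    (Kubernetes 1.30+) wins, then the older per-container annotation."""
    sc = container.get("securityContext", {})
    profile = sc.get("appArmorProfile") or pod["spec"].get("securityContext", {}).get("appArmorProfile")
    if profile:
        kind = profile.get("type")
        if kind == "RuntimeDefault":
            return "runtime/default"
        if kind == "Localhost":
            return "localhost/" + profile.get("localhostProfile", "")
        return "unconfined"
    annotations = pod.get("metadata", {}).get("annotations", {})
    return annotations.get(f"container.apparmor.security.beta.kubernetes.io/{container['name']}")


def check_pod(pod: dict) -> List[str]:
    """Return one finding per violated control, prefixed with the container name."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    # Control 6: the service-account token is mounted unless explicitly disabled.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"pod: {AUTOMOUNT_TOKEN}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        # Control 1: container-level settings override pod-level ones; an unset
        # runAsUser means the image default, which is treated as root here.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{name}: {RUNS_AS_ROOT}")
        caps = sc.get("capabilities", {})
        # Control 4: SYS_ADMIN added explicitly, or implied by privileged mode.
        if "SYS_ADMIN" in caps.get("add", []) or sc.get("privileged", False):
            findings.append(f"{name}: {CAP_SYS_ADMIN}")
        # Control 2: least privilege means dropping ALL and adding back only what is needed.
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: {CAPS_NOT_LEAST_PRIV}")
        # Control 3
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: {ROOTFS_WRITABLE}")
        # Control 5
        if _apparmor_profile(pod, c) not in ALLOWED_APPARMOR:
            findings.append(f"{name}: {APPARMOR_NOT_ALLOWED}")
    return findings


def triage(pods: List[dict], accepted: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Split each pod's findings into 'accepted' (documented exception for that
    namespace) and 'open' (needs a fix). Keyed by namespace/name."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for pod in pods:
        meta = pod["metadata"]
        ns = meta.get("namespace", "default")
        allowed = accepted.get(ns, set())
        found = check_pod(pod)
        report[f"{ns}/{meta['name']}"] = {
            "accepted": [f for f in found if f.split(": ", 1)[1] in allowed],
            "open": [f for f in found if f.split(": ", 1)[1] not in allowed],
        }
    return report


# Constructed samples. The namespace "dynatrace" and the pod names are assumptions.
ONEAGENT_LIKE_POD = {
    "metadata": {"name": "oneagent-sample", "namespace": "dynatrace"},
    "spec": {"hostPID": True, "containers": [{"name": "oneagent", "image": "placeholder",
             "securityContext": {"privileged": True, "runAsUser": 0,
                                 "capabilities": {"add": ["SYS_ADMIN"]}}}]},
}
UNHARDENED_POD = {  # typical application pod with no securityContext at all
    "metadata": {"name": "checkout", "namespace": "shop"},
    "spec": {"containers": [{"name": "web", "image": "placeholder"}]},
}
HARDENED_POD = {  # the same workload with every control satisfied
    "metadata": {"name": "checkout", "namespace": "shop"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "web", "image": "placeholder",
                             "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                                 "readOnlyRootFilesystem": True,
                                                 "capabilities": {"drop": ["ALL"]},
                                                 "appArmorProfile": {"type": "RuntimeDefault"}}}]},
}
# Exception policy: all six controls are accepted for the monitoring namespace only.
ACCEPTED = {"dynatrace": {RUNS_AS_ROOT, CAPS_NOT_LEAST_PRIV, ROOTFS_WRITABLE,
                          CAP_SYS_ADMIN, APPARMOR_NOT_ALLOWED, AUTOMOUNT_TOKEN}}

if __name__ == "__main__":
    for key, result in triage([ONEAGENT_LIKE_POD, UNHARDENED_POD, HARDENED_POD], ACCEPTED).items():
        print(key, "open:", result["open"], "accepted:", result["accepted"])
```

The point of scoping the exception map by namespace is that the same finding on an ordinary application pod stays open: only the monitoring workloads that genuinely need host access are exempted, which is what a reviewer of the scanner report will want to see documented.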


[2] Monitoring modes


Full Kubernetes Observability (recommended)

Features: Immediate insights into Kubernetes health (see Kubernetes Observability below) and out-of-the-box distributed tracing and analytics for workloads (see Application Observability below).

Deployment options


Kubernetes Observability

Features: Understand and troubleshoot the health of your cluster, including dashboards, root-cause analysis with DAVIS Causal AI, alerting, resource optimization, and log analytics.

Deployment

Deploy Dynatrace Operator for Kubernetes observability
Architecture: Kubernetes Platform Monitoring 


Application Observability

Features: Automated distributed tracing and code-level visibility including memory, thread and process metrics, application logs, user sessions for web and mobile, vulnerability detection.

Deployment options


Alternative

Deploy OneAgent on Docker host

Alternatively, you can deploy OneAgent directly on the Docker host on Linux. In this scenario, OneAgent does not run in a container but on the host itself, so there is no Linux namespace isolation between the agent and the host. For more information, see OneAgent on Linux.

Architecture: Host monitoring

Version history
Last update: 03 Dec 2024 10:54 AM