29 Nov 2024 08:07 AM - edited 03 Dec 2024 10:54 AM
This Full-Self-Service article addresses known false positive scan results for Dynatrace on Kubernetes and gives an overview of the available Kubernetes monitoring modes.
Issues | Solution | Alternatives
Your security team or scanner is reporting Kubernetes security control violations. You'd like to understand the available Kubernetes monitoring options. | Check the security requirements [1] and deployment methods [2] below, including architecture diagrams. | Report a security vulnerability. Start a chat with Dynatrace Customer Success for installation questions.
Customer-reported Kubernetes security control violations and vulnerabilities include:
Dynatrace Full-Stack Monitoring for container platforms, from the application down to the infrastructure layer, requires elevated privileges to collect container-level metrics and perform deep-code host monitoring, including OneAgent injection into processes. The scan results listed above can therefore be considered false positives.
Security requirements:
However, if you don't want to grant elevated privileges to OneAgent, or you don't have access to the infrastructure layer, you can use application-only monitoring instead. See the list of available monitoring modes below.
Features: Immediate insights into Kubernetes health (see Kubernetes Observability below) and out-of-the-box distributed tracing and analytics for workloads (see Application Observability below).
Features: Understand and troubleshoot the health of your cluster, including dashboards, root-cause analysis with DAVIS Causal AI, alerting, resource optimization, and log analytics.
Deploy Dynatrace Operator for Kubernetes observability
Architecture: Kubernetes Platform Monitoring
Features: Automated distributed tracing and code-level visibility, including memory, thread, and process metrics, application logs, user sessions for web and mobile, and vulnerability detection.
Alternatively, you can deploy OneAgent directly on the Docker host on Linux. In this scenario, OneAgent does not run in a container but directly on the host, so there is no Linux namespace isolation between the agent and the host. For more information, see OneAgent on Linux.
Architecture: Host monitoring