29 Nov 2024 08:07 AM - edited 16 Dec 2024 06:58 AM
This Full-Self-Service article gives an overview of the Kubernetes monitoring modes and helps with known false-positive scan results for Dynatrace on Kubernetes.
| Issues | Solution | Alternatives |
| --- | --- | --- |
| You'd like to understand the architecture of supported Kubernetes monitoring options. Your security team or scanner is reporting Kubernetes security control violations. | Check below [1] deployment methods including architecture diagrams and [2] security requirements. | Report a security vulnerability. Start a chat with Dynatrace Customer Success for installation questions. |
Features: Immediate insights into Kubernetes health (see Kubernetes Observability below) and out-of-the-box distributed tracing and analytics for workloads (see Application Observability below).
Features: Understand and troubleshoot the health of your cluster, including dashboards, root-cause analysis with DAVIS Causal AI, alerting, resource optimization, and log analytics.
Deploy Dynatrace Operator for Kubernetes observability
Architecture: Kubernetes Platform Monitoring
Features: Automated distributed tracing and code-level visibility including memory, thread and process metrics, application logs, user sessions for web and mobile, vulnerability detection.
Alternatively, you can also deploy OneAgent on the Docker host on Linux. In this scenario, OneAgent does not run in a container but directly on the host, so there is no Linux namespace isolation. For more information, see OneAgent on Linux.
Architecture: Host monitoring
Customer-reported Kubernetes security control violations and vulnerabilities include:
Dynatrace Full-Stack Monitoring for container platforms, from the application down to the infrastructure layer, requires elevated privileges to collect container-level metrics and perform deep-code host monitoring, including OneAgent injection into processes. The scan results above can therefore be considered false positives.
Security requirements:
However, if you don't want to grant elevated privileges to OneAgent, or you don't have access to the infrastructure layer, you can go with application-only monitoring.
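As an added example, not code from the article or from Dynatrace, the following Python triage shows one way to record the expected Full-Stack findings as an accepted exception without allowlisting a whole namespace: a finding is accepted only when it is an elevated-privilege control on the expected OneAgent workload, matched on namespace, owner kind and image at once. The namespace, owner kind, image prefix, control names and sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Scope of the exception. These are assumptions for the example, not values
# taken from the article; set them to match your own Dynatrace deployment.
EXPECTED_NAMESPACE = "dynatrace"
EXPECTED_OWNER_KIND = "DaemonSet"  # assumed: Full-Stack OneAgent as a DaemonSet
EXPECTED_IMAGE_PREFIX = "registry.example/dynatrace/oneagent"  # placeholder
# Controls a scanner raises for the elevated privileges Full-Stack mode needs.
ELEVATED_CONTROLS = {"privileged", "hostPID", "hostNetwork", "hostPath"}


@dataclass(frozen=True)
class Finding:
    pod: str
    namespace: str
    owner_kind: str
    image: str
    control: str


def classify(f: Finding) -> str:
    """Accept only an elevated-privilege control on the expected OneAgent
    workload, checked on every axis; anything else stays open for review."""
    if f.control not in ELEVATED_CONTROLS:
        return "review"
    in_scope = (
        f.namespace == EXPECTED_NAMESPACE
        and f.owner_kind == EXPECTED_OWNER_KIND
        and f.image.startswith(EXPECTED_IMAGE_PREFIX)
    )
    return "accepted-fullstack" if in_scope else "review"


def triage(findings):
    """Map each pod to its verdict so open items can be reported separately."""
    return {f.pod: classify(f) for f in findings}


# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("oneagent-abc12", "dynatrace", "DaemonSet",
            "registry.example/dynatrace/oneagent:1.0", "privileged"),
    Finding("checkout-7f9", "payments", "Deployment",
            "registry.example/shop/checkout:2.3", "privileged"),
    # Same namespace as OneAgent but a different workload: a namespace-only
    # allowlist would wrongly accept this one.
    Finding("debug-pod", "dynatrace", "Deployment",
            "registry.example/tools/debug:latest", "hostPID"),
]
```

Workloads that end up in the "review" bucket are candidates for the application-only mode described above rather than for an exception.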