cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

automatic Istio Service Entries with dynatrace-operator in Kubernetes

olaf_ochsenfahr
Visitor

- we have deployed Dynatrace in Kubernetes (with Istio) using the dynatrace-operator (after removing oneagent-operator like recommended by Dynatrace)

- in the following documentation https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernet... is described that the oneagent-operator creates automatically the istio service entries

 

Is this done also automatically with the dynatrace-operator? If so, will the proxy parameter also be passed into the Istio service entry?

5 REPLIES 5

ChadTurner
DynaMight Guru
DynaMight Guru

@olaf_ochsenfahr have you had any progress with this? 

-Chad

Peter_Ralston
Advisor

I'll Save you time,

It will create the Istio service entries for Dynatrace K8S Pods to communicate to the Active Gate, however it will not create the Namespace / Application Pods Istio Service entries. 

You will be required to create Namespace / Application Pods Istio Service entries that allow communication from the Agents to Active Gate.

 

Suggest that you look at something like Terraform to manage that side of it, if your not already doing Infra as code. 

olaf_ochsenfahr
Visitor

Hi Peter,

thanks for the clarification, so we have to see if we can automate the creation of Namespace / Application Pod Istio Service entries or if we can create it as global cluster service entry.

best regards, Olaf

Peter_Ralston
Advisor

Hi Olaf,

 

I would recommend using something like Terraform (or equivalent managed infra code), where you can easily do this along side your namespace / pod deployment, it's pretty much a default to drop in where you want monitoring.  

In Terraform, this can be handled like so, you just need to set the Active Gate CIDR variable as the Ingress address to where your Active Gate is deployed & has an Ingress / Egress flow (even if on the same cluster).  

## Allow egress traffic to Dynatrace ActiveGate
resource "kubernetes_network_policy" "allow-dynatrace-traffic" {
 
  metadata {
    name      = "allow-dynatrace-traffic-network-policy"
    namespace = var.name
  }
 
  spec {
    pod_selector {}
    egress {
      ports {
        port     = "9999"
        protocol = "TCP"
      }
      to {
        ip_block {
          cidr = var.dynatrace_cidr
        }
      }
    }
    policy_types = [
      "Egress",
    ]
  }
}

The above is a NetworkPolicy. It is not specific to Istio. And usually, most clusters by default will have NetworkPolicy disabled at creation. So this is specific to customer setup.

 

For Istio, the OneAgent/Dynatrace Operator can do this automatically with enableIstio: true

 

OneAgent Operator version 0.4+ automatically manages Istio service entries and virtual services for your Dynatrace environment when enableIstio is set to true in the custom resource. The Dynatrace OneAgent code modules can then send monitoring information to your Dynatrace environment.

 

Regards,
Andrew M.