this tutorial will also utilize the OpenTelemetry Operator with:
- the OpenTelemetry Demo
- the hipster-shop
- istio All the observability data generated by the environment would be sent to Dynatrace.
The following tools need to be install on your machine :
- jq
- kubectl
- git
- gcloud ( if you are using GKE)
- Helm
PROJECT_ID="<your-project-id>"
gcloud services enable container.googleapis.com --project ${PROJECT_ID}
gcloud services enable monitoring.googleapis.com \
cloudtrace.googleapis.com \
clouddebugger.googleapis.com \
cloudprofiler.googleapis.com \
--project ${PROJECT_ID}ZONE=europe-west3-a
NAME=isitobservable-gatekeeper
gcloud container clusters create ${NAME} --zone=${ZONE} --machine-type=e2-standard-4 --num-nodes=2If you don't have any Dynatrace tenant , then I suggest to create a trial using the following link : Dynatrace Trial
Once you have your Tenant save the Dynatrace tenant url in the variable DT_TENANT_URL (for example : https://dedededfrf.live.dynatrace.com)
DT_TENANT_URL=<YOUR TENANT Host>
The dynatrace operator will require to have several tokens:
- Token to deploy and configure the various components
- Token to ingest metrics and Traces
One for the operator having the following scope:
- Create ActiveGate tokens
- Read entities
- Read Settings
- Write Settings
- Access problem and event feed, metrics and topology
- Read configuration
- Write configuration
- Paas integration - installer downloader
Save the value of the token . We will use it later to store in a k8S secret
API_TOKEN=<YOUR TOKEN VALUE>Create a Dynatrace token with the following scope:
- Ingest metrics (metrics.ingest)
- Ingest logs (logs.ingest)
- Ingest events (events.ingest)
- Ingest OpenTelemetry
- Read metrics
DATA_INGEST_TOKEN=<YOUR TOKEN VALUE>- Download Istioctl
curl -L https://istio.io/downloadIstio | sh -This command download the latest version of istio compatible with our operating system. 2. Add istioctl to you PATH
cd istio-1.22.0this directory contains samples with addons . We will refer to it later.
export PATH=$PWD/bin:$PATHgit clone https://github.com/isitobservable/OPA_Gatekeeper
cd OPA_GatekeeperThe application will deploy the entire environment:
chmod 777 deployment.sh
./deployment.sh --clustername "${NAME}" --dturl "${DT_TENANT_URL}" --dtingesttoken "${DATA_INGEST_TOKEN}" --dtoperatortoken "${API_TOKEN}" - Create a namespace for vulnerable workload
kubectl create ns goat-app
kubectl label ns goat-app type=app
- Deploy the General Constraints
kubectl apply -k opa_gatekeeper/general- Deploy pod security policies
kubectl apply -k opa gatekeeper/podsecurity- Deploy unsafe workload
kubectl apply -f k8sGoat/hunger_check.yaml
kubectl apply -f k8sGoat/health_check.yaml -n goat-app
kubectl apply -f k8sGoat/internal_proxy.yaml -n goat-app
kubectl apply -f k8sGoat/kube_bench_node.yaml -n goat-app
kubectl apply -f k8sGoat/kube_bench_security.yaml -n goat-app
kubectl apply -f k8sGoat/system-monitor.yaml -n goat-appThe OpenTelemetry Collectors are configured to collect the logs and traces from OPA Gatekeeper.
Let's deploy the dashboard located : dynatrace/Gatekeeper.json
This dashboard will keep track on the behavior of OPA Gatekeeper and the various violation.
kubectl delete -f k8sGoat/hunger_check.yaml
kubectl delete -f k8sGoat/health_check.yaml -n goat-app
kubectl delete -f k8sGoat/internal_proxy.yaml -n goat-app
kubectl delete -f k8sGoat/kube_bench_node.yaml -n goat-app
kubectl delete -f k8sGoat/kube_bench_security.yaml -n goat-app
kubectl delete -f k8sGoat/system-monitor.yaml -n goat-app