VOOZH about

URL: https://docs.datadoghq.com/containers/cluster_agent/admission_controller/

⇱ Datadog Admission Controller

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/containers/cluster_agent/admission_controller.md. A documentation index is available at /llms.txt.

Datadog Admission Controller

Overview

The Datadog Admission Controller is a component of the Datadog Cluster Agent. The main benefit of the Admission Controller is to simplify your application Pod configuration. For that, it has two main functionalities:

  • Inject environment variables (DD_AGENT_HOST, DD_TRACE_AGENT_URL, DD_ENTITY_ID and DD_EXTERNAL_ENV) to configure DogStatsD and Datadog SDKs into the user’s application containers.
  • Inject Datadog standard tags (env, service, version) from application labels into the container environment variables.

Datadog’s Admission Controller is MutatingAdmissionWebhook type. For more details on admission controllers, see the Kubernetes guide on admission controllers.

Requirements

  • Datadog Cluster Agent v7.40+

Configuration

The Datadog Operator enables the Datadog Admission Controller by default. No extra configuration is needed to enable the Admission Controller.

If you disabled Admission Controller, you can re-enable it by setting the parameter features.admissionController.enabled to true in your DatadogAgent configuration:

datadog-agent.yaml

apiVersion:datadoghq.com/v2alpha1kind:DatadogAgentmetadata:name:datadogspec:#(...)features:admissionController:enabled:truemutateUnlabelled:false

Starting from Helm chart v2.35.0, Datadog Admission Controller is enabled by default. No extra configuration is needed to enable the Admission Controller.

To enable the Admission Controller for Helm chart v2.34.6 and earlier, set the parameter clusterAgent.admissionController.enabled to true:

datadog-values.yaml

#(...)clusterAgent:#(...)## @param admissionController - object - required## Enable the admissionController to automatically inject APM and## DogStatsD config and standard tags (env, service, version) into## your pods#admissionController:enabled:true## @param mutateUnlabelled - boolean - optional## Enable injecting config without having the pod label:## admission.datadoghq.com/enabled="true"#mutateUnlabelled:false

To enable the Admission Controller without using Helm or the Datadog operator, add the following to your configuration:

First, download the Cluster Agent RBAC permissions manifest, and add the following under rules:

cluster-agent-rbac.yaml

- apiGroups:- admissionregistration.k8s.ioresources:- mutatingwebhookconfigurationsverbs:["get","list","watch","update","create"]- apiGroups:[""]resources:["secrets"]verbs:["get","list","watch","update","create"]- apiGroups:["batch"]resources:["jobs","cronjobs"]verbs:["get"]- apiGroups:["apps"]resources:["statefulsets","replicasets","deployments"]verbs:["get"]

Add the following to the bottom of agent-services.yaml:

agent-services.yaml

apiVersion:v1kind:Servicemetadata:name:datadog-cluster-agent-admission-controllerlabels:app:"datadog"app.kubernetes.io/name:"datadog"spec:selector:app:datadog-cluster-agentports:- port:443targetPort:8000

Add environment variables to the Cluster Agent deployment which enable the Admission Controller:

cluster-agent-deployment.yaml

- name:DD_ADMISSION_CONTROLLER_ENABLEDvalue:"true"- name:DD_ADMISSION_CONTROLLER_SERVICE_NAMEvalue:"datadog-cluster-agent-admission-controller"# Uncomment this to configure Datadog SDKs automatically (see below)# - name: DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED# value: "true"

Finally, run the following commands:

  • kubectl apply -f cluster-agent-rbac.yaml
  • kubectl apply -f agent-services.yaml
  • kubectl apply -f cluster-agent-deployment.yaml

APM Instrumentation library injection

You can configure the Cluster Agent (version 7.39 and higher) to inject instrumentation libraries using Single Step Instrumentation. Read Single Step APM Instrumentation for more information.

If you do not want to use Single Step Instrumentation, the Datadog Admission Controller can be used to inject Datadog SDKs directly as a manual, pod-level alternative. Read Local SDK Injection for more information.

APM and DogStatsD environment variable injection

To configure DogStatsD clients or other APM libraries that do not support library injection, inject the environment variables DD_AGENT_HOST and DD_ENTITY_ID by doing one of the following:

  • Add the label admission.datadoghq.com/enabled: "true" to your Pod.
  • Configure the Cluster Agent admission controller by setting mutateUnlabelled (or DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED, depending on your configuration method) to true.

Adding a mutateUnlabelled: true Agent config in the Helm chart causes the Cluster Agent to attempt to intercept every unlabelled Pod.

To prevent Pods from receiving environment variables, add the label admission.datadoghq.com/enabled: "false". This works even if you set mutateUnlabelled: true.

If mutateUnlabelled is set to false, the Pod label must be set to admission.datadoghq.com/enabled: "true".

Possible options:

mutateUnlabelledPod labelInjection
trueNo labelYes
trueadmission.datadoghq.com/enabled=trueYes
trueadmission.datadoghq.com/enabled=falseNo
falseNo labelNo
falseadmission.datadoghq.com/enabled=trueYes
falseadmission.datadoghq.com/enabled=falseNo

Order of priority

The Datadog Admission Controller does not inject the environment variables DD_VERSION, DD_ENV, or DD_SERVICE if they already exist.

When these environment variables are not set, the Admission Controller uses standard tags value in the following order (highest first):

  • Labels on the Pod
  • Labels on the ownerReference (ReplicaSets, DaemonSets, Deployments, etc.)

Configure APM and DogstatsD communication mode

Starting from Datadog Cluster Agent v1.20.0, the Datadog Admission Controller can be configured to inject different modes of communication between the application and Datadog agent.

This feature can be configured by setting admission_controller.inject_config.mode or by defining a Pod-specific mode using the admission.datadoghq.com/config.mode Pod label.

Starting from Helm chart v3.22.0 and Datadog Operator v1.1.0, the communication mode is automatically set to socket if either APM socket or DSD socket is enabled.

Possible options:

ModeDescription
hostip (Default)Inject the host IP in DD_AGENT_HOST environment variable
serviceInject Datadog’s local-service DNS name in DD_AGENT_HOST environment variable (available with Kubernetes v1.22+)
socketInject Unix Domain Socket path in DD_TRACE_AGENT_URL environment variable and the volume definition to access the corresponding path. Inject URL to use to connect the Datadog Agent for DogStatsD metrics in DD_DOGSTATSD_URL.
csiInject Unix Domain Socket paths in DD_TRACE_AGENT_URL and DD_DOGSTATSD_URL environment variables and the Datadog CSI volume definition to access the corresponding paths. This mode is available for Datadog Cluster Agent v7.67+.

Note: Pod-specific mode takes precedence over the global mode defined at the Admission Controller level.

Troubleshooting

See Admission Controller Troubleshooting.

Further Reading