Datadog Admission Controller

Datadog Admission Controller

Overview

The Datadog admission controller is a component of the Datadog Cluster Agent. The main benefit of the admission controller is to simplify the user’s application pod configuration. For that, It has two main functionalities:

  • Inject environment variables (DD_AGENT_HOST and DD_ENTITY_ID) to configure DogStatsD and APM tracer libraries into the user’s application containers.
  • Inject Datadog standard tags (env, service, version) from application labels into the container environment variables.

Datadog’s admission controller is MutatingAdmissionWebhook type. For more details on admission controllers, see the Kubernetes guide.

Requirements

  • Datadog Cluster Agent v1.7.0+

Configuration

Helm chart

To enable the admission controller for Helm chart, set the parameter clusterAgent.admissionController.enabled to true:

values.yaml

[...]
 clusterAgent:
[...]
  ## @param admissionController - object - required
  ## Enable the admissionController to automatically inject APM and
  ## DogStatsD config and standard tags (env, service, version) into
  ## your pods
  #
  admissionController:
    enabled: true

    ## @param mutateUnlabelled - boolean - optional
    ## Enable injecting config without having the pod label:
    ## admission.datadoghq.com/enabled="true"
    #
    mutateUnlabelled: false
[...]

Datadog operator

To enable the admission controller for the Datadog operator, set the parameter clusterAgent.config.admissionController.enabled to true in the custom resource:

[...]
 clusterAgent:
[...]
    config:
      admissionController:
        enabled: true
        mutateUnlabelled: false
[...]

Manual setup

To enable the admission controller without using Helm or the Datadog operator, add the following to your configuration:

First, download the Cluster Agent RBAC permissions manifest, and add the following under rules:

cluster-agent-rbac.yaml

- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs: ["get", "list", "watch", "update", "create"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "update", "create"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["statefulsets", "replicasets", "deployments"]
  verbs: ["get"]

Add the following to the bottom of agent-services.yaml:

agent-services.yaml

apiVersion: v1
kind: Service
metadata:
  name: datadog-cluster-agent-admission-controller
  labels:
    app: "datadog"
    app.kubernetes.io/name: "datadog"
spec:
  selector:
    app: datadog-cluster-agent
  ports:
  - port: 443
    targetPort: 8000

Add environment variables to the Cluster Agent deployment which enable the Admission Controller:

cluster-agent-deployment.yaml

- name: DD_ADMISSION_CONTROLLER_ENABLED
  value: "true"
- name: DD_ADMISSION_CONTROLLER_SERVICE_NAME
  value: "datadog-cluster-agent-admission-controller"

# Uncomment this to configure APM tracers automatically (see below)
# - name: DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED
#   value: "true"

Finally, run the following commands:

  • kubectl apply -f cluster-agent-rbac.yaml
  • kubectl apply -f agent-services.yaml
  • kubectl apply -f cluster-agent-deployment.yaml

APM and DogStatsD

To configure DogstatsD clients and APM tracers automatically, inject the environment variables DD_AGENT_HOST and DD_ENTITY_ID by using one of the following:

  • Add the label admission.datadoghq.com/enabled: "true" to your pod.
  • Configure the Cluster Agent admission controller by setting mutateUnlabelled (or DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED, depending on your configuration method) to true.

To prevent pods from receiving environment variables, add the label admission.datadoghq.com/enabled: "false". This works even if you set mutateUnlabelled: true.

Possible options:

mutateUnlabelled Pod label Injection
true No label Yes
true admission.datadoghq.com/enabled=true Yes
true admission.datadoghq.com/enabled=false No
false No label No
false admission.datadoghq.com/enabled=true Yes
false admission.datadoghq.com/enabled=false No

Notes

  • The admission controller needs to be deployed and configured before the creation of new application pods. It cannot update pods that already exist.
  • The admission controller doesn’t inject the environment variables DD_VERSION, DD_ENV, and DD_SERVICE if they already exist.
  • To disable the admission controller injection feature, use the Cluster Agent configuration: DD_ADMISSION_CONTROLLER_INJECT_CONFIG_ENABLED=false
  • By using the Datadog admission controller, users can skip configuring the application pods using downward API (step 2 in Kubernetes Trace Collection setup).
  • If you are using a private cluster and your configuration is not getting injected into your pods, open a firewall rule for the control plane to talk to the Datadog webhook. In this case, ensure that the firewall rules open port 443 as described in Adding firewall rules in GCP.

Further Reading

Additional helpful documentation, links, and articles:

Running Cluster Checks with AutodiscoveryDOCUMENTATION more more Troubleshooting the Datadog Cluster AgentDOCUMENTATION more more