The Datadog admission controller is a component of the Datadog Cluster Agent. The main benefit of the admission controller is to simplify the user’s application pod configuration. For that, It has two main functionalities:
DD_AGENT_HOST and DD_ENTITY_ID) to configure DogStatsD and APM tracer libraries into the user’s application containers.env, service, version) from application labels into the container environment variables.Datadog’s admission controller is MutatingAdmissionWebhook type. For more details on admission controllers, see the Kubernetes guide.
To enable the admission controller for Helm chart, set the parameter clusterAgent.admissionController.enabled to true:
values.yaml
[...]
clusterAgent:
[...]
## @param admissionController - object - required
## Enable the admissionController to automatically inject APM and
## DogStatsD config and standard tags (env, service, version) into
## your pods
#
admissionController:
enabled: true
## @param mutateUnlabelled - boolean - optional
## Enable injecting config without having the pod label:
## admission.datadoghq.com/enabled="true"
#
mutateUnlabelled: false
[...]To enable the admission controller for the Datadog operator, set the parameter clusterAgent.config.admissionController.enabled to true in the custom resource:
[...]
clusterAgent:
[...]
config:
admissionController:
enabled: true
mutateUnlabelled: false
[...]
To enable the admission controller without using Helm or the Datadog operator, you’ll need to add a few things to your configuration:
First, download the Cluster Agent RBAC permissions manifest, and add the following under rules:
cluster-agent-rbac.yaml
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs: ["get", "list", "watch", "update", "create"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "update", "create"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get"]
- apiGroups: ["apps"]
resources: ["statefulsets", "replicasets", "deployments"]
verbs: ["get"]Add the following to the bottom of agent-services.yaml:
agent-services.yaml
---
apiVersion: v1
kind: Service
metadata:
name: datadog-cluster-agent-admission-controller
labels:
app: "datadog"
app.kubernetes.io/name: "datadog"
spec:
selector:
app: datadog-cluster-agent
ports:
- port: 443
targetPort: 8000Add environment variables to the Cluster Agent deployment which enable the Admission Controller:
cluster-agent-deployment.yaml
- name: DD_ADMISSION_CONTROLLER_ENABLED
value: "true"
- name: DD_ADMISSION_CONTROLLER_SERVICE_NAME
value: "datadog-cluster-agent-admission-controller"
# Uncomment this to configure APM tracers automatically (see below)
# - name: DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED
# value: "true"Finally, run the following commands:
kubectl apply -f cluster-agent-rbac.yamlkubectl apply -f agent-services.yamlkubectl apply -f cluster-agent-deployment.yamlTo configure DogstatsD clients and APM tracers automatically, inject the environment variables DD_AGENT_HOST and DD_ENTITY_ID by using one of the following:
admission.datadoghq.com/enabled: "true" to your pod.mutateUnlabelled (or DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED, depending on your configuration method) to true.To prevent pods from receiving environment variables, add the label admission.datadoghq.com/enabled: "false". This works even if you set mutateUnlabelled: true.
Possible options:
| mutateUnlabelled | Pod label | Injection |
|---|---|---|
true | No label | Yes |
true | admission.datadoghq.com/enabled=true | Yes |
true | admission.datadoghq.com/enabled=false | No |
false | No label | No |
false | admission.datadoghq.com/enabled=true | Yes |
false | admission.datadoghq.com/enabled=false | No |
DD_VERSION, DD_ENV, and DD_SERVICE if they already exist.DD_ADMISSION_CONTROLLER_INJECT_CONFIG_ENABLED=falseAdditional helpful documentation, links, and articles:
On this Page
