Single Step APM Instrumentation on Kubernetes

문서 > APM > 애플리케이션 계측 > 자동 계측 > Single Step APM Instrumentation > Single Step APM Instrumentation on Kubernetes

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Overview

In a Kubernetes environment, use Single Step Instrumentation (SSI) for APM to install the Datadog Agent and instrument your applications with the Datadog APM SDKs in one step.

Requirements

Kubernetes v1.20+
Helm for deploying the Datadog Operator.
Kubectl CLI for installing the Datadog Agent.

Enable APM on your applications

Single Step Instrumentation does not instrument applications in the namespace where the Datadog Agent is installed. Install the Agent in a separate namespace where you do not run your applications.

Follow these steps to enable Single Step Instrumentation across your entire cluster. This automatically sends traces from all applications written in supported languages.

Note: To instrument only specific namespaces or pods, see workload targeting in Advanced options.

In Datadog, go to the Install the Datadog Agent on Kubernetes page.
Follow the on-screen instructions to choose your installation method, select an API key, and set up the Operator or Helm repository.
In the Configure datadog-agent.yaml section, go to Additional configuration > Application Observability, and turn on APM Instrumentation.
Deploy the Agent using the generated configuration file.
Restart your applications.

Configure Unified Service Tags

Unified Service Tags (USTs) apply consistent tags across traces, metrics, and logs, making it easier to navigate and correlate your observability data.

Recommended: Configure USTs with ddTraceConfigs as part of workload targeting.

With SSI, you can automatically extract UST values from pod labels and metadata without modifying individual deployments: To use the recommended ddTraceConfigs approach, ensure you have the following software components:

Component	Minimum Version	Notes
datadog-agent	7.66+	Required for valueFrom support
datadog-operator	1.16.0+	1.13.0+ works with Agent version override
datadog-helm-chart	3.120.0+	Added valueFrom support

Note: Replace app-name with any label that contains your service name (e.g., service, app, component). You can configure multiple labels this way.

datadog:
  # Make pod labels available as tags in Datadog
  kubernetesResourcesLabelsAsTags:
    pods:
      app-name: service
    deployments.apps:
      app-name: service
    replicasets.apps:
      app-name: service

  # Set environment globally for the entire cluster
  tags:
    - "env:production"

  apm:
    instrumentation:
      enabled: true
      targets:
        - name: my-services
          podSelector:
            matchExpressions:
            - key: app-name           # Target pods with this label
              operator: Exists
          ddTraceConfigs:
            - name: DD_SERVICE      # Extract service name from pod label
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['app-name']
            # DD_VERSION automatically extracted from image tags
            # DD_ENV inherited from cluster-level tags above

Configure USTs in deployment manifests

If your setup doesn’t use labels suitable for UST extraction, you can set USTs directly in your deployment manifests using environment variables. This approach requires modifying each deployment individually, but offers precise control.

For complete instructions, see setting USTs for Kubernetes services.

Enable SDK-dependent products and features

After SSI loads the Datadog SDK into your applications and enables distributed tracing, you can configure additional products that rely on the SDK. These include capabilities such as Continuous Profiler, Application Security Monitoring, and trace ingestion controls.

Use one of the following setup methods:

Configure with workload targeting (recommended):
By default, Single Step Instrumentation instruments all services in all namespaces. Use workload targeting to limit instrumentation to specific namespaces, pods, or workloads, and apply custom configurations.
Set environment variables:
Enable products by setting environment variables directly in your application configuration.

Advanced options

Use the following advanced options to customize how Single Step Instrumentation behaves in your environment. These settings are optional and typically only needed in specialized setups.

Target specific workloads

By default, SSI instruments all services in all namespaces in your cluster. Depending on your Agent version, use one of the following configuration methods to refine which services are instrumented and how.

Create targeting blocks with the targets label to specify which workloads to instrument and what configurations to apply.

Each target block has the following keys:

Key	Description
`name`	The name of the target block. This has no effect on monitoring state and is used only as metadata.
`namespaceSelector`	The namespace(s) to instrument. Specify using one or more of: - `matchNames`: A list of one or more namespace name(s). - `matchLabels`: A list of one or more label(s) defined in `{key,value}` pairs. - `matchExpressions`: A list of namespace selector requirements. Namespaces must meet all criteria to match. For more details, see the Kubernetes selector documentation.
`podSelector`	The pod(s) to instrument. Specify using one or more of: - `matchLabels`: A list of one or more label(s) defined in `{key,value}` pairs. - `matchExpressions`: A list of pod selector requirements. Pods must meet all criteria to match. For more details, see the Kubernetes selector documentation.
`ddTraceVersions`	The Datadog APM SDK version to use for each language.
`ddTraceConfigs`	APM SDK configs that allow setting Unified Service Tags, enabling Datadog products beyond tracing, and customizing other APM settings. See full list of options.

The file you need to configure depends on how you enabled Single Step Instrumentation:

If you enabled SSI with Datadog Operator, edit datadog-agent.yaml.
If you enabled SSI with Helm, edit datadog-values.yaml.

Note: Targets are evaluated in order; the first match takes precedence.

Example configurations

Review the following examples demonstrating how to select specific services:

Example 1: Enable all namespaces except one

This configuration:

enables APM for all namespaces except the jenkins namespace.
instructs Datadog to instrument the Java applications with the default Java APM SDK and Python applications with v.3.1.0 of the Python APM SDK.

   apm:
     instrumentation:
       enabled: true
       disabledNamespaces:
         - "jenkins"
       targets:
         - name: "all-remaining-services"
           ddTraceVersions:
             java: "default"
             python: "3.1.0"

Example 2: Instrument a subset of namespaces, matching on names and labels

This configuration creates two targets blocks:

The first block (named login-service_namespace):
- enables APM for services in the namespace login-service.
- instructs Datadog to instrument services in this namespace with the default version of the Java APM SDK.
- sets environment variable DD_PROFILING_ENABLED for this target group
The second block (named billing-service_apps)
- enables APM for services in the namespace(s) with label app:billing-service.
- instructs Datadog to instrument this set of services with v3.1.0 of the Python APM SDK.

  apm:
    instrumentation:
      enabled: true
      targets:
        - name: "login-service_namespace"
          namespaceSelector:
            matchNames:
              - "login-service"
          ddTraceVersions:
            java: "default"
          ddTraceConfigs:
            - name: "DD_PROFILING_ENABLED"  ## profiling is enabled for all services in this namespace
              value: "auto"
        - name: "billing-service_apps"
          namespaceSelector:
            matchLabels:
              app: "billing-service"
          ddTraceVersions:
            python: "3.1.0"

Example 3: Instrument different workloads with different tracers

This configuration does the following:

enables APM for pods with the following labels:
- app:db-user, which marks pods running the db-user application.
- webserver:routing, which marks pods running the request-router application.
instructs Datadog to use the default versions of the Datadog Tracer SDKs.
sets Datadog environment variables to apply to each target group and configure the SDKs.

   apm:
     instrumentation:
       enabled: true
       targets:
         - name: "db-user"
           podSelector:
             matchLabels:
               app: "db-user"
           ddTraceVersions:
             java: "default"
           ddTraceConfigs:   ## trace configs set for services in matching pods
             - name: "DD_DATA_STREAMS_ENABLED"
               value: "true"
         - name: "user-request-router"
           podSelector:
             matchLabels:
               webserver: "user"
           ddTraceVersions:
             php: "default"

Example 4: Instrument a pod within a namespace

This configuration:

enables APM for pods labeled app:password-resolver inside the login-service namespace.
instructs Datadog to use the default version of the Datadog Java Tracer SDK.
sets Datadog environment variables to apply to this target.

   apm:
     instrumentation:
       enabled: true
       targets:
         - name: "login-service-namespace"
           namespaceSelector:
             matchNames:
               - "login-service"
           podSelector:
             matchLabels:
               app: "password-resolver"
           ddTraceVersions:
             java: "default"
           ddTraceConfigs:
             - name: "DD_PROFILING_ENABLED"
               value: "auto"

Example 5: Instrument a subset of pods using `matchExpressions`

This configuration enables APM for all pods except those that have either of the labels app=app1 or app=app2.

   apm:
     instrumentation:
       enabled: true
       targets:
         - name: "default-target"
           podSelector:
               matchExpressions:
                 - key: app
                   operator: NotIn
                   values:
                   - app1
                   - app2

Enable or disable instrumentation for namespaces

You can choose to enable or disable instrumentation for applications in specific namespaces. You can only set enabledNamespaces or disabledNamespaces, not both.

The file you need to configure depends on if you enabled Single Step Instrumentation with Datadog Operator or Helm:

Datadog Operator

To enable instrumentation for specific namespaces, add enabledNamespaces configuration to datadog-agent.yaml:

   features:
     apm:
       instrumentation:
         enabled: true
         enabledNamespaces: # Add namespaces to instrument
           - default
           - applications

To disable instrumentation for specific namespaces, add disabledNamespaces configuration to datadog-agent.yaml:

   features:
     apm:
       instrumentation:
         enabled: true
         disabledNamespaces: # Add namespaces to not instrument
           - default
           - applications

Helm

To enable instrumentation for specific namespaces, add enabledNamespaces configuration to datadog-values.yaml:

   datadog:
      apm:
        instrumentation:
          enabled: true
          enabledNamespaces: # Add namespaces to instrument
             - namespace_1
             - namespace_2

To disable instrumentation for specific namespaces, add disabledNamespaces configuration to datadog-values.yaml:

   datadog:
      apm:
        instrumentation:
          enabled: true
          disabledNamespaces: # Add namespaces to not instrument
            - namespace_1
            - namespace_2

Specify tracing library versions

Starting with Datadog Cluster Agent v7.52.0+, you can automatically instrument a subset of your applications, based on the tracing libraries you specify.

Specify Datadog tracing libraries and their versions to automatically instrument applications written in those languages. You can configure this in two ways, which are applied in the following order of precedence:

Specify at the service level, or
Specify at the cluster level.

Default: If you don’t specify any library versions, applications written in supported languages are automatically instrumented using the latest tracing library versions.

Specify at the service level

To automatically instrument applications in specific pods, add the appropriate language annotation and library version for your application in your pod spec:

Language	Pod annotation
Java	`admission.datadoghq.com/java-lib.version: "<CONTAINER IMAGE TAG>"`
Node.js	`admission.datadoghq.com/js-lib.version: "<CONTAINER IMAGE TAG>"`
Python	`admission.datadoghq.com/python-lib.version: "<CONTAINER IMAGE TAG>"`
.NET	`admission.datadoghq.com/dotnet-lib.version: "<CONTAINER IMAGE TAG>"`
Ruby	`admission.datadoghq.com/ruby-lib.version: "<CONTAINER IMAGE TAG>"`
PHP	`admission.datadoghq.com/php-lib.version: "<CONTAINER IMAGE TAG>"`

Replace <CONTAINER IMAGE TAG> with the desired library version. Available versions are listed in the Datadog container registries and tracer source repositories for each language:

Exercise caution when using the latest tag, as major library releases may introduce breaking changes.

For example, to automatically instrument Java applications:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    # ...
spec:
  template:
    metadata:
      annotations:
        admission.datadoghq.com/java-lib.version: "<CONTAINER IMAGE TAG>"
    spec:
      containers:
        - # ...

Specify at the cluster level

If you don’t enable automatic instrumentation for specific pods using annotations, you can specify which languages to instrument across the entire cluster using the SSI configuration. When apm.instrumentation.libVersions is set, only applications written in the specified languages are instrumented, using the specified library versions.

The file you need to configure depends on if you enabled Single Step Instrumentation with Datadog Operator or Helm:

Datadog Operator

For example, to instrument .NET, Python, and Node.js applications, add the following configuration to your datadog-agent.yaml file:

   features:
     apm:
       instrumentation:
         enabled: true
         libVersions: # Add any libraries and versions you want to set
            dotnet: "x.x.x"
            python: "x.x.x"
            js: "x.x.x"

Helm

For example, to instrument .NET, Python, and Node.js applications, add the following configuration to your datadog-values.yaml file:

   datadog:
     apm:
       instrumentation:
         enabled: true
         libVersions: # Add any libraries and versions you want to set
            dotnet: "x.x.x"
            python: "x.x.x"
            js: "x.x.x"

Change the default image registry

Datadog publishes instrumentation libraries images on gcr.io, Docker Hub, and Amazon ECR:

Language	gcr.io	hub.docker.com	gallery.ecr.aws
Java	gcr.io/datadoghq/dd-lib-java-init	hub.docker.com/r/datadog/dd-lib-java-init	gallery.ecr.aws/datadog/dd-lib-java-init
Node.js	gcr.io/datadoghq/dd-lib-js-init	hub.docker.com/r/datadog/dd-lib-js-init	gallery.ecr.aws/datadog/dd-lib-js-init
Python	gcr.io/datadoghq/dd-lib-python-init	hub.docker.com/r/datadog/dd-lib-python-init	gallery.ecr.aws/datadog/dd-lib-python-init
.NET	gcr.io/datadoghq/dd-lib-dotnet-init	hub.docker.com/r/datadog/dd-lib-dotnet-init	gallery.ecr.aws/datadog/dd-lib-dotnet-init
Ruby	gcr.io/datadoghq/dd-lib-ruby-init	hub.docker.com/r/datadog/dd-lib-ruby-init	gallery.ecr.aws/datadog/dd-lib-ruby-init
PHP	gcr.io/datadoghq/dd-lib-php-init	hub.docker.com/r/datadog/dd-lib-php-init	gallery.ecr.aws/datadog/dd-lib-php-init

The DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_CONTAINER_REGISTRY environment variable in the Datadog Cluster Agent configuration specifies the registry used by the Admission Controller. The default value is gcr.io/datadoghq.

You can pull the tracing library from a different registry by changing it to docker.io/datadog, public.ecr.aws/datadog, or another URL if you are hosting the images in a local container registry.

For instructions on changing your container registry, see Changing Your Container Registry.

Use a private container registry

If your organization does not allow direct pulls from public registries (such as gcr.io, docker.io, or public.ecr.aws), you can host the required Datadog images internally and configure the Admission Controller to use them.

To use SSI with a private container registry:

Follow these instructions to mirror Datadog’s container images to your private registry.
You only need the images for the languages you are instrumenting. If you’re not sure which ones you need, here’s a baseline that covers most use cases:
- apm-inject
- dd-lib-java-init
- dd-lib-python-init
- dd-lib-dotnet-init
- dd-lib-php-init
- dd-lib-ruby-init
- dd-lib-js-init
You can find these images on gcr.io, Docker Hub, or Amazon ECR Public Gallery.
Tag the images according to your configuration.
The versions you mirror must match the versions configured in your workloads, which might be set in one of the following ways:
- globally in the Agent config using ddTraceVersions, or
- per-pod using annotations like admission.datadoghq.com/java-lib.version.
If no version is explicitly configured, the default version (0) is used.
For example:
```
apm:
  instrumentation:
    enabled: true
    targets:
      - name: "default-target"
        ddTraceVersions:
          java: "1"
          python: "3"
```
This configuration requires the following image tags:
- apm-inject:0
- dd-lib-java-init:1
- dd-lib-python-init:3
Update the Cluster Agent configuration to use your private registry.
Set the DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_CONTAINER_REGISTRY environment variable in your Cluster Agent config to use your private registry.

For more details on changing your container registry, see Changing Your Container Registry.

Remove Single Step APM instrumentation from your Agent

If you don’t want to collect trace data for a particular service, host, VM, or container, complete the following steps:

Remove instrumentation for specific services

To remove APM instrumentation and stop sending traces from a specific service, you can do one of the following:

Use workload selection (recommended)

With workload selection (available for Agent v7.64+), you can enable and disable tracing for specific applications. See configuration details here.

Use the Datadog Admission Controller

As an alternative, or for a version of the agent that does not support workload selection, you can also disable pod mutation by adding a label to your pod.

In addition to disabling SSI, the following steps disable other mutating webhooks. Use with caution.

Set the admission.datadoghq.com/enabled: label to "false" for the pod spec:

spec:
  template:
    metadata:
      labels:
        admission.datadoghq.com/enabled: "false"

Apply the configuration:

kubectl apply -f /path/to/your/deployment.yaml

Restart the services you want to remove instrumentation for.

Remove APM for all services on the infrastructure

To stop producing traces, uninstall APM and restart the infrastructure:

The file you need to configure depends on if you enabled Single Step Instrumentation with Datadog Operator or Helm:

Set instrumentation.enabled=false in datadog-agent.yaml:

features:
  apm:
    instrumentation:
      enabled: false

Deploy the Datadog Agent with the updated configuration file:
```
kubectl apply -f /path/to/your/datadog-agent.yaml
```

Set instrumentation.enabled=false in datadog-values.yaml:

datadog:
  apm:
    instrumentation:
      enabled: false

Run the following command:

helm upgrade datadog-agent -f datadog-values.yaml datadog/datadog

Best practices

After you enable SSI, all supported processes in the cluster are automatically instrumented and begin producing traces within minutes.

To control where APM is activated and reduce overhead, consider the following best practices.

Use opt-in labels for controlled APM rollout

Default vs. opt-in instrumentation

Mode	Behavior	When to use
Default	All supported processes in the cluster are instrumented.	Small clusters or prototypes.
Opt-in	Use workload selection to restrict instrumentation to specific namespaces or pods.	Production clusters, staged rollouts, or cost‑sensitive use cases.

Example: Enable instrumentation for specific pods

Add a meaningful label (for example, datadoghq.com/apm-instrumentation: "enabled") to both the deployment metadata and the pod template.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout-api
  labels:
    app: checkout-api
    datadoghq.com/apm-instrumentation: "enabled"   # opt-in label (cluster-wide)
spec:
  replicas: 3
  selector:
    matchLabels:
      app: checkout-api
  template:
    metadata:
      labels:
        app: checkout-api
        datadoghq.com/apm-instrumentation: "enabled"   # opt-in label must be on *template*, too
        # Unified Service Tags (recommended)
        tags.datadoghq.com/service: "checkout-api"
        tags.datadoghq.com/env:     "prod"
        tags.datadoghq.com/version: "2025-06-10"
    spec:
      containers:
        - name: api
          image: my-registry/checkout:latest
          ports:
            - containerPort: 8080

In your Datadog Agent Helm config, enable SSI and use podSelector to inject only into pods with the matching opt-in label.

  apm:
    instrumentation:
      enabled: true
      targets:
        - name: apm-instrumented
          podSelector:
            matchLabels:
              datadoghq.com/apm-instrumentation: "enabled"

See workload selection for additional examples.

Control which APM SDKs are loaded

Use ddTraceVersions in your Agent Helm config to control both the language and the version of the APM SDK. This prevents unnecessary SDKs from being downloaded, which minimizes init-container footprint, reduces image size, and allows for more deliberate tracer upgrades (for example, to meet compliance requirements or simplify debugging).

Example: Specify a Java APM SDK for a namespace

Only Java applications run in the login-service namespace. To avoid downloading other SDKs, configure the Agent to target that namespace and inject only the Java SDK version 1.48.2.

targets:
  - name: login-service
    namespaceSelector:
      matchNames: ["login-service"]
    ddTraceVersions:
      java: "1.48.2"    # pin version

Default configuration

If a pod doesn’t match any ddTraceVersions rule, the default target applies.

targets:
  - name: default-target          # tag any pod *without* an override
    ddTraceVersions:
      java:   "1"   # stay on latest v1.x
      python: "3"   # stay on latest v3.x
      js:     "5"   # NodeJS
      php:    "1"
      dotnet: "3"