---
title: Setting up Workload Protection on Kubernetes
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Workload Protection > Setting up Workload Protection
  > Deploying Workload Protection on the Agent > Setting up Workload Protection
  on Kubernetes
---

# Setting up Workload Protection on Kubernetes

Use the following instructions to enable Workload Protection.

{% alert level="info" %}
Collecting events using Workload Protection will affect your billing. For more information, see [Datadog Pricing](https://www.datadoghq.com/pricing/?product=cloud-security-management#products).
{% /alert %}

## Prerequisites{% #prerequisites %}

- Latest Datadog Agent version. For installation instructions, see [Getting Started with the Agent](https://docs.datadoghq.com/getting_started/agent) or install the Agent from the [Datadog UI](https://app.datadoghq.com/account/settings/agent/latest).

**Note**: SBOM collection is not compatible with the image streaming feature in Google Kubernetes Engine (GKE). To disable it, see the [Disable Image streaming](https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming#disable) section of the GKE docs.

## Installation{% #installation %}

{% tab title="Datadog Operator" %}

1. Add the following to the `spec` section of the `datadog-agent.yaml` file:

   ```yaml
   # datadog-agent.yaml file
   apiVersion: datadoghq.com/v2alpha1
   kind: DatadogAgent
   metadata:
     name: datadog
   spec:
     features:
       # (Optional) Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
       admissionController:
         enabled: true
         cwsInstrumentation:
           enabled: true
   
       remoteConfiguration:
         enabled: true
       # Enables Threat Detection
       cws:
         enabled: true
       # Enables Misconfigurations
       cspm:
         enabled: true
         hostBenchmarks:
           enabled: true
       # Enables the image metadata collection and Software Bill of Materials (SBOM) collection
       sbom:
         enabled: true
         # Enables Container Vulnerability Management
         # Image collection is enabled by default with Datadog Operator version `>= 1.3.0`
         containerImage:
           enabled: true
   
           # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
           # uncompressedLayersSupport: true
   
         # Enables Host Vulnerability Management
         host:
           enabled: true
   ```

1. Apply the changes and restart the Agent.

{% /tab %}

{% tab title="Helm" %}

1. Add the following to the `datadog` section of the `datadog-values.yaml` file:

   ```yaml
   # datadog-values.yaml file
   
   # (Optional) Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
   clusterAgent:
     admissionController:
       enabled: true
       cwsInstrumentation:
         enabled: true
   
   datadog:
     remoteConfiguration:
       enabled: true
     securityAgent:
       # Enables Threat Detection
       runtime:
         enabled: true
       # Enables Misconfigurations
       compliance:
         enabled: true
         host_benchmarks:
           enabled: true
     sbom:
       containerImage:
         enabled: true
   
         # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
         # uncompressedLayersSupport: true
   
       # Enables Host Vulnerability Management
       host:
         enabled: true
   
       # Enables Container Vulnerability Management
       # Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
       # containerImageCollection:
       #   enabled: true
   ```

1. Restart the Agent.

If you experience RBAC issues, you can run the chart with the `clusterRole.allowCreatePodsExec` option enabled for the `clusterRole`:

```sh
helm install datadog-operator datadog/datadog-operator --set clusterRole.allowCreatePodsExec=true
```

{% /tab %}

{% tab title="DaemonSet" %}

1. Add the following settings to the `env` section of `security-agent` and `system-probe` in the `daemonset.yaml` file. Note that the `DD_ADMISSION_CONTROLLER_ENABLED` and `DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED` variables in the `cluster-agent-deployment.yaml` enable event enrichment with Kubernetes user identities (optional).

   ```bash
     # Source: datadog/templates/daemonset.yaml
     apiVersion:app/1
     kind: DaemonSet
     [...]
     spec:
     [...]
     spec:
         [...]
           containers:
           [...]
             - name: agent
               [...]
               env:
                 - name: DD_REMOTE_CONFIGURATION_ENABLED
                   value: "true"
             - name: system-probe
               [...]
               env:
                 - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
                   value: "true"
                 - name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
                   value: "true"
                 - name: DD_COMPLIANCE_CONFIG_ENABLED
                   value: "true"
                 - name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
                   value: "true"
                 - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
                   value: "true"
             [...]
   
     # Source: datadog/templates/cluster-agent-deployment.yaml
     apiVersion:app/1
     kind: Deployment
     [...]
     spec:
       [...]
       template:
         [...]
         spec:
           [...]
           containers:
           [...]
             - name: cluster-agent
               [...]
               env:
                 - name: DD_ADMISSION_CONTROLLER_ENABLED
                   value: "true"
                 - name: DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED
                   value: "true"
   ```

{% /tab %}