The Datadog Admission Controller is a component of the Datadog Cluster Agent. The main benefit of the Admission Controller is to simplify your application Pod configuration. For that, it has two main functionalities:
Inject environment variables (DD_AGENT_HOST, DD_TRACE_AGENT_URL and DD_ENTITY_ID) to configure DogStatsD and APM tracer libraries into the user’s application containers.
Inject Datadog standard tags (env, service, version) from application labels into the container environment variables.
To enable the Admission Controller for the Datadog Operator, set the parameter features.admissionController.enabled to true in your DatadogAgent configuration:
Starting from Helm chart v2.35.0, the Datadog Admission Controller is activated by default. No extra configuration is needed to enable it.
To enable the Admission Controller for Helm chart v2.34.6 and earlier, set the parameter clusterAgent.admissionController.enabled to true:
datadog-values.yaml
```yaml
#(...)
clusterAgent:
  #(...)
  ## @param admissionController - object - required
  ## Enable the admissionController to automatically inject APM and
  ## DogStatsD config and standard tags (env, service, version) into
  ## your pods
  #
  admissionController:
    enabled: true

    ## @param mutateUnlabelled - boolean - optional
    ## Enable injecting config without having the pod label:
    ## admission.datadoghq.com/enabled="true"
    #
    mutateUnlabelled: false
```
To enable the Admission Controller without using Helm or the Datadog operator, add the following to your configuration:
To configure DogStatsD clients or other APM libraries that do not support library injection, inject the environment variables DD_AGENT_HOST and DD_ENTITY_ID by doing one of the following:
Add the label admission.datadoghq.com/enabled: "true" to your Pod.
Configure the Cluster Agent admission controller by setting mutateUnlabelled (or DD_ADMISSION_CONTROLLER_MUTATE_UNLABELLED, depending on your configuration method) to true.
Adding a mutateUnlabelled: true Agent config in the Helm chart causes the Cluster Agent to attempt to intercept every unlabelled Pod.
To prevent Pods from receiving environment variables, add the label admission.datadoghq.com/enabled: "false". This works even if you set mutateUnlabelled: true.
If mutateUnlabelled is set to false, the Pod label must be set to admission.datadoghq.com/enabled: "true".
Possible options:

| mutateUnlabelled | Pod label | Injection |
|---|---|---|
| true | No label | Yes |
| true | admission.datadoghq.com/enabled=true | Yes |
| true | admission.datadoghq.com/enabled=false | No |
| false | No label | No |
| false | admission.datadoghq.com/enabled=true | Yes |
| false | admission.datadoghq.com/enabled=false | No |
Order of priority
The Datadog Admission Controller does not inject the environment variables DD_VERSION, DD_ENV, or DD_SERVICE if they already exist.
When these environment variables are not set, the Admission Controller takes the standard tag values from the following sources, in order of priority (highest first):
Labels on the Pod
Labels on the ownerReference (ReplicaSets, DaemonSets, Deployments, etc.)
Configure APM and DogStatsD communication mode
Starting from Datadog Cluster Agent v1.20.0, the Datadog Admission Controller can be configured to inject different modes of communication between the application and the Datadog Agent.
This feature can be configured by setting admission_controller.inject_config.mode or by defining a Pod-specific mode using the admission.datadoghq.com/config.mode Pod label.
Starting from Helm chart v3.22.0 and Datadog Operator v1.1.0, the communication mode is automatically set to socket if either APM socket or DSD socket is enabled.
Possible options:

| Mode | Description |
|---|---|
| hostip (Default) | Inject the host IP in the DD_AGENT_HOST environment variable |
| service | Inject Datadog's local-service DNS name in the DD_AGENT_HOST environment variable (available with Kubernetes v1.22+) |
| socket | Inject the Unix Domain Socket path in the DD_TRACE_AGENT_URL environment variable, along with the volume definition needed to access that path. Inject the URL used to connect to the Datadog Agent for DogStatsD metrics in DD_DOGSTATSD_URL. |
Note: Pod-specific mode takes precedence over the global mode defined at the Admission Controller level.
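Before changing mutateUnlabelled or the global mode, it helps to work out which Pods the webhook would mutate and what each would receive. The following is an added example, not Datadog's code: it models only the rules stated on this page (the label/mutateUnlabelled table, the standard-tag priority order, and Pod-specific mode precedence). Assumptions: the Pod dictionary shape and the owner_labels key are hypothetical, the tags.datadoghq.com/ label prefix is Datadog's standard-tag label convention rather than something shown on this page, and any enabled-label value other than "true" is treated as "no".

```python
ENABLED = "admission.datadoghq.com/enabled"
MODE = "admission.datadoghq.com/config.mode"
TAGS = "tags.datadoghq.com/"  # standard-tag label prefix (not shown on this page)
MODE_VARS = {
    "hostip": {"DD_AGENT_HOST": "host IP"},
    "service": {"DD_AGENT_HOST": "local-service DNS name"},
    "socket": {"DD_TRACE_AGENT_URL": "UDS path", "DD_DOGSTATSD_URL": "DogStatsD URL"},
}

def will_inject(labels, mutate_unlabelled):
    """An explicit Pod label wins; without one, mutateUnlabelled decides."""
    if ENABLED not in labels:
        return mutate_unlabelled
    return labels[ENABLED] == "true"  # assumption: any other value means no

def plan(pod, mutate_unlabelled=False, global_mode="hostip"):
    """Return the mode and env vars this Pod would receive, or None."""
    labels = pod.get("labels", {})
    if not will_inject(labels, mutate_unlabelled):
        return None
    mode = labels.get(MODE, global_mode)  # Pod-specific mode takes precedence
    env = dict(MODE_VARS[mode])  # KeyError on a mode this page does not list
    for tag in ("env", "service", "version"):
        var = "DD_" + tag.upper()
        if var in pod.get("env", {}):
            continue  # an existing DD_ENV/DD_SERVICE/DD_VERSION is left alone
        # Pod labels outrank labels on the ownerReference
        for source in (labels, pod.get("owner_labels", {})):
            if TAGS + tag in source:
                env[var] = source[TAGS + tag]
                break
    return {"mode": mode, "env": env}

# Constructed sample Pods; the dict shape and owner_labels key are hypothetical
PODS = {
    "unlabelled": {"labels": {}},
    "opted-out": {"labels": {ENABLED: "false"}},
    "api": {
        "labels": {ENABLED: "true", MODE: "socket", TAGS + "env": "prod"},
        "owner_labels": {TAGS + "env": "staging", TAGS + "service": "api"},
        "env": {"DD_VERSION": "1.4.2"},
    },
}

def audit(mutate_unlabelled, global_mode="hostip"):
    return {name: plan(p, mutate_unlabelled, global_mode) for name, p in PODS.items()}

if __name__ == "__main__":
    print({flag: audit(flag) for flag in (False, True)})
```

Comparing audit(False) with audit(True) shows the set of workloads that start being mutated when mutateUnlabelled is switched on, while Pods labelled "false" stay untouched in both runs.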