datadog-agent icon indicating copy to clipboard operation
datadog-agent copied to clipboard

Published 20 hours ago verified publisher icon DataDog

[BUG] datadog admission controller breaks deployments using sidecars

Open bob-bins opened this issue 5 months ago • 1 comments

On version 3.118.0 of the DataDog Helm Chart, the DataDog admission controller (for this K8s label admission.datadoghq.com/enabled: true) incorrectly removes the restartPolicy property in a pod-to-be if it's specified in an initContainer. This causes any ReplicaSet containing a sidecar container with probes to break - they will be unable to create Pods given that only Sidecar containers can have probes, not "normal init containers".

Until this is fixed, we are unable to use the DataDog admission controller on any Deployments containing sidecar containers.

Is this just a matter of updating the k8s.io/api package here? Given that the sidecar container feature was made stable in v0.33 (it was beta in 0.32) https://github.com/DataDog/datadog-agent/blob/7a0a0406eddbe85194dff2a53f918990a3cbc930/go.mod#L206

bob-bins avatar Jun 10 '25 20:06 bob-bins

seeing this event that confirms datadog is removing the setting (near the bottom you'll find { "op": "remove", "path": "/spec/initContainers/0/restartPolicy" },

{
  "configuration": "datadog-webhook",
  "webhook": "datadog.webhook.config",
  "patch": [
    {
      "op": "add",
      "path": "/spec/containers/0/env",
      "value": [
        { "name": "DD_ENTITY_ID", "valueFrom": { "fieldRef": { "fieldPath": "metadata.uid" } } },
        { "name": "DD_DOGSTATSD_URL", "value": "unix:///var/run/datadog/dsd.socket" },
        { "name": "DD_TRACE_AGENT_URL", "value": "unix:///var/run/datadog/apm.socket" }
      ]
    },
    { "op": "add", "path": "/spec/containers/0/volumeMounts/-", "value": { "mountPath": "/var/run/datadog", "name": "datadog", "readOnly": true } },
    {
      "op": "add",
      "path": "/spec/initContainers/0/env",
      "value": [
        { "name": "DD_ENTITY_ID", "valueFrom": { "fieldRef": { "fieldPath": "metadata.uid" } } },
        { "name": "DD_DOGSTATSD_URL", "value": "unix:///var/run/datadog/dsd.socket" },
        { "name": "DD_TRACE_AGENT_URL", "value": "unix:///var/run/datadog/apm.socket" }
      ]
    },
    { "op": "remove", "path": "/spec/initContainers/0/restartPolicy" },
    { "op": "add", "path": "/spec/initContainers/0/volumeMounts/-", "value": { "mountPath": "/var/run/datadog", "name": "datadog", "readOnly": true } },
    { "op": "add", "path": "/spec/volumes/-", "value": { "hostPath": { "path": "/var/run/datadog", "type": "DirectoryOrCreate" }, "name": "datadog" } }
  ],
  "patchType": "JSONPatch"
}

bob-bins avatar Jun 27 '25 00:06 bob-bins

It turns out there was another older version of the Datadog Operator installed in the K8s cluster that I was not aware of.

bob-bins avatar Jul 29 '25 15:07 bob-bins