Merged
40 changes: 21 additions & 19 deletions content/en/containers/kubernetes/installation.md
Expand Up @@ -155,11 +155,18 @@

### Unprivileged installation

To run an unprivileged installation, add the following `securityContext` to your configuration relative to your desired `<USER_ID>` and `<GROUP ID>`:

- Replace `<USER_ID>` with the UID to run the Datadog Agent. Datadog recommends setting this value to `100` for the preexisting `dd-agent` user [for Datadog Agent v7.48+][26].
- Replace `<GROUP_ID>` with the group ID that owns the Docker or containerd socket.

This sets the `securityContext` at the pod level for the Agent.

{{< tabs >}}
{{% tab "Datadog Operator" %}}
To run an unprivileged installation, add the following to `datadog-agent.yaml`:

{{< highlight yaml "hl_lines=13-18" >}}
{{< highlight yaml "hl_lines=14-19" >}}

Check notice on line 169 in content/en/containers/kubernetes/installation.md

GitHub Actions / vale

Datadog.sentencelength

Suggestion: Try to keep your sentence length to 25 words or fewer.
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
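Review bot: The new intro sentence writes the group placeholder as `<GROUP ID>` (with a space), while the bullets directly below it and both YAML examples use `<GROUP_ID>`. Change it to `<GROUP_ID>` so a reader searching for the placeholder finds every occurrence. The same sentence would read more plainly as "add the following `securityContext` to your configuration, using your `<USER_ID>` and `<GROUP_ID>`" instead of "relative to your desired".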
Expand All @@ -172,18 +179,14 @@
apiSecret:
secretName: datadog-secret
keyName: api-key
agent:
config:
securityContext:
runAsUser: <USER_ID>
supplementalGroups:
- <GROUP_ID>
{{< /highlight >}}

- Replace `<USER_ID>` with the UID to run the Datadog Agent. Datadog recommends [setting this value to 100 since Datadog Agent v7.48+][1].
- Replace `<GROUP_ID>` with the group ID that owns the Docker or containerd socket.

[1]: /data_security/kubernetes/#running-container-as-root-user
override:
nodeAgent:
securityContext:
runAsUser: <USER_ID>
supplementalGroups:
- <GROUP_ID>
{{< /highlight >}}

Then, deploy the Agent:

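Review bot: Missing scope note for the new `override.nodeAgent.securityContext` path: the text above the tabs says this sets the `securityContext` "for the Agent", but the key as written applies to the node Agent only. Suggest saying so in the Operator tab, so readers know whether any other component configured under `override` needs the same `runAsUser` and `supplementalGroups` settings to be unprivileged as well.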
Expand All @@ -195,19 +198,17 @@
{{% tab "Helm" %}}
To run an unprivileged installation, add the following to your `datadog-values.yaml` file:

{{< highlight yaml "hl_lines=4-7" >}}
{{< highlight yaml "hl_lines=5-8" >}}
datadog:
apiKeyExistingSecret: datadog-secret
clusterName: <CLUSTER_NAME>
site: <DATADOG_SITE>
securityContext:
runAsUser: <USER_ID>
supplementalGroups:
- <GROUP_ID>
runAsUser: <USER_ID>
supplementalGroups:
- <GROUP_ID>
{{< /highlight >}}

- Replace `<USER_ID>` with the UID to run the Datadog Agent.
- Replace `<GROUP_ID>` with the group ID that owns the Docker or containerd socket.

Then, deploy the Agent:

```shell
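Review bot: Please confirm in the rendered preview that the re-indented `runAsUser`, `supplementalGroups` and `- <GROUP_ID>` lines nest under `datadog.securityContext`, and that `hl_lines=5-8` covers exactly `securityContext:` through `- <GROUP_ID>`. A reader who copies a mis-nested block ends up with an Agent that does not run as `<USER_ID>`, and nothing in this section tells them how to notice. Consider adding, after "Then, deploy the Agent:", a short step for checking which UID the Agent container actually runs as.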
Expand Down Expand Up @@ -339,3 +340,4 @@
[23]: https://app.datadoghq.com/orchestration/resource/pod
[24]: /infrastructure/containers/orchestrator_explorer
[25]: /infrastructure/containers/kubernetes_resource_utilization
[26]: /data_security/kubernetes/#running-container-as-root-user
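Review bot: The new `[26]` reference targets `#running-container-as-root-user`, but its only visible use wraps the words "for Datadog Agent v7.48+", which does not tell the reader where the link leads. Suggest moving the link onto text that describes the destination, for example the phrase about the preexisting `dd-agent` user. Also confirm the anchor still resolves on `/data_security/kubernetes/`, since the per-tab `[1]` definition that pointed there is removed in this change.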