Skip to main content

CRE-2025-0059

Datadog CWS Instrumentation webhook registration fails without service accountLow
Impact: 6/10
Mitigation: 2/10

CRE-2025-0059View on GitHub

Datadog CWS Admission Controller webhook Configuration Known Issue

Description

Datadog Cluster Agent fails to register its CWS (Container Workload Security) instrumentation webhook when running in `remote_copy` mode without a configured service account.

Cause

The `cluster_agent.service_account_name` configuration is missing.
In `remote_copy` mode, the Cluster Agent requires a Kubernetes ServiceAccount to manage its admission webhooks.

Mitigation

Set `cluster_agent.service_account_name` in your Helm values or Agent config:

  cluster_agent:    service_account_name: datadog-cluster-agent

Redeploy the Datadog Cluster Agent after applying the correct service account.
Verify that the ServiceAccount exists and has the necessary RBAC permissions.

References

https://docs.datadoghq.com/containers/troubleshooting/admission-controller/?tab=helm