CRE-2025-0059

Datadog CWS Instrumentation webhook registration fails without service accountLow
Impact: 6/10
Mitigation: 2/10

CRE-2025-0059View on GitHub

Datadog CWS Admission Controller webhook Configuration Known Issue

Description

- Datadog Cluster Agent fails to register its CWS (Container Workload Security) instrumentation webhook when running in `remote_copy` mode without a configured service account.\n

Mitigation

- Set `cluster_agent.service_account_name` in your Helm values or Agent config:\n ```yaml\n cluster_agent:\n service_account_name: datadog-cluster-agent\n ```\n- Redeploy the Datadog Cluster Agent after applying the correct service account.\n- Verify that the ServiceAccount exists and has the necessary RBAC permissions.\n

References

https://docs.datadoghq.com/containers/troubleshooting/admission-controller/?tab=helm