CRE-2025-0059

Datadog CWS Instrumentation webhook registration fails without service accountLow
Impact: 6/10
Mitigation: 2/10

CRE-2025-0059View on GitHub

Datadog CWS Admission Controller webhook Configuration Known Issue

Description

- Datadog Cluster Agent fails to register its CWS (Container Workload Security) instrumentation webhook when running in `remote_copy` mode without a configured service account.

Mitigation

- Set `cluster_agent.service_account_name` in your Helm values or Agent config: ```yaml cluster_agent: service_account_name: datadog-cluster-agent ``` - Redeploy the Datadog Cluster Agent after applying the correct service account. - Verify that the ServiceAccount exists and has the necessary RBAC permissions.

References

https://docs.datadoghq.com/containers/troubleshooting/admission-controller/?tab=helm