diff --git a/content/en/containers/kubernetes/distributions.md b/content/en/containers/kubernetes/distributions.md index 9aee8d749c073..f002c44f70f19 100644 --- a/content/en/containers/kubernetes/distributions.md +++ b/content/en/containers/kubernetes/distributions.md @@ -74,7 +74,8 @@ spec: ## Azure Kubernetes Service (AKS) {#AKS} -AKS requires a specific configuration for the `Kubelet` integration due to how AKS has set up the SSL Certificates. Additionally, the optional [Admission Controller][1] feature requires a specific configuration to prevent an error when reconciling the webhook. +### Admission Controller +The optional [Admission Controller][1] feature requires a specific configuration to prevent an error when reconciling the webhook. {{< tabs >}} {{% tab "Datadog Operator" %}} @@ -93,12 +94,6 @@ spec: credentials: apiKey: appKey: - kubelet: - host: - valueFrom: - fieldRef: - fieldPath: spec.nodeName - hostCAPath: /etc/kubernetes/certs/kubeletserver.crt override: clusterAgent: containers: @@ -116,6 +111,72 @@ Replace `` with your [Datadog site][1]. Your site is {{< region-pa Custom `datadog-values.yaml`: +```yaml +datadog: + clusterName: + apiKey: + appKey: + +providers: + aks: + enabled: true +``` + +The `providers.aks.enabled` option sets the necessary environment variable `DD_ADMISSION_CONTROLLER_ADD_AKS_SELECTORS="true"` for you. + +{{% /tab %}} +{{< /tabs >}} + +### Kubelet serving certificate rotation +If your cluster, **does not** have [Kubelet serving certificate rotation][13] enabled, you must provide additional configuration to enable the Datadog Agent to connect to the Kubelet. Kubelet serving certificate rotation is enabled in Kubernetes clusters 1.27 and above on node pools updated after July 2025. + +Your nodes have this feature enabled if they have the label `kubernetes.azure.com/kubelet-serving-ca=cluster`. Verify if all of your nodes have this label by running: + +```shell +kubectl get nodes -L kubernetes.azure.com/kubelet-serving-ca +``` + +Ensure that all your nodes show `cluster`. + +#### Without Kubelet serving certificate rotation + +If Kubelet serving certificate rotation is not enabled, provide the following additional Kubelet configuration: + +{{< tabs >}} +{{% tab "Datadog Operator" %}} + +DatadogAgent Kubernetes Resource: + +```yaml +kind: DatadogAgent +apiVersion: datadoghq.com/v2alpha1 +metadata: + name: datadog +spec: + global: + clusterName: + site: + credentials: + apiKey: + appKey: + kubelet: + host: + fieldRef: + fieldPath: spec.nodeName + hostCAPath: /etc/kubernetes/certs/kubeletserver.crt + override: + clusterAgent: + containers: + cluster-agent: + env: + - name: DD_ADMISSION_CONTROLLER_ADD_AKS_SELECTORS + value: "true" +``` +{{% /tab %}} +{{% tab "Helm" %}} + +Custom `datadog-values.yaml`: + ```yaml datadog: clusterName: @@ -132,14 +193,21 @@ providers: aks: enabled: true ``` +{{% /tab %}} +{{< /tabs >}} -The `providers.aks.enabled` option sets the necessary environment variable `DD_ADMISSION_CONTROLLER_ADD_AKS_SELECTORS="true"` for you. +In these AKS node versions, the AKS Kubelet certificate requires changing the Kubelet host to the `spec.nodeName` and the `hostCAPath` location of the certificate, as seen in the previous snippets. This enables TLS verification. Without these changes, the Agent cannot connect to the Kubelet. -{{% /tab %}} +
After Kubelet serving certificate rotation is enabled in your cluster, remove this configuration.
-{{< /tabs >}} +When you upgrade your AKS cluster, you may see the Kubelet serving certificate rotation feature enabled for you automatically, which can negatively impact your Datadog Agent if you are using the above special configuration to reference the certificate `/etc/kubernetes/certs/kubeletserver.crt`. When Kubelet serving certificate rotation is enabled, this certificate is removed, causing: + +- In Datadog Operator: The Agent container shuts down in `Error`, as it cannot connect to the Kubelet, and it logs `Error while getting hostname, exiting: unable to reliably determine the host name` +- In Helm: The Agent pod fails to start with the warning event `MountVolume.SetUp failed for volume "kubelet-ca" : hostPath type check failed: /etc/kubernetes/certs/kubeletserver.crt is not a file` + +In these cases, remove the additional Kubelet configurations. -The AKS Kubelet certificate requires changing the Kubelet host to the `spec.nodeName` and the `hostCAPath` location of the certificate, as seen in the previous snippets. This enables TLS verification. Without these changes, the Agent cannot connect to the Kubelet. +As an alternative, you can also [connect to the Kubelet without TLS verification](#without-tls-verification). ### Without TLS verification @@ -607,3 +675,4 @@ agents: [10]: https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods [11]: https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-compute-classes [12]: https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port +[13]: https://learn.microsoft.com/en-us/azure/aks/certificate-rotation#kubelet-serving-certificate-rotation