DataDog · lebauce · Nov 20, 2025 · Dec 4, 2025
@@ -1714,6 +1714,11 @@ type GlobalConfig struct {
 	// Configure the secret backend feature https://docs.datadoghq.com/agent/guide/secrets-management
 	// See also: https://github.com/DataDog/datadog-operator/blob/main/docs/secret_management.md
 	SecretBackend *SecretBackendConfig `json:"secretBackend,omitempty"`
+
+	// UseVSock allows the use of VSock communication between the Agent and containerized workloads.
+	// Default: 'false'
+	// +optional
+	UseVSock *bool `json:"useVSock,omitempty"`
 }
 
 // DatadogCredentials is a generic structure that holds credentials to access Datadog.

@@ -3148,6 +3148,11 @@ spec:
                         UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled.
                         Default: 'false'
                       type: boolean
+                    useVSock:
+                      description: |-
+                        UseVSock allows the use of VSock communication between the Agent and containerized workloads.
+                        Default: 'false'
+                      type: boolean
                   type: object
                 override:
                   additionalProperties:

@@ -3332,6 +3332,10 @@
             "useFIPSAgent": {
               "description": "UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled.\nDefault: 'false'",
               "type": "boolean"
+            },
+            "useVSock": {
+              "description": "UseVSock allows the use of VSock communication between the Agent and containerized workloads.\nDefault: 'false'",
+              "type": "boolean"
             }
           },
           "type": "object"

@@ -3148,6 +3148,11 @@ spec:
                             UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled.
                             Default: 'false'
                           type: boolean
+                        useVSock:
+                          description: |-
+                            UseVSock allows the use of VSock communication between the Agent and containerized workloads.
+                            Default: 'false'
+                          type: boolean
                       type: object
                     override:
                       additionalProperties:

@@ -3336,6 +3336,10 @@
                 "useFIPSAgent": {
                   "description": "UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled.\nDefault: 'false'",
                   "type": "boolean"
+                },
+                "useVSock": {
+                  "description": "UseVSock allows the use of VSock communication between the Agent and containerized workloads.\nDefault: 'false'",
+                  "type": "boolean"
                 }
               },
               "type": "object"

@@ -3148,6 +3148,11 @@ spec:
                         UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled.
                         Default: 'false'
                       type: boolean
+                    useVSock:
+                      description: |-
+                        UseVSock allows the use of VSock communication between the Agent and containerized workloads.
+                        Default: 'false'
+                      type: boolean
                   type: object
                 override:
                   additionalProperties:

@@ -3332,6 +3332,10 @@
             "useFIPSAgent": {
               "description": "UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled.\nDefault: 'false'",
               "type": "boolean"
+            },
+            "useVSock": {
+              "description": "UseVSock allows the use of VSock communication between the Agent and containerized workloads.\nDefault: 'false'",
+              "type": "boolean"
             }
           },
           "type": "object"

@@ -271,6 +271,7 @@ spec:
 | global.site | Is the Datadog intake site Agent data are sent to. Set to 'datadoghq.com' to send data to the US1 site (default). Set to 'datadoghq.eu' to send data to the EU site. Set to 'us3.datadoghq.com' to send data to the US3 site. Set to 'us5.datadoghq.com' to send data to the US5 site. Set to 'ddog-gov.com' to send data to the US1-FED site. Set to 'ap1.datadoghq.com' to send data to the AP1 site. Default: 'datadoghq.com' |
 | global.tags | Contains a list of tags to attach to every metric, event and service check collected. Learn more about tagging: https://docs.datadoghq.com/tagging/ |
 | global.useFIPSAgent | UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled. Default: 'false' |
+| global.useVSock | UseVSock allows the use of VSock communication between the Agent and containerized workloads. Default: 'false' |
 | override | The default configurations of the agents |
 <br>
 

@@ -576,6 +576,9 @@ spec:
 `global.useFIPSAgent`
 : UseFIPSAgent enables the FIPS flavor of the Agent. If 'true', the FIPS proxy will always be disabled. Default: 'false'
 
+`global.useVSock`
+: UseVSock allows the use of VSock communication between the Agent and containerized workloads. Default: 'false'
+
 `override`
 : The default configurations of the agents
 

@@ -57,7 +57,18 @@ func GetVolumeForRmCorechecks() corev1.Volume {
 }
 
 // GetVolumeForAuth return the Volume container authentication information
-func GetVolumeForAuth() corev1.Volume {
+func GetVolumeForAuth(hostPath bool) corev1.Volume {
+	if hostPath {
+		return corev1.Volume{
+			Name: AuthVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: AuthVolumePath,
+				},
+			},
+		}
+	}
+
 	return corev1.Volume{
 		Name: AuthVolumeName,
 		VolumeSource: corev1.VolumeSource{

@@ -16,6 +16,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	apicommon "github.com/DataDog/datadog-operator/api/datadoghq/common"
+	datadoghqv2alpha1 "github.com/DataDog/datadog-operator/api/datadoghq/v2alpha1"
 	apiutils "github.com/DataDog/datadog-operator/api/utils"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/common"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/component"
@@ -28,22 +29,22 @@ import (
 
 // NewDefaultAgentDaemonset return a new default agent DaemonSet
 // TODO: remove instanceName once v2 reconcile is removed
-func NewDefaultAgentDaemonset(dda metav1.Object, edsOptions *ExtendedDaemonsetOptions, agentComponent feature.RequiredComponent, instanceName string) *appsv1.DaemonSet {
+func NewDefaultAgentDaemonset(dda metav1.Object, ddaSpec *datadoghqv2alpha1.DatadogAgentSpec, edsOptions *ExtendedDaemonsetOptions, agentComponent feature.RequiredComponent, instanceName string) *appsv1.DaemonSet {
 	daemonset := NewDaemonset(dda, edsOptions, constants.DefaultAgentResourceSuffix, component.GetAgentName(dda), common.GetAgentVersion(dda), nil, instanceName)
-	podTemplate := NewDefaultAgentPodTemplateSpec(dda, agentComponent, daemonset.GetLabels())
+	podTemplate := NewDefaultAgentPodTemplateSpec(dda, ddaSpec, agentComponent, daemonset.GetLabels())
 	daemonset.Spec.Template = *podTemplate
 	return daemonset
 }
 
 // NewDefaultAgentExtendedDaemonset return a new default agent DaemonSet
-func NewDefaultAgentExtendedDaemonset(dda metav1.Object, edsOptions *ExtendedDaemonsetOptions, agentComponent feature.RequiredComponent) *edsv1alpha1.ExtendedDaemonSet {
+func NewDefaultAgentExtendedDaemonset(dda metav1.Object, ddaSpec *datadoghqv2alpha1.DatadogAgentSpec, edsOptions *ExtendedDaemonsetOptions, agentComponent feature.RequiredComponent) *edsv1alpha1.ExtendedDaemonSet {
 	edsDaemonset := NewExtendedDaemonset(dda, edsOptions, constants.DefaultAgentResourceSuffix, component.GetAgentName(dda), common.GetAgentVersion(dda), nil)
-	edsDaemonset.Spec.Template = *NewDefaultAgentPodTemplateSpec(dda, agentComponent, edsDaemonset.GetLabels())
+	edsDaemonset.Spec.Template = *NewDefaultAgentPodTemplateSpec(dda, ddaSpec, agentComponent, edsDaemonset.GetLabels())
 	return edsDaemonset
 }
 
 // NewDefaultAgentPodTemplateSpec returns a defaulted node agent PodTemplateSpec with a single multi-process container or multiple single-process containers
-func NewDefaultAgentPodTemplateSpec(dda metav1.Object, agentComponent feature.RequiredComponent, labels map[string]string) *corev1.PodTemplateSpec {
+func NewDefaultAgentPodTemplateSpec(dda metav1.Object, ddaSpec *datadoghqv2alpha1.DatadogAgentSpec, agentComponent feature.RequiredComponent, labels map[string]string) *corev1.PodTemplateSpec {
 	requiredContainers := agentComponent.Containers
 
 	var agentContainers []corev1.Container
@@ -66,7 +67,7 @@ func NewDefaultAgentPodTemplateSpec(dda metav1.Object, agentComponent feature.Re
 			ServiceAccountName: getDefaultServiceAccountName(dda),
 			InitContainers:     initContainers(dda, requiredContainers),
 			Containers:         agentContainers,
-			Volumes:            volumesForAgent(dda, requiredContainers),
+			Volumes:            volumesForAgent(dda, ddaSpec, requiredContainers),
 		},
 	}
 }
@@ -448,7 +449,7 @@ func otelAgentContainer(dda metav1.Object) corev1.Container {
 			"--core-config=" + agentCustomConfigVolumePath,
 			"--sync-delay=30s",
 		},
-		Env: commonEnvVars(dda),
+		Env:          commonEnvVars(dda),
 		VolumeMounts: volumeMountsForOtelAgent(),
 		// todo(mackjmr): remove once support for annotations is removed.
 		// the otel-agent feature adds these ports if none are supplied by
@@ -672,10 +673,15 @@ func volumeMountsForInitConfig() []corev1.VolumeMount {
 	}
 }
 
-func volumesForAgent(dda metav1.Object, requiredContainers []apicommon.AgentContainerName) []corev1.Volume {
+func volumesForAgent(dda metav1.Object, ddaSpec *datadoghqv2alpha1.DatadogAgentSpec, requiredContainers []apicommon.AgentContainerName) []corev1.Volume {
+	useVSock := false
+	if ddaSpec != nil && ddaSpec.Global != nil {
+		useVSock = apiutils.BoolValue(ddaSpec.Global.UseVSock)
+	}
+
 	volumes := []corev1.Volume{
 		common.GetVolumeForLogs(),
-		common.GetVolumeForAuth(),
+		common.GetVolumeForAuth(useVSock),
 		common.GetVolumeInstallInfo(dda),
 		common.GetVolumeForChecksd(),
 		common.GetVolumeForConfd(),

@@ -7,6 +7,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	apicommon "github.com/DataDog/datadog-operator/api/datadoghq/common"
+	datadoghqv2alpha1 "github.com/DataDog/datadog-operator/api/datadoghq/v2alpha1"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/common"
 	"github.com/DataDog/datadog-operator/pkg/constants"
 	"github.com/stretchr/testify/assert"
@@ -62,7 +63,7 @@ func TestVolumesForAgent(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			volumes := volumesForAgent(tt.dda, tt.requiredContainers)
+			volumes := volumesForAgent(tt.dda, &datadoghqv2alpha1.DatadogAgentSpec{}, tt.requiredContainers)
 
 			// Check install-info volume
 			var installInfoVolume *corev1.Volume

@@ -71,7 +71,7 @@ func NewDefaultClusterAgentPodTemplateSpec(ddaMeta metav1.Object, ddaSpec *v2alp
 		common.GetVolumeForConfd(),
 		common.GetVolumeForLogs(),
 		common.GetVolumeForCertificates(),
-		common.GetVolumeForAuth(),
+		common.GetVolumeForAuth(false),
 
 		// /tmp is needed because some versions of the DCA (at least until
 		// 1.19.0) write to it.

@@ -22,7 +22,6 @@ import (
 const (
 	testDdaName      = "foo"
 	testDdaNamespace = "bar"
-	agentConfigFile  = "/etc/datadog-agent/datadog.yaml"
 )
 
 func defaultDatadogAgent() *datadoghqv2alpha1.DatadogAgent {

@@ -67,7 +67,7 @@ func (r *Reconciler) reconcileV2Agent(logger logr.Logger, requiredComponents fea
 	if (r.options.ExtendedDaemonsetOptions.Enabled && !r.options.DatadogAgentProfileEnabled) || (r.options.ExtendedDaemonsetOptions.Enabled &&
 		r.options.DatadogAgentProfileEnabled && agentprofile.IsDefaultProfile(profile.Namespace, profile.Name)) {
 		// Start by creating the Default Agent extendeddaemonset
-		eds = componentagent.NewDefaultAgentExtendedDaemonset(dda, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent)
+		eds = componentagent.NewDefaultAgentExtendedDaemonset(dda, &dda.Spec, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent)
 		podManagers = feature.NewPodTemplateManagers(&eds.Spec.Template)
 
 		// Set Global setting on the default extendeddaemonset
@@ -139,7 +139,7 @@ func (r *Reconciler) reconcileV2Agent(logger logr.Logger, requiredComponents fea
 	}
 
 	// Start by creating the Default Agent daemonset
-	daemonset = componentagent.NewDefaultAgentDaemonset(dda, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent, instanceName)
+	daemonset = componentagent.NewDefaultAgentDaemonset(dda, &dda.Spec, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent, instanceName)
 	podManagers = feature.NewPodTemplateManagers(&daemonset.Spec.Template)
 
 	// Check if this operator daemonset should have migration label (after Helm migration completed)

@@ -15,4 +15,5 @@ const (
 	DDRuntimeSecurityConfigActivityDumpEnabled        = "DD_RUNTIME_SECURITY_CONFIG_ACTIVITY_DUMP_ENABLED"
 	DDRuntimeSecurityConfigRemoteConfigurationEnabled = "DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED"
 	DDRuntimeSecurityConfigDirectSendFromSystemProbe  = "DD_RUNTIME_SECURITY_CONFIG_DIRECT_SEND_FROM_SYSTEM_PROBE"
+	DDRuntimeSecurityConfigEventGRPCServer            = "DD_RUNTIME_SECURITY_CONFIG_EVENT_GRPC_SERVER"
 )
@@ -49,6 +49,7 @@ type cwsFeature struct {
 	activityDumpEnabled        bool
 	remoteConfigurationEnabled bool
 	directSendFromSystemProbe  bool
+	useVSock                   bool
 
 	owner  metav1.Object
 	logger logr.Logger
@@ -90,6 +91,9 @@ func (f *cwsFeature) Configure(dda metav1.Object, ddaSpec *v2alpha1.DatadogAgent
 		}
 		f.configMapName = constants.GetConfName(dda, f.customConfig, defaultCWSConf)
 
+		if ddaSpec.Global != nil {
+			f.useVSock = apiutils.BoolValue(ddaSpec.Global.UseVSock)
+		}
 		if cwsConfig.Network != nil {
 			f.networkEnabled = apiutils.BoolValue(cwsConfig.Network.Enabled)
 		}
@@ -206,9 +210,19 @@ func (f *cwsFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provi
 	}
 	managers.EnvVar().AddEnvVarToContainers(containersForEnvVars, enabledEnvVar)
 
+	socketPath := filepath.Join(common.SystemProbeSocketVolumePath, "runtime-security.sock")
+	if f.useVSock {
+		socketPath = "vsock:5020"
+
+		managers.EnvVar().AddEnvVarToContainers(containersForEnvVars, &corev1.EnvVar{
+			Name:  DDRuntimeSecurityConfigEventGRPCServer,
+			Value: "security-agent",
+		})
+	}
+
 	runtimeSocketEnvVar := &corev1.EnvVar{
 		Name:  DDRuntimeSecurityConfigSocket,
-		Value: filepath.Join(common.SystemProbeSocketVolumePath, "runtime-security.sock"),
+		Value: socketPath,
 	}
 	managers.EnvVar().AddEnvVarToContainers(containersForEnvVars, runtimeSocketEnvVar)
 

@@ -126,5 +126,4 @@ func applyNodeAgentResources(manager feature.PodTemplateManagers, ddaSpec *v2alp
 			manager.Volume().AddVolume(&runtimeVol)
 		}
 	}
-
 }
@@ -32,4 +32,6 @@ const (
 	DDKubernetesResourcesLabelsAsTags      = "DD_KUBERNETES_RESOURCES_LABELS_AS_TAGS"
 	DDKubernetesResourcesAnnotationsAsTags = "DD_KUBERNETES_RESOURCES_ANNOTATIONS_AS_TAGS"
 	DDCSIEnabled                           = "DD_CSI_ENABLED"
+	DDVSockAddr                            = "DD_VSOCK_ADDR"
+	DDRemoteAgentRegistryEnabled           = "DD_REMOTE_AGENT_REGISTRY_ENABLED"
 )
@@ -261,6 +261,20 @@ func applyGlobalSettings(logger logr.Logger, manager feature.PodTemplateManagers
 	if !*config.UseFIPSAgent && config.FIPS != nil && apiutils.BoolValue(config.FIPS.Enabled) {
 		applyFIPSConfig(logger, manager, ddaMeta, ddaSpec, resourcesManager)
 	}
+
+	// Enable VSock communication between the Agent and containerized workloads if specified
+	if config.UseVSock != nil && *config.UseVSock {
+		manager.EnvVar().AddEnvVar(&corev1.EnvVar{
+			Name:  DDVSockAddr,
+			Value: "host",
+		})
+
+		// Remote agent doesn't work with vsock yet
+		manager.EnvVar().AddEnvVar(&corev1.EnvVar{
+			Name:  DDRemoteAgentRegistryEnabled,
+			Value: "false",
+		})
+	}
 }
 
 func updateContainerImages(config *v2alpha1.GlobalConfig, podTemplateManager feature.PodTemplateManagers) {

@@ -55,7 +55,7 @@ func (r *Reconciler) reconcileV2Agent(logger logr.Logger, requiredComponents fea
 	// multiple canaries, etc.
 	if r.options.ExtendedDaemonsetOptions.Enabled && !isDDAILabeledWithProfile(ddai) {
 		// Start by creating the Default Agent extendeddaemonset
-		eds = componentagent.NewDefaultAgentExtendedDaemonset(ddai, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent)
+		eds = componentagent.NewDefaultAgentExtendedDaemonset(ddai, &ddai.Spec, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent)
 		podManagers = feature.NewPodTemplateManagers(&eds.Spec.Template)
 
 		// Set Global setting on the default extendeddaemonset
@@ -107,7 +107,7 @@ func (r *Reconciler) reconcileV2Agent(logger logr.Logger, requiredComponents fea
 	}
 
 	// Start by creating the Default Agent daemonset
-	daemonset = componentagent.NewDefaultAgentDaemonset(ddai, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent, component.GetAgentName(ddai))
+	daemonset = componentagent.NewDefaultAgentDaemonset(ddai, &ddai.Spec, &r.options.ExtendedDaemonsetOptions, requiredComponents.Agent, component.GetAgentName(ddai))
 	podManagers = feature.NewPodTemplateManagers(&daemonset.Spec.Template)
 	// Set Global setting on the default daemonset
 	global.ApplyGlobalSettingsNodeAgent(logger, podManagers, ddai.GetObjectMeta(), &ddai.Spec, resourcesManager, singleContainerStrategyEnabled, requiredComponents)
-Original file line number
+Diff line change
@@ Expand Up @@
     			manager.Volume().AddVolume(&runtimeVol)
     		}
     	}
     }