[BUG]: DD_TAGS from Cluster Agent not injected #8250

@BeyondEvil

Tracer Version(s)

3.38.0

Operating system and platform

Linux x64

Instrumentation Mode

SSI

TFM

Net8.0?

Bug Report

It seems when deploying Datadog with the Helm chart and adding the datadog.tags directive, the resulting DD_TAGS environment variable available on the cluster agent is not injected into instrumented workloads.

Helm (only relevant parts):

datadog:
  tags:
    - 'env:dev'
    - 'region:eu-north-1'
    - 'provider:aws'
    - 'collector:datadog'

  apm:
    socketEnabled: false
    portEnabled: true
    instrumentation:
      enabled: true
      targets:
        - name: 'dotnet'
          namespaceSelector:
            matchNames:
              - 'dotnet-dev'
          ddTraceVersions:
            dotnet: 3.38.0 # latest as of this writing

In the Cluster Agent pod, I can see (again, only relevant bits):

        - name: DD_TAGS
          value: '["env:dev","region:eu-north-1","provider:aws","collector:datadog"]'

      image: eu.gcr.io/datadoghq/cluster-agent:7.75.0

And finally, in an instrumented workload:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    internal.apm.datadoghq.com/applied-target: >-
      {"name":"dotnet","namespaceSelector":{"matchNames":["dotnet-dev"]},"ddTraceVersions":{"dotnet":"3.38.0"}}
  labels:
    app: email
    env: dev
    pod-template-hash: 5799b8dd57
    provider: AWS
    region: eu-north-1
    runtime: dotnet
    version: sha-df71385
  name: email-5799b8dd57-czl9q
  namespace: dotnet-dev
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchLabels:
                app: email
            topologyKey: topology.kubernetes.io/zone
          weight: 100
  containers:
    - env:
        - name: DD_INSTRUMENTATION_APPLIED_TARGET
          value: >-
            {"name":"dotnet","namespaceSelector":{"matchNames":["dotnet-dev"]},"ddTraceVersions":{"dotnet":"3.38.0"}}
        - name: DD_RUNTIME_METRICS_ENABLED
          value: 'true'
        - name: DD_TRACE_HEALTH_METRICS_ENABLED
          value: 'true'
        - name: DD_LOGS_INJECTION
          value: 'true'
        - name: DD_TRACE_ENABLED
          value: 'true'
        - name: DD_SERVICE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['app']
        - name: DD_SERVICE_K8S_ENV_SOURCE
          value: labels_as_tags
        - name: DD_ENV
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['env']
        - name: DD_VERSION
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['version']
        - name: DD_INSTRUMENTATION_INSTALL_TYPE
          value: k8s_single_step
        - name: DD_INSTRUMENTATION_INSTALL_ID
          value: a289eaa2-683a-453b-815b-6293950d9639
        - name: DD_INSTRUMENTATION_INSTALL_TIME
          value: '1754571794'
        - name: DD_INTERNAL_POD_UID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.uid
        - name: DD_EXTERNAL_ENV
          value: it-false,cn-email,pu-$(DD_INTERNAL_POD_UID)
        - name: DD_ENTITY_ID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.uid
        - name: DD_AGENT_HOST
          value: datadog.datadog.svc.cluster.local
        - name: ASPNETCORE_URLS
          value: http://0.0.0.0:8080
        - name: LD_PRELOAD
          value: >-
            /opt/datadog-packages/datadog-apm-inject/stable/inject/launcher.preload.so
        - name: DD_INJECT_SENDER_TYPE
          value: k8s
        - name: DD_INJECT_START_TIME
          value: '1772214719'
        - name: DD_INSTRUMENTATION_LANGUAGES_DETECTED
          value: dotnet
        - name: DD_INSTRUMENTATION_LANGUAGE_DETECTION_INJECTION_ENABLED
          value: 'true'
      image: ghcr.io/company/email:sha-df71385
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 5
        httpGet:
          path: /healthz
          port: 8080
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 5
      name: email
      ports:
        - containerPort: 8080
          protocol: TCP
      resources:
        limits:
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 256Mi
      startupProbe:
        failureThreshold: 24
        httpGet:
          path: /healthz
          port: 8080
          scheme: HTTP
        initialDelaySeconds: 30
        periodSeconds: 5
        successThreshold: 1
        timeoutSeconds: 5
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /opt/datadog-packages/datadog-apm-inject
          name: datadog-auto-instrumentation
          subPath: opt/datadog-packages/datadog-apm-inject
        - mountPath: /etc/ld.so.preload
          name: datadog-auto-instrumentation-etc
          readOnly: true
          subPath: ld.so.preload
        - mountPath: /app/appsettings.json
          name: appsettings-volume
          subPath: appsettings.json
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-w4jrd
          readOnly: true
        - mountPath: /opt/datadog/apm/library
          name: datadog-auto-instrumentation
          subPath: opt/datadog/apm/library
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
    - name: ghcr-login
  initContainers:
    - args:
        - >-
          cp -r /opt/datadog-packages/datadog-apm-inject/* /datadog-inject &&
          echo
          /opt/datadog-packages/datadog-apm-inject/stable/inject/launcher.preload.so
          > /datadog-etc/ld.so.preload && echo $(date +%s) >>
          /datadog-inject/c-init-time.datadog-init-apm-inject
      command:
        - /bin/sh
        - '-c'
        - '--'
      env:
        - name: DD_INTERNAL_POD_UID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.uid
        - name: DD_EXTERNAL_ENV
          value: it-true,cn-datadog-init-apm-inject,pu-$(DD_INTERNAL_POD_UID)
        - name: DD_ENTITY_ID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.uid
        - name: DD_AGENT_HOST
          value: datadog.datadog.svc.cluster.local
        - name: DD_INSTRUMENTATION_APPLIED_TARGET
          value: >-
            {"name":"dotnet","namespaceSelector":{"matchNames":["dotnet-dev"]},"ddTraceVersions":{"dotnet":"3.38.0"}}
        - name: DD_RUNTIME_METRICS_ENABLED
          value: 'true'
        - name: DD_TRACE_HEALTH_METRICS_ENABLED
          value: 'true'
        - name: DD_LOGS_INJECTION
          value: 'true'
        - name: DD_TRACE_ENABLED
          value: 'true'
        - name: DD_SERVICE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['app']
        - name: DD_SERVICE_K8S_ENV_SOURCE
          value: labels_as_tags
        - name: DD_ENV
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['env']
        - name: DD_VERSION
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['version']
      image: eu.gcr.io/datadoghq/apm-inject:0
      imagePullPolicy: IfNotPresent
      name: datadog-init-apm-inject
      resources:
        limits:
          cpu: 50m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 256Mi
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /datadog-inject
          name: datadog-auto-instrumentation
          subPath: opt/datadog-packages/datadog-apm-inject
        - mountPath: /datadog-etc
          name: datadog-auto-instrumentation-etc
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-w4jrd
          readOnly: true
    - args:
        - >-
          sh copy-lib.sh /datadog-lib && echo $(date +%s) >>
          /opt/datadog-packages/datadog-apm-inject/c-init-time.datadog-lib-dotnet-init
      command:
        - /bin/sh
        - '-c'
        - '--'
      env:
        - name: DD_INTERNAL_POD_UID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.uid
        - name: DD_EXTERNAL_ENV
          value: it-true,cn-datadog-lib-dotnet-init,pu-$(DD_INTERNAL_POD_UID)
        - name: DD_ENTITY_ID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.uid
        - name: DD_AGENT_HOST
          value: datadog.datadog.svc.cluster.local
        - name: DD_INSTRUMENTATION_APPLIED_TARGET
          value: >-
            {"name":"dotnet","namespaceSelector":{"matchNames":["dotnet-dev"]},"ddTraceVersions":{"dotnet":"3.38.0"}}
        - name: DD_RUNTIME_METRICS_ENABLED
          value: 'true'
        - name: DD_TRACE_HEALTH_METRICS_ENABLED
          value: 'true'
        - name: DD_LOGS_INJECTION
          value: 'true'
        - name: DD_TRACE_ENABLED
          value: 'true'
        - name: DD_SERVICE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['app']
        - name: DD_SERVICE_K8S_ENV_SOURCE
          value: labels_as_tags
        - name: DD_ENV
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['env']
        - name: DD_VERSION
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels['version']
      image: eu.gcr.io/datadoghq/dd-lib-dotnet-init:3.38.0
      imagePullPolicy: IfNotPresent
      name: datadog-lib-dotnet-init
      resources:
        limits:
          cpu: 50m
          memory: 256Mi
        requests:
          cpu: 50m
          memory: 256Mi
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /datadog-lib
          name: datadog-auto-instrumentation
          subPath: opt/datadog/apm/library/dotnet
        - mountPath: /opt/datadog-packages/datadog-apm-inject
          name: datadog-auto-instrumentation
          subPath: opt/datadog-packages/datadog-apm-inject
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-w4jrd
          readOnly: true
  nodeName: ip-10-110-128-81.eu-north-1.compute.internal
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
  topologySpreadConstraints:
    - labelSelector:
        matchLabels:
          app: email
      maxSkew: 1
      topologyKey: topology.kubernetes.io/zone
      whenUnsatisfiable: ScheduleAnyway
  volumes:
    - name: appsettings-volume
      secret:
        defaultMode: 420
        items:
          - key: appsettings.json
            path: appsettings.json
        secretName: email-appsettings
    - name: kube-api-access-w4jrd
      projected:
        defaultMode: 420
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
                - key: ca.crt
                  path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
                - fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
                  path: namespace
    - emptyDir: {}
      name: datadog-auto-instrumentation
    - emptyDir: {}
      name: datadog-auto-instrumentation-etc
status:
  conditions:
    - lastProbeTime: null
      lastTransitionTime: '2026-02-27T17:52:01Z'
      status: 'True'
      type: PodReadyToStartContainers
    - lastProbeTime: null
      lastTransitionTime: '2026-02-27T17:52:03Z'
      status: 'True'
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: '2026-02-27T17:52:35Z'
      status: 'True'
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: '2026-02-27T17:52:35Z'
      status: 'True'
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: '2026-02-27T17:51:59Z'
      status: 'True'
      type: PodScheduled
  containerStatuses:
    - containerID: >-
        containerd://ef935ab592db7e433f7c1f6e1a6a3cfab584627eb4d231717811d83f6cdae693
      image: ghcr.io/company/email:sha-df71385
      imageID: >-
        ghcr.io/company/email@sha256:d7cb533f5683dd3226cd3fc854adee4a6dc3705d8e72b560ec727fb108f69639
      lastState: {}
      name: email
      ready: true
      restartCount: 0
      started: true
      state:
        running:
          startedAt: '2026-02-27T17:52:03Z'
      volumeMounts:
        - mountPath: /opt/datadog-packages/datadog-apm-inject
          name: datadog-auto-instrumentation
        - mountPath: /etc/ld.so.preload
          name: datadog-auto-instrumentation-etc
          readOnly: true
          recursiveReadOnly: Disabled
        - mountPath: /app/appsettings.json
          name: appsettings-volume
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-w4jrd
          readOnly: true
          recursiveReadOnly: Disabled
        - mountPath: /opt/datadog/apm/library
          name: datadog-auto-instrumentation
  hostIP: 10.110.128.81
  hostIPs:
    - ip: 10.110.128.81
  initContainerStatuses:
    - containerID: >-
        containerd://c75834bba1c10edf621f54fa3b4ca7e8d3091fcadf1ebc7e1d8b39b96aff5485
      image: eu.gcr.io/datadoghq/apm-inject:0
      imageID: >-
        eu.gcr.io/datadoghq/apm-inject@sha256:b5677a7a55b085612dced5f1930843abb48227fbc93d37c873ee7e6d80b86fa0
      lastState: {}
      name: datadog-init-apm-inject
      ready: true
      restartCount: 0
      started: false
      state:
        terminated:
          containerID: >-
            containerd://c75834bba1c10edf621f54fa3b4ca7e8d3091fcadf1ebc7e1d8b39b96aff5485
          exitCode: 0
          finishedAt: '2026-02-27T17:52:00Z'
          reason: Completed
          startedAt: '2026-02-27T17:52:00Z'
      volumeMounts:
        - mountPath: /datadog-inject
          name: datadog-auto-instrumentation
        - mountPath: /datadog-etc
          name: datadog-auto-instrumentation-etc
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-w4jrd
          readOnly: true
          recursiveReadOnly: Disabled
    - containerID: >-
        containerd://2c160edffcab681ef963fb12064eebfb456a18ed0efd5718dd53f00f27afcca4
      image: eu.gcr.io/datadoghq/dd-lib-dotnet-init:3.38.0
      imageID: >-
        eu.gcr.io/datadoghq/dd-lib-dotnet-init@sha256:cb381708166b42419f14ee4e79da55515e09021a5ebde5f295838b87c5df84ad
      lastState: {}
      name: datadog-lib-dotnet-init
      ready: true
      restartCount: 0
      started: false
      state:
        terminated:
          containerID: >-
            containerd://2c160edffcab681ef963fb12064eebfb456a18ed0efd5718dd53f00f27afcca4
          exitCode: 0
          finishedAt: '2026-02-27T17:52:02Z'
          reason: Completed
          startedAt: '2026-02-27T17:52:01Z'
      volumeMounts:
        - mountPath: /datadog-lib
          name: datadog-auto-instrumentation
        - mountPath: /opt/datadog-packages/datadog-apm-inject
          name: datadog-auto-instrumentation
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-w4jrd
          readOnly: true
          recursiveReadOnly: Disabled
  phase: Running
  podIP: 10.110.128.42
  podIPs:
    - ip: 10.110.128.42
  qosClass: Burstable
  startTime: '2026-02-27T17:51:59Z'

No DD_TAGS and they (the tags) are not available in Datadog either.

According to documentation here: https://docs.datadoghq.com/tracing/trace_collection/single-step-apm/kubernetes/?tab=agentv764recommended#configure-usts-explicitly-with-ddtraceconfigs

DD_ENV inherited from cluster-level tags above

Leads me to believe that all tags under the datadog.tags attribute should be inherited.

Reproduction Code

No response
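
An added example, not part of the original issue and not Datadog code: a check that compares the Cluster Agent's `DD_TAGS` with the tags each workload container would get from its own environment, resolving label-based `fieldRef` entries the way the pod above uses them. The function names, the `kubectl get pod -o json` input shape, and the acceptance of both JSON-array and comma/space-separated `DD_TAGS` values are assumptions of this example.

```python
import json
import re

# Unified service tagging variables and the tag key each one sets.
UST_ENV_TO_TAG = {"DD_ENV": "env", "DD_SERVICE": "service", "DD_VERSION": "version"}
LABEL_REF = re.compile(r"^metadata\.labels\['([^']+)'\]$")

def parse_dd_tags(raw):
    """Assumption: value is a JSON array (as on the Cluster Agent) or a comma/space list."""
    raw = raw.strip()
    items = json.loads(raw) if raw.startswith("[") else re.split(r"[,\s]+", raw)
    return {t for t in items if t}

def resolve_env(entry, pod):
    """Literal value of one env entry; only label fieldRefs are resolved, others give None."""
    if "value" in entry:
        return entry["value"]
    path = entry.get("valueFrom", {}).get("fieldRef", {}).get("fieldPath", "")
    m = LABEL_REF.match(path)
    return pod["metadata"].get("labels", {}).get(m.group(1)) if m else None

def missing_tags(cluster_dd_tags, pod):
    """Map container name -> sorted Cluster Agent tags absent from that container's env."""
    wanted = parse_dd_tags(cluster_dd_tags)
    report = {}
    for c in pod["spec"].get("containers", []):
        seen = set()
        for entry in c.get("env", []):
            value = resolve_env(entry, pod)
            if value is None:
                continue
            if entry["name"] == "DD_TAGS":
                seen |= parse_dd_tags(value)
            elif entry["name"] in UST_ENV_TO_TAG:
                seen.add(f"{UST_ENV_TO_TAG[entry['name']]}:{value}")
        report[c["name"]] = sorted(wanted - seen)
    return report

# Constructed sample, trimmed from the values shown in the issue.
CLUSTER_DD_TAGS = '["env:dev","region:eu-north-1","provider:aws","collector:datadog"]'
POD = {
    "metadata": {"labels": {"app": "email", "env": "dev", "version": "sha-df71385"}},
    "spec": {"containers": [{"name": "email", "env": [
        {"name": "DD_ENV", "valueFrom": {"fieldRef": {"fieldPath": "metadata.labels['env']"}}},
    ]}]},
}

if __name__ == "__main__":
    print(missing_tags(CLUSTER_DD_TAGS, POD))
```

For the sample, `env:dev` is covered through `DD_ENV`, while the other three cluster-level tags are reported as missing.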
