Datadog Agent Security

Why the Agent Runs as Root

To monitor applications running on a Kubernetes node, the Datadog Agent needs access to host-level resources that are only accessible to the root user by default. These include:

  • Pod log files

  • The kubelet API

  • The container runtime socket

  • Host-mounted files and various pieces of node metadata

Without that access, the Agent cannot collect the corresponding signals (container logs, pod and container metadata, node-level metrics), and what it reports is incomplete.

Security benchmarks such as the CIS Docker and Kubernetes Benchmarks flag containers that run as root as a risk. However, those benchmarks are written for general-purpose application workloads.

Observability and security agents legitimately require elevated permissions to perform their function. This is a common tradeoff across monitoring and node-level tools on most Kubernetes distributions, and the usual practice is to record the Agent as a documented exception to the benchmark check rather than to weaken the check for every workload.

Running the Agent as Non-Root

In some environments, it is possible to run the Agent as a non-root user, but only if you modify the host configuration (kubelet, container runtime, file ownership and permissions, and so on) so that a non-root user can reach those resources.

These approaches are feasible when you fully control the node configuration, but they are generally not possible in managed Kubernetes services such as EKS, GKE, or AKS, where the provider owns the node image, kubelet, and runtime configuration.
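As an added example (not Datadog's code and not part of the original page), the following Python pre-flight audit takes the uid and gid a non-root Agent would run as, plus the host paths it needs, and decides from the POSIX permission bits which of those resources that identity could read and which host-side change would be needed. The uid/gid, the paths in DEFAULT_HOST_PATHS and the suggested chgrp/chmod commands are assumptions for illustration; the exact resources depend on your container runtime and distribution, and the kubelet API, being a network endpoint with its own authentication, is outside what a file-permission check can tell you.

```python
"""Pre-flight audit: which host resources could a non-root Agent identity reach?

Added example; the paths below are hypothetical and must be adjusted for your node.
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class AccessResult:
    path: str
    accessible: bool
    reason: str
    fix: str  # suggested host-side change; empty when nothing is needed


def _bits_for(st: os.stat_result, uid: int, gids: frozenset) -> tuple:
    """Return the (read, write, execute) bits that apply to uid/gids for this inode,
    using POSIX class selection: owner first, then group, then other."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR), bool(mode & stat.S_IWUSR), bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP), bool(mode & stat.S_IWGRP), bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IROTH), bool(mode & stat.S_IWOTH), bool(mode & stat.S_IXOTH)


def _first_blocking_parent(path: str, uid: int, gids: frozenset):
    """Walk from the immediate parent up to '/', returning the first directory the
    identity cannot search (no execute bit), or None if the whole chain is traversable."""
    cur = os.path.dirname(os.path.abspath(path))
    while True:
        _, _, x = _bits_for(os.stat(cur), uid, gids)
        if not x:
            return cur
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            return None
        cur = parent


def audit_path(path: str, uid: int, gid: int, extra_gids=(), check_parents: bool = True) -> AccessResult:
    """Decide from mode bits alone (no actual open()) whether uid/gid could use `path`.
    Evaluating bits rather than trying access keeps the result the same no matter who runs the audit."""
    gids = frozenset((gid, *extra_gids))
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return AccessResult(path, False, "does not exist on this host", "")
    if check_parents:
        blocked = _first_blocking_parent(path, uid, gids)
        if blocked:
            return AccessResult(path, False, f"no search (x) permission on parent {blocked}",
                                f"chmod o+x {blocked}")
    r, w, x = _bits_for(st, uid, gids)
    if stat.S_ISSOCK(st.st_mode):
        # Talking to a runtime over its Unix socket needs both read and write.
        if r and w:
            return AccessResult(path, True, "socket is readable and writable", "")
        return AccessResult(path, False, "socket needs read+write",
                            f"chgrp {gid} {path} && chmod g+rw {path}")
    if stat.S_ISDIR(st.st_mode):
        # Listing a log directory needs read; descending into it needs execute (search).
        if r and x:
            return AccessResult(path, True, "directory is listable and searchable", "")
        return AccessResult(path, False, "directory needs read+execute",
                            f"chgrp -R {gid} {path} && chmod -R g+rX {path}")
    if r:
        return AccessResult(path, True, "file is readable", "")
    return AccessResult(path, False, "file needs read", f"chgrp {gid} {path} && chmod g+r {path}")


def audit_nonroot_agent(uid: int, gid: int, paths, extra_gids=(), check_parents: bool = True) -> dict:
    """Run audit_path over every required host resource, keyed by path."""
    return {p: audit_path(p, uid, gid, extra_gids, check_parents) for p in paths}


# Hypothetical host paths a node agent typically needs (assumption; adjust for your runtime).
DEFAULT_HOST_PATHS = (
    "/var/log/pods",                    # pod log files written by the kubelet
    "/var/log/containers",              # symlinks the kubelet keeps for per-container logs
    "/run/containerd/containerd.sock",  # container runtime socket
)

if __name__ == "__main__":
    # 65534 (nobody) is used here only as an example of an unprivileged identity.
    for p, res in audit_nonroot_agent(65534, 65534, DEFAULT_HOST_PATHS).items():
        status = "OK  " if res.accessible else "FAIL"
        print(f"{status} {p}: {res.reason}" + (f"  -> {res.fix}" if res.fix else ""))
```

The suggested commands are the one-shot file-permission changes the text refers to, and they illustrate why the approach needs real control of the node: the kubelet recreates log directories and the runtime recreates its socket with their configured ownership, so a manual chgrp does not survive. The durable version of the same change is to configure the components themselves, for example containerd's `[grpc] gid` setting for the socket group, which is exactly the kind of host configuration a managed service does not expose.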