Agent

Released on: 2026-06-17

Please refer to the 7.80.2 tag on integrations-core for the list of changes on the Core Checks

Compliance: CIS Docker rules (scope: docker) are no longer evaluated on Kubernetes nodes where the kubelet's CRI runtime is not Docker (e.g. containerd, CRI-O), avoiding false positives on GKE Container-Optimized OS which ships dockerd alongside containerd. The runtime is read from the kubelet's --container-runtime-endpoint flag or the containerRuntimeEndpoint field of its --config YAML; if it cannot be determined the rules continue to evaluate.

Fixed a confused-deputy vulnerability in the Cluster Agent's AppSec ingress-nginx admission mutator where the pod's --configmap=<namespace>/<name> argument was trusted verbatim, allowing a user with pod-create permission in one namespace to make the Cluster Agent service account create or update ConfigMaps and add labels and annotations in arbitrary namespaces. The mutator now requires the <namespace> portion to match the pod's own namespace (or use the $(POD_NAMESPACE) downward-API substitution) and skips mutation otherwise, emitting a warning event on the pod. The vulnerability affected Cluster Agent releases starting from 7.78.0.

Fix an issue where container log collection could stop for an individual container without recovering and without any error in the Agent logs. When a container's log stream was idle longer than logs_config.docker_client_read_timeout, the read timeout could cause the underlying Docker connection to close in a way that the tailer treated as a permanent shutdown, silently stopping log collection for that container until it was recreated or the Agent was restarted. The tailer now reconnects in this case, and only stops when the Agent is intentionally shutting down. Low-volume containers (for example, services that log only periodically) were the most affected.
OTel Agent: Disable v3 series API shadow sampling, which is incompatible with the zlib compression the OTel Agent forces for the metrics intake.

Datadog Cluster Agent

Released on: 2026-06-17 Pinned to datadog-agent v7.80.2: CHANGELOG.

Fixed an issue where the admission controller connectivity probe webhook did not include the AKS selector requirements when admission_controller.add_aks_selectors was enabled, which could cause repeated webhook reconciliation conflicts on AKS.