DataDog · gh-worker-dd-mergequeue-cf854d · Jun 5, 2026 · May 19, 2026 · Jun 1, 2026 · Jun 4, 2026
@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.220.0
+
+* [Host Profiler] Remove seccomp configmap and use profile baked into image ([#2698](https://github.com/DataDog/helm-charts/pull/2698)).
+
 ## 3.219.0
 
 * Update `datadog-csi-driver` chart dependency from `0.13.0` to `0.15.0`:

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.219.0
+version: 3.220.0
 appVersion: "7"
 description: Datadog Agent
 keywords:

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.219.0](https://img.shields.io/badge/Version-3.219.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.220.0](https://img.shields.io/badge/Version-3.220.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 > [!WARNING]
 > The Datadog Operator is now enabled by default since version [3.157.0](https://github.com/DataDog/helm-charts/blob/main/charts/datadog/CHANGELOG.md#31570) to collect chart metadata for display in [Fleet Automation](https://docs.datadoghq.com/agent/fleet_automation/). We are aware of issues affecting some environments and are actively working on fixes. We apologize for the inconvenience and appreciate your patience while we address these issues.
@@ -497,7 +497,7 @@ helm install <RELEASE_NAME> \
 | agents.containers.hostProfiler.envDict | object | `{}` | Set environment variables specific to host-profiler defined in a dict |
 | agents.containers.hostProfiler.envFrom | list | `[]` | Set environment variables specific to host-profiler from configMaps and/or secrets |
 | agents.containers.hostProfiler.resources | object | `{}` | Resource requests and limits for the host-profiler container |
-| agents.containers.hostProfiler.securityContext | object | `{"capabilities":{"add":["BPF","PERFMON","SYS_PTRACE","SYS_RESOURCE","DAC_READ_SEARCH","SYSLOG","CHECKPOINT_RESTORE"]},"privileged":false,"readOnlyRootFilesystem":true}` | Allows you to overwrite the default container SecurityContext for the host-profiler container. |
+| agents.containers.hostProfiler.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["BPF","PERFMON","SYS_PTRACE","SYS_RESOURCE","DAC_READ_SEARCH","SYSLOG","CHECKPOINT_RESTORE","IPC_LOCK"],"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true}` | Allows you to overwrite the default container SecurityContext for the host-profiler container. |
 | agents.containers.hostProfiler.volumeMounts | list | `[]` | Specify additional volumes to mount in the host-profiler container |
 | agents.containers.initContainers.resources | object | `{}` | Resource requests and limits for the init containers |
 | agents.containers.initContainers.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the init containers. |
@@ -571,7 +571,7 @@ helm install <RELEASE_NAME> \
 | agents.podSecurity.podSecurityPolicy.create | bool | `false` | If true, create a PodSecurityPolicy resource for Agent pods |
 | agents.podSecurity.privileged | bool | `false` | If true, Allow to run privileged containers |
 | agents.podSecurity.seLinuxContext | object | Must run as spc_t | Provide seLinuxContext configuration for PSP/SCC |
-| agents.podSecurity.seccompProfiles | list | `["runtime/default","localhost/system-probe","localhost/host-profiler"]` | Allowed seccomp profiles |
+| agents.podSecurity.seccompProfiles | list | `["runtime/default","localhost/system-probe"]` | Allowed seccomp profiles |
 | agents.podSecurity.securityContextConstraints.create | bool | `false` | If true, create a SecurityContextConstraints resource for Agent pods |
 | agents.podSecurity.volumes | list | `["configMap","downwardAPI","emptyDir","hostPath","secret"]` | Allowed volumes types |
 | agents.priorityClassCreate | bool | `false` | Creates a priorityClass for the Datadog Agent's Daemonset pods. |
@@ -846,7 +846,7 @@ helm install <RELEASE_NAME> \
 | datadog.hostProfiler.apparmor | string | `"unconfined"` | Specify an AppArmor profile for the host-profiler container (e.g. "localhost/datadog-host-profiler"). # Only used when agents.podSecurity.apparmor.enabled is true. |
 | datadog.hostProfiler.enabled | bool | `false` | Enable the Host Profiler. This feature is experimental and subject to change. |
 | datadog.hostProfiler.image | string | `""` | Image the Host Profiler. This parameter is experimental and will be removed once official image is available. |
-| datadog.hostProfiler.seccomp | string | `"localhost/host-profiler"` | Apply a seccomp profile to the host-profiler container (e.g. "localhost/host-profiler" or "runtime/default") |
+| datadog.hostProfiler.imagePullPolicy | string | `""` | Pull policy for the Host Profiler image. Defaults to agents.image.pullPolicy when unset. |
 | datadog.hostProfiler.seccompRoot | string | `"/var/lib/kubelet/seccomp"` | Specify the seccomp profile root directory |
 | datadog.hostVolumeMountPropagation | string | `"None"` | Allow to specify the `mountPropagation` value on all volumeMounts using HostPath |
 | datadog.ignoreAutoConfig | list | `[]` | List of integration to ignore auto_conf.yaml. |

@@ -1,15 +1,15 @@
 {{- define "container-host-profiler" -}}
 - name: host-profiler
   image: "{{ include "ddot-ebpf-image" . }}"
-  imagePullPolicy: {{ .Values.agents.image.pullPolicy }}
+  imagePullPolicy: {{ .Values.datadog.hostProfiler.imagePullPolicy | default .Values.agents.image.pullPolicy }}
   {{- if .Values.agents.lifecycle }}
   lifecycle:
 {{ toYaml .Values.agents.lifecycle | indent 4 }}
   {{- end }}
   command:
     - "host-profiler"
     - "--core-config={{ template "datadog.confPath" .  }}/datadog.yaml"
-{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.hostProfiler.securityContext "targetSystem" .Values.targetSystem "seccomp" .Values.datadog.hostProfiler.seccomp "kubeversion" .Capabilities.KubeVersion.Version "apparmor" (and .Values.agents.podSecurity.apparmor.enabled .Values.datadog.hostProfiler.apparmor)) | nindent 2 }}
+{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.hostProfiler.securityContext "targetSystem" .Values.targetSystem "seccomp" (printf "localhost/%s" (include "host-profiler-seccomp-name" .)) "kubeversion" .Capabilities.KubeVersion.Version "apparmor" (and .Values.agents.podSecurity.apparmor.enabled .Values.datadog.hostProfiler.apparmor)) | nindent 2 }}
   resources:
 {{ toYaml .Values.agents.containers.hostProfiler.resources | indent 4 }}
 {{- if or .Values.datadog.envFrom .Values.agents.containers.hostProfiler.envFrom }}

@@ -76,10 +76,7 @@
     type: DirectoryOrCreate
   name: apmsocket
 {{- end }}
-{{- if and (eq (include "should-enable-host-profiler" .) "true") (eq .Values.datadog.hostProfiler.seccomp "localhost/host-profiler") }}
-- name: host-profiler-security
-  configMap:
-    name: {{ template "datadog.fullname" . }}-host-profiler-security
+{{- if eq (include "should-enable-host-profiler" .) "true" }}
 - hostPath:
     path: {{ .Values.datadog.hostProfiler.seccompRoot }}
   name: host-profiler-seccomp-root

@@ -259,6 +259,14 @@ false
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the seccomp profile filename for the host-profiler, scoped to the image ref
+to avoid races when multiple host-profiler versions coexist on the same node.
+*/}}
+{{- define "host-profiler-seccomp-name" -}}
+host-profiler-{{ include "ddot-ebpf-image" . | sha256sum | trunc 8 }}
+{{- end -}}
+
 {{/*
 Return true if Agent Data Plane needs to be deployed
 

@@ -1,16 +1,13 @@
 {{- define "host-profiler-seccomp-init" -}}
 - name: host-profiler-seccomp-setup
 {{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.initContainers.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | indent 2 }}
-  image: "{{ include "image-path" (dict "root" .Values "image" .Values.agents.image) }}"
-  imagePullPolicy: {{ .Values.agents.image.pullPolicy }}
+  image: "{{ include "ddot-ebpf-image" . }}"
+  imagePullPolicy: {{ .Values.datadog.hostProfiler.imagePullPolicy | default .Values.agents.image.pullPolicy }}
   command:
   - cp
-  - /etc/config/host-profiler-seccomp.json
-  - /host{{ .Values.datadog.hostProfiler.seccompRoot }}/host-profiler
+  - /etc/dd-host-profiler/seccomp.json
+  - /host{{ .Values.datadog.hostProfiler.seccompRoot }}/{{ include "host-profiler-seccomp-name" . }}
   volumeMounts:
-  - name: host-profiler-security
-    mountPath: /etc/config
-    readOnly: true
   - name: host-profiler-seccomp-root
     mountPath: /host{{ .Values.datadog.hostProfiler.seccompRoot }}
     mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}

@@ -29,6 +29,9 @@ seLinuxContext:
 # system-probe requires some specific seccomp and capabilities
 seccompProfiles:
 {{ toYaml .Values.agents.podSecurity.seccompProfiles | indent 2 }}
+{{- if eq (include "should-enable-host-profiler" .) "true" }}
+  - "localhost/{{ include "host-profiler-seccomp-name" . }}"
+{{- end }}
 allowedCapabilities:
 {{ toYaml .Values.agents.podSecurity.capabilities | indent 2 }}
 #

@@ -182,7 +182,7 @@ spec:
         {{- if eq .Values.targetSystem "linux" }}
           {{- include "containers-init-linux" . | nindent 6 -}}
         {{- end }}
-        {{- if and (eq (include "should-enable-host-profiler" .) "true") (eq .Values.datadog.hostProfiler.seccomp "localhost/host-profiler") }}
+        {{- if eq (include "should-enable-host-profiler" .) "true" }}
           {{ include "host-profiler-seccomp-init" . | nindent 6 }}
         {{- end }}
         {{- if and (eq (include "should-enable-system-probe" .) "true")  (eq .Values.datadog.systemProbe.seccomp "localhost/system-probe") }}

@@ -809,8 +809,8 @@ datadog:
     enabled: false
     # datadog.hostProfiler.image -- Image the Host Profiler. This parameter is experimental and will be removed once official image is available.
     image: ""
-    # datadog.hostProfiler.seccomp -- Apply a seccomp profile to the host-profiler container (e.g. "localhost/host-profiler" or "runtime/default")
-    seccomp: localhost/host-profiler
+    # datadog.hostProfiler.imagePullPolicy -- Pull policy for the Host Profiler image. Defaults to agents.image.pullPolicy when unset.
+    imagePullPolicy: ""
     # datadog.hostProfiler.seccompRoot -- Specify the seccomp profile root directory
     seccompRoot: /var/lib/kubelet/seccomp
     # datadog.hostProfiler.apparmor -- Specify an AppArmor profile for the host-profiler container (e.g. "localhost/datadog-host-profiler").
@@ -2225,7 +2225,6 @@ agents:
     seccompProfiles:
       - "runtime/default"
       - "localhost/system-probe"
-      - "localhost/host-profiler"
 
     apparmor:
       # agents.podSecurity.apparmor.enabled -- If true, enable apparmor enforcement
@@ -2434,8 +2433,11 @@ agents:
       # agents.containers.hostProfiler.securityContext -- Allows you to overwrite the default container SecurityContext for the host-profiler container.
       securityContext:
         readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
         privileged: false
         capabilities:
+          drop:
+            - ALL
           add:
             - BPF
             - PERFMON
@@ -2444,6 +2446,7 @@ agents:
             - DAC_READ_SEARCH
             - SYSLOG
             - CHECKPOINT_RESTORE
+            - IPC_LOCK
 
       # agents.containers.hostProfiler.volumeMounts -- Specify additional volumes to mount in the host-profiler container
       volumeMounts: []