This page shows you how to run privileged open-source workloads on Google Kubernetes Engine (GKE) Autopilot. It is for platform engineers who want to run specific open source applications on Autopilot nodes.
About allowlists for privileged Autopilot workloads
By default, GKE Autopilot enforces security constraints that reject workloads that need elevated privileges in the cluster. For example, you can't, by default, run a Pod that enables privileged mode or adds the NET_RAW Linux capability.
You can optionally run a specific set of privileged workloads from Autopilot partners and from certain open source projects in Autopilot mode.
To deploy privileged open source workloads in Autopilot mode, you do the following:
- Install an allowlist for the workload by deploying an AllowlistSynchronizer object. The AllowlistSynchronizer installs the allowlist as a WorkloadAllowlist object and manages its lifecycle. For instructions, see Run privileged workloads from GKE Autopilot partners.
- Deploy the privileged open source workload in your cluster by following the installation steps in the project's documentation.
Privileged open source workloads with Autopilot support
The following table describes the privileged open source workloads that you can run on Autopilot. To enable a workload, create an AllowlistSynchronizer resource with the path to the allowlist file for that workload in the allowlistPaths field.
Privileged open source workloads for Autopilot

| Allowlist path (allowlistPaths value) |
|---|
| Grafana/alloy/* |
| Grafana/beyla/* |
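The following shell script is an added example and is not part of the GKE documentation or of the Grafana projects. It renders an AllowlistSynchronizer manifest for the allowlist paths you pass in (one path per project, so a synchronizer grants only the privileges the workloads you actually deploy need), and optionally applies it and lists the WorkloadAllowlist objects that result. The apiVersion `auto.gke.io/v1` and the resource names `allowlistsynchronizers` and `workloadallowlists` are assumptions; confirm them against your cluster with `kubectl api-resources`.

```shell
#!/bin/sh
# Added example, not from the GKE docs. Renders an AllowlistSynchronizer
# manifest and (optionally) applies it, then shows the WorkloadAllowlist
# objects the synchronizer installed.
# ASSUMPTIONS to verify on your cluster:
#   - apiVersion "auto.gke.io/v1" for AllowlistSynchronizer
#   - resource names "allowlistsynchronizers" and "workloadallowlists"

# render_allowlist_synchronizer NAME PATH [PATH...]
# Writes the manifest to stdout. Keep one synchronizer per project so that
# removing a workload later means deleting exactly one object.
render_allowlist_synchronizer() {
  name="$1"
  shift
  printf 'apiVersion: auto.gke.io/v1\n'
  printf 'kind: AllowlistSynchronizer\n'
  printf 'metadata:\n  name: %s\n' "$name"
  printf 'spec:\n  allowlistPaths:\n'
  for path in "$@"; do
    printf '  - %s\n' "$path"
  done
}

# count_allowlist_paths < manifest
# Prints how many allowlist paths a rendered manifest contains; a quick
# sanity check before applying that nothing unexpected was included.
count_allowlist_paths() {
  grep -c '^  - '
}

# apply_and_inspect < manifest
# Applies the manifest, then lists the synchronizer and the WorkloadAllowlist
# objects it created so you can confirm the expected allowlist landed.
# Requires kubectl pointed at the Autopilot cluster.
apply_and_inspect() {
  kubectl apply -f - || return 1
  kubectl get allowlistsynchronizers
  kubectl get workloadallowlists
}

# Usage (uncomment to run against a cluster):
# render_allowlist_synchronizer grafana-alloy-synchronizer 'Grafana/alloy/*' | apply_and_inspect
```

After applying, `kubectl get workloadallowlists` should show an entry for the project; if it does not, describe the AllowlistSynchronizer object and check its status for a path that did not match a published allowlist.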
This table describes only the open-source workloads that need elevated privileges and are supported on Autopilot. Open-source software that requires elevated privileges and is not listed in this table might not work on Autopilot. If an open source application doesn't violate the default security constraints in Autopilot, you can run the application without an allowlist.