This page shows you how to run privileged open-source workloads on
Google Kubernetes Engine (GKE) Autopilot. This page is for
platform engineers who want to run specific open source applications
on Autopilot nodes.
About allowlists for privileged Autopilot workloads
By default, GKE Autopilot enforces security constraints
that reject workloads that need elevated privileges in the cluster. For example,
you can't, by default, run a Pod that enables privileged mode or adds the
NET_RAW Linux capability.
You can optionally run a specific set of privileged workloads from
Autopilot partners and from certain open source projects in Autopilot mode.
To deploy privileged open source workloads in Autopilot mode, you
do the following:
1. Install an allowlist for the workload by deploying an
   AllowlistSynchronizer object. The AllowlistSynchronizer installs the
   allowlist as a WorkloadAllowlist object and manages its lifecycle.
   For instructions, see
   Run privileged workloads from GKE Autopilot partners.
2. Deploy the privileged open source workload in your cluster by following
   the installation steps in the project's documentation.
Privileged open source workloads with Autopilot support
The following table describes the privileged open source workloads that you can
run on Autopilot. To enable a workload, create an
AllowlistSynchronizer resource with the path to the allowlists for that
workload in the allowlistPaths field.
This table describes only the open-source workloads that need elevated
privileges and are supported on Autopilot. Open-source software that
requires elevated privileges and is not listed in this table might not work on
Autopilot. If an open source application doesn't violate the default
security constraints in Autopilot, you can run the application
without an allowlist.
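To see whether a workload trips the default constraints before you deploy it, you can scan its rendered manifest for the two settings this page names as rejected by default. The script below is an added example, not part of the GKE documentation; it checks only privileged mode and an added NET_RAW capability (treating ALL as including it), and the sample manifest with its names and images is constructed.

```python
import json

# Only the two settings this page names; Autopilot enforces other constraints too.
FLAGGED_CAPS = {"NET_RAW", "ALL"}  # adding ALL also grants NET_RAW

# Constructed sample manifest (hypothetical names and images), in the JSON form
# that `kubectl get -o json` or a rendered chart would give you.
SAMPLE = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "example-agent"},
 "spec": {"template": {"spec": {
   "initContainers": [{"name": "setup", "image": "example/setup:1",
     "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}],
   "containers": [
     {"name": "agent", "image": "example/agent:1",
      "securityContext": {"privileged": true}},
     {"name": "sidecar", "image": "example/sidecar:1"}]}}}}
""")


def pod_spec(obj):
    """Return the PodSpec of a Pod, or of a controller that embeds a Pod template."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def findings(obj):
    """List (container, reason) pairs for settings rejected by default."""
    out = []
    spec = pod_spec(obj)
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                out.append((c.get("name"), "privileged mode"))
            for cap in (sc.get("capabilities") or {}).get("add") or []:
                norm = cap.upper()
                norm = norm[4:] if norm.startswith("CAP_") else norm
                if norm in FLAGGED_CAPS:
                    out.append((c.get("name"), "adds capability " + norm))
    return out


if __name__ == "__main__":
    for name, reason in findings(SAMPLE):
        print(f"{name}: {reason} (rejected by Autopilot defaults)")
```

An empty result means neither of these two settings is present; it does not prove the workload passes every Autopilot constraint.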
What's next
AllowlistSynchronizer CustomResourceDefinition
Last updated 2025-08-29 UTC.