Run privileged open source workloads on GKE Autopilot


This page shows you how to run privileged open source workloads on Google Kubernetes Engine (GKE) Autopilot. It is for platform engineers who want to run specific open source applications on Autopilot nodes.

About allowlists for privileged Autopilot workloads

By default, GKE Autopilot enforces security constraints that reject workloads that need elevated privileges in the cluster. For example, you can't run a Pod that enables privileged mode or adds the NET_RAW Linux capability.

You can optionally run a specific set of privileged workloads from Autopilot partners and from certain open source projects in Autopilot mode.

To deploy privileged open source workloads in Autopilot mode, you do the following:

  1. Install an allowlist for the workload by deploying an AllowlistSynchronizer object. The AllowlistSynchronizer installs the allowlist as a WorkloadAllowlist object and manages its lifecycle. For instructions, see Run privileged workloads from GKE Autopilot partners.
  2. Deploy the privileged open source workload in your cluster by following the installation steps in the project's documentation.

Privileged open source workloads with Autopilot support

The following table describes the privileged open source workloads that you can run on Autopilot. To enable a workload, create an AllowlistSynchronizer resource that lists the path to that workload's allowlist file in the allowlistPaths field.

Privileged open source workloads for Autopilot

  Workload       | Allowlist path (allowlistPaths value)
  Grafana Alloy  | Grafana/alloy/*
  Grafana Beyla  | Grafana/beyla/*

This table describes only the open source workloads that need elevated privileges and are supported on Autopilot. Open source software that requires elevated privileges and isn't listed in this table might not work on Autopilot. If an open source application doesn't violate the default security constraints in Autopilot, you can run it without an allowlist.
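The two deployment steps above, as an added example that is not part of this page or of the Grafana projects: a single AllowlistSynchronizer manifest that enables both workloads in the table. The apiVersion (auto.gke.io/v1) and the object name are assumptions; only the allowlistPaths values come from the table.

```yaml
# Added example, not from the GKE documentation page. One
# AllowlistSynchronizer that installs the allowlists for both open source
# workloads listed in the table. The API group and version (auto.gke.io/v1)
# and the metadata.name are assumptions; the allowlistPaths entries are the
# values given in the table.
apiVersion: auto.gke.io/v1
kind: AllowlistSynchronizer
metadata:
  name: grafana-allowlist-synchronizer   # assumed name; choose your own
spec:
  # Each entry is the path to an allowlist file for one workload, in the
  # wildcard form shown in the table. The synchronizer installs each
  # allowlist as a WorkloadAllowlist object and keeps it up to date.
  allowlistPaths:
  - Grafana/alloy/*    # Grafana Alloy
  - Grafana/beyla/*    # Grafana Beyla
```

Apply the manifest with kubectl apply -f and confirm that the resulting WorkloadAllowlist objects exist (kubectl get workloadallowlists) before you follow the Grafana installation steps; a privileged Pod created before the allowlist is present is still rejected by Autopilot.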

What's next