This page shows you how to run privileged open-source workloads onGoogle Kubernetes Engine (GKE) Autopilot. This page is forPlatform engineers who want to run specific open source applicationsin Autopilot nodes.

About allowlists for privileged Autopilot workloads

By default, GKE Autopilot enforces security constraintsthat reject workloads that need elevated privileges in the cluster. For example,you can't, by default, run a Pod that enables privileged mode or adds theNET_RAW Linux capability.

You can optionally run a specific set of privileged workloads fromAutopilot partnersand from certain open source projects in Autopilot mode.

To deploy privileged open source workloads in Autopilot mode, youdo the following:

1. Install anallowlist for the workload by deploying anAllowlistSynchronizer object. The AllowlistSynchronizer installs theallowlist as aWorkloadAllowlist object and manages its lifecycle.For instructions, seeRun privileged workloads from GKE Autopilot partners.
2. Deploy the privileged open source workload in your cluster by followingthe installation steps in the project's documentation.

Privileged open source workloads with Autopilot support

The following table describes the privileged open source workloads that you canrun on Autopilot. To enable a workload,create anAllowlistSynchronizer resource with the path to the allowlists for thatworkload in theallowlistPaths field.

Privileged open source workloads for Autopilot	Allowlist path
Grafana Alloy	Grafana/alloy/*
Grafana Beyla	Grafana/beyla/*

This table describes only the open-source workloads that need elevatedprivileges and are supported on Autopilot. Open-source software thatrequires elevated privileges and is not listed in this table might not work onAutopilot. If an open source application doesn't violate the defaultsecurity constraints in Autopilot, you can run the applicationwithout an allowlist.

What's next

• AllowlistSynchronizer CustomResourceDefinition