This page provides an overview of allowlisted partner workloads that you can deploy in your Google Kubernetes Engine (GKE) Autopilot clusters.
What are Autopilot partner workloads?
Google Kubernetes Engine (GKE) Autopilot clusters don't usually allow workloads that require elevated privileges, such as access to `/var/run`, `privileged: true`, or highly-privileged Linux file capabilities such as `NET_RAW` and `SYS_ADMIN`.
The exceptions to this restriction are Autopilot partner workloads. A subset of Google Cloud Partners provide specially-privileged workloads for Autopilot clusters. You can deploy these partner workloads to meet requirements such as collecting node-level metrics without needing to run a sidecar container in every Pod.
Overview of the allowlisting process
Every partner workload goes through a review process to ensure that it meets baseline requirements for GKE, such as running with the minimum permissions required to work correctly and offering fine-grained control over the resources that the workload can access.
We take measures such as the following to restrict the capabilities of these deployed workloads:
- Verify that the containers are pulled from the approved location.
- Reject Pod specs that don't match the approved specification.
- Remove functionality such as `kubectl exec` for workloads with elevated privileges.
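The first two measures above, as an added illustration that is not part of the GKE documentation or of GKE's own admission logic: a small policy check that flags the elevated-privilege requests a Pod spec makes and admits them only when the image comes from an approved location and the requests stay within that workload's approved specification. The registry prefix, the allowlist entries and the sample Pods are all constructed for this example.

```python
# Added example, not GKE code: an admission-style check over Pod specs.
# A Pod that requests elevated privileges (privileged containers, hostPath
# mounts under /var/run, or the NET_RAW / SYS_ADMIN capabilities) is rejected
# unless its image is pulled from an allowlisted location and its requests
# do not exceed the approved specification for that workload.

ELEVATED_CAPS = {"NET_RAW", "SYS_ADMIN"}
RESTRICTED_HOST_PATHS = ("/var/run",)

# Hypothetical allowlist (constructed): approved image location -> the set of
# elevated requests that workload is approved to make.
ALLOWLIST = {
    "partner-registry.example/agent": {"privileged", "cap:SYS_ADMIN", "hostPath:/var/run"},
}

def elevated_requests(pod):
    """Return the set of elevated-privilege requests found in a Pod spec."""
    requests = set()
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        if path.startswith(RESTRICTED_HOST_PATHS):
            requests.add("hostPath:" + path)
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            requests.add("privileged")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap in ELEVATED_CAPS:
                requests.add("cap:" + cap)
    return requests

def admit(pod):
    """Return (allowed, reason) for a Pod, applying the allowlist rules."""
    requested = elevated_requests(pod)
    if not requested:
        return True, "no elevated privileges requested"
    for c in pod.get("spec", {}).get("containers", []):
        image = c.get("image", "")
        # Match the image by name only; the tag or digest may vary per release.
        approved = next((ALLOWLIST[p] for p in ALLOWLIST
                         if image == p or image.startswith((p + ":", p + "@"))), None)
        if approved is None:
            return False, f"image {image} is not from an approved location"
        extra = requested - approved
        if extra:
            return False, f"spec requests {sorted(extra)} beyond the approved specification"
    return True, "matches the allowlisted partner specification"

# Constructed sample Pods: an approved agent, a look-alike from an unapproved
# registry, an approved image asking for more than it was approved for, and a
# plain Pod that needs no elevated privileges.
PARTNER_AGENT = {"spec": {"volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
    "containers": [{"name": "agent", "image": "partner-registry.example/agent:1.4",
                    "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}
LOOKALIKE = {"spec": {"containers": [{"name": "agent", "image": "docker.io/someone/agent:1.4",
                    "securityContext": {"privileged": True}}]}}
OVERREACH = {"spec": {"containers": [{"name": "agent", "image": "partner-registry.example/agent:1.4",
                    "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}]}}
PLAIN = {"spec": {"containers": [{"name": "web", "image": "docker.io/library/nginx:1.25"}]}}

if __name__ == "__main__":
    for name, pod in [("partner", PARTNER_AGENT), ("lookalike", LOOKALIKE),
                      ("overreach", OVERREACH), ("plain", PLAIN)]:
        print(name, admit(pod))
```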
If you're a Google Cloud partner with an Autopilot workload that requires elevated privileges and needs to be allowlisted, contact your partner manager for information about the Autopilot partner program.
Pricing
Any resources that partner workloads create in your Autopilot clusters are billed according to the Autopilot pricing model. For information about any additional pricing for partner solutions, consult the relevant partner's documentation.
Allowlisted Autopilot partner workloads
The following table describes the allowlisted partner workloads for Autopilot. The partner workloads available for each of your clusters depend on the GKE version of the cluster. For instructions to check the workloads available for a specific cluster, refer to View and deploy partner workloads:
Partner | Description |
---|---|
Aqua | Aqua supports securing and ensuring compliance for the full lifecycle of workloads on GKE Autopilot, and specifically the Kubernetes pods, which run multiple containers with shared sets of storage and networking resources. For more information, refer to Protecting Cloud Native Workloads on GKE Autopilot. |
Datadog | Datadog provides comprehensive visibility into all your containerized apps running on GKE Autopilot by collecting metrics, logs, and traces, which help to surface performance issues and provide context to troubleshoot the issues. For more information, refer to Monitor GKE Autopilot with Datadog. |
Istio CNI plugin | The Istio Container Network Interface (CNI) plugin lets you install and use an Istio mesh without needing to deploy Pods with sidecar containers that have special file capabilities such as For more information, refer to Install Istio with the Istio CNI plugin. |
Prisma Cloud by Palo Alto Networks | Prisma Cloud DaemonSet Defenders enforce the policies you want for your environment. Prisma Cloud Radar displays a comprehensive visualization of your nodes and clusters so you can identify risks and investigate incidents. For more information, refer to the Prisma Cloud Kubernetes installation guide. |
Splunk Observability Cloud | Splunk Observability Cloud provides in-depth visibility into the composition, state, and ongoing issues within a cluster. For more information, refer to the Splunk Kubernetes installation guide. |
Sysdig Secure DevOps Platform | The Sysdig Secure DevOps Platform lets you implement container security best practices in your GKE Autopilot clusters, including monitoring and securing your workloads using the Sysdig agent. The Sysdig agent is a host component that processes syscalls, creates capture files, and performs auditing and compliance checks. For more information, refer to Visibility and Security for GKE Autopilot. |
This table only describes the Google Cloud partners that have Autopilot workloads that need elevated privileges. Other Google Cloud partners have products that work with Autopilot without needing elevated privileges. For a full list of Google Cloud partners, refer to the Partner Directory.