Autopilot partner workloads

This page provides an overview of allowlisted partner workloads that you can deploy in your Google Kubernetes Engine (GKE) Autopilot clusters.

What are Autopilot partner workloads?

Google Kubernetes Engine (GKE) Autopilot clusters don't usually allow workloads that require elevated privileges, such as access to /var/run, privileged: true, or highly-privileged Linux file capabilities such as NET_RAW and SYS_ADMIN.

The exceptions to this restriction are Autopilot partner workloads. A subset of Google Cloud Partners provide specially-privileged workloads for Autopilot clusters. You can deploy these partner workloads to meet requirements such as collecting node-level metrics without needing to run a sidecar container in every Pod.

Overview of the allowlisting process

Every partner workload goes through a review process to ensure that they meet baseline requirements for GKE, such as having the least amount of permissions required to run correctly, and fine-grained control over the resources that the workloads can access.

We take measures such as the following to restrict the capabilities of these deployed workloads:

  • Verify that the containers are pulled from the approved location.
  • Reject Pod specs that don't match the approved specification.
  • Remove functionality such as kubectl exec for workloads with elevated privileges.

If you're a Google Cloud partner with an Autopilot workload that requires elevated privileges and needs to be allowlisted, contact your partner manager for information about the Autopilot partner program.


Any resources that partner workloads create in your Autopilot clusters are billed according to the Autopilot pricing model. For information about any additional pricing for partner solutions, consult the relevant partner's documentation.

Allowlisted Autopilot partner workloads

The following table describes the allowlisted partner workloads for Autopilot. The partner workloads available for each of your clusters depends on the GKE version of the cluster.

Partner Description


Aqua supports securing and ensuring compliance for the full lifecycle of workloads on GKE Autopilot, and specifically the Kubernetes pods, which run multiple containers with shared sets of storage and networking resources.

For more information, refer to Protecting Cloud Native Workloads on GKE Autopilot.

Check Point CloudGuard

Check Point CloudGuard provides unified, cloud-native security across your applications, workloads, and network. You can use it to manage your security posture across Google Cloud environments.

For more information, refer to Onboarding Kubernetes clusters.


Datadog provides comprehensive visibility into all your containerized apps running on GKE Autopilot by collecting metrics, logs, and traces, which help to surface performance issues and provide context to troubleshoot the issues.

For more information, refer to Monitor GKE Autopilot with Datadog.


Dynatrace unifies enterprise observability and accelerates security platform modernization and cloud adoption by providing real-time discovery and AI-powered causal context. The Dynatrace OneAgent is quick and automatic to deploy in your Google Cloud environment to get immediate and automated insights, including into the usage and performance of your GKE clusters.

For more information, refer to the Dynatrace installation instructions for GKE Autopilot.

Elastic Cloud on Kubernetes (ECK)

Built on the Kubernetes Operator pattern, Elastic Cloud on Kubernetes (ECK) extends the basic Kubernetes orchestration capabilities to support the setup and management of the Elastic Stack on Kubernetes. With Elastic Cloud on Kubernetes you can streamline critical operations, such as managing and monitoring multiple clusters, scaling cluster capacity and storage, performing safe configuration changes through rolling upgrades, and much more.

For more information, refer to the ECK Quickstart.


Lacework provides visibility and context to defend cloud environments with autonomous machine learning. The Lacework security platform learns what is normal behavior in your cloud environment so you can quickly spot threats.

For more information, refer to the Lacework installation instructions for GKE Autopilot.

Prisma Cloud by Palo Alto Networks

Prisma Cloud DaemonSet Defenders enforce the policies you want for your environment. Prisma Cloud Radar displays a comprehensive visualization of your nodes and clusters so you can identify risks and investigate incidents.

For more information, refer to the Prisma Cloud Kubernetes installation guide.

Splunk Observability Cloud

Splunk Observability Cloud provides in-depth visibility into the composition, state, and ongoing issues within a cluster.

For more information, refer to the Splunk Kubernetes installation guide.

Sysdig Secure DevOps Platform

The Sysdig Secure Devops Platform lets you implement container security best practices in your GKE Autopilot clusters, including monitoring and securing your workloads using the Sysdig agent. The Sysdig agent is a host component that processes syscall, creates capture files, and performs auditing and compliance.

For more information, refer to Visibility and Security for GKE Autopilot.

Wiz Runtime Sensor

The Wiz Runtime Sensor provides native detection and response capabilities for cloud workloads. It is a lightweight eBPF-based agent that can be deployed to GKE clusters to provide real-time visibility and monitoring of running processes, network connections, file activity, and system calls to detect, investigate, and respond to malicious behavior affecting the workload.

For more information, refer to the Wiz Runtime Sensor overview.

This table only describes the Google Cloud partners that have Autopilot workloads that need elevated privileges. Other Google Cloud partners have products that work with Autopilot without needing elevated privileges. For a full list of Google Cloud partners, refer to the Partner Directory.