This page provides an overview of allowlisted partner workloads that you can deploy in your Google Kubernetes Engine (GKE) Autopilot clusters.
What are Autopilot partner workloads?
Google Kubernetes Engine (GKE) Autopilot clusters don't usually allow
workloads that require elevated privileges, such as access to /var/run,
privileged: true, or highly-privileged Linux file capabilities such as
NET_RAW and SYS_ADMIN.
The exceptions to this restriction are Autopilot partner workloads. A subset of Google Cloud Partners provide specially-privileged workloads for Autopilot clusters. You can deploy these partner workloads to meet requirements such as collecting node-level metrics without needing to run a sidecar container in every Pod.
Overview of the allowlisting process
Every partner workload goes through a review process to ensure that they meet baseline requirements for GKE, such as having the least amount of permissions required to run correctly, and fine-grained control over the resources that the workloads can access.
We take measures such as the following to restrict the capabilities of these deployed workloads:
- Verify that the containers are pulled from the approved location.
- Reject Pod specs that don't match the approved specification.
- Remove functionality such as
kubectl execfor workloads with elevated privileges.
If you're a Google Cloud partner with an Autopilot workload that requires elevated privileges and needs to be allowlisted, contact your partner manager for information about the Autopilot partner program.
Pricing
Any resources that partner workloads create in your Autopilot clusters are billed according to the Autopilot pricing model. For information about any additional pricing for partner solutions, consult the relevant partner's documentation.
Allowlisted Autopilot partner workloads
The following table describes the allowlisted partner workloads for Autopilot. The partner workloads available for each of your clusters depends on the GKE version of the cluster.
| Partner | Description |
|---|---|
| Aqua |
Aqua supports securing and ensuring compliance for the full lifecycle of workloads on GKE Autopilot, and specifically the Kubernetes pods, which run multiple containers with shared sets of storage and networking resources. For more information, refer to Protecting Cloud Native Workloads on GKE Autopilot. |
| Checkmk |
Checkmk helps organizations monitor the reliability and availability of their applications, optimize resource usage, and proactively address issues that may arise. Checkmk can automatically discover and collect cluster-wide data providing visibility into GKE Autopilot performance and health, and visualize the information with out-of-the-box dashboards. For more information, refer to Checkmk installation instructions for GKE Autopilot. |
| Check Point CloudGuard |
Check Point CloudGuard provides unified, cloud-native security across your applications, workloads, and network. You can use it to manage your security posture across Google Cloud environments. For more information, refer to Onboarding Kubernetes clusters. |
| CrowdStrike Falcon |
CrowdStrike Falcon secures cloud infrastructure, stops breaches, and reduces human error by leveraging machine learning, and human driven threat intelligence to relentlessly reduce the attack surface and provide total visibility of events taking place in the environment. CrowdStrike Falcon's user space sensor provides visibility and protection for GKE Autopilot using a single agent, protecting both the node and containers running on it. For more information, refer to CrowdStrike Falcon Deployment Guide for GKE (login required). |
| Datadog |
Datadog provides comprehensive visibility into all your containerized apps running on GKE Autopilot by collecting metrics, logs, and traces, which help to surface performance issues and provide context to troubleshoot the issues. For more information, refer to Monitor GKE Autopilot with Datadog. |
| Dynatrace |
Dynatrace unifies enterprise observability and accelerates security platform modernization and cloud adoption by providing real-time discovery and AI-powered causal context. The Dynatrace OneAgent is quick and automatic to deploy in your Google Cloud environment to get immediate and automated insights, including into the usage and performance of your GKE clusters. For more information, refer to the Dynatrace installation instructions for GKE Autopilot. |
| Elastic Cloud on Kubernetes (ECK) |
Built on the Kubernetes Operator pattern, Elastic Cloud on Kubernetes (ECK) extends the basic Kubernetes orchestration capabilities to support the setup and management of the Elastic Stack on Kubernetes. With Elastic Cloud on Kubernetes you can streamline critical operations, such as managing and monitoring multiple clusters, scaling cluster capacity and storage, performing safe configuration changes through rolling upgrades, and much more. For more information, refer to the ECK Quickstart. |
| HashiCorp Consul |
HashiCorp Consul is a service networking solution to automate network configurations, discover services, and enable secure connectivity across environments, including GKE Autopilot. For more information, refer to the Consul installation instructions for GKE Autopilot. |
| Kubecost |
Kubecost provides real-time cost visibility and insights for teams using GKE, including Autopilot, helping you continuously monitor your Kubernetes costs. For more information, refer to the Kubecost installation instructions for GKE Autopilot. |
| Lacework |
Lacework provides visibility and context to defend cloud environments with autonomous machine learning. The Lacework security platform learns what is normal behavior in your cloud environment so you can quickly spot threats. For more information, refer to the Lacework installation instructions for GKE Autopilot. |
| New Relic |
The New Relic Kubernetes integration gives you observability into the health and performance of your environment by leveraging the New Relic infrastructure agent, which collects telemetry data from your cluster using several New Relic integrations such as the Kubernetes events integration, the Prometheus Agent, and the New Relic Logs Kubernetes plugin. For more information, refer to the New Relic installation instructions for GKE Autopilot. |
| Prisma Cloud by Palo Alto Networks |
Prisma Cloud DaemonSet Defenders enforce the policies you want for your environment. Prisma Cloud Radar displays a comprehensive visualization of your nodes and clusters so you can identify risks and investigate incidents. For more information, refer to the Prisma Cloud Kubernetes installation guide. |
| Splunk Observability Cloud |
Splunk Observability Cloud provides in-depth visibility into the composition, state, and ongoing issues within a cluster. For more information, refer to the Splunk Kubernetes installation guide. |
| Sysdig Secure DevOps Platform |
The Sysdig Secure Devops Platform lets you implement container security best practices in your GKE Autopilot clusters, including monitoring and securing your workloads using the Sysdig agent. The Sysdig agent is a host component that processes syscall, creates capture files, and performs auditing and compliance. For more information, refer to Visibility and Security for GKE Autopilot. |
| Wiz Runtime Sensor |
The Wiz Runtime Sensor provides native detection and response capabilities for cloud workloads. It is a lightweight eBPF-based agent that can be deployed to GKE clusters to provide real-time visibility and monitoring of running processes, network connections, file activity, and system calls to detect, investigate, and respond to malicious behavior affecting the workload. For more information, refer to the Wiz Runtime Sensor overview. |
This table only describes the Google Cloud partners that have Autopilot workloads that need elevated privileges. Other Google Cloud partners have products that work with Autopilot without needing elevated privileges. For a full list of Google Cloud partners, refer to the Partner Directory.