GKE allows a subset of approved partners to run privileged workloads in Autopilot clusters. These privileged workloads can bypass some of the security constraints that Autopilot enforces. For example, a partner might need to run a workload that uses specific Linux capabilities or requires a privileged container. Partners create and maintain allowlists for their privileged workloads. Each allowlist is a file that matches one specific privileged partner workload. Partners submit these allowlist files to GKE for approval. After approval, GKE hosts the allowlist file in a Google-managed repository. To run a partner workload, you install the corresponding allowlist file in your cluster. GKE provides a Kubernetes custom resource named AllowlistSynchronizer that installs allowlists and keeps them up to date. After an allowlist is installed successfully, you can deploy the corresponding privileged partner workload.
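The manifest below is an added example of the AllowlistSynchronizer resource described above; it is not taken from the video. It uses the `auto.gke.io/v1` API group and the `allowlistPaths` field as documented for GKE Autopilot partner allowlists, while the synchronizer name and the allowlist path are placeholders that you would replace with the path your partner publishes in the Google-managed repository.

```yaml
# Added example: installs one partner allowlist into an Autopilot cluster.
# Apply with: kubectl apply -f allowlist-synchronizer.yaml
apiVersion: auto.gke.io/v1
kind: AllowlistSynchronizer
metadata:
  # Placeholder name; choose one per partner so each allowlist is reviewable on its own.
  name: example-partner-synchronizer
spec:
  # Placeholder path inside the Google-managed allowlist repository.
  # Install only the allowlists for partner workloads you actually run:
  # every installed allowlist widens what privileged workloads the cluster admits.
  allowlistPaths:
  - EXAMPLE_PARTNER/EXAMPLE_WORKLOAD/example-allowlist-v1.0.0.yaml
```

Once applied, the synchronizer fetches the file and creates the matching WorkloadAllowlist object in the cluster; `kubectl get allowlistsynchronizer example-partner-synchronizer -o yaml` shows its status, and `kubectl get workloadallowlist` lists the allowlists currently installed, which is a useful periodic check that no allowlist beyond those you intended is present before you deploy the partner's privileged workload.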
Resources:
Learn More Here → https://goo.gle/3HYLKGk
Subscribe to Google Cloud Tech → https://goo.gle/GoogleCloudTech
Speakers: Martin Omander
Products Mentioned: AI Infrastructure, Google Kubernetes Engine (GKE)