Running ARMO/Kubescape Node Agents on GKE Autopilot Clusters
GKE Autopilot has historically restricted workloads that require privileged permissions, such as node agents used for security observability. This made it difficult for tools like Kubescape to deploy their node-level agents on Autopilot clusters.
Why It Works Now
GKE Autopilot supports a mechanism for customers to run approved privileged workloads through a feature called Workload Allowlisting. A vendor (here, ARMO, which maintains the Kubescape node-agent allowlist) publishes a Google-approved WorkloadAllowlist, and cluster operators enable it by installing an AllowlistSynchronizer that references the vendor's allowlist path.
Learn more in the official GKE documentation: 👉 Running Autopilot Partner Workloads
Prerequisites
- GKE version:
1.32.2-gke.1652000or later (required for theAllowlistSynchronizerresource). - Kubescape Helm chart: a version that exposes the
nodeAgent.gke.allowlistvalues (1.27.5or later). Use a recent chart version.
How allowlist versioning works
Each allowlist is published per Helm chart minor version, and its name encodes that minor version:
For example, Helm chart 1.40.x uses the allowlist armo-kubescape-node-agent-1.40-v2; chart 1.41.x uses armo-kubescape-node-agent-1.41, and so on. A revision suffix such as -v2 is appended when an allowlist is superseded — use the exact name reported by kubectl get WorkloadAllowlist (Step 3). The AllowlistSynchronizer path below uses a wildcard, so it installs all approved versions for the workload — you then select the one that matches your chart with the Helm flag in Step 4.
The allowlist matching your chart minor must already be approved and published by Google. After you install the synchronizer, confirm the expected version appears in
kubectl get WorkloadAllowlist(Step 3) before deploying.
Step-by-Step Guide
Step 1: Install the AllowlistSynchronizer
Apply an AllowlistSynchronizer to pull ARMO's allowlist(s) for the node-agent workload — in a single
command, no file to save. Use the path for the image you run:
ARMO/armo-kubescape-node-agent/*— the public Kubescape node-agent (quay.io/kubescape/node-agent).ARMO/armo-private-node-agent/*— the ARMO private node-agent (quay.io/armosec/node-agent).
kubectl apply -f - <<'EOF'
apiVersion: auto.gke.io/v1
kind: AllowlistSynchronizer
metadata:
name: kubescape-allow-list
spec:
allowlistPaths:
- ARMO/armo-kubescape-node-agent/*
- ARMO/armo-private-node-agent/*
EOF
Keep only the path you need.
Step 2: Wait for the AllowlistSynchronizer to sync (optional)
Step 3: Validate the Allowlist Sync
You should see the installed allowlists, including the version that matches your Helm chart minor:
$ kubectl get WorkloadAllowlist
NAME AGE
armo-kubescape-node-agent-1.40-v2 37s
armo-private-node-agent-1.40-v2 37s
Use the exact name shown here when overriding the allowlist name (Step 4). A revision suffix such as
-v2 is appended when an allowlist is superseded, so match whatever kubectl get WorkloadAllowlist
reports.
Step 4: Install Kubescape with Helm
Enable the GKE Autopilot allowlist when you install or upgrade. Recent chart versions set
nodeAgent.gke.allowlist.name to the correct allowlist for that chart version by default, so you
normally only need to enable the feature:
helm upgrade --install kubescape kubescape/kubescape-operator \
... <all the other settings> ... \
--set nodeAgent.gke.allowlist.enabled=true
Enabling the feature adds the
cloud.google.com/matching-allowlistlabel to the node-agent pod, which is how GKE matches the workload to the allowlist.
Overriding the allowlist name (older charts, or to pin a specific version): set
nodeAgent.gke.allowlist.name to the exact name shown in Step 3 that matches your chart — for example
armo-kubescape-node-agent-1.40-v2 (public Kubescape node-agent). ARMO users running the private
node-agent (quay.io/armosec/node-agent) should use armo-private-node-agent-… instead. The name must
match an allowlist installed in the cluster (Step 3).
Step 5: Verify the Node Agent Pod is Running
Look for a pod named node-agent-* with STATUS: Running.
Using private (mirrored) images
If you mirror the node-agent image into a private registry, reference it by SHA-256 digest that matches the public image. The allowlist publishes the accepted digests (containerImageDigests); see Run Autopilot partner workloads — private image mirrors.
Troubleshooting
Node-agent pod/DaemonSet rejected with a GKE Warden error (Workload Mismatches Found or
does not contain all required exemptions): the workload doesn't match the allowlist it was pointed at.
Common causes:
- Wrong or missing version. The allowlist named on the pod isn't installed in the cluster. Re-check
Step 3 (
kubectl get WorkloadAllowlist) and make sure the name matches an installed allowlist for your chart version. If it isn't there yet, the approved allowlist may still be rolling out to your region (Google rolls out gradually, up to ~7 business days after approval). AllowlistSynchronizernotReady. Runkubectl get allowlistsynchronizer— aSyncErrorusually means one listed path isn't published yet. Keep only paths you use.- The node-agent genuinely changed. If you run a chart version newer than the latest approved allowlist, its node-agent may require settings the allowlist doesn't cover yet. Use a chart version whose matching allowlist is approved.
The node-agent runs one DaemonSet per node group (the autoscaler sizes them per instance type), so you
may see several node-agent-* pods — this is expected.
🎉 You're Done!
Your GKE Autopilot cluster is now running Kubescape's node agents in compliance with GKE's partner workload policies.