Running ARMO/Rapid7 Node Agents on GKE Autopilot Clusters

GKE Autopilot has historically restricted workloads that require privileged permissions, such as node agents used for security observability. This made it difficult for tools like the ARMO Platform (and the Rapid7 distribution built on it) to deploy their node-level agents on Autopilot clusters.

Why It Works Now

GKE Autopilot supports a mechanism for customers to run approved privileged workloads through a feature called Workload Allowlisting. ARMO publishes Google-approved WorkloadAllowlists for its node agents, and cluster operators enable them by installing an AllowlistSynchronizer that references the allowlist path.
Learn more in the official GKE documentation:
👉 Running Autopilot Partner Workloads


Prerequisites

  • GKE version: 1.32.2-gke.1652000 or later (required for the AllowlistSynchronizer resource).
  • Helm chart: a version that exposes the nodeAgent.gke.allowlist values (1.27.5 or later). Use a recent chart version.

Choose your distribution

The allowlist path and name depend on which node-agent image you run. All allowlists live in ARMO's Google-managed allowlist repository (ARMO/…).

Distribution                 node-agent image              AllowlistSynchronizer path        Allowlist name
ARMO (private node-agent)    quay.io/armosec/node-agent    ARMO/armo-private-node-agent/*    armo-private-node-agent-<CHART_MINOR>
Rapid7                       quay.io/armosec/node-agent    ARMO/armo-rapid7-node-agent/*     armo-rapid7-node-agent-<CHART_MINOR>

How allowlist versioning works

Each allowlist is published per Helm chart minor version, and its name encodes that minor version: chart 1.40.x uses armo-private-node-agent-1.40 (or armo-rapid7-node-agent-1.40). The synchronizer paths in Step 1 end in a wildcard (/*), so the synchronizer installs every approved allowlist version for the workload; you then select the one matching your chart with the Helm flag in Step 4. Only the minor version is part of the name, so a patch upgrade (1.40.2 to 1.40.3) keeps the same allowlist, while a minor upgrade (1.40.x to 1.41.x) requires that the new allowlist has already been published and synced.

The allowlist matching your chart minor must already be approved and published. After installing the synchronizer, confirm the expected version appears in kubectl get WorkloadAllowlist (Step 3) before deploying.


Step-by-Step Guide

Step 1: Create an AllowlistSynchronizer Resource

Create kubescape-allowlist.yaml, listing the path(s) for the distribution(s) you run:

apiVersion: auto.gke.io/v1
kind: AllowlistSynchronizer
metadata:
  name: kubescape-allow-list
spec:
  allowlistPaths:
  # ARMO private node-agent
  - ARMO/armo-private-node-agent/*
  # Rapid7 node-agent
  - ARMO/armo-rapid7-node-agent/*

Keep only the paths you need. A single synchronizer may list multiple paths.

Step 2: Apply the AllowlistSynchronizer

kubectl apply -f kubescape-allowlist.yaml

Optionally wait for the synchronizer to finish installing the allowlists:

kubectl wait --for=condition=Ready allowlistsynchronizer/kubescape-allow-list --timeout=60s

Step 3: Validate the Allowlist Sync

kubectl get WorkloadAllowlist

You should see the installed allowlists, including the version that matches your Helm chart minor. For example:

$ kubectl get WorkloadAllowlist
NAME                            AGE
armo-private-node-agent-1.40    37s
armo-rapid7-node-agent-1.40     37s

Step 4: Install with Helm

Install or upgrade your chart and point the node-agent at the matching allowlist. Set nodeAgent.gke.allowlist.name to the name from the table above, with the minor version matching the chart you install.

ARMO:

helm upgrade --install kubescape kubescape/kubescape-operator \
  ... <all the other settings> ... \
  --set nodeAgent.gke.allowlist.enabled=true \
  --set nodeAgent.gke.allowlist.name=armo-private-node-agent-<CHART_MINOR>

Rapid7 (the rapid7-operator chart wraps kubescape-operator, so the node-agent values are nested under kubescape-operator):

helm upgrade --install rapid7 <rapid7-chart> \
  ... <all the other settings> ... \
  --set kubescape-operator.nodeAgent.gke.allowlist.enabled=true \
  --set kubescape-operator.nodeAgent.gke.allowlist.name=armo-rapid7-node-agent-<CHART_MINOR>

Setting nodeAgent.gke.allowlist.enabled=true adds the cloud.google.com/matching-allowlist label to the node-agent pod, which is how GKE matches the workload to the named allowlist. The name must match one of the WorkloadAllowlist objects listed in Step 3 exactly; the name and the chart minor are tied together, so pin the chart version (helm --version) rather than letting a later minor float in under an older allowlist name.

Step 5: Verify the Node Agent Pod is Running

kubectl get pods -n kubescape

Look for a pod named node-agent-* with STATUS: Running. If no such pod appears, check the events in the namespace (kubectl get events -n kubescape) for an admission rejection, and confirm that the allowlist name you set in Step 4 exactly matches one of the names printed in Step 3.
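Putting the versioning rule and Steps 1 to 5 together, here is an added example script that is not part of the ARMO, Rapid7 or GKE documentation. It derives the allowlist name from the chart version, refuses to run Helm until that WorkloadAllowlist has actually been synced, and then verifies the labelled pod. It assumes POSIX sh with kubectl, helm, awk and sed on the path; the RELEASE and CHART_REF variables, the script file name and the assumption that the matching-allowlist label value equals the allowlist name are the author's placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the ARMO or GKE documentation: wraps Steps 1-5 so the
# Helm install only runs once the WorkloadAllowlist matching your chart minor
# has actually been synced. Distribution is "armo" or "rapid7".
set -eu

# allowlist_name DIST CHART_VERSION -> allowlist name for that chart's minor,
# e.g. allowlist_name rapid7 1.40.3 prints armo-rapid7-node-agent-1.40
allowlist_name() {
  minor=$(printf '%s' "$2" | sed -E 's/^v?([0-9]+\.[0-9]+).*$/\1/')
  case "$1" in
    armo)   printf 'armo-private-node-agent-%s\n' "$minor" ;;
    rapid7) printf 'armo-rapid7-node-agent-%s\n'  "$minor" ;;
    *)      echo "unknown distribution: $1" >&2; return 1 ;;
  esac
}

# helm_values_prefix DIST -> where the node-agent values live in each chart
# (the rapid7-operator chart nests kubescape-operator, so one level deeper)
helm_values_prefix() {
  case "$1" in
    armo)   printf 'nodeAgent.gke.allowlist\n' ;;
    rapid7) printf 'kubescape-operator.nodeAgent.gke.allowlist\n' ;;
    *)      return 1 ;;
  esac
}

# allowlist_present NAME LISTING -> succeeds if the NAME column of a
# 'kubectl get workloadallowlist' listing has an exact match (no prefix match)
allowlist_present() {
  printf '%s\n' "$2" | awk -v want="$1" 'NR > 1 && $1 == want { found = 1 } END { exit !found }'
}

# Constructed sample of the Step 3 output, so the checks can be exercised offline.
SAMPLE_LISTING='NAME                            AGE
armo-private-node-agent-1.40    37s
armo-rapid7-node-agent-1.40     37s'

# Live path: needs cluster access, so it only runs when explicitly requested.
# Usage: RUN_LIVE=1 DIST=rapid7 CHART_VERSION=1.40.3 RELEASE=rapid7 \
#        CHART_REF=<rapid7-chart> sh deploy-node-agent.sh
# RELEASE, CHART_REF and your other --set flags are placeholders for your own values.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  name=$(allowlist_name "${DIST:?set DIST=armo|rapid7}" "${CHART_VERSION:?set CHART_VERSION}")
  prefix=$(helm_values_prefix "$DIST")

  # Steps 1-2: install the synchronizer (kubescape-allowlist.yaml from Step 1)
  kubectl apply -f kubescape-allowlist.yaml
  kubectl wait --for=condition=Ready allowlistsynchronizer/kubescape-allow-list --timeout=120s

  # Step 3: stop here if the minor we need has not been published and synced
  if ! allowlist_present "$name" "$(kubectl get workloadallowlist)"; then
    echo "WorkloadAllowlist $name not found; is chart minor ${name##*-} approved?" >&2
    exit 1
  fi

  # Step 4: pin the chart version so the label and the allowlist cannot drift apart
  helm upgrade --install "${RELEASE:?}" "${CHART_REF:?}" --version "$CHART_VERSION" \
    --set "$prefix.enabled=true" \
    --set "$prefix.name=$name"

  # Step 5: list pods carrying the label GKE matches on (assumes value == allowlist name)
  kubectl get pods -n kubescape -l "cloud.google.com/matching-allowlist=$name"
fi
```

The exact-match check in allowlist_present matters because the wildcard path syncs every approved minor: a naive grep for armo-rapid7-node-agent would pass on an older allowlist and the pod would then be labelled with a name that does not exist.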


Using private (mirrored) images

If you mirror the node-agent image into your own registry, reference it by the SHA-256 digest that matches the public image. Each allowlist publishes the accepted digests (containerImageDigests); see Run Autopilot partner workloads — private image mirrors.

🎉 You're Done!

Your GKE Autopilot cluster is now running the ARMO/Rapid7 node agents securely and in compliance with GKE's partner workload policies.