topic Cortex XDR installation on GKE AutoPilot cluster in Cortex XDR Discussions

Cortex XDR installation on GKE AutoPilot cluster

P.Timperi — Wed, 06 Aug 2025 08:12:39 GMT

Cortex XDR seems to support GKE AutoPilot in latest release 8.9.

However, when generating the Kubernetes manifests on Cortex XDR dashboard, they will not deploy on AutoPilot cluster.

Instead, error message is given after kubectl apply command:
Violations details: {"[denied by autogke-default-linux-capabilities]":["linux capability 'SYS_ADMIN,SYSLOG,SYS_MODULE,SYS_RESOURCE,SYS_RAWIO,DAC_READ_SEARCH,NET_ADMIN,IPC_LOCK' on container 'cortex-agent' not allowed; Autopilot only allows the capabilities: 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT,SYS_PTRACE'."],"[denied by autogke-disallow-hostnamespaces]":["enabling hostPID is not allowed in Autopilot.","enabling hostIPC is not allowed in Autopilot.","enabling hostNetwork is not allowed in Autopilot."],"[denied by autogke-no-write-mode-hostpath]":["hostPath volume var-log in container cortex-agent is accessed in write mode; disallowed in Autopilot.","hostPath volume host-km-directory in container cortex-agent is accessed in write mode; disallowed in Autopilot.","hostPath volume agent-ids in container cortex-agent is accessed in write mode; disallowed in Autopilot.","hostPath volume host-fs used in container cortex-agent uses path / which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]."]}

Please instruct how to configure AutoPilot or the manifest correctly. Thanks!

Re: Cortex XDR installation on GKE AutoPilot cluster

eluis — Wed, 06 Aug 2025 12:27:56 GMT

Hello P.Timperi,

Please follow the step by step instructions on the document down below to install XDR on Kubernetes.

If the problem persists, please feel free to open a TAC support ticket:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.9/Cortex-XDR-Agent-Administrator-Guide/Install-the-Cortex-XDR-Agent-for-Kubernetes-Hosts

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

KR,

Luis

Re: Cortex XDR installation on GKE AutoPilot cluster

P.Timperi — Thu, 07 Aug 2025 12:00:58 GMT

Yes, I did follow the linked instructions and it works for standard GKE clusters, but not for AutoPilot.

I found out that the partner agent needs to have AllowlistSynchronizer file path at Google:
https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-partners
https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads

But Cortex XDR is missing on the list of supported agents. I did try "Allowlist path: Palo-Alto-Networks/prisma-cloud-defender/*", but it didn't work.. well, it is a different agent after all.
So, I guess the GKE AutoPilot support is not complete for Cortex XDR. It seems to miss the AllowlistSynchronizer file path?

Re: Cortex XDR installation on GKE AutoPilot cluster

atzarfaty — Wed, 28 Jan 2026 16:36:33 GMT

Hey, please refer to our official documentation for this matter:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/9.1/Cortex-XDR-Agent-Administrator-Guide/Install-the-Cortex-XDR-Agent-for-Kubernetes-Hosts

For GKE Autopilot running a privileged workload requires adding the path (Palo-Alto-Networks/cortex-agent/*) to the corresponding allowlist file to an AllowlistSynchronizer custom resource. Then deploy the AllowlistSynchronizer to your cluster. For more details, visit https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads#create-allowlistsynchronizer