08-06-2025 01:12 AM
Cortex XDR seems to support GKE AutoPilot in latest release 8.9.
However, when generating the Kubernetes manifests on Cortex XDR dashboard, they will not deploy on AutoPilot cluster.
Instead, error message is given after kubectl apply command:
Violations details: {"[denied by autogke-default-linux-capabilities]":["linux capability 'SYS_ADMIN,SYSLOG,SYS_MODULE,SYS_RESOURCE,SYS_RAWIO,DAC_READ_SEARCH,NET_ADMIN,IPC_LOCK' on container 'cortex-agent' not allowed; Autopilot only allows the capabilities: 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT,SYS_PTRACE'."],"[denied by autogke-disallow-hostnamespaces]":["enabling hostPID is not allowed in Autopilot.","enabling hostIPC is not allowed in Autopilot.","enabling hostNetwork is not allowed in Autopilot."],"[denied by autogke-no-write-mode-hostpath]":["hostPath volume var-log in container cortex-agent is accessed in write mode; disallowed in Autopilot.","hostPath volume host-km-directory in container cortex-agent is accessed in write mode; disallowed in Autopilot.","hostPath volume agent-ids in container cortex-agent is accessed in write mode; disallowed in Autopilot.","hostPath volume host-fs used in container cortex-agent uses path / which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]."]}
Please instruct how to configure AutoPilot or the manifest correctly. Thanks!
08-06-2025 05:27 AM
Hello P.Timperi,
Please follow the step by step instructions on the document down below to install XDR on Kubernetes.
If the problem persists, please feel free to open a TAC support ticket:
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
KR,
Luis
08-07-2025 05:00 AM
Yes, I did follow the linked instructions and it works for standard GKE clusters, but not for AutoPilot.
I found out that the partner agent needs to have AllowlistSynchronizer file path at Google:
https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-partners
https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
But Cortex XDR is missing on the list of supported agents. I did try "Allowlist path: Palo-Alto-Networks/prisma-cloud-defender/*", but it didn't work.. well, it is a different agent after all.
So, I guess the GKE AutoPilot support is not complete for Cortex XDR. It seems to miss the AllowlistSynchronizer file path?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
