ARMO Now Supports GKE Autopilot Clusters 🎉

May 22, 2025

Ben Hirschberg
CTO & Co-founder

We’re excited to announce that ARMO now fully supports Google Kubernetes Engine (GKE) Autopilot clusters!

This update comes in response to strong demand from our user community and enterprise customers, many of whom are embracing Autopilot for its simplicity and operational efficiency — while still requiring deep, real-time security observability and enforcement.

Why This Matters

GKE Autopilot has traditionally restricted workloads that require privileged access, such as eBPF node agents. Only a few partner vendors were allowed to run privileged workloads in the Autopilot cluster. This presented a challenge for security teams that rely on host-level visibility to protect their Kubernetes environments.

Google Cloud’s Self-Workload Allowlisting feature in Autopilot now allows vendors like ARMO to securely run privileged workloads. This is enabled using a vetted, customer-controlled allowlist mechanism.

👉 Read more about the GKE Autopilot partner workload support

We Listened to You 👂

We heard your feedback loud and clear:

“We want Kubescape and ARMO’s runtime protection to work on GKE Autopilot!”

This wasn’t simply a feature request; it was a necessity for companies running production environments, especially those in regulated industries. They wanted to adopt Autopilot, but couldn’t compromise on visibility or security.

That’s why ARMO invested in adapting Kubescape to the new GKE partner model, ensuring seamless compatibility and a production-grade experience on Autopilot for both Kubescape and ARMO users.

Autopilot Users, Welcome to the ARMO Stack 🚀

With this integration, GKE Autopilot users can now take full advantage of the ARMO Cloud Application Detection and Response (CADR) stack — modern Cloud and Kubernetes security tooling with zero compromises:

  • Vulnerability Management
    With advanced reachability and “in-use” analysis to prioritize only what really matters.
  • Misconfiguration & Compliance Scanning
    Behavior-based smart remediations that enable tailored fixes, not just noisy alerts.
  • Policy Management
    From Kubernetes network policies to seccomp profiles, gain readily available, easy-to-implement automated suggestions and drift detection.
  • Anomaly-Based Runtime Detection & Response
    Full-stack cloud correlation and deep code-aware analysis power this industry-leading runtime security engine.

This means Autopilot clusters can now enjoy the same robust, modern, and integrated cloud and Kubernetes security platform that our customers already rely on across EKS, GKE Standard, and self-managed clusters.

Get Started

  • GKE Version: 1.32.2-gke.1652000 or later
  • Kubescape Helm Chart: 1.27.5 or later
  • Workload Allowlist Resource: Provided by ARMO, simply apply it

👉 Full instructions: Kubescape on GKE Autopilot – Documentation

Let’s Secure the Future of Kubernetes — Together

This is more than a compatibility update — it’s a step forward in our mission to bring modern, accessible security to every Kubernetes environment. Whether you run clusters in standard or fully-managed modes, ARMO is here to help you stay secure and in control.

FAQs

What is GKE Autopilot? 

GKE Autopilot is a fully managed mode of Google Kubernetes Engine (GKE) that aims to simplify Kubernetes operations by automatically managing the underlying infrastructure, including nodes, scaling, and upgrades. 

This announcement is important because GKE Autopilot traditionally restricted workloads requiring privileged access, which hindered the deployment of security tools like ARMO that rely on host-level visibility. With Google Cloud’s new Self-Workload Allowlisting feature, ARMO can now run its necessary components in Autopilot clusters, providing users with deep, real-time security observability and enforcement in this simplified environment.  

Do I need to make any changes to my GKE Autopilot cluster to use ARMO? 

You need to ensure your GKE cluster is version 1.32.2-gke.1652000 or later and that you have Kubescape Helm Chart version 1.27.5 or later. Additionally, you will need to apply the Workload Allowlist Resource provided by ARMO to your cluster.  

Is there a cost associated with using ARMO on GKE Autopilot? 

No. ARMO does not have specific pricing for GKE Autopilot clusters. For more information about ARMO pricing, please see the pricing page.