18572: Introduce GKE allowlist synchronizer

martinhv · anthonyh209 · commit 7270e654f85d · 2025-08-22T08:30:31.000+02:00
This werk adds the necessary helm configurations in order to enable support to run the collector in GKE Autopilot. Closes: #33 Change-Id: I025ead7fceddfd68f06fe6b182d834f69f9fcf02
diff --git a/.werks/18572.md b/.werks/18572.md
@@ -0,0 +1,15 @@
+[//]: # (werk v2)
+# Introduce GKE allowlist synchonizer
+
+key        | value
+---------- | ---
+date       | 2025-08-19T09:29:55+00:00
+version    | 2.0.0-alpha.1
+class      | feature
+edition    | cre
+component  | helm
+level      | 1
+compatible | yes
+
+This werk adds the necessary helm configurations in order to
+enable support to run the collector in GKE Autopilot.
diff --git a/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml b/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
@@ -0,0 +1,12 @@
+{{- /* Deploy only if .Values.gkeAutopilot.allowlistPaths is non-empty */ -}}
+{{- if and .Values.gkeAutopilot (hasKey .Values.gkeAutopilot "allowlistPaths") }}
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+  name: {{ include "checkmk.fullname" . }}-allowlist-synchronizer
+spec:
+  allowlistPaths:
+{{- range .Values.gkeAutopilot.allowlistPaths }}
+    - "{{ . }}"
+{{- end }}
+{{- end }}
diff --git a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
@@ -31,6 +31,9 @@ spec:
         {{- include "checkmk.selectorLabels" . | nindent 8 }}
         component: {{ include "checkmk.fullname" . }}-node-collector
         app: {{ include "checkmk.fullname" . }}-node-collector-container-metrics
+        {{- if .Values.gkeAutopilot.enabled }}
+        cloud.google.com/matching-allowlist: checkmk-node-collector-container-metrics
+        {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
@@ -10,6 +10,13 @@ kubeVersionOverride: ""
 ## If you are using one of them, or containerd is located in an alternate location, please uncomment / adapt the override.
 #containerdOverride: "/run/k3s/containerd/containerd.sock"
 
+## GKE Autopilot only allows privilegded workloads, if they are allowlisted.
+## Requirement: Please first deploy the allowlist-synchronizer CRD [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml]
+## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads 
+## To deploy in GKE Autopilot, please set to true.
+gkeAutopilot:
+  enabled: false
+
 tlsCommunication:
   enabled: false
   verifySsl: false
