Merge pull request #59 from cdmello-g/master

bobbypage · web-flow · commit 8c07c7e8ee58 · 2025-06-18T21:19:25.000-07:00
Add allowlist for autopilot clusters + update readme instructions for autopilot
diff --git a/containerd-nofile-infinity/README.md b/containerd-nofile-infinity/README.md
@@ -2,6 +2,12 @@
 
 This guide outlines the steps to configure the `LimitNOFILE` setting for the containerd service on GKE nodes. This is typically used to increase the maximum number of open file descriptors allowed for containerd, which can be beneficial for high-concurrency workloads or specific applications that require a large number of open files. Since containerd 2.0 the `LimitNOFILE` has been removed - see containerd/containerd#8924 for more details.
 
+## Prerequiste for GKE Autopilot Clusters:
+Deploy the `AllowListSynchronizer` resource in `containerd-nofile-infinity-allowlist.yaml`. This resource updates [Autopilot's security policies](https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads#about-allowlistsynchronizer) to run the privileged daemonset.
+    
+```bash
+kubectl apply -f containerd-nofile-infinity-allowlist.yaml
+```  
 
 ## Instructions
 
diff --git a/containerd-nofile-infinity/containerd-nofile-infinity-allowlist.yaml b/containerd-nofile-infinity/containerd-nofile-infinity-allowlist.yaml
@@ -0,0 +1,7 @@
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+  name: gke-org-nofile-infinity-synchronizer
+spec:
+  allowlistPaths:
+  - "Gke-Org/nofile-infinity/gke-org-nofile-infinity-allowlist.yaml"
