diff --git a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
index 3d0dbb3..052b62f 100644
--- a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
+++ b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
@@ -31,6 +31,9 @@ spec:
 {{- include "checkmk.selectorLabels" . | nindent 8 }}
 component: {{ include "checkmk.fullname" . }}-node-collector
 app: {{ include "checkmk.fullname" . }}-node-collector-container-metrics
+ {{- if .Values.gkeAutopilot.enabled }}
+ cloud.google.com/matching-allowlist: checkmk-node-collector-container-metrics
+ {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
index 7400190..28711a1 100644
--- a/deploy/charts/checkmk/values.yaml
+++ b/deploy/charts/checkmk/values.yaml
@@ -10,6 +10,13 @@ kubeVersionOverride: ""
 ## If you are using one of them, or containerd is located in an alternate location, please uncomment / adapt the override.
 #containerdOverride: "/run/k3s/containerd/containerd.sock"
+## GKE Autopilot only allows privilegded workloads, if they are allowlisted.
+## Requirement: Please first deploy the allowlist-synchronizer CRD [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml]
+## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
+## To deploy in GKE Autopilot, please set to true.
+gkeAutopilot:
+ enabled: false
+
 tlsCommunication:
 enabled: false
 verifySsl: false
diff --git a/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml b/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
new file mode 100644
index 0000000..82d34b8
--- /dev/null
+++ b/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
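Review bot: In node-collector-container-metrics-ds.yaml the new `cloud.google.com/matching-allowlist` pod label carries a hard-coded allowlist name with no comment, so nothing in the template says that the pod is only admitted once a WorkloadAllowlist of that name has been synced into the cluster. I would add a template comment above the `if`, for example `{{- /* GKE Autopilot: the pod must match the WorkloadAllowlist named below; apply the AllowlistSynchronizer manifest first */}}`. Presumably the allowlist is matched against the pod spec, so values that alter it (a custom image, or `containerdOverride` from values.yaml) may cause the pod to be rejected when `gkeAutopilot.enabled` is true; that is worth confirming and documenting. The enclosing pod template starts and ends outside the hunk.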
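Review bot: In values.yaml the comment block added above `gkeAutopilot:` misspells "privileged" as `privilegded` and calls the linked manifest a CRD, although the file added in this commit is a resource of `kind: AllowlistSynchronizer`, not a CustomResourceDefinition. Suggested wording for the first two lines: `## GKE Autopilot only admits privileged workloads that are allowlisted.` and `## Requirement: first apply the AllowlistSynchronizer manifest [...]` with the existing link kept. As far as this diff shows, the flag only adds the `cloud.google.com/matching-allowlist` label to the container-metrics DaemonSet pods, and the comment could say so, so that operators know which workload is being exempted.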
@@ -0,0 +1,8 @@
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+ name: checkmk-allowlist-synchronizer
+spec:
+ allowlistPaths:
+ - "Checkmk/checkmk_kube_agent/v1.0.0/*"
+ - "Checkmk/checkmk_kube_agent/v1.1.0/*"
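Review bot: Both `allowlistPaths` entries end in `/*`, so the synchronizer is asked to install every allowlist published under those two version directories, while the chart's DaemonSet label names only `checkmk-node-collector-container-metrics`. If those directories hold more than that one allowlist, narrowing each path to the specific allowlist file would keep the privileged-workload exemptions in the cluster limited to what the chart actually uses. The directories `v1.0.0` and `v1.1.0` are also hard-coded, so a leading comment such as `# Extend this list when a new agent release publishes its allowlist; versions must match the deployed chart` would tell operators why a newer release may be rejected.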