This page describes configs, the files Anthos Config Management reads from Git and applies to your clusters automatically. You can create a config and commit it to your repo.
Anthos Config Management keeps your enrolled clusters in sync using configs. A
config is a YAML or JSON file that is stored in your
repo and contains the same types of configuration
details that you can manually apply to a cluster using the kubectl apply
command. This topic covers how configs work, how to write them, and how
Anthos Config Management applies them to your enrolled clusters.
Anthos Config Management is designed for cluster operators who manage many clusters. You can ensure that your clusters meet business and compliance standards by allowing Anthos Config Management to manage namespaces, Roles, RoleBindings, ResourceQuotas, and other important Kubernetes objects, across your fleet. You can create a config for any Kubernetes object that can exist in a cluster.
Working with configs over time
The following decision tree illustrates the results of different configuration changes in a hypothetical group of clusters managed by Anthos Config Management over time. Following the diagram, some hypothetical actions by cluster operators and the results of those actions are discussed and used to illustrate how Anthos Config Management works.
This cluster uses the example repo. The cluster is already registered with Operator.
Anthos Config Management applies configs only when at least one of the following is true:
- a relevant config exists in the repo
- the annotation
configmanagement.gke.io/managed: enabledis applied to the Kubernetes object
The
foo-corpcluster has a ClusterRole namedpod-accountantthat does not have theconfigmanagement.gke.io/managed: enabledannotation, and no config for the ClusterRole object exists in the repo. Anthos Config Management does not configure thepod-accountantClusterRole.Anthos Config Management applies a relevant change automatically when it is committed to the repo.
A cluster administrator commits a config to the
cluster/quota-viewer-clusterrole.yamlfile in the repo. This config defines a ClusterRole calledquota-viewer. Because the config is created in thecluster/directory, it affects all enrolled clusters. Anthos Config Management detects the newly-committed config and applies it. Thequota-viewerClusterRole now exists in the cluster, has theconfigmanagement.gke.io/managed: enabledannotation, and is in sync with the contents ofquota-viewer-clusterrole.yaml.Some time later, someone deletes the
cluster/quota-viewer-clusterrole.yamlfile from the repo. Anthos Config Management detects this change and removes thequota-viewerClusterRole from the cluster.You can start managing an existing object in a cluster by adding the
configmanagement.gke.io/managed: enabledannotation.The
foo-corpcluster has a namespace directory calledshipping-dev. Within this namespace directory, a config for a Role calledjob-creatorexists and has theconfigmanagement.gke.io/managed: enabledannotation. Someone updates the filenamespaces/dev/shipping-dev/job-creator-role.yaml. The Operator detects and applies the change.Anthos Config Management allows you to apply configuration changes to namespaces in a grouped hierarchical way.
The
foo-corpcluster has a RoleBinding namedpod-creatorand a corresponding/namespaces/pod-creator/pod-creator.yamlfile in the repo. The diagram shows thatshipping-prod,shipping-staging, andshipping-devare all namespaces (they each have anamespace.yamlfile that defines a namespace) within theshipping-dev-backendabstract namespace directory. Each of these namespaces inherits thepod-creatorRoleBinding.Some time later, someone modifies the
pod-creatorRoleBinding in theshipping-prodnamespace directory. The Operator detects the change and updatespod-creatorto match the config in the repo.Eventually, someone removes the
pod-creatorconfig from the repo. Anthos Config Management detects the change and removes thepod-creatorRoleBinding from each of the three namespaces.Anthos Config Management allows you to manually apply changes and doesn't manage objects unless they have the
configmanagement.gke.io/managed: enabledannotation.Someone manually creates a new Role called
secret-adminin theshipping-prodnamespace. No config exists for thesecret-adminRole in the repo. Thesecret-adminRole does not have theconfigmanagement.gke.io/managed: enabledannotation. Anthos Config Management takes no action.Some time later, someone manually adds the
configmanagement.gke.io/managed:enabledannotation to thesecret-adminRole. There is still no corresponding config in the repo, so Anthos Config Management deletes thesecret-adminRole from the namespace.Anthos Config Management creates missing namespaces if configs exist for them.
Someone commits a new config for the
auditnamespace, which doesn't exist in the cluster. Anthos Config Management creates theauditnamespace in the cluster and applies theconfigmanagement.gke.io/managed: enabledannotation to it.Anthos Config Management can manage configs for a namespace that doesn't have the
configmanagement.gke.io/managed: enabledannotation.The
shipping-devnamespace exists in the cluster but does not have theconfigmanagement.gke.io/managed: enabledannotation. However, theshipping-devnamespace directory in the repo has a RoleBinding namedjob-creators, which has theconfigmanagement.gke.io/managed: enabledannotation.Someone adds a config for the
shipping-devnamespace to the repo, but there is no config for thejob-creatorsRoleBinding. Since no config exists for the RoleBinding, but the RoleBinding has theconfigmanagement.gke.io/managed: enabledannotation, Anthos Config Management deletes the RoleBinding.Later, someone adds a config for the
job-creatorsRoleBinding. Thejob-creatorsRoleBinding is re-created with the properties defined in the config.