You're viewing documentation for Anthos Config Management 1.3. This version has reached end of life and is no longer supported. View the latest documentation.

Installing Config Connector

Config Connector is a Kubernetes addon that allows you to manage your Google Cloud resources through Kubernetes configuration. With Anthos Config Management, Anthos users can install and uninstall Config Connector automatically.

Before you begin

  • You must have an Anthos entitlement to install Config Connector using Anthos Config Management. If you do not have an Anthos entitlement, you must use one of the alternative installation methods for Config Connector instead of following the instructions in this topic.

  • You must upgrade Anthos Config Management to v1.1.0 or higher before following these instructions.

  • You must have a cluster where Config Connector is not installed.

Installing Config Connector using Anthos Config Management

To install Config Connector using Anthos Config Management, you configure Anthos Config Management to install Config Connector on one of your clusters, then configure the cnrm-system service account.

Configuring Anthos Config Management

  1. Set the value of spec.configConnector.enabled to true in the Operator configuration file:

    # config-management.yaml
    apiVersion: configmanagement.gke.io/v1
    kind: ConfigManagement
    metadata:
      name: config-management
      namespace: config-management-system
    spec:
      # clusterName is required and must be unique among all managed clusters
      clusterName: my-cluster
      git:
        syncBranch: 1.0.0
        secretType: ssh
        policyDir: "foo-corp"
      # Set to true to install and enable Config Connector
      configConnector:
        enabled: true

  2. Apply the configuration using kubectl apply.

    kubectl apply -f config-management.yaml

The Pod is created but does not run until you configure the cnrm-system service account to manage Google Cloud resources in your project.

Configuring the cnrm-system service account

Before Anthos Config Management can create Google Cloud resources, Config Connector needs to authenticate using an Identity and Access Management service account.

  1. Create the cnrm-system service account:

    gcloud iam service-accounts create cnrm-system --project [PROJECT_ID]

  2. The service account has an automatically-generated email address associated with it. To get this email address, use the following command:

    gcloud iam service-accounts list | grep cnrm-system

    Use this value where you see [SERVICE_ACCOUNT_EMAIL] in the following commands.

  3. Grant the cnrm-system service account the roles and permissions required to configure the specific Google Cloud resources you need. This example grants the roles/owner role. roles/owner gives the service account full access to the project, so in practice bind only the roles needed for the resource types that Config Connector will manage:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
     --member "serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
     --role "roles/owner"

  4. Create a key for the service account, stored locally as key.json:

    gcloud iam service-accounts keys create \
     --iam-account "[SERVICE_ACCOUNT_EMAIL]" \
     ./key.json

  5. Inject the key into the cnrm-system namespace in the cluster:

    kubectl create secret generic gcp-key \
     --from-file ./key.json \
     --namespace cnrm-system

  6. Remove the local copy of the key, because it contains sensitive data:

    rm ./key.json

Config Connector can now manage Google Cloud resources by syncing configs stored in your repo to clusters enrolled in Anthos Config Management.
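
Steps 4 to 6 above can be combined so that the key is written to an owner-only temporary directory and removed even when kubectl fails. This is an added example, not part of the original documentation; the function name install_cnrm_key is hypothetical.

```shell
#!/bin/sh
# Added example: create the cnrm-system key, load it into the cluster, and
# make sure no copy stays on disk. install_cnrm_key is a hypothetical name.
# The body runs in a subshell "( ... )" so the umask and traps stay local.
install_cnrm_key() (
    sa_email=${1:-}
    [ -n "$sa_email" ] || {
        echo "usage: install_cnrm_key SERVICE_ACCOUNT_EMAIL" >&2
        exit 2
    }

    umask 077                       # temp dir and key.json are owner-only
    tmpdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmpdir"' EXIT    # runs on success and on every failure path
    trap 'exit 130' INT TERM        # turn signals into an exit so EXIT fires

    # Step 4: write the key inside the private directory, not the working dir.
    gcloud iam service-accounts keys create "$tmpdir/key.json" \
        --iam-account "$sa_email" || exit 1

    # Step 5: the file is still named key.json, so the Secret's data key
    # is the same as in the manual procedure.
    kubectl create secret generic gcp-key \
        --from-file "$tmpdir/key.json" \
        --namespace cnrm-system || exit 1

    # Step 6 happens in the EXIT trap.
)

# Usage: install_cnrm_key "[SERVICE_ACCOUNT_EMAIL]"
```

The key itself remains valid in IAM and is still stored in the gcp-key Secret, so access to the cnrm-system namespace needs to be restricted accordingly.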

Verifying the installation

If Config Connector is installed correctly, its Pod and CRD exist in the cluster.

  1. Verify that the Config Connector Pod is running:

    kubectl wait -n cnrm-system \
     --for=condition=Initialized pod \
     cnrm-controller-manager-0

    If Config Connector is installed correctly, the output is similar to the following:

    pod/cnrm-controller-manager-0 condition met

  2. Verify that CRDs for each supported Google Cloud resource type are installed in the cluster:

    kubectl get crds | grep

    If Config Connector is installed correctly, the command lists resources ending in, such as

Uninstalling Config Connector

To disable and uninstall Config Connector, edit the configuration file for Anthos Config Management and set the value of spec.configConnector.enabled to false.

The Config Connector Pod is stopped and removed and the CRDs for each Google Cloud resource type are removed. Existing Google Cloud resources are not modified.
