
Install Anthos Config Management

This page provides you with an overview of how to install and configure the Anthos Config Management components: Config Sync, Policy Controller, and Config Controller. To learn more about Anthos Config Management, see Anthos Config Management overview.

Supported platforms and versions

Config Sync, Policy Controller, and Config Controller are available for Anthos and Google Kubernetes Engine (GKE) users. For GKE users, there is an additional charge to use Policy Controller and Config Controller. To learn more, see Pricing.

For Anthos Config Management versioning and upgrade compatibility information, see Anthos version and upgrade support.

Enable Anthos Config Management

Before you can use Anthos Config Management components, you must enable the appropriate APIs and Anthos Config Management. To enable these features, complete the following steps:

Console

  1. In the Google Cloud console:
  2. Click Set up Config Management.
  3. To enable the Config Management API, click Next.

gcloud

  1. If you are an Anthos user, enable the Anthos API:

    gcloud services enable anthos.googleapis.com
    

    GKE users don't need to enable the Anthos API.

  2. To enable Anthos Config Management, run the following command:

    gcloud beta container fleet config-management enable
    

Set up Anthos Config Management components

Although the components are designed to work together, you can install each Anthos Config Management component as a standalone product. The following pages show you the different ways that you can set up and configure these components:

You can also take a quickstart that shows you a guided example of installing the Anthos Config Management components:

Upgrade Anthos Config Management

Policy Controller and Config Sync are upgraded whenever you upgrade Anthos Config Management. To learn more, see Upgrade Anthos Config Management.

RBAC and permissions

Anthos Config Management includes highly privileged workloads. The permissions for these workloads are covered in the following table.

| Component | Namespace | Service Account | Permissions | Description |
|---|---|---|---|---|
| Config Management Operator | config-management-system | config-management-operator | cluster-admin | Config Management Operator installs the other components in this table. Some of those components require cluster-admin permissions, so Config Management Operator requires them as well. |
| Policy Controller | gatekeeper-system | | | See the Policy Controller overview for required permissions. |
| Config Sync | config-management-system | | | See the Config Sync overview for required permissions. |
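
Because the operator's service account holds cluster-admin, it is worth checking periodically that no other subject has picked up the same role. The following is an added example, not part of the Anthos documentation: it audits ClusterRoleBinding JSON against the expected holder from the table above. The sample input, the binding names, and the `ci-deployer` account are constructed for illustration.

```python
import json

# Expected cluster-admin holder, taken from the RBAC table on this page.
EXPECTED = {("ServiceAccount", "config-management-system", "config-management-operator")}

# Constructed sample shaped like `kubectl get clusterrolebindings -o json` output.
# Binding names and the "ci-deployer" account are made up for illustration.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "sample-operator-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount",
                       "namespace": "config-management-system",
                       "name": "config-management-operator"}]},
        {"metadata": {"name": "sample-ci-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "namespace": "default",
                       "name": "ci-deployer"}]},
        {"metadata": {"name": "sample-view-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        # A binding without subjects grants nothing; the key may be absent.
        {"metadata": {"name": "sample-empty-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    ]
})


def audit_cluster_admin(bindings_json, expected=EXPECTED):
    """Return (found_expected, unexpected) for cluster-admin ClusterRoleBindings."""
    found, unexpected = set(), []
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue  # only bindings that grant cluster-admin are of interest
        for s in item.get("subjects") or []:
            key = (s.get("kind"), s.get("namespace", ""), s.get("name"))
            if key in expected:
                found.add(key)
            else:
                unexpected.append((item["metadata"]["name"],) + key)
    return found, unexpected


if __name__ == "__main__":
    found, unexpected = audit_cluster_admin(SAMPLE)
    print("missing:", EXPECTED - found, "review:", unexpected)
```

On a real cluster, pass the output of `kubectl get clusterrolebindings -o json` and extend `expected` with subjects you have deliberately approved, such as the built-in `system:masters` group.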

Resource requests

The following table lists Kubernetes resource requirements for Anthos Config Management components for each supported version. For more information, see Managing Resources for Containers in the Kubernetes documentation.

1.14

| Component | CPU | Memory |
|---|---|---|
| Config Management Operator | 100m | 100Mi |
| Policy Controller | 100m | 256Mi |
| Config Sync | 330m + 80m * (number of RootSync and RepoSync objects) | 850Mi + 600Mi * (number of RootSync and RepoSync objects) |

1.13

| Component | CPU | Memory |
|---|---|---|
| Config Management Operator | 100m | 100Mi |
| Policy Controller | 100m | 256Mi |
| Config Sync | 330m + 80m * (number of RootSync and RepoSync objects) | 850Mi + 600Mi * (number of RootSync and RepoSync objects) |

1.12

| Component | CPU | Memory |
|---|---|---|
| Config Management Operator | 100m | 100Mi |
| Policy Controller | 100m | 256Mi |
| Config Sync | 330m + 80m * (number of RootSync and RepoSync objects) | 700Mi + 600Mi * (number of RootSync and RepoSync objects) |

For a breakdown of Config Sync resource requests by component, see Resource requests in the Config Sync installation page.
