Install Anthos Config Management
This page provides an overview of the different ways to install and configure Anthos Config Management's components: Config Sync, Policy Controller, and Config Controller.
Choose which Anthos Config Management components to use
Config Sync, Policy Controller, and Config Controller are designed to work together. However, you can install each as a standalone product or install a sub-set of components. For example, you might want to install only Config Sync to continuously sync your cluster configurations with a Git repository. Or you might want to install Config Controller to get the full benefit of a GitOps workflow because it also includes Policy Controller and Config Sync.
The following pages show you the different ways that you can set up and configure individual components:
The following quickstarts show you different ways to install Anthos Config Management components:
- To take the quickstart for Config Sync, see Sync configs from a repository.
- To take the quickstart for Policy Controller and Config Sync, see Configure a cluster with Anthos Config Management.
- To take the quickstart for a Config Controller instance, see Manage resources with Config Controller.
Anthos Config Management supported platforms and versions
Config Sync, Policy Controller, and Config Controller are available for Anthos. To learn more, see Pricing.
For Anthos Config Management versioning and upgrade compatibility information, see Anthos version and upgrade support.
Anthos Config Management role-based access controls (RBAC) and permissions
Anthos Config Management includes highly-privileged workloads. The following table lists permissions for these workloads:
| Component | Namespace | Service Account | Permissions | Description |
|---|---|---|---|---|
| Config Management Operator | config-management-system |
config-management-operator |
cluster-admin | Config Management Operator installs the other components in this table. Some of those components require cluster-admin permissions, so Config Management Operator requires them as well. |
| Policy Controller | gatekeeper-system |
See the Open Policy Agent Gatekeeper documentation for workload permissions. | ||
| Config Sync | config-management-system |
See Config Sync permissions for required permissions. |
Anthos Config Management resource requests
The following table lists Kubernetes resource requirements for Anthos Config Management components for each supported version.
1.16
| Component | CPU | Memory |
|---|---|---|
| Config Management Operator | 100 m | 100 Mi |
| Policy Controller | 100 m | 256 Mi |
| Config Sync | 330 m + 80 m * (number of RootSync and RepoSync objects) | 850 Mi + 600 Mi * (number of RootSync and RepoSync objects) |
1.15
| Component | CPU | Memory |
|---|---|---|
| Config Management Operator | 100 m | 100 Mi |
| Policy Controller | 100 m | 256 Mi |
| Config Sync | 330 m + 80 m * (number of RootSync and RepoSync objects) | 850 Mi + 600 Mi * (number of RootSync and RepoSync objects) |
1.14
| Component | CPU | Memory |
|---|---|---|
| Config Management Operator | 100 m | 100 Mi |
| Policy Controller | 100 m | 256 Mi |
| Config Sync | 330 m + 80 m * (number of RootSync and RepoSync objects) | 850 Mi + 600 Mi * (number of RootSync and RepoSync objects) |
For a breakdown of Config Sync resource requests by component, see Resource requests in the Config Sync installation page.
What's next
- Learn about Best practices for policy management with Anthos Config Management and GitLab.
- Take a tutorial about Safe rollouts with Anthos Config Management.