Config Connector is a Kubernetes addon that allows you to manage your Google Cloud resources through Kubernetes configuration. With Anthos Config Management, Anthos users can install and uninstall Config Connector automatically.
Before you begin
You must have an Anthos entitlement to install Config Connector using Anthos Config Management. If you do not have an Anthos entitlement, you must use one of the alternative installation methods for Config Connector instead of following the instructions in this topic.
You must upgrade Anthos Config Management to v1.1.0 or higher before following these instructions.
You must have a cluster where Config Connector is not installed.
Installing Config Connector using Anthos Config Management
To install Config Connector using Anthos Config Management, you configure Anthos Config Management to install Config Connector on one of your clusters, then configure the cnrm-system service account.
Configuring Anthos Config Management
Set the value of spec.configConnector.enabled to true in the Anthos Config Management configuration file:

```yaml
# config-management.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  # Set to true to install and enable Config Connector
  configConnector:
    enabled: true
  # ...other fields...
```
Apply the configuration using kubectl apply:

```shell
kubectl apply -f config-management.yaml
```
The Pod is created but does not run until you configure the cnrm-system service account to manage Google Cloud resources in your project. Applying the configuration also creates the cnrm-system namespace, which you can then annotate.
Configuring the cnrm-system service account
Before Anthos Config Management can create Google Cloud resources, Config Connector needs to authenticate using an Identity and Access Management service account.
Create the cnrm-system service account:

```shell
gcloud iam service-accounts create cnrm-system --project [PROJECT_ID]
```
The service account has an automatically generated email address associated with it. To get this email address, use the following command:

```shell
gcloud iam service-accounts list | grep cnrm-system
```

Use this value where you see [SERVICE_ACCOUNT_EMAIL] in the following commands.
Grant the cnrm-system service account the roles and permissions required to configure the specific Google Cloud resources you need. This example grants the roles/owner role:

```shell
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member "serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
  --role "roles/owner"
```
Create a key for the service account, stored locally as key.json:

```shell
gcloud iam service-accounts keys create \
  --iam-account "[SERVICE_ACCOUNT_EMAIL]" \
  ./key.json
```
Inject the key into the cnrm-system namespace in the cluster:

```shell
kubectl create secret generic gcp-key \
  --from-file ./key.json \
  --namespace cnrm-system
```

Remove the local copy of the key, because it contains sensitive data:

```shell
rm ./key.json
```
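The service-account steps above as one added script; this is example code, not part of the Config Connector documentation. It derives the service account email from the project ID instead of grepping for it, keeps the downloaded key in a mode-0600 temporary file that is removed on exit whether or not the later steps succeed, and takes the granted role as a parameter so a narrower role than roles/owner can be used. It assumes gcloud and kubectl are installed and authenticated against the target project and cluster.

```shell
#!/bin/sh
# Added example, not from the Config Connector docs: runs the cnrm-system
# service account steps end to end. Assumes gcloud and kubectl are
# installed and authenticated for the target project and cluster.
set -eu

SA_NAME="cnrm-system"

# Service account email addresses follow a fixed pattern, so the address can
# be derived from the project ID instead of grepped out of a listing.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$1"
}

# IAM member string expected by `gcloud projects add-iam-policy-binding`.
sa_member() {
  printf 'serviceAccount:%s\n' "$(sa_email "$1")"
}

# Usage: setup_cnrm_system PROJECT_ID [ROLE]
# ROLE defaults to the page's example, roles/owner; pass a narrower role
# covering only the resource types Config Connector will manage.
setup_cnrm_system() {
  project="$1"
  role="${2:-roles/owner}"
  # mktemp creates the key file with mode 0600; the EXIT trap removes it even
  # if a later step fails, so no copy of the key is left on disk.
  keyfile="$(mktemp "${TMPDIR:-/tmp}/cnrm-key.XXXXXX")"
  trap 'rm -f "$keyfile"' EXIT

  gcloud iam service-accounts create "$SA_NAME" --project "$project"
  gcloud projects add-iam-policy-binding "$project" \
    --member "$(sa_member "$project")" --role "$role"
  gcloud iam service-accounts keys create "$keyfile" \
    --iam-account "$(sa_email "$project")"
  # Keep the secret's data key named key.json, as in the manual step, even
  # though the temporary file has a different name.
  kubectl create secret generic gcp-key \
    --from-file "key.json=$keyfile" --namespace cnrm-system
}

# Run only when invoked directly with a project ID.
if [ "$#" -gt 0 ]; then
  setup_cnrm_system "$@"
fi
```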
Config Connector can now manage Google Cloud resources by syncing configs stored in your repo to clusters enrolled in Anthos Config Management.
Specifying where to create your resources
Before creating resources with Anthos Config Management, you must configure where to create your resources. To determine where to create the resource, Config Connector uses an annotation on either the resource configuration or the namespace. For more information, see Organizing resources.
You can create resources in a project, folder, or organization, which is the same way you would organize resources with Google Cloud.
Project
To create resources in a certain project, run the following command, replacing [NAMESPACE_NAME] with your namespace name and [PROJECT_ID] with your Google Cloud project ID:
```shell
kubectl annotate namespace \
  [NAMESPACE_NAME] cnrm.cloud.google.com/project-id=[PROJECT_ID]
```
Folder
To create resources in a certain folder, run the following command, replacing [NAMESPACE_NAME] with your namespace name and [FOLDER_ID] with your Google Cloud folder ID:
```shell
kubectl annotate namespace \
  [NAMESPACE_NAME] cnrm.cloud.google.com/folder-id=[FOLDER_ID]
```
Organization
To create resources in a certain organization, run the following command, replacing [NAMESPACE_NAME] with your namespace name and [ORGANIZATION_ID] with your Google Cloud organization ID:
```shell
kubectl annotate namespace \
  [NAMESPACE_NAME] cnrm.cloud.google.com/organization-id=[ORGANIZATION_ID]
```
When you annotate your namespace, Config Connector creates resources in the corresponding project, folder or organization. To learn more about how Config Connector uses Kubernetes namespaces, see Kubernetes Namespaces and Google Cloud projects.
Verifying the installation
If Config Connector is installed correctly, its Pod and CRDs exist in the cluster.
Verify that the Config Connector Pod is running:

```shell
kubectl wait -n cnrm-system \
  --for=condition=Initialized pod \
  cnrm-controller-manager-0
```

If Config Connector is installed correctly, the output is similar to the following:

```
pod/cnrm-controller-manager-0 condition met
```
Verify that CRDs for each supported Google Cloud resource type are installed in the cluster:

```shell
kubectl get crds | grep cnrm.cloud.google.com
```

If Config Connector is installed correctly, the command lists resources ending in .cnrm.cloud.google.com, such as bigquerydatasets.bigquery.cnrm.cloud.google.com.
Uninstalling Config Connector
To disable and uninstall Config Connector, edit the configuration file for Anthos Config Management and set the value of spec.configConnector.enabled to false. The Config Connector Pod is stopped and removed, and the CRDs for each Google Cloud resource type are removed. Existing Google Cloud resources are not modified.
What's next
- Learn more about Config Connector
- Learn about configuring Google Cloud resources using Anthos Config Management