Installing Config Connector

Config Connector is a Kubernetes addon that allows you to manage your Google Cloud resources through Kubernetes configuration. With Anthos Config Management, Anthos users can install and uninstall Config Connector automatically.

Before you begin

  • You must have an Anthos entitlement to install Config Connector using Anthos Config Management. If you do not have an Anthos entitlement, you must use one of the alternative installation methods for Config Connector instead of following the instructions in this topic.

  • You must upgrade Anthos Config Management to v1.1.0 or higher before following these instructions.

  • You must have a cluster where Config Connector is not installed.

Installing Config Connector using Anthos Config Management

To install Config Connector using Anthos Config Management, you configure Anthos Config Management to install Config Connector on one of your clusters, then configure the cnrm-system service account.

Configuring Anthos Config Management

  1. Set the value of spec.configConnector.enabled to true in the Operator configuration file:

    # config-management.yaml
    
    apiVersion: configmanagement.gke.io/v1
    kind: ConfigManagement
    metadata:
      name: config-management
    spec:
      # Set to true to install and enable Config Connector
      configConnector:
        enabled: true
    
      # ...other fields...
    
  2. Apply the configuration using kubectl apply.

    kubectl apply -f config-management.yaml
    

The Pod is created but does not run until you configure the cnrm-system service account to manage Google Cloud resources in your project.

Applying the configuration also creates the cnrm-system namespace which you can then annotate.

Configuring the cnrm-system service account

Before Anthos Config Management can create Google Cloud resources, Config Connector needs to authenticate using an Identity and Access Management service account.

  1. Create the cnrm-system service account:

    gcloud iam service-accounts create cnrm-system --project [PROJECT_ID]
    
  2. The service account has an automatically-generated email address associated with it, of the form cnrm-system@[PROJECT_ID].iam.gserviceaccount.com. To confirm it, list the project's service accounts and look for cnrm-system:

    gcloud iam service-accounts list --project [PROJECT_ID] | grep cnrm-system
    

    Use this value where you see [SERVICE_ACCOUNT_EMAIL] in the following commands. If the grep matches more than one line, copy the account you created in step 1, not another account whose name or description happens to contain cnrm-system.

  3. Grant the cnrm-system service account the roles required to configure the specific Google Cloud resources you need. This example grants the roles/owner role, which is convenient for a test cluster but far broader than most deployments need. In production, grant only the predefined roles for the resource types you intend to manage (for example roles/pubsub.admin if the cluster only manages Pub/Sub resources), because anyone who can create Config Connector resources in the cluster acts with whatever permissions this service account holds:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
     --member "serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
     --role "roles/owner"
    
    
  4. Create a key for the service account, stored locally as key.json:

    gcloud iam service-accounts keys create \
     --iam-account "[SERVICE_ACCOUNT_EMAIL]" \
     ./key.json
    
  5. Inject the key into the cnrm-system namespace in the cluster as a Secret named gcp-key, keeping the file name key.json so that the Secret's data key is also key.json:

    kubectl create secret generic gcp-key \
     --from-file ./key.json \
     --namespace cnrm-system
    

    A Secret holds the key base64-encoded, not encrypted, unless encryption of Secrets at rest is enabled on the cluster, and anyone who can read Secrets in the cnrm-system namespace can use it with the roles you granted in step 3. Restrict RBAC access to that namespace accordingly.
  6. Remove the local copy of the key, because it contains sensitive data:

    rm ./key.json
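The six steps above combined into one shell function, as an added example rather than code from the Config Connector documentation or the project. It derives the service account email instead of grepping for it, binds a narrower example set of roles than roles/owner, and writes the key only to a 0600 temporary file that is removed even when the Secret cannot be created. The project ID format check, the default roles, and the DRY_RUN=1 mode that prints each gcloud and kubectl command instead of running it are assumptions of this example, not part of the original procedure.

```shell
#!/usr/bin/env bash
# Added example, not from the Config Connector docs: the six service-account
# steps as one function. Assumptions not on the original page: the project ID
# format check, the narrower default roles, and DRY_RUN=1, which prints each
# gcloud/kubectl command instead of running it.
set -eu

# run: execute a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# cnrm_sa_email PROJECT_ID: the email gcloud assigns is deterministic, so derive
# it instead of grepping the account list (grep would also match any other
# account whose name or description contains "cnrm-system").
cnrm_sa_email() { printf 'cnrm-system@%s.iam.gserviceaccount.com\n' "$1"; }

# valid_project_id ID: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'; }

# setup_cnrm_sa PROJECT_ID [ROLE ...]
# Creates the cnrm-system account, binds each ROLE (default: an illustrative
# least-privilege pair instead of roles/owner), loads a freshly created key into
# Secret gcp-key in the cnrm-system namespace and deletes the local key file.
# Prints the service account email on success.
setup_cnrm_sa() {
  local project email role keyfile
  project="$1"; shift
  valid_project_id "$project" || { echo "invalid project id: $project" >&2; return 1; }
  email="$(cnrm_sa_email "$project")"
  # Default roles assume the cluster only manages Pub/Sub and Cloud Storage
  # resources (an assumption of this example); use the roles your types need.
  [ $# -gt 0 ] || set -- roles/pubsub.admin roles/storage.admin

  run gcloud iam service-accounts create cnrm-system --project "$project"
  for role in "$@"; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:${email}" --role "$role"
  done

  # mktemp creates the file with mode 0600, so the key is never world-readable.
  keyfile="$(mktemp)"
  run gcloud iam service-accounts keys create --iam-account "$email" "$keyfile"
  # Store the file under the data key "key.json", matching --from-file ./key.json
  # in step 5. Remove the key file whether or not the Secret is created.
  if ! run kubectl create secret generic gcp-key \
      --from-file "key.json=${keyfile}" --namespace cnrm-system; then
    rm -f "$keyfile"
    echo "secret creation failed; local key file removed" >&2
    return 1
  fi
  rm -f "$keyfile"
  printf '%s\n' "$email"
}
```

Run `DRY_RUN=1 setup_cnrm_sa my-project` first to review the exact commands, then run it without DRY_RUN using an identity that holds IAM admin rights on the project and can create Secrets in cnrm-system.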
    

Config Connector can now manage Google Cloud resources by syncing configs stored in your repo to clusters enrolled in Anthos Config Management.

Specifying where to create your resources

Before creating resources with Anthos Config Management, you must configure where to create your resources. To determine where to create the resource, Config Connector uses an annotation on either the resource configuration or the namespace. For more information, see Organizing resources.

You can create resources in a project, folder, or organization, which is the same way you would organize resources with Google Cloud.

Project

To create resources in a certain project, run the following command, replacing [NAMESPACE_NAME] with your namespace name and [PROJECT_ID] with your Google Cloud project ID:

kubectl annotate namespace \
[NAMESPACE_NAME] cnrm.cloud.google.com/project-id=[PROJECT_ID]

Folder

To create resources in a certain folder, run the following command, replacing [NAMESPACE_NAME] with your namespace name and [FOLDER_ID] with your Google Cloud folder ID:

kubectl annotate namespace \
[NAMESPACE_NAME] cnrm.cloud.google.com/folder-id=[FOLDER_ID]

Organization

To create resources in a certain organization, run the following command, replacing [NAMESPACE_NAME] with your namespace name and [ORGANIZATION_ID] with your Google Cloud organization ID:

kubectl annotate namespace \
[NAMESPACE_NAME] cnrm.cloud.google.com/organization-id=[ORGANIZATION_ID]
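The three annotation commands above collapsed into one function, as an added example rather than code from the Config Connector documentation. The annotation keys are the ones shown above; the check that the ID has the right shape for its kind (a lowercase project ID, a numeric folder or organization ID) and the DRY_RUN=1 mode that prints the kubectl command instead of running it are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Config Connector docs: one function for the three
# namespace annotation commands. The ID format checks are our assumption about
# Google Cloud identifiers (project IDs are 6-30 lowercase chars, folder and
# organization IDs are numeric); DRY_RUN=1 only prints the kubectl command.
set -eu

# run: execute a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# set_cnrm_scope NAMESPACE KIND ID
# KIND is one of project, folder, organization. Unknown kinds and malformed IDs
# are rejected before the cluster is touched. kubectl annotate is deliberately
# run without --overwrite: if the namespace already carries that annotation the
# command fails instead of silently re-pointing existing configs at a different
# parent.
set_cnrm_scope() {
  local ns kind id
  ns="$1"; kind="$2"; id="$3"
  case "$kind" in
    project)
      printf '%s' "$id" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$' \
        || { echo "invalid project id: $id" >&2; return 1; } ;;
    folder|organization)
      printf '%s' "$id" | grep -Eq '^[0-9]+$' \
        || { echo "invalid $kind id (must be numeric): $id" >&2; return 1; } ;;
    *)
      echo "kind must be project, folder or organization: $kind" >&2; return 1 ;;
  esac
  run kubectl annotate namespace "$ns" "cnrm.cloud.google.com/${kind}-id=${id}"
}
```

Because a namespace can carry only one of the three annotations, call this once per namespace; if you need to move a namespace to a different parent, remove the old annotation explicitly first rather than adding --overwrite.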

When you annotate your namespace, Config Connector creates resources in the corresponding project, folder or organization. To learn more about how Config Connector uses Kubernetes namespaces, see Kubernetes Namespaces and Google Cloud projects.

Verifying the installation

If Config Connector is installed correctly, its Pod and CRDs exist in the cluster.

  1. Verify that the Config Connector Pod is running:

    kubectl wait -n cnrm-system \
     --for=condition=Initialized pod \
     cnrm-controller-manager-0
    

    If Config Connector is installed correctly, the output is similar to the following:

    pod/cnrm-controller-manager-0 condition met

  2. Verify that CRDs for each supported Google Cloud resource type are installed in the cluster:

    kubectl get crds | grep cnrm.cloud.google.com
    

    If Config Connector is installed correctly, the command lists resources ending in .cnrm.cloud.google.com, such as bigquerydatasets.bigquery.cnrm.cloud.google.com.

Uninstalling Config Connector

To disable and uninstall Config Connector, edit the configuration file for Anthos Config Management and set the value of spec.configConnector.enabled to false.

The Config Connector Pod is stopped and removed and the CRDs for each Google Cloud resource type are removed. Existing Google Cloud resources are not modified: they keep running, and incurring charges, until you delete them yourself. The cnrm-system service account and its key also remain in your project; remove them with gcloud once nothing else depends on them.

What's next