This page provides you with an overview of how to install and configure the Anthos Config Management components; Config Sync, Policy Controller, and Config Controller. To learn more about Anthos Config Management, see Anthos Config Management overview.
Supported platforms and versions
Config Sync, Policy Controller, and Config Controller are available for Anthos and Google Kubernetes Engine (GKE) users. For GKE users, there is an additional charge to use Policy Controller and Config Controller. To learn more, see Pricing.
For Anthos Config Management versioning and upgrade compatibility information, see Anthos version and upgrade support.
Enable Anthos Config Management
Before you can use Anthos Config Management components, you must enable the appropriate APIs and Anthos Config Management. To enable these features, complete the following steps:
If you are an Anthos user, enable the Anthos API:
gcloud services enable anthos.googleapis.com
GKE users don't need to enable the Anthos API.
To enable Anthos Config Management, run the following command:
gcloud beta container hub config-management enable
Set up Anthos Config Management components
Although the components are designed to work together, you can install each Anthos Config Management component as a standalone product. The following pages show you the different ways that you can set up and configure these components:
Example: Install Config Sync and Policy Controller
Whether you use Anthos or GKE, you can install and configure Config Sync and Policy Controller using the Google Cloud Console. This process automates and simplifies many of the installation options. The following sections walk you through this installation method.
Before you begin
Before you complete the exercises in the following sections, ensure that you have completed the following tasks:
- Create, or make sure you have access to, a Git repository. Your Git repository can store your configs and constraint templates.
- Create, or make sure you have access to, a cluster that is on an Anthos supported platform and version.
- Create, or make sure you have access to, a GKE cluster that meets the requirements for Config Sync.
Install Config Sync and Policy Controller
Complete the following sections to install Config Sync and Policy Controller.
Register your clusters
To register your clusters, complete the following tasks:
In the Cloud Console:
Click New Setup.
In the Select registered clusters for Config Management page, locate the Unregistered clusters from this project table, and find the cluster that you want to register.
Click Register next to the cluster that you want to register.
After the cluster is successfully registered, it appears in the Select registered clusters for Config Management table.
Configure Config Sync and Policy Controller
Once you have registered your clusters, you can continue on to install and configure Config Sync and Policy Controller in one continuous workflow.
To install Config Sync, complete the following steps:
- Select the cluster that you want to configure, and select Next.
- Optional: In the Config Sync page that appears, select the Anthos Config Management Version that you want to use. The default is the current version.
- In the Configurations section, leave the Enable Config Sync checkbox selected.
- In the URL field, add the URL of the Git repository to use as the
source of truth. You can enter URLs using either the HTTPS or SSH protocol.
https://github.com/GoogleCloudPlatform/anthos-config-management-samplesuses the HTTPS protocol. If you don't enter a protocol, the URL is treated as an HTTPS URL.
In the Authentication type drop-down list, select the one of the following options:
- None: Use no authentication.
- SSH: Use an SSH key pair.
- Cookiefile: Use a
- Token: Use a token.
- Google Cloud Repository: Use a Google service account to access a Cloud Source Repositories repository. Only select this option if Workload Identity is not enabled in your cluster.
- Workload Identity: Use a Google service account to access a
Cloud Source Repositories repository. When you select
Workload Identity, you need to add your Google service
account email address. For example,
acm@PROJECT_ID.iam.gserviceaccount.com. If you select this authentication type, you also need to create an IAM policy binding after you finish configuring Config Sync. For details, see the Google service account tab of Grant Config Sync read-only access to Git.
Follow the instructions in the Google Cloud Console to grant Config Sync read-only access to Git and click Continue.
Optional: In the Branch field, add the branch of the repository to sync from. The default is the master branch.
Optional: In the Tag/Commit field, add the Git revision (tag or hash) to check out. The default is
Optional: In the Policy directory field, add the path within the repository to the top of the policy hierarchy to sync. The default is the root directory of the repository.
Optional: In the Sync wait field, add the period in seconds between consecutive syncs. The default is 15 seconds.
Optional: In the Git proxy field, enter the URL for the HTTPS proxy to be used when communicating with the Git repository. This is an optional field, and if it's left blank, no proxy is used.
Optional: In the Source format field, choose either unstructured or hierarchy. The default is unstructured and we recommend that you select unstructured as this format lets you organize your configs in the way that is most convenient to you.
Click Next to begin the Policy Controller installation.
To install Policy Controller, complete the following steps:
- In the Policy Controller page, leave the Enable Policy Controller checkbox selected.
- Optional: To install a library of constraint templates for common policy types, leave the Install default template library checkbox selected.
- Optional: In the Audit interval field, select the period in seconds between consecutive syncs. The default is 60 seconds and if you set the audit interval to 0, auditing is disabled.
- Optional: In the Exempt namespaces field, provide a list of namespaces. Objects in these namespaces are ignored by all policies. The namespaces do not need to currently exist.
- Optional: To enable referential constraints, select the Enable the ability to use Constraint Templates that reference objects other than the object currently being evaluated checkbox.
Click Complete. You are taken back to the Config Management page.
After a few minutes, you should see Synced in the Config Sync status column and Installed in the Policy Controller status column next to the clusters that you configured. If you see Error in the Config Sync column, click the word Error for more information.
Upgrade Anthos Config Management
Policy Controller and Config Sync are upgraded whenever you upgrade Anthos Config Management. To learn more, see Upgrade Anthos Config Management.
The following table lists Kubernetes resource requirements for Anthos Config Management components. For more information, see Managing Resources for Containers in the Kubernetes documentation.
|Config Management Operator||100m||20Mi|
|Config Sync (default mode)||240 m + 80 m * (number of RootSync and RepoSync objects)||620 Mi + 210 Mi * (number of RootSync and RepoSync objects)|
For a breakdown of Config Sync resource requests by component, see Resource requests in the Config Sync installation page.
- Learn about Best practices for policy management with Anthos Config Management and GitLab.
- Take a tutorial about Safe rollouts with Anthos Config Management.