Using the nomos command

The nomos command (nomos.exe on Windows) is an optional command-line tool you can install locally, such as on a workstation or laptop. You can use the nomos command to interact with the Config Management Operator, check the syntax of configs before you commit them to your repo, and debug problems with Anthos Config Management, your cluster, or your repo.


Before you can use the nomos command to interact with a cluster, the Operator must already be installed on the target cluster, and the kubectl command must be configured to authenticate to the target cluster. See Installing Anthos Config Management for more information.

Installing the nomos command

The nomos command is a binary compiled from Go code. It is optional and is not included in a default Anthos Config Management installation.

To download the nomos command for each version of Anthos Config Management, see Downloads.

Note: Anthos Config Management requires an active Anthos entitlement. Otherwise, the download fails with a 404 File not found error.
For more information, see Pricing for Anthos.

Extra steps for macOS and Linux clients

After downloading the binary, configure it to be executable:

chmod +x /path/to/nomos

You can move the command to a location your system searches for binaries, such as /usr/local/bin, or you can run the command by using its fully-qualified path.

Basic usage

The nomos and nomos.exe commands include sub-commands to initialize your repo, check for syntax errors, get the status of each enrolled cluster, and view your repo as a series of CustomResourceDefinitions.

For basic command syntax, use the --help argument:

nomos --help

The nomos command reads from the local clone of your repo. Use the --path flag to specify the location of the top level of the repo. By default, --path is set to ., or the current directory.

nomos --path=path/to/your/repo status

Checking installation status

You can check if Anthos Config Management is properly installed and configured on all of your clusters using the nomos status command. It reports any errors that prevent Anthos Config Management from running. For example:

nomos status
Context             Status           Last Synced Token
-------             ------           -----------------
managed-cluster-1   NOT INSTALLED
managed-cluster-2   NOT CONFIGURED
managed-cluster-3   SYNCED           f52a11e4

Config Management Errors:
managed-cluster-2   missing git-creds Secret

In this output, Anthos Config Management is not installed on managed-cluster-1. It is installed but not configured on managed-cluster-2. It is installed and running correctly on managed-cluster-3.

In addition, the reason managed-cluster-2 is not configured is that the git-creds Secret is not present.

Initializing a new repo

To initialize a new Anthos Config Management repo, create an empty directory, change to it, initialize a new Git repository, then run the nomos init command:

mkdir my-repo
cd my-repo
git init
nomos init

This creates the basic directory structure of your repo, including the system/, cluster/, and namespaces/ directories.

Checking for errors in the repo

Before you commit a config to the repo, use the nomos vet command to check the syntax and validity of the configs in your repo:

nomos vet

If syntax errors are found, the nomos vet command exits with a non-zero status and logs error messages to STDERR.

If nomos vet is unable to determine if the type is namespaced, nomos connects to the API Server. Because nomos understands core Kubernetes types and Anthos Config Management CRDs, it only tries to connect to the API Server if there are CRs which have no corresponding declared CRD. In this case, if the API Server does not have the CRD applied, nomos vet returns an error. To disable this check and suppress errors from missing CRDs, pass the --no-api-server-check flag.

Automatically checking for syntax errors when committing

If you commit a file with JSON or YAML errors Anthos Config Management does not apply the change. However, you can prevent these types of errors from ever getting into the repo by using client-side or server-side hooks.

Using nomos vet in a Git pre-commit hook

You can configure a pre-commit hook that runs nomos vet to check for syntax errors when you commit a change to the local Git clone of your repo. If a pre-commit hook exits with a non-zero status, the git commit operation fails.

To run the nomos vet command as a pre-commit hook, edit the .git/hooks/pre-commit file in your repo (notice that .git starts with a . character). You may need to create the file manually. Add the nomos vet command to a new line in the script. The --path argument is optional.

nomos vet --path=/path/to/repo

Ensure that the pre-commit file is executable:

chmod +x .git/hooks/pre-commit

Now, when you run a git commit command in the clone of your repo, nomos vet runs automatically.

The contents of the repo's .git/ directory are not tracked by the repo itself, and cannot be committed to the repo in the same location. You can create a directory in the repo for Git hooks, and people who use the repo can copy the hooks into the appropriate place in their local clone.

Using nomos vet in a server-side hook

Git provides a mechanism for running checks at the server, rather than the client, during a git push operation. If the check fails, the git push also fails. These server-side hooks cannot be bypassed by the client. The method for configuring server-side hooks depends on how your Git server is hosted. See one of the following links for more information, or check the documentation for your Git hosting service.

Viewing the result of all configs in the repo

You can use the nomos hydrate command to view the combined contents of your repo on each enrolled cluster.

If you run nomos hydrate with no options, it creates a compiled/ directory in the current working directory. Within that directory, a subdirectory is created for each enrolled cluster, with the fully-resolved configs the Operator would apply to the cluster.

You can specify the name of the output directory by providing a directory path as the command's argument:

nomos hydrate [/path/to/directory]

To limit the output to a single cluster or a list of clusters, use the --clusters flag and supply a comma-separated list of cluster names.

To emulate the behavior of nomos view and save the effective configuration to a single file, use the --flat flag.

For more information, use the --help flag:

nomos hydrate --flat

nomos view

When Anthos Config Management imports configs from the repo, it converts them to CustomResourceDefinitions (CRDs) of type ClusterConfig or NamespaceConfig. The nomos view command allows you to view the CRDs resulting from the current state of your repo in JSON format. This can be useful before you commit your change, or to debug issues with configs that are not obvious by using the nomos vet command.

nomos view --path=/path/to/your/repo

Check for errors on your clusters

Whenever you push a Git commit to the repo, the Operator detects the change and applies the new configurations to all enrolled clusters. You can monitor the status of Anthos Config Management on all enrolled clusters using the nomos status command. For each cluster it reports the hash of the Git commit that was last applied to the cluster as well as any errors that have occurred while trying to apply any recent changes. For example:

nomos status
Context                 Status      Last Synced Token
-------                 ------      -----------------
managed-cluster-1       SYNCED      f52a11e4
managed-cluster-2       PENDING     9edf8444
managed-cluster-3       ERROR       9edf8444
managed-cluster-4       NOT INSTALLED
managed-cluster-5       SYNCED      f52a11e4

Config Management Errors:
managed-cluster-3       KNV1021: No CustomResourceDefinition is defined for the resource in the cluster.

You can see that two of the clusters have synced the most recent change, one cluster is still syncing, and one cluster has an error that has prevented the change from being applied. In this case it appears that managed-cluster-3 is missing a CRD that the other clusters have installed.

By default the nomos status command will print the status for each cluster and then exit. However you can use the poll flag to run the command continuously and have it reprint the status table at a regular interval:

nomos status --poll 2s

About Last Synced Token

nomos status displays the most recent Git commit hash that was applied to the cluster in its output under Last Synced Token. To obtain this value, query the Repo object and look at the status.sync field:

kubectl get -o yaml
apiVersion: v1
kind: Repo
- status:
      lastUpdate: "2019-09-26T10:17:57Z"
      latestToken: f1739af550912034139aca51e382dc50c4036ae0

This commit represents the most recent commit against the cluster. However, not every namespace in the cluster is affected by each commit; to see the most recent commit in a particular namespace, query the particular NamespaceConfig object and look at the status field. For example:

kubectl get my-namespace -o yaml
kind: NamespaceConfig
  syncState: synced
      lastUpdate: "2019-09-26T08:24:32Z"
      latestToken: 1850bad9419d3baec8af220c15d5e952dbeb3b25

Even though a namespace may be affected by a commit, not every resource in the namespace may have been affected. To find the most recently-synced commit for a specific resource, query the specific resource and look at For example:

kubectl get my-role-binding -o yaml
kind: ClusterRoleBinding
  annotations: e56b09554ca8004a2c38185a4ed11364fd6986c4

Creating a bug report

If you have a problem with Anthos Config Management that requires help from Google Cloud support, you can provide them valuable debug information using the nomos bugreport command.

nomos bugreport

This command generates a timestamped zip file with information on the Kubernetes cluster set in your kubectl context.

The file contains logs from Anthos Config Management Pods. It does not contain information from the resources synced with Anthos Config Management.


On Linux, you may see the following error when executing a nomos command:

failed to create client configs: while getting config path: failed to get current user: user: Current not implemented on linux/amd64

Create a USER environment variable to fix this problem:

export USER=$(whoami)

What's next?