Anthos Config Management is a service for configuration and policy management that combines three components: Policy Controller, Config Sync, and Config Controller. Together, these components make it possible for Anthos Config Management to continuously protect and configure your Google Cloud and Kubernetes resources, as shown in the following diagram:
Since Anthos Config Management automatically synchronizes configurations and applies policies across multiple clusters, it provides you with a number of benefits:
- Simplify management: Anthos Config Management lets you define and deploy configurations and policies across environments, without having to build your own toolchain from scratch.
- Consistent configurations and policy management: Anthos Config Management provides an auditable and version-controlled system that manages the configuration of your organization's clusters.
- Scalable across environments: Anthos Config Management centralizes the configuration and governance across environments, creating a scalable, automated, and reliable method for managing complex modern systems in production.
- Secure and compliant: With Anthos Config Management, platform administrators can reduce security risks. You can define a fully customized set of policies and ensure that the policies are consistently applied across environments. Anthos Config Management also continuously monitors environments to ensure their desired configuration is in place and no violations of governance controls are present.
- Open source technologies: Anthos Config Management is based on Kubernetes and Cloud Native open source tools and projects, including Open Policy Agent Gatekeeper.
You can use each of the Anthos Config Management components independently, but they are designed to work together:
- Policy Controller: Policy Controller enables the enforcement of fully programmable policies that represent constraints on the desired state. These policies act as "guardrails" and prevent configurations from violating security and compliance controls. You can use these policies to actively block non-compliant API requests, or simply to audit the configuration of your clusters and report violations. Policy Controller is built from the Open Policy Agent Gatekeeper project and comes with a full library of pre-built policies for common security and compliance controls. In addition, by following best practices for policy management, you can also enforce guardrails when editing configs or as a pre-submit check for Config Sync.
- Config Sync: Config Sync continuously reconciles your clusters to a central set of configurations that are stored in one or more Git repositories. This GitOps methodology lets you apply configuration consistently across clusters and environments with an auditable, transactional, and version-controlled deployment process.
- Config Controller: Config Controller is a hosted service to provision and orchestrate Anthos and Google Cloud resources. This component offers an API endpoint that can provision, actuate, and orchestrate Google Cloud resources as part of Anthos Config Management.
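The following manifests are an added example, not part of the Anthos Config Management documentation or its pre-built policy library, showing how the Policy Controller and Config Sync pieces described above fit together: a RootSync that makes Config Sync reconcile the cluster to a Git directory, and a Gatekeeper ConstraintTemplate plus two constraints stored in that directory, one in audit (dryrun) mode and one in enforce (deny) mode. The repository URL, directory layout, template name (ExampleRequiredLabels, chosen to avoid clashing with the library's own K8sRequiredLabels), and the required label names are all assumptions made for the example.

```yaml
# Added example (not from the Anthos Config Management docs). It assumes a Git
# repository at https://github.com/example-org/platform-config (placeholder)
# whose clusters/prod/ directory holds the policy manifests that follow.

# --- applied once to the cluster (kubectl apply -f rootsync.yaml) -----------
# Config Sync: keep this cluster reconciled to clusters/prod/ on branch main.
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceFormat: unstructured        # plain Kubernetes manifests, no hierarchy rules
  git:
    repo: https://github.com/example-org/platform-config   # placeholder repo
    branch: main
    dir: clusters/prod
    auth: none                      # public repo; use token/ssh/gcpserviceaccount for private repos
    period: 30s                     # how often to poll Git for new commits
---
# --- clusters/prod/policies/template-required-labels.yaml (in Git) ----------
# Policy Controller: a ConstraintTemplate carries the policy logic in Rego.
# This hand-written template is for illustration only; Policy Controller's
# library already ships an equivalent one, hence the distinct name here.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: examplerequiredlabels
spec:
  crd:
    spec:
      names:
        kind: ExampleRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package examplerequiredlabels

        # One violation per object that lacks any of the required labels.
        violation[{"msg": msg}] {
          provided := {l | input.review.object.metadata.labels[l]}
          required := {l | l := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required label(s): %v", [missing])
        }
---
# --- clusters/prod/policies/ns-owner-audit.yaml (in Git) --------------------
# Audit mode: violations are only recorded in the constraint's status;
# nothing is blocked. Start here to measure impact before enforcing.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ExampleRequiredLabels
metadata:
  name: namespaces-must-declare-owner
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["owner"]
---
# --- clusters/prod/policies/deploy-team-deny.yaml (in Git) ------------------
# Enforce mode: the admission webhook rejects non-compliant API requests.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ExampleRequiredLabels
metadata:
  name: deployments-must-declare-team
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    excludedNamespaces: ["kube-system", "config-management-system"]
  parameters:
    labels: ["team"]
```

Once the RootSync is applied, Config Sync pulls the template and constraints from Git and Policy Controller registers them; `kubectl get rootsync -n config-management-system` (or `nomos status`) shows whether the commit has been synced, and `kubectl get examplerequiredlabels namespaces-must-declare-owner -o yaml` lists the audit findings under `status.violations` without anything having been blocked. Because the constraints are committed rather than applied by hand, a change from `dryrun` to `deny` goes through the same reviewed, version-controlled path as any other configuration, which is the auditable guardrail workflow the section describes.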
- Learn more about Policy Controller, Config Sync, and Config Controller.
- Learn about the Anthos security blueprint, which describes how to enforce security policies on Anthos clusters.
- Learn how to set up a Config Controller.