In this quickstart, you create a new Google Kubernetes Engine (GKE) cluster and use Config Sync to sync to configs in the Anthos Config Management samples repository.
Imagine that your compliance team is responsible for making sure that everyone in your organization is following internal rules. To enforce these rules, the compliance team has created configs, which they have added to the samples repository. Each cluster in your organization is required to sync to the repository and you are responsible for creating and syncing clusters.
Before you begin
Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
Prepare your environment
In the following sections, you create and configure a cluster that you can use with Config Sync.
Create a cluster
To create a cluster that you can use with Config Sync, complete the following steps:
In the Google Cloud Console, go to the Google Kubernetes Engine page.
Click Create.
In the Standard section, click Configure.
In the Cluster basics section, complete the following:
- Enter cs-cluster as the Name for your cluster.
- Leave all other fields with their recommended defaults.
In the left-hand menu, click default-pool and in the drop-down list that appears, click Nodes.
In the Nodes section, complete the following:
- In the Machine type drop-down list, select e2-standard-4.
- Leave all other fields as their default values.
In the left-hand menu, under Cluster, select Security.
In the Security page, select the Enable Workload Identity checkbox.
Click Create. It can take several minutes for your cluster to be created.
Give yourself admin permissions
After creating your cluster, grant yourself the GKE Hub Admin role that you need to use Config Sync in the Google Cloud Console.
In the Cloud Console, go to the IAM page.
In the New principals field, enter the email address that you used to register with Google Cloud.
In the Select a role drop-down list, search for and select GKE Hub Admin.
Enable Anthos Config Management
To enable Anthos Config Management, complete the following steps:
In the Cloud Console, go to the Config Management page.
Click Set up Config Management.
To enable the Config Management API, click Next. After you click Next, you are taken to the Select registered clusters for Config Management page where you can register your cluster.
Register your cluster
After your cluster is created, register your cluster to a fleet:
- In the Select registered clusters for Config Management page, locate the Unregistered clusters from this project table, find cs-cluster, and click Register.
Once the cluster is successfully registered, it appears in the Select registered clusters for Config Management table.
Configure your cluster
Now that you have created a cluster, you can configure Config Sync to sync to the configs in the quickstart/multirepo directory of the Anthos Config Management samples repository.
To configure Config Sync on the Google Cloud Console, complete the following steps:
- In the Select registered clusters for Config Management table, select cs-cluster and click Next.
- In the Config Sync page that appears, select an Anthos Config Management Version of 1.7.0 or later. This version enables syncing from multiple repositories by default.
- Leave the Enable Config sync checkbox enabled.
- In the URL field, add
- In the Authentication type drop-down list, select None.
- In the Branch field, add
- Leave the Tag/Commit field blank since we are using the default
- In the Policy directory field, add
- Leave Sync wait and Git proxy blank since we are using their default values of 15 seconds and
- In the Source format drop-down list, select unstructured. We recommend that you use the unstructured format as it lets you organize your configs in the way that is most convenient to you.
- Click Next.
Clear the Enable Policy Controller checkbox and click Complete.
You are taken back to the Config Management menu. After a few minutes, you should see Synced in the Config sync status column next to cs-cluster.
Now that Config Sync is synced to a repository, it continuously reconciles the state of your clusters with the configs in the repository.
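The console steps above configure one cluster by hand. Because every cluster in the organization must sync to the same repository, it helps to see the same settings expressed declaratively. The following is an added example, not code from the Google Cloud page or from the samples repository: it builds a RootSync manifest carrying the quickstart's choices (authentication None, unstructured source format, the default 15-second sync wait) and rejects combinations that cannot work. The RootSync field names (spec.sourceFormat and spec.git.repo, branch, dir, auth, period under configsync.gke.io/v1beta1) are assumed from the Config Sync API as recalled here; the repository URL and branch are placeholders because the page does not reproduce them.

```python
"""Declarative equivalent of the console Config Sync settings (added example).

Field names follow the configsync.gke.io/v1beta1 RootSync API as recalled by
the editor; confirm them against the current Config Sync reference.
"""

ALLOWED_SOURCE_FORMATS = {"unstructured", "hierarchy"}
ALLOWED_AUTH = {"none", "ssh", "token", "gcenode", "gcpserviceaccount"}


def build_rootsync(repo_url, branch, policy_dir, period_seconds=15,
                   source_format="unstructured", auth="none"):
    """Return a dict describing a RootSync for the given repository.

    Raises ValueError for settings that would fail in the cluster: an unknown
    source format or auth type, a non-HTTPS URL combined with auth 'none'
    (an anonymous clone needs a public https:// remote), or a non-positive
    sync period.
    """
    if source_format not in ALLOWED_SOURCE_FORMATS:
        raise ValueError(f"unknown sourceFormat {source_format!r}")
    if auth not in ALLOWED_AUTH:
        raise ValueError(f"unknown auth type {auth!r}")
    if auth == "none" and not repo_url.startswith("https://"):
        raise ValueError("auth 'none' requires a public https:// repository URL")
    if period_seconds <= 0:
        raise ValueError("sync period must be positive")
    # The console accepts "/quickstart/multirepo/"; Config Sync wants the path
    # relative to the repository root, with "/" meaning the root itself.
    policy_dir = policy_dir.strip("/") or "/"
    return {
        "apiVersion": "configsync.gke.io/v1beta1",
        "kind": "RootSync",
        "metadata": {"name": "root-sync",
                     "namespace": "config-management-system"},
        "spec": {
            "sourceFormat": source_format,
            "git": {
                "repo": repo_url,
                "branch": branch,
                "dir": policy_dir,
                "auth": auth,
                "period": f"{period_seconds}s",
            },
        },
    }


def config_error(repo_url, branch, policy_dir, **kwargs):
    """Return the validation message for a bad configuration, or None."""
    try:
        build_rootsync(repo_url, branch, policy_dir, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def render_manifest(obj, indent=0):
    """Serialise the nested dict as YAML. All leaves here are plain strings
    without YAML-significant characters, so no quoting is needed."""
    lines = []
    pad = " " * indent
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(render_manifest(value, indent + 2))
        else:
            lines.append(f"{pad}{key}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder repository and branch; the page does not reproduce them.
    manifest = build_rootsync("https://github.com/EXAMPLE-ORG/EXAMPLE-REPO",
                              "main", "/quickstart/multirepo/")
    print(render_manifest(manifest))  # pipe into: kubectl apply -f -
```

Applying the rendered manifest with kubectl replaces the Config Sync page of the console for that cluster; the validation step catches the two mistakes that otherwise show up only as a failed sync status later (a private remote with no credentials, and a source format the repository was not laid out for).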
Explore and test the Config Sync installation
In the following sections, you use Cloud Shell to explore your Config Sync installation and then try to modify a managed object.
Open Cloud Shell
To launch Cloud Shell, complete the following steps:
Go to Google Cloud Console.
From the upper-right corner of the console, click the Activate Cloud Shell button:
A Cloud Shell session opens inside a frame lower on the console. Use this shell to run
To use the commands in the following sections, configure kubectl command-line access by running the following command:
gcloud container clusters get-credentials cs-cluster \
    --zone ZONE \
    --project PROJECT_ID
Replace the following:
ZONE: the zone that you created your cluster in
PROJECT_ID: your project ID
The output is similar to the following:
Fetching cluster endpoint and auth data.
kubeconfig entry generated for cs-cluster.
Examine your cluster and repository
The quickstart directory includes ClusterRole, CustomResourceDefinition, Prometheus Operator configurations for monitoring, RoleBinding, Namespace, and RepoSync objects. These configs are applied as soon as Config Sync is configured to read from the repo.
All objects managed by Config Sync have the app.kubernetes.io/managed-by label set to configmanagement.gke.io.
To list namespaces managed by Config Sync, run the following command:
kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io
NAME         STATUS   AGE
gamestore    Active   58s
monitoring   Active   58s
You can navigate to the /quickstart/multirepo/ folder of the Anthos Config Management repository in GitHub to explore the configs that caused these namespaces to be created.
You can examine other objects, such as ClusterRoles, RepoSyncs, CRDs, and RoleBindings, in the same way.
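The label selector above lists what Config Sync manages; the complementary question for a compliance team is which namespaces (or other objects) exist that the repository does not manage. The following is an added example, not code from the Google Cloud page: it takes the JSON that `kubectl get ns -o json` prints, splits objects by the app.kubernetes.io/managed-by=configmanagement.gke.io label the page describes, and flags the rest. It generalizes beyond namespaces to any `kubectl get <kind> -o json` list, since the label is set on every managed object. The NamespaceList is constructed to mirror the quickstart's output plus one out-of-band namespace; the set of system namespaces it skips is the editor's assumption.

```python
"""Audit of Config Sync's managed-by label over a kubectl JSON list (added example)."""
import json

MANAGED_BY_LABEL = "app.kubernetes.io/managed-by"
CONFIG_SYNC_MANAGER = "configmanagement.gke.io"
# Assumed set of namespaces GKE or Config Sync creates itself; they are not
# expected in the config repository and are skipped by the audit.
SYSTEM_NAMESPACES = {
    "default", "kube-system", "kube-public", "kube-node-lease",
    "config-management-system", "config-management-monitoring",
    "resource-group-system",
}


def _ns(name, labels=None):
    """Build one Namespace item in the shape kubectl -o json uses."""
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": name, "labels": labels or {}}}


# Constructed sample: the two managed namespaces from the quickstart, a system
# namespace, and a namespace someone installed with Helm outside the repo.
SAMPLE_NAMESPACE_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        _ns("gamestore", {MANAGED_BY_LABEL: CONFIG_SYNC_MANAGER}),
        _ns("kube-system"),
        _ns("monitoring", {MANAGED_BY_LABEL: CONFIG_SYNC_MANAGER}),
        _ns("shadow-app", {MANAGED_BY_LABEL: "Helm"}),
    ],
})


def is_config_sync_managed(obj):
    """True when the object carries the Config Sync managed-by label."""
    labels = obj.get("metadata", {}).get("labels") or {}
    return labels.get(MANAGED_BY_LABEL) == CONFIG_SYNC_MANAGER


def classify_objects(list_json, skip_names=frozenset()):
    """Return (managed, unmanaged) as sorted name lists from a kubectl JSON
    list. Names in skip_names are ignored entirely."""
    managed, unmanaged = [], []
    for item in json.loads(list_json).get("items", []):
        name = item.get("metadata", {}).get("name", "")
        if name in skip_names:
            continue
        (managed if is_config_sync_managed(item) else unmanaged).append(name)
    return sorted(managed), sorted(unmanaged)


def audit_namespaces(namespace_list_json):
    """Namespace-specific wrapper that skips the system namespaces."""
    return classify_objects(namespace_list_json, SYSTEM_NAMESPACES)


if __name__ == "__main__":
    managed, unmanaged = audit_namespaces(SAMPLE_NAMESPACE_LIST)
    print("managed by Config Sync:", ", ".join(managed))
    print("not in the repository:", ", ".join(unmanaged) or "(none)")
```

Run against a live cluster with `kubectl get ns -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`; a non-empty second line is a namespace that exists on the cluster but is not declared in the repository everyone is required to sync to.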
Attempt to manually modify a managed object
Config Sync prevents mutation of managed objects through the admission webhook.
If you attempt to make a conflicting change by manually modifying a Config Sync managed Kubernetes object, you receive an error.
To test this behaviour, try to delete the gamestore namespace:
kubectl delete namespace gamestore
error: admission webhook "v1.admission-webhook.configsync.gke.io" denied the request: requester is not authorized to delete managed resources
Clean up
If you want to follow the tutorial for Writing configs for Config Sync, do not clean up yet. This quickstart is a prerequisite for that tutorial, which also includes instructions for cleaning up.
If you do not want to complete that tutorial, you can clean up by deleting the cluster that you used for this tutorial:
Go to the GKE menu in Cloud Console.
Next to cs-cluster, click Actions, then click Delete.
When prompted to confirm, click Delete again.