This page explains the different fields that you can set in the configuration file for Config Sync. You use this file when you are configuring Config Sync components with the Google Cloud CLI. The gcloud CLI command you use to apply the configuration file also has reference documentation.
These commands can also configure Policy Controller, but it's recommended that you use the Policy Controller gcloud commands instead.

The file format used with the gcloud CLI is similar to the format of the ConfigManagement object. However, the formats are different and the two are not interchangeable.
Common configuration for Config Management
| Key | Description |
|---|---|
| `spec.version` | The version of Config Management. If you are configuring Config Management for a cluster, the default version is the current version of the Config Management installation on that cluster. Otherwise, for fleet-wide configuration or in the absence of an existing installation on the target cluster, the default is the latest version. |
Configuration for Config Sync
| Key | Description |
|---|---|
| `spec.cluster` | The cluster name used by the Config Sync `cluster-name-selector` annotation or ClusterSelector, for applying configs to only a subset of clusters. Set this field if a name different from the cluster's fleet membership name is used by the Config Sync `cluster-name-selector` annotation or ClusterSelector. |
| `spec.upgrades` | (Preview) The upgrade setting for Config Sync. If set to `auto`, the Config Sync version is auto-upgraded. For information about how auto-upgrades work, see Upgrade Config Sync. Set to `manual` to manually upgrade the Config Sync version. The default value is `manual`. This flag is supported only for GKE clusters on Google Cloud. |
| `spec.configSync.enabled` | If `true`, enables Config Sync. If `false`, disables Config Sync. Required for gcloud CLI version 429.0.0 and earlier. Optional for gcloud CLI version 430.0.0 and later. Default: `true`. |
| `spec.configSync.sourceType` | The type of source that Config Sync should sync from. Accepts `git` or `oci`. Default: `git`. |
| `spec.configSync.syncRepo` | The URL of the Git repository, OCI image, or Helm chart to use as the source of truth. You can omit this field if you don't have a repository prepared. |
| `spec.configSync.syncBranch` | The branch of the Git repository to sync from. This field is ignored if `.spec.configSync.sourceType` is set to `oci`. This field is optional and the default is `master`. Starting from Config Sync version 1.17.0, it's recommended to use the `spec.configSync.syncRev` field to specify a branch name for simplicity. If both the `spec.configSync.syncRev` field and the `spec.configSync.syncBranch` field are specified, `spec.configSync.syncRev` takes precedence over `spec.configSync.syncBranch`. |
| `spec.configSync.policyDir` | The path in the Git repository or OCI image to the root directory that contains the configuration that you want to sync. Default: the root directory of the repository. |
| `spec.configSync.syncWait` | Period in seconds between consecutive syncs. Default: 15. |
| `spec.configSync.syncRev` | Git revision (tag or hash) to sync from. This field is ignored if `.spec.configSync.sourceType` is set to `oci`. This field is optional and the default value is `HEAD`. Starting from Config Sync version 1.17.0, you can also specify a branch name in the `spec.configSync.syncRev` field. When using a hash in version 1.17.0 or later, it must be a full hash, not an abbreviated form. |
| `spec.configSync.preventDrift` | If `true`, enables the Config Sync admission webhook to prevent drift by rejecting conflicting changes from being pushed to live clusters. Default: `false`. Config Sync always remediates drift regardless of the value of this field. |
| `spec.configSync.secretType` | The type of Secret configured for access to the `.spec.configSync.syncRepo`. If you selected `git` as the source type, the value must be `ssh`, `cookiefile`, `gcenode`, `gcpserviceaccount`, `token`, or `none`. If you selected `oci` as the source type, the value must be `gcenode`, `gcpserviceaccount`, or `none`. The validation of this field is case-sensitive. Required. |
| `spec.configSync.gcpServiceAccountEmail` | The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes service account. This field is only used when `spec.configSync.secretType` is `gcpserviceaccount`. |
| `spec.configSync.metricsGcpServiceAccountEmail` | Deprecated: If Workload Identity Federation for GKE is enabled, a Google Cloud service account is not required for exporting Config Sync metrics. Use a Kubernetes service account instead. |
| `spec.configSync.sourceFormat` | When set to `unstructured`, configures a non-hierarchical repo. Default: `hierarchy`. |
Proxy configuration for the Git repository
If your organization's security policies require you to route traffic through an HTTPS proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host. Proxy is only supported when using an authorization type of `cookiefile`, `none`, or `token`.

| Key | Description |
|---|---|
| `spec.configSync.httpsProxy` | Defines an `HTTPS_PROXY` environment variable used to access the Git repository. For example, `https://proxy.internal.business.co:443`. The HTTPS proxy only accepts `https` or unadorned URLs. URLs containing `http://` are rejected. If using an unadorned URL, make sure the communication between your proxy server and Git host is secure. |
Configuration for Policy Controller
| Key | Description |
|---|---|
| `spec.policyController.enabled` | If `true`, enables Policy Controller. Default: `false`. |
| `spec.policyController.templateLibraryInstalled` | If `true`, installs a library of constraint templates for common policy types. Default: `true`. |
| `spec.policyController.referentialRulesEnabled` | If `true`, enables support for referential constraints. Be sure that you understand the caveats about eventual consistency. Default: `false`. |
| `spec.policyController.auditIntervalSeconds` | Period in seconds between consecutive audits of constraint violations. Set to 0 to disable auditing. Default: 60. |
| `spec.policyController.logDeniesEnabled` | If `true`, logs all denies and dry run failures. Default: `false`. |
| `spec.policyController.mutationEnabled` | If `true`, enables support for mutations. Default: `false`. |
| `spec.policyController.exemptableNamespaces` | A list of namespaces to remove from Policy Controller admission webhook enforcement. Any violations are still reported in audit. Default: an empty list. |
| `spec.policyController.monitoring.backends` | A list of monitoring backends for Policy Controller to export metrics to. Default: `[cloudmonitoring, prometheus]`. |
Configuration for Hierarchy Controller
| Key | Description |
|---|---|
| `spec.hierarchyController.enabled` | If `true`, enables Hierarchy Controller. Default: `false`. |
| `spec.hierarchyController.enableHierarchicalResourceQuota` | If `true`, enables hierarchical resource quotas. Default: `false`. |
| `spec.hierarchyController.enablePodTreeLabels` | If `true`, enables hierarchical observation of workloads. Default: `false`. |
Example gcloud apply spec
```yaml
applySpecVersion: 1
spec:
  configSync:
    enabled: true
    sourceFormat: unstructured
    syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    syncBranch: main
    secretType: none
    policyDir: config-sync-quickstart/multirepo/root
```
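The following is an added example, not part of this page or of the gcloud CLI: a pre-apply linter that checks the `spec.configSync` block of an apply spec against the rules stated above (case-sensitive `secretType` values per `sourceType`, the `httpsProxy` authorization-type and `http://` restrictions, `syncBranch`/`syncRev` handling, and the full-hash requirement from version 1.17.0). It assumes the YAML has already been parsed into a dict (for example with PyYAML) and that a purely hexadecimal `syncRev` is a commit hash; the sample specs are constructed.

```python
import re

# Allowed secretType values per sourceType, as listed on this page (case-sensitive).
GIT_SECRET_TYPES = {"ssh", "cookiefile", "gcenode", "gcpserviceaccount", "token", "none"}
OCI_SECRET_TYPES = {"gcenode", "gcpserviceaccount", "none"}
PROXY_SECRET_TYPES = {"cookiefile", "none", "token"}  # httpsProxy is only supported with these
HEX = re.compile(r"^[0-9a-fA-F]+$")

def lint_config_sync(apply_spec, config_sync_version="1.17.0"):
    """Return findings for spec.configSync of a parsed apply spec (a dict); [] means clean."""
    cs = apply_spec.get("spec", {}).get("configSync", {})
    findings = []
    source_type = cs.get("sourceType", "git")
    if source_type not in ("git", "oci"):
        findings.append(f"sourceType must be git or oci, got {source_type!r}")
    secret_type = cs.get("secretType")
    if secret_type is None:
        findings.append("secretType is required")
    else:
        allowed = OCI_SECRET_TYPES if source_type == "oci" else GIT_SECRET_TYPES
        if secret_type not in allowed:  # 'Token' or 'SSH' fail here: the check is case-sensitive
            findings.append(f"secretType {secret_type!r} is not valid for sourceType {source_type}")
    proxy = cs.get("httpsProxy")
    if proxy:
        if secret_type not in PROXY_SECRET_TYPES:
            findings.append("httpsProxy requires secretType cookiefile, none or token")
        if proxy.startswith("http://"):
            findings.append("httpsProxy rejects http:// URLs; use https:// or an unadorned host:port")
        elif not proxy.startswith("https://"):
            findings.append("httpsProxy is unadorned; confirm the proxy-to-Git-host link is secured")
    if source_type == "oci" and ("syncBranch" in cs or "syncRev" in cs):
        findings.append("syncBranch and syncRev are ignored when sourceType is oci")
    if source_type == "git":
        rev = cs.get("syncRev")
        if rev and "syncBranch" in cs:
            findings.append("both syncRev and syncBranch are set; syncRev takes precedence")
        # Assumption: an all-hex syncRev is a commit hash; 1.17.0+ requires the full 40-char form.
        version = tuple(int(p) for p in config_sync_version.split("."))
        if rev and version >= (1, 17, 0) and HEX.match(rev) and len(rev) != 40:
            findings.append(f"syncRev {rev!r} looks like an abbreviated hash; use the full hash")
    return findings

# Constructed sample specs, not taken from the page. GOOD_SPEC is a clean Git source.
GOOD_SPEC = {"applySpecVersion": 1, "spec": {"configSync": {
    "enabled": True, "sourceFormat": "unstructured", "secretType": "none", "syncRev": "main",
    "syncRepo": "https://git.example.com/platform/config.git", "policyDir": "clusters/prod"}}}
# BAD_SPEC has a wrong-case secretType, an http:// proxy and an abbreviated hash.
BAD_SPEC = {"applySpecVersion": 1, "spec": {"configSync": {
    "enabled": True, "secretType": "Token", "syncRepo": "https://git.example.com/platform/config.git",
    "httpsProxy": "http://proxy.internal.example:3128", "syncRev": "abc1234"}}}
```

Run the linter on a spec before `gcloud` applies it; a non-empty list means the apply would either be rejected or silently ignore a field you expected to take effect.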