gcloud apply spec fields

This page explains the different fields that you can set in the configuration file for Anthos Config Management. You use this file when you are configuring Anthos Config Management components with the Google Cloud CLI. The gcloud CLI command you use to apply the configuration file also has reference documentation.

The file format used with the gcloud CLI is similar to the format of the ConfigManagement object. However the formats are different and the two are not interchangeable.

Configuration for Config Sync

Key	Description
`spec.configSync.enabled`	If `true`, enables Config Sync. Defaults to `false`.
`spec.configSync.sourceType`	The type of source that Config Sync should sync from. Accepts `git` or `oci`. This field is supported in Anthos Config Management version 1.12.0 and later. Default: `git`.
`spec.configSync.syncRepo`	The URL of the Git repository, OCI image, or Helm chart to use as the source of truth. You can omit this field if you don't have a repository prepared.
`spec.configSync.syncBranch`	The branch of the Git repository to sync from. This field is ignored if `.spec.configSync.sourceType` is set to `oci`. Default: `master`.
`spec.configSync.policyDir`	The path in the Git repository or OCI Image to the root directory that contains the configuration that you want to sync. Default: the root directory of the repository.
`spec.configSync.syncWait`	Period in seconds between consecutive syncs. Default: 15.
`spec.configSync.syncRev`	Git revision (tag or hash) to check out. This field is ignored if `.spec.configSync.sourceType` is set to `oci`. Default: `HEAD`.
`spec.configSync.preventDrift`	If `true`, enables the Config Sync admission webhook to prevent drifts by rejecting conflicting changes from being pushed to live clusters. Defaults: `false`. Config Sync always remediates drifts no matter the value of this field. This field is supported in Anthos Config Management version 1.10.0 and later.
`spec.configSync.secretType`	The type of Secret configured for access to the `.spec.configSync.syncRepo`. If you selected `git` as the source type, the value must be `ssh`, `cookiefile`, `gcenode`, `gcpserviceaccount`, `token`, or `none`. If you selected `oci` as the source type, the value must be `gcenode`, `gcpserviceaccount`, or `none`. The validation of this field is case-sensitive. Required.
`spec.configSync.gcpServiceAccountEmail`	The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when `spec.configSync.secretType` is `gcpserviceaccount`.
`spec.configSync.sourceFormat`	When set to `unstructured`, configures a non-hierarchical repo. Default: `hierarchy`.

Proxy configuration for the Git repository

If your organization's security policies require you to route traffic through an HTTPS proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host. Proxy is only supported when using an authorization type of cookiefile, none, or token.

Key	Description
`spec.configSync.httpsProxy`	Defines an `HTTPS_PROXY` environment variable used to access the Git repository. For example, `https://proxy.internal.business.co:443`. The HTTPS proxy only accepts `https` or unadorned URLs. URLs containing `http://` are rejected. If using an unadorned URL, make sure the communication between your proxy server and Git host is secure.

Configuration for Policy Controller

Key	Description
`spec.policyController.enabled`	If `true`, enables Policy Controller. Defaults to `false`.
`spec.policyController.templateLibraryInstalled`	If `true`, installs a library of constraint templates for common policy types. Defaults to `true`.
`spec.policyController.referentialRulesEnabled`	If `true`, enables support for referential constraints. Be sure that you understand the caveats about eventual consistency. Defaults to `false`.
`spec.policyController.auditIntervalSeconds`	Period in seconds between consecutive audits of constraint violations. Set to 0 to disable auditing. Default: 60.
`spec.policyController.logDeniesEnabled`	If `true`, logs all denies and dry run failures. Defaults to `false`.
`spec.policyController.mutationEnabled`	If `true`, enables support for mutations. Defaults to `false`.
`spec.policyController.exemptableNamespaces`	A list of namespaces to remove from Policy Controller admission webhook enforcement. Any violations are still reported in audit. Defaults to an empty list.
`spec.policyController.monitoring.backends`	A list of monitoring backends for Policy Controller to export metrics to. Default: `[cloudmonitoring, prometheus]`. This field is supported in Anthos Config Management version 1.12.0 and later.

Configuration for Hierarchy Controller

Key	Description
`spec.hierarchyController.enabled`	If `true`, enables Hierarchy Controller. Defaults to `false`.
`spec.hierarchyController.enableHierarchicalResourceQuota`	If `true`, enables hierarchical resource quotas. Defaults to `false`.
`spec.hierarchyController.enablePodTreeLabels`	If `true`, enables hierarchical observation of workloads. Defaults to `false`.

Example gcloud apply spec

applySpecVersion: 1
spec:
  configSync:
    enabled: true
    sourceFormat: unstructured
    syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    syncBranch: main
    secretType: none
    policyDir: config-sync-quickstart/multirepo/root
  policyController:
    enabled: false
  hierarchyController:
    enabled: false