Stay organized with collections Save and categorize content based on your preferences.

gcloud apply spec fields

This page explains the different fields that you can set in the configuration file for Anthos Config Management. You use this file when you are configuring Anthos Config Management components with the Google Cloud CLI. The gcloud CLI command you use to apply the configuration file also has reference documentation.

The file format used with the gcloud CLI is similar to the format of the ConfigManagement object. However the formats are different and the two are not interchangeable.

Configuration for Config Sync

Key Description
spec.configSync.enabled If true, enables Config Sync. Defaults to false.
spec.configSync.sourceType The type of source that Config Sync should sync from. Accepts git or oci. This field is supported in Anthos Config Management version 1.12.0 and later. Default: git.
spec.configSync.syncRepo The URL of the Git repository, OCI image, or Helm chart to use as the source of truth. You can omit this field if you don't have a repository prepared.
spec.configSync.syncBranch The branch of the Git repository to sync from. This field is ignored if .spec.configSync.sourceType is set to oci. Default: master.
spec.configSync.policyDir The path in the Git repository or OCI Image to the root directory that contains the configuration that you want to sync. Default: the root directory of the repository.
spec.configSync.syncWait Period in seconds between consecutive syncs. Default: 15.
spec.configSync.syncRev Git revision (tag or hash) to check out. This field is ignored if .spec.configSync.sourceType is set to oci. Default: HEAD.
spec.configSync.preventDrift If true, enables the Config Sync admission webhook to prevent drifts by rejecting conflicting changes from being pushed to live clusters. Defaults: false. Config Sync always remediates drifts no matter the value of this field. This field is supported in Anthos Config Management version 1.10.0 and later.
spec.configSync.secretType The type of Secret configured for access to the .spec.configSync.syncRepo. If you selected git as the source type, the value must be ssh, cookiefile, gcenode, gcpserviceaccount, token, or none. If you selected oci as the source type, the value must be gcenode, gcpserviceaccount, or none. The validation of this field is case-sensitive. Required.
spec.configSync.gcpServiceAccountEmail The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when spec.configSync.secretType is gcpserviceaccount.
spec.configSync.sourceFormat When set to unstructured, configures a non-hierarchical repo. Default: hierarchy.

Proxy configuration for the Git repository

If your organization's security policies require you to route traffic through an HTTPS proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host. Proxy is only supported when using an authorization type of cookiefile, none, or token.

Key Description
spec.configSync.httpsProxy Defines an HTTPS_PROXY environment variable used to access the Git repository. For example,
The HTTPS proxy only accepts https or unadorned URLs. URLs containing http:// are rejected.
If using an unadorned URL, make sure the communication between your proxy server and Git host is secure.

Configuration for Policy Controller

Key Description
spec.policyController.enabled If true, enables Policy Controller. Defaults to false.
spec.policyController.templateLibraryInstalled If true, installs a library of constraint templates for common policy types. Defaults to true.
spec.policyController.referentialRulesEnabled If true, enables support for referential constraints. Be sure that you understand the caveats about eventual consistency. Defaults to false.
spec.policyController.auditIntervalSeconds Period in seconds between consecutive audits of constraint violations. Set to 0 to disable auditing. Default: 60.
spec.policyController.logDeniesEnabled If true, logs all denies and dry run failures. Defaults to false.
spec.policyController.mutationEnabled If true, enables support for mutations. Defaults to false.
spec.policyController.exemptableNamespaces A list of namespaces to remove from Policy Controller admission webhook enforcement. Any violations are still reported in audit. Defaults to an empty list.
spec.policyController.monitoring.backends A list of monitoring backends for Policy Controller to export metrics to. Default: [cloudmonitoring, prometheus]. This field is supported in Anthos Config Management version 1.12.0 and later.

Configuration for Hierarchy Controller

Key Description
spec.hierarchyController.enabled If true, enables Hierarchy Controller. Defaults to false.
spec.hierarchyController.enableHierarchicalResourceQuota If true, enables hierarchical resource quotas. Defaults to false.
spec.hierarchyController.enablePodTreeLabels If true, enables hierarchical observation of workloads. Defaults to false.

Example gcloud apply spec

applySpecVersion: 1
    enabled: true
    sourceFormat: unstructured
    syncBranch: main
    secretType: none
    policyDir: config-sync-quickstart/multirepo/root
    enabled: false
    enabled: false