gcloud apply spec fields

This page explains the different fields that you can set in the configuration file for Anthos Config Management. You use this file when you are configuring Anthos Config Management components with the gcloud command-line tool. The gcloud tool command you use to apply the configuration file also has reference documentation.

The file format used with the gcloud tool is similar to the format of the ConfigManagement object. However, the formats are different and the two are not interchangeable.

Configuration for Config Sync

Key Description
spec.configSync.enabled If true, enables Config Sync. Defaults to false.
spec.configSync.syncRepo The URL of the Git repository to use as the source of truth. Required.
spec.configSync.syncBranch The branch of the repository to sync from. Default: master.
spec.configSync.policyDir The path in the Git repository to the root directory that contains the configuration that you want to sync. Default: the root directory of the repository.
spec.configSync.syncWait Period in seconds between consecutive syncs. Default: 15.
spec.configSync.syncRev Git revision (tag or hash) to check out. Default: HEAD.
spec.git.auth The type of Secret configured for access to the Git repo. Must be ssh, cookiefile, gcenode, gcpserviceaccount, token, or none. The validation of this field is case-sensitive. Required.
spec.git.gcpServiceAccountEmail The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when spec.git.auth is gcpserviceaccount.
spec.configSync.sourceFormat When set to unstructured, configures a non-hierarchical repo. Default: hierarchy.

Proxy configuration for the Git repository

If your organization's security policies require you to route traffic through an HTTPS proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host. Proxy is only supported when using an authorization type of cookiefile or none.

Key Description
spec.configSync.httpsProxy Defines an HTTP_PROXY environment variable used to access the Git repository.

Configuration for Policy Controller

Key Description
spec.policyController.enabled If true, enables Policy Controller. Defaults to false.
spec.policyController.templateLibraryInstalled If true, installs a library of constraint templates for common policy types. Defaults to true.
spec.policyController.referentialRulesEnabled If true, enables support for referential constraints. Be sure that you understand the caveats about eventual consistency. Defaults to false.
spec.policyController.auditIntervalSeconds Period in seconds between consecutive audits of constraint violations. Set to 0 to disable auditing. Default: 60.
spec.policyController.logDeniesEnabled If true, logs all denies and dry run failures. Defaults to false.
spec.policyController.exemptableNamespaces A list of namespaces to remove from Policy Controller admission webhook enforcement. Any violations are still reported in audit. Defaults to an empty list.

Configuration for Hierarchy Controller

Key Description
spec.hierarchyController.enabled If true, enables Hierarchy Controller. Defaults to false.
spec.hierarchyController.enableHierarchicalResourceQuota If true, enables hierarchical resource quotas. Defaults to false.
spec.hierarchyController.enablePodTreeLabels If true, enables hierarchical observation of workloads. Defaults to false.

Example gcloud apply spec

applySpecVersion: 1
spec:
  configSync:
    enabled: true
    sourceFormat: unstructured
    syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    syncBranch: main
    secretType: none
    policyDir: root-multirepo-unstructured
  policyController:
    enabled: false
  hierarchyController:
    enabled: false
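As an added example (not Google's tooling and not code from this page), the following Python validator encodes the constraints stated in the field tables above and reports violations before the file is handed to gcloud: the case-sensitive auth type list, the rule that httpsProxy is only supported with cookiefile or none, the gcpServiceAccountEmail requirement for gcpserviceaccount auth, the allowed sourceFormat values, integer ranges for syncWait and auditIntervalSeconds (with 0 disabling auditing), and the list type of exemptableNamespaces. It assumes the file has already been parsed into a dict (for instance with yaml.safe_load; parsing is left out so the block runs without PyYAML), it checks both spec.git.auth (as listed in the table) and spec.configSync.secretType (as used in the example above) because the page shows both locations, and it treats applySpecVersion 1 as the only known version, which is an assumption taken from the example. The two sample specs inside are constructed: the first mirrors the page's example, the second is deliberately broken.

```python
"""Pre-flight validator for an Anthos Config Management gcloud apply-spec.

Added example, not Google's own tooling. It encodes the constraints the
field tables on this page describe. Assumption: the YAML file has already
been parsed into a dict (e.g. yaml.safe_load(open("apply-spec.yaml"))).
"""

# Auth types exactly as documented; validation is case-sensitive.
VALID_AUTH_TYPES = {"ssh", "cookiefile", "gcenode", "gcpserviceaccount", "token", "none"}
# httpsProxy is only supported with these auth types.
PROXY_COMPATIBLE_AUTH = {"cookiefile", "none"}
VALID_SOURCE_FORMATS = {"hierarchy", "unstructured"}
KNOWN_SPEC_VERSIONS = {1}  # assumption: only version 1 appears on this page


def _get(doc, path):
    """Walk a dotted path such as 'spec.configSync.syncRepo'; None if absent."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _is_int(value):
    """True for a real integer (bool is excluded, since True/False are ints in Python)."""
    return isinstance(value, int) and not isinstance(value, bool)


def validate_apply_spec(doc):
    """Return a list of findings for an apply-spec document; empty means clean.

    Hard errors have no prefix; advisory findings are prefixed 'warning:'.
    """
    findings = []
    if doc.get("applySpecVersion") not in KNOWN_SPEC_VERSIONS:
        findings.append("applySpecVersion must be one of %s" % sorted(KNOWN_SPEC_VERSIONS))

    config_sync = _get(doc, "spec.configSync") or {}
    if config_sync.get("enabled") is True:
        if not config_sync.get("syncRepo"):
            findings.append("spec.configSync.syncRepo is required when Config Sync is enabled")
        # The table lists spec.git.auth; the page's example uses
        # spec.configSync.secretType. Accept either location (assumption).
        auth = _get(doc, "spec.git.auth")
        if auth is None:
            auth = config_sync.get("secretType")
        if auth is None:
            findings.append("an auth type is required (spec.git.auth or spec.configSync.secretType)")
        elif auth not in VALID_AUTH_TYPES:  # case-sensitive, as documented
            findings.append("unknown auth type %r; must be one of %s" % (auth, sorted(VALID_AUTH_TYPES)))
        if auth == "gcpserviceaccount" and not _get(doc, "spec.git.gcpServiceAccountEmail"):
            findings.append("spec.git.gcpServiceAccountEmail is required when auth is gcpserviceaccount")
        if config_sync.get("httpsProxy") and auth not in PROXY_COMPATIBLE_AUTH:
            findings.append("spec.configSync.httpsProxy is only supported with auth type cookiefile or none")
        if config_sync.get("sourceFormat", "hierarchy") not in VALID_SOURCE_FORMATS:
            findings.append("spec.configSync.sourceFormat must be hierarchy or unstructured")
        wait = config_sync.get("syncWait", 15)
        if not _is_int(wait) or wait <= 0:
            findings.append("spec.configSync.syncWait must be a positive integer number of seconds")

    policy = _get(doc, "spec.policyController") or {}
    if policy.get("enabled") is True:
        interval = policy.get("auditIntervalSeconds", 60)
        if not _is_int(interval) or interval < 0:
            findings.append("spec.policyController.auditIntervalSeconds must be an integer >= 0")
        elif interval == 0:
            findings.append("warning: auditing is disabled (auditIntervalSeconds: 0); "
                            "violations will not be reported")
        exempt = policy.get("exemptableNamespaces", [])
        if not isinstance(exempt, list) or not all(isinstance(ns, str) for ns in exempt):
            findings.append("spec.policyController.exemptableNamespaces must be a list of namespace names")
    return findings


# Constructed sample: mirrors the example spec shown on this page.
PAGE_EXAMPLE = {
    "applySpecVersion": 1,
    "spec": {
        "configSync": {
            "enabled": True,
            "sourceFormat": "unstructured",
            "syncRepo": "https://github.com/GoogleCloudPlatform/anthos-config-management-samples",
            "syncBranch": "main",
            "secretType": "none",
            "policyDir": "root-multirepo-unstructured",
        },
        "policyController": {"enabled": False},
        "hierarchyController": {"enabled": False},
    },
}

# Constructed sample: deliberately violates several documented constraints.
BAD_EXAMPLE = {
    "applySpecVersion": 1,
    "spec": {
        "configSync": {
            "enabled": True,
            "syncRepo": "https://git.example.internal/platform/config.git",  # placeholder
            "secretType": "Token",  # wrong case; validation is case-sensitive
            "httpsProxy": "https://proxy.example.internal:3128",  # placeholder
            "syncWait": 0,
        },
        "policyController": {
            "enabled": True,
            "auditIntervalSeconds": 0,
            "exemptableNamespaces": "kube-system",  # must be a list
        },
    },
}

if __name__ == "__main__":
    for name, spec in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        print(name, "->", validate_apply_spec(spec) or "OK")
```

Run it before `gcloud ... apply` in a CI step, treat any finding without the `warning:` prefix as a failure, and keep the auth-type set in sync with the table above if new types are documented.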