gcloud apply spec fields

This page explains the different fields that you can set in the configuration file for Config Sync. You use this file when you are configuring Config Sync components with the Google Cloud CLI. The gcloud CLI command you use to apply the configuration file also has reference documentation.

These commands can also configure Policy Controller, but it's recommended that you use the Policy Controller gcloud commands instead.

The file format used with the gcloud CLI is similar to the format of the ConfigManagement object. However the formats are different and the two are not interchangeable.

Configuration for Config Sync

Key	Description
`spec.upgrades`	(Preview) The upgrade setting for Config Sync. If set to `auto`, the Config Sync version is auto-upgraded. For information about how auto-upgrades work, see Upgrade Config Sync. Set to `manual` to manually upgrade the Config Sync version. The default value is `manual`. This flag is supported only for GKE clusters on Google Cloud.
`spec.configSync.enabled`	If `true`, enables Config Sync. If `false`, disables Config Sync. Required for gcloud CLI version 429.0.0 and earlier. Optional for gcloud CLI version 430.0.0 and later. Default: `true`
`spec.configSync.sourceType`	The type of source that Config Sync should sync from. Accepts `git` or `oci`. Default: `git`.
`spec.configSync.syncRepo`	The URL of the Git repository, OCI image, or Helm chart to use as the source of truth. You can omit this field if you don't have a repository prepared.
`spec.configSync.syncBranch`	The branch of the Git repository to sync from. This field is ignored if `.spec.configSync.sourceType` is set to `oci`. This field is optional and the default is `master`. Starting from Config Sync version 1.17.0, it's recommended to use the `spec.configSync.syncRev` field to specify a branch name for simplicity. If both the `spec.configSync.syncRev` field and the `spec.configSync.syncBranch` field are specified, `spec.configSync.syncRev` takes precedence over `spec.configSync.syncBranch`.
`spec.configSync.policyDir`	The path in the Git repository or OCI Image to the root directory that contains the configuration that you want to sync. Default: the root directory of the repository.
`spec.configSync.syncWait`	Period in seconds between consecutive syncs. Default: 15.
`spec.configSync.syncRev`	Git revision (tag or hash) to sync from. This field is ignored if `.spec.configSync.sourceType` is set to `oci`. This field is optional and the default value is `HEAD`. Starting from Config Sync version 1.17.0, you can also specify a branch name in the `spec.configSync.syncRev` field. When using a hash in version 1.17.0 or later, it must be a full hash, and not an abbreviated form.
`spec.configSync.preventDrift`	If `true`, enables the Config Sync admission webhook to prevent drifts by rejecting conflicting changes from being pushed to live clusters. Defaults: `false`. Config Sync always remediates drifts no matter the value of this field.
`spec.configSync.secretType`	The type of Secret configured for access to the `.spec.configSync.syncRepo`. If you selected `git` as the source type, the value must be `ssh`, `cookiefile`, `gcenode`, `gcpserviceaccount`, `token`, or `none`. If you selected `oci` as the source type, the value must be `gcenode`, `gcpserviceaccount`, or `none`. The validation of this field is case-sensitive. Required.
`spec.configSync.gcpServiceAccountEmail`	The Google Cloud Service Account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when `spec.configSync.secretType` is `gcpserviceaccount`.
`spec.configSync.metricsGcpServiceAccountEmail`	The email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring. The GSA should have the Monitoring Metric Writer (`roles/monitoring.metricWriter`) IAM role. The Kubernetes ServiceAccount `default` in the namespace `config-management-monitoring` should be bound to the GSA.
`spec.configSync.sourceFormat`	When set to `unstructured`, configures a non-hierarchical repo. Default: `hierarchy`.

Proxy configuration for the Git repository

If your organization's security policies require you to route traffic through an HTTPS proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host. Proxy is only supported when using an authorization type of cookiefile, none, or token.

Key	Description
`spec.configSync.httpsProxy`	Defines an `HTTPS_PROXY` environment variable used to access the Git repository. For example, `https://proxy.internal.business.co:443`. The HTTPS proxy only accepts `https` or unadorned URLs. URLs containing `http://` are rejected. If using an unadorned URL, make sure the communication between your proxy server and Git host is secure.

Configuration for Policy Controller

Key	Description
`spec.policyController.enabled`	If `true`, enables Policy Controller. Defaults to `false`.
`spec.policyController.templateLibraryInstalled`	If `true`, installs a library of constraint templates for common policy types. Defaults to `true`.
`spec.policyController.referentialRulesEnabled`	If `true`, enables support for referential constraints. Be sure that you understand the caveats about eventual consistency. Defaults to `false`.
`spec.policyController.auditIntervalSeconds`	Period in seconds between consecutive audits of constraint violations. Set to 0 to disable auditing. Default: 60.
`spec.policyController.logDeniesEnabled`	If `true`, logs all denies and dry run failures. Defaults to `false`.
`spec.policyController.mutationEnabled`	If `true`, enables support for mutations. Defaults to `false`.
`spec.policyController.exemptableNamespaces`	A list of namespaces to remove from Policy Controller admission webhook enforcement. Any violations are still reported in audit. Defaults to an empty list.
`spec.policyController.monitoring.backends`	A list of monitoring backends for Policy Controller to export metrics to. Default: `[cloudmonitoring, prometheus]`.

Configuration for Hierarchy Controller

Key	Description
`spec.hierarchyController.enabled`	If `true`, enables Hierarchy Controller. Defaults to `false`.
`spec.hierarchyController.enableHierarchicalResourceQuota`	If `true`, enables hierarchical resource quotas. Defaults to `false`.
`spec.hierarchyController.enablePodTreeLabels`	If `true`, enables hierarchical observation of workloads. Defaults to `false`.

Example gcloud apply spec

applySpecVersion: 1
spec:
  configSync:
    enabled: true
    sourceFormat: unstructured
    syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    syncBranch: main
    secretType: none
    policyDir: config-sync-quickstart/multirepo/root
  hierarchyController:
    enabled: false