您可以在 Google Cloud 版本说明页面上查看 Google Cloud 所有产品的最新产品动态。
如需接收最新产品动态,请将本页面的网址添加到您的 Feed 阅读器,或直接添加 Feed 网址:https://cloud.google.com/feeds/anthosconfig-release-notes.xml
September 23, 2021
Config Sync supports rendering Kustomize configurations and Helm charts in multi-repo mode. The Git repository must have a kustomization.yaml file in the root of the sync directory to trigger the rendering process. To learn more, see Use a repo with Kustomize configurations and Helm charts.
The nomos hydrate command supports rendering unstructured source format and it supports rendering Kustomize configurations or Helm charts.
The nomos vet command supports rendering and it supports rendering Kustomize configurations or Helm charts. It provides a --keep-output flag to preserve the rendered output.
Config Sync ignores validating and applying any resource configuration in the Git repo with the annotation config.kubernetes.io/local-config: "true".
When encountering KNV1021: UnknownObjectError, Config Sync applies other resources that aren't affected by this error.
Updated Config Sync CPU requests to fit inside a default GKE cluster and for better resource utilization.
We strongly recommend that all Config Sync users enable multi-repo mode. It provides you with additional features and gives you the flexibility to sync to a single repository, or multiple repositories. If you are using kubectl to install and manage Config Sync, you can enable multi-repo mode by setting spec.enableMultiRepo: true in your ConfigManagement object. For more details, see Syncing from multiple repositories.
The Anthos Config Management operator is now installed into the config-management-system namespace rather than the kube-system namespace. If you are running custom monitoring or installation processes you need to update those processes. For specific instructions, see Manually installing Config Sync and Policy Controller with kubectl.
In nomos versions earlier than 1.9.0, the nomos status command reports an incorrect status for clusters using an Anthos Config Management version of 1.9.0 or later. Before upgrading to Anthos Config Management 1.9.0 or later, download the latest nomos CLI tool.
Fixed the issue causing the reconciler image version not getting updated, when upgrading from Anthos Config Management version 1.6.2. This was caused by an immutable label added in Anthos Config Management 1.6.2 and removed in 1.7.0.
August 26, 2021
kube-rbac-proxy has been removed since Hierarchy Controller does not expose any sensitive metrics, and kube-rbac-proxy is no longer actively maintained.
Fixed the issue causing a root or namespace reconciler to fail to be updated after switching from the auth type from none|gcenode|gcpserviceaccount to other types.
Fixed the issue causing Config Sync not to report sync errors when it fails to access Git repos.
Config Sync supports storing HTTPS/HTTP proxy credentials inside the git-creds Secret, using https_proxy or http_proxy as a key, to avoid exposing these credentials as plaintext.
Fixed the issue causing Config Sync not to pick up the latest schema of the CustomResourceDefinitions synced from Git repos.
Config Sync provides a way for users to override some system values:
- Use the
spec.override.resourcesfield of a RootSync or RepoSync object to override the resource limits for thereconcilercontainer and thegit-synccontainer. - Use the
spec.override.gitSyncDepthfield of a RootSync or RepoSync object to override the number of git commits to fetch from the git repository. - Set the
spec.git.noSSLVerifyfield of a RootSync or RepoSync object totrueto disable Git SSL certificate verification.
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 07e2fd0).
July 22, 2021
This note was updated on August 5, 2021: the issue in the ResourceGroup Controller was fixed.
An issue introduced in 1.8.0 nomos hydrate that breaks support for --clusters has been fixed.
An issue that caused Config Sync monitoring Pods fail to start in a cluster with PodSecurityPolicy enabled has been fixed.
Cluster selectors and namespace selectors annotations are removed from the result of nomos hydrate so that it can pass nomos vet and can be synced directly to the cluster by Config Sync.
An issue in ResourceGroup Controller that failed to update statuses of the managed resources has been fixed.
July 01, 2021
This release note was updated on September 29, 2021:
- The issue with Config Sync causing excessive updates of resources has been fixed.
This release note was updated on August 5, 2021:
- The issue in
nomos hydratehas been fixed. - A bug in
nomos hydratehas been identified. nomos statushas been updated to show resource level status when MultiRepo is enabled.
This release note contains information about 1.8.0 features that are now more widely available.
Config Sync now supports accessing Cloud Source Repositories through a Google service account when Workload Identity is enabled in your cluster. To learn more, see Granting Config Sync read-only access to Git.
Config Management is now available on GKE. Config Management enables you to use Policy Controller. GKE users can also now install Config Sync using the Cloud Console or by using the gcloud command-line tool. To learn more, see Installing Config Sync.
The following commands have been promoted to beta:
gcloud container hub config-management applygcloud container hub config-management disablegcloud container hub config-management enablegcloud container hub config-management statusgcloud container hub config-management unmanagegcloud container hub config-management upgradegcloud container hub config-management version
The config file format for the gcloud apply command has changed. For more information on the new file format, see gcloud apply spec fields.
You can now configure your cluster with the same settings used by another cluster by using gcloud fetch-for-apply. To learn more, see Configuring Config Sync.
Config Sync cluster selectors support CustomResourceDefinitions.
The issue where nomos hydrate command attempts to connect to the API Server even if --no-api-server-check is passed has been fixed.
A bug in nomos hydrate breaks support for --clusters.
nomos status shows resource level status when MultiRepo is enabled.
June 24, 2021
Config Connector can no longer be installed via Anthos Config Management. Upgrading to Anthos Config Management v1.8.0 will not affect an existing Config Connector installation, but that installation can no longer be managed with Anthos Config Management. To install or upgrade Config Connector alongside Anthos Config Management v1.8.0 or later, see Advanced installation options > Upgrading from non-operator installations in the Config Connector documentation. The version of Config Connector supported in earlier versions of Anthos Config Management will stop working on Kubernetes versions greater than or equal to 1.19.
The Config Sync admission webhook serving port is switched from 8676 to 10250. If you use Config Sync in multi-repo mode in private GKE clusters, you no longer need to add a firewall rule to open port 8676.
The Hierarchy Controller admission webhook serving port has switched from 9443 to 10250. If you use Hierarchy Controller in private GKE clusters you no longer need to add a firewall rule to open port 9443.
The Anthos Policy Controller admission webhook serving port is switched from 8443 to 10250. If you use Policy Controller in private GKE clusters you no longer need to add a firewall rule to open port 8443.
All Anthos Config Management components have been updated to remove use of v1beta1 APIs scheduled to be removed in Kubernetes 1.22. See the Kubernetes Deprecated API Migration Guide for more details.
Anthos Policy Controller now supports the ability for users to mutate resources as a preview feature. For more information see Mutating resources.
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: f6c2fe8).
Editing rights to Hierarchical Resource Quotas are now aggregated into the cluster-wide 'edit' and 'admin' Cluster Roles.
May 26, 2021
Hierarchy Controller has been updated to use HNC v0.8.0.
Increased reconciler memory limit to 300Mi.
The output of the nomos hydrate command does not pass nomos vet and cannot be synced using Config Sync without modifying the output. To work around this, we recommend removing the following annotations: configmanagement.gke.io/cluster-name , configmanagement.gke.io/source-path and removing label configsync.gke.io/declared-version
from the output so that the output can be successfully synced.
The nomos hydrate command attempts to connect to the API Server even if --no-api-server-check is passed. This behavior can be safely ignored in CI as if the CLI is unable to connect to the API Server it will not produce errors resulting from being unable to connect.
May 20, 2021
If Syncing from multiple repositories is enabled on a private GKE cluster, it's required to add a firewall rule to allow port 8676.
May 13, 2021
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 9b5e4cf).
A bug in Anthos Config Management 1.7.0 which broke nomos hydrate --no-api-server-check has been fixed.
The Config Sync admission webhook in Anthos Config Management 1.7.0 would block requests when a managed resource in the cluster copied annotations to another resource.
Config Sync container images are now correctly updated when Anthos Config Management is upgraded.
A bug in Anthos Config Management 1.7.0 which caused nomos status to return errors when both unstructured repos and Hierarchy Controller were being used has been fixed.
April 13, 2021
Anthos Config Management v1.7.0 included several Kubernetes library updates, one of these updates made checks for Resource types more strict. As a consequence, Config Sync users upgrading from an older version of Anthos Config Management may see errors in the form KNV9998: failed to encode declared fields: internal error: ....resources.limits.cpu: expected string, got &value.valueUnstructured{Value:2}. As a workaround, all resource declarations should be specified as strings.
April 05, 2021
This release note was updated on September 29, 2021:
- An issue with Config Sync causing excessive updates of resources has been identified.
Anthos Config Management images are no longer included in Anthos on VMWare clusters. To learn more, see Changes to Anthos Config Management updates.
The ability to sync from multiple Git repositories is now a generally-available feature. To learn more, see Syncing from multiple repositories.
A memory leak in the Anthos Config Management Operator Pod that led to high memory utilization or Pod restarts due to out-of-memory errors has been corrected.
Preview versions of multi-repo occasionally used excessive CPU usage and sent unnecessary queries to the apiserver master node, resulting in an unhealthy cluster. This issue has been corrected.
Config Sync configured with sourceFormat: unstructured will have errors during syncing if the Git repository includes a "Repo" resource.
Config Sync configured with sourceFormat: unstructured will have errors during syncing if the Git repository specifies a ClusterSelector with an invalid metadata.name field.
Config Sync multi-repo mode can't update the reconciler deployment image version when upgrading from 1.6.2 or later because of a new label removed from the immutable label selector. The workaround is to manually delete the reconciler by running kubectl delete deployment -n config-management-system -l app=reconciler. For more information, see Error: reconciler deployments failed to be upgraded.
This release note was updated on August 27, 2021. The update adds information about how to resolve an upgrade issue.
Customers using Anthos Policy Controller who have upgraded since Anthos Config Management 1.5.1 need to update the timeoutSeconds in their ValidatingWebhookConfigurations from "5" to "3" to avoid issues with Kubernetes leader elections.
February 25, 2021
Hierarchy Controller now includes a preview of Hierarchical Resource Quotas (HRQs). HRQs are drop-in replacements for Kubernetes Resource Quotas, but apply to resources in both a namespace as well as all of its descendants. To learn more, see Using hierarchical resource quotas.
The Anthos Config Management Operator Deployment now specifies resources.limits for config-management-operator:manager.
This release note was updated on March 5, 2021. The update removed information about a feature that is not yet available.
Config Sync multi-repo mode can't sync Git repositories using ssh as the authentication method. If this issue affects you, please contact support so we can suggest ways to handle your required use cases while we correct this issue.
This release note was updated on April 24, 2021. The update adds information about how to resolve an issue.
Config Sync multi-repo mode can't update the reconciler deployment image version in the upgrade process because of a new label added to the immutable label selector. The workaround is to manually delete the reconciler by running kubectl delete deployment -n config-management-system -l app=reconciler. For more information, see Error: reconciler deployments failed to be upgraded
.
This release note was updated on August 27, 2021. The update adds information about how to resolve an upgrade issue.
January 28, 2021
Hierarchy Controller is upgraded to include HNC v0.7.0. This release introduces Exceptions. Exceptions let you use Kubernetes label selectors to precisely control where certain objects are propagated.
This release also removes support for the v1alpha1 API. If you were using Hierarchy Controller 1.5.1 or earlier, you must either update to Hierarchy Controller 1.5.2 or 1.6.0, and follow the HNC v0.6.0 directions to upgrade to v1alpha2.
The nomos status output has been fixed for multi-repo clusters to show git.syncBranch when git.syncRev is not specified (git.syncRev defaults to HEAD) to provide a consistent experience with mono-repo clusters.
The nomos status output has been fixed for multi-repo clusters to distinctly show status of multiple namespace repos synced to the clusters.
Anthos Config Management Operator and Config Sync Pods get high memory utilization or OOMKilled due to memory leak.
January 08, 2021
Config Sync unintentionally started using the absolute path in the file system with spec.git.policyDir. This has no effect on Config Sync running on the cluster, but breaks validation when running nomos vet manually against hierarchical repositories. The issue will be corrected in 1.6.1.
December 10, 2020
Anthos Policy Controller now includes additional policies covering many of the CIS Kubernetes Benchmark 1.5.1 controls. To learn more, see the Constraint template library.
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 1de87b6).
Support for Git submodules has been fixed in this version.
November 16, 2020
A leading forward slash "/" in spec.git.policyDir will not match anything in Config Sync versions 1.5.2 and 1.6.0. For example:
policyDir: "/dirname"
will not match a top-level directory dirname. Because policyDir is always applied at the top of the directory structure, the workaround is to remove the leading forward slash.
This issue has been corrected in Config Sync 1.6.1; the forward slash will be ignored as it was in 1.5.1 and previous versions.
There is an issue where enabling referential constraints does not take effect for the audit container. This affects Anthos Config Management versions 1.5.0, 1.5.1, and 1.5.2.
The default timeout for Policy Controller's ValidatingWebhookConfiguration has been reduced to avoid interference with Kubernetes leader election processes.
Hierarchy Controller is upgraded to include HNC v0.6.0. This release introduces support for v1alpha2, and will automatically update all your existing HNC objects. We recommend backing up these objects before upgrading in case there are any problems with the upgrade process. For more information, see the release notes for HNC v0.6.0.
October 29, 2020
Anthos Config Management now includes the ability to sync from multiple Git repositories. This is a preview feature. To learn more, see Syncing from multiple repositories.
The installed product version was being misreported as "anthos-config-management" in ACM 1.5.0. The correct product version is now being reported.
When the enableLegacyFields is set to true, the ACM operator will create a RootSync resource automatically, but any subsequent changes to the RootSync resource will not be noticed by the operator. This will be fixed in a subsequent release. As a workaround, if the RootSync resource resource is modified, add or modify an unused annotation on the ConfigManagement resource to cause the operator to reconcile changes in the RootSync resource.
The nomos status output has been modified significantly to provide a consistent experience for both mono-repo and multi-repo clusters.
(Fixed on October 30, 2020) The version of Anthos Configuration Management included in the Anthos On-Prem release 1.5.1-gke.8 had initially referenced a version of the nomos image that had not be moved into the gcr.io/gke-on-prem-release repository, thus preventing a successful installation and/or upgrade of Anthos Configuration Management. This image has since been pushed to the repository to correct the issue for customers not using private registries. Customers using private registries will need to upgrade to 1.5.2 when it is available, or manually copy the nomos:v1.5.1-rc.7 image into their private repository.
September 24, 2020
Anthos Config Management now includes Config Connector v1.19.1.
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 15d56e3).
Binary Authorization can now be enabled through the Anthos Config Management Operator. See Setting up with Anthos Config Management for details.
The syncer and importer Containers now both run in the git-importer Pod in the importer Container. Any resource patches that were previously targeted to the syncer container will need to be updated to target the importer container.
Anthos Config Management installs a resource-group-controller Deployment which fails on non-GKE clusters. This Deployment is unnecessary and does not cause any other issues.
The nomos CLI tool is now available via gcloud. Please see the downloads page for more information.
This release includes several logging and performance improvements.
August 27, 2020
Anthos Config Management now includes Config Connector v1.15.1.
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 1de87b6).
This release includes several logging and performance improvements.
An issue with git submodule support is preventing syncing of configuration stored in submodule repositories. If this affects you, please contact support so we can suggest ways to handle your required use cases while we correct this.
July 30, 2020
Updated the git-sync image to fix security vulnerability CVE-2019-5482.
July 23, 2020
Config Connector has been updated in Anthos Config Management to version 1.13.1.
Anthos Config Management now includes Hierarchy Controller as a beta feature. For more information on this component, see the Hierarchy Controller overview.
Policy Controller users may now enable --log-denies to log all denies and dryrun failures. This is useful when trying to see what is being denied or fails dry-run and for keeping a log to debug cluster problems without looking through the status of all constraints. This is configured by setting spec.policyController.logDeniesEnabled: true in the configuration file for the Operator. There is an example in the section on Installing Policy Controller.
This release includes several logging and performance improvements.
This release includes several fixes and improvements for the nomos command line utility.
The use of unsecured HTTP for GitHub repo connections or in an http_proxy is now discouraged, and support for unsecured HTTP will be removed in a future release. HTTPS will continue to be supported for GitHub repo and local proxy connections.
This release improves the handling of GitHub repositories with very large histories.
Prior to this release, Config Sync and kubectl controllers and processes used the same annotation (kubectl.kubernetes.io/last-applied-configuration) to calculate three-way merge patches. The shared annotation sometimes resulted in resource fights, causing unnecessary removal of each other's fields. Config Sync now uses its own annotation, which prevents resource clashes.
In most cases, this change will be transparent to you. However, there are two cases where some previously unspecified behavior will change.
The first case is when you have run kubectl apply on an unmanaged resource in a cluster, and you later add that same resource to the GitHub repo. Previously, Config Sync would have pruned any fields that were previously applied but not declared in the GitHub repo. Now, Config Sync writes the declared fields to the resource and leaves undeclared fields in place. If you want to remove those fields, do one of the following:
- Get a local copy of the resource from GitHub and
kubectl applyit. - Use
kubectl edit --save-configto remove the fields directly.
The second case is when you stop managing a resource on the cluster or even stop all of Config Sync on a cluster. In this case, if you want to prune fields from a previously managed resource, you will see different behavior. Previously, you could get a local copy of the resource from GitHub, remove the unwanted fields, and kubectl apply it. Now, kubectl apply no longer prunes the missing fields. If you want to remove those fields, do one of the following:
- Call
kubectl apply set-last-appliedwith the unmodified resource from GitHub, then remove unwanted fields andkubectl applyit again without theset-last-appliedflag. - Use
kubectl edit --save-configto remove the fields directly.
In error messages, links to error docs are now more concise.
June 25, 2020
Anthos Config Management is now Generally Available on AKS (Kubernetes v1.16 or higher) and EKS (Kubernetes v1.16 or higher).
Config Connector is not currently supported on EKS or AKS, as it is unable to run on these providers.
The following Policy Controller constraint templates have been added to the Default Template Library:
- allowedserviceportname
- destinationruletlsenabled
- disallowedauthzprefix
- policystrictonly
- sourcenotallauthz
The following constraint templates have been updated:
- k8sblockprocessnamespacesharing
- k8sdisallowedrolebindingsubjects
- k8semptydirhassizelimit
- k8slocalstoragerequiresafetoevict
- k8smemoryrequestequalslimit
- k8snoexternalservices
- k8spspallowedusers
- k8spspallowprivilegeescalationcontainer
- k8spspapparmor
- k8spspcapabilities
- k8spspflexvolumes
- k8spspforbiddensysctls
- k8spspfsgroup
- k8spsphostfilesystem
- k8spsphostnamespace
- k8spsphostnetworkingports
- k8spspprivilegedcontainer
- k8spspprocmount
- k8spspreadonlyrootfilesystem
- k8spspseccomp
- k8spspselinux
- k8spspvolumetypes
See the Default Template Library documentation for more information.
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 25ca799).
This new build of OPA Gatekeeper includes a number of bug fixes and performance improvements, and adds three new monitoring metrics:
- gatekeeper_sync
- gatekeeper_sync_duration_seconds
- gatekeeper_sync_last_run_time
The nomos CLI tool now supports the KUBECONFIG environment variable in a way that matches the kubectl behavior with multiple delimited configuration files.
Anthos Config Management no longer gets into a continuous PATCH loop when encountering unmanaged resources with config-management annotations and a missing last-applied-configuration annotation.
Anthos Config Management is not issuing errors when it encounters certain types of malformed configurations in a resource definition. This may result in the Kubernetes API Server ignoring the malformed fields and applying the default value for the field instead.
Policy Controller may fail to start successfully when synced resources are marked for deletion.
This issue will be addressed in the upstream OPA Gatekeeper project in a future release. For more information see the relevant issue in the Gatekeeper project.
This release includes several logging and performance improvements.
June 15, 2020
A regression in Anthos Config Management 1.3.2 results in unnecessary patches to the API server for the gatekeeper-system namespace and spurious logging for error KNV2005. This "fight" results when the gatekeeper-system namespace is managed in the Git repo, and two Anthos Config Management components (the operator and syncer) are both trying to reconcile the state of the namespace with the API server. The only workaround at this time is to unmanage the gatekeeper-system namespace. The issue will be fixed in Anthos Config Management 1.4.1.
May 21, 2020
This release includes several performance and memory improvements.
In order to help prevent accidental deletion, Anthos Config Management will no longer allow a user to remove all namespaces or cluster-scoped resources in a single commit. If you wish to delete the full set of resources under management, it now requires two steps: remove all but one in a first commit, allow ACM to sync those changes, then remove the final resource in a second commit.
Error documentation has been updated to add more information on error codes. Errors that are no longer encountered in the product have been removed. Most error references have been embellished with examples and steps for remediation.
Anthos Config Management now supports a GKE-only authentication mechanism based on the service account of the cluster's node pool. Documentation on its use is here.
Anthos Config Management now includes Config Connector v1.8.0.
Anthos Config Management will now attempt to detect when resources that it manages are also managed by other controllers. Documentation on this behavior is available in error knv2005 which ACM will log in that case.
Policy Controller has been upgraded to include a newer version of Open Policy Agent Gatekeeper.
This version includes updates to improve the management of policy resources. As a consequence, finalizers are no longer used to manage Constraints and Constraint Templates.
The following metrics have been made obsolete due to these changes and have been removed:
gatekeeper_watch_manager_is_running
gatekeeper_watch_manager_last_restart_check_time
gatekeeper_watch_manager_last_restart_time
gatekeeper_watch_manager_restart_attempts
The following metrics were removed and will be re-implemented in a later version:
gatekeeper_watch_manager_intended_watch_gvk
gatekeeper_watch_manager_watched_gvk
April 23, 2020
Anthos Config Management images are now included in the Google-provided system images for Binary Authorization.
Policy Agent now allows configuration of namespaces that will bypass the admission controller. For more information, see Excluding Namespaces from Policy Controller
You can now exempt Namespaces from Policy Controller enforcement
Anthos Config Management v1.3.1 now supports Kubernetes v1.16 and higher. Earlier versions of Anthos Config Management relied on APIs that have been deprecated in Kubernetes v1.16.
The Anthos Config Management Syncer pod now reports when it detects that it is fighting with another process over a resource.
Anthos Config Management no longer allows managing resources in unmanaged Namespaces.
If you define a CRD with an integer field that has min/max values, Anthos Config Management will be unable to update the CRD.
Anthos Config Management no longer overwrites undeclared labels and annotations on Namespaces.
March 24, 2020
Anthos Policy Controller is now Generally Available
Anthos Config Management now includes the generally-available version of Config Connector.
Anthos Config Management now supports the use of a Personal Access Tokens for authentication against supported Git providers. More information can be found in Installing Anthos Config Management.
Anthos Config Management now supports the use of an HTTP or HTTPS proxy to connect with your Git host. More information can be found at Installing Anthos Config Management.
February 21, 2020
GKE On-prem 1.2.2 includes images for ACM 1.2.1. Upgrading from ACM 1.2.1 to ACM 1.3 is a valid, tested, safe upgrade path.
Minor updates and bug fixes.
February 10, 2020
Anthos Config Management v1.2.1 is generally available for use in production.
Git repos with submodules are now also supported by Anthos Configuration Management out of the box without additional configuration. This allows delegation of config authoring in a Git-idiomatic way. For more information, please see Git's documentation on submodules.
A new CLI subcommand is available. nomos bugreport bundles up Anthos Config Management log information into a Zip file, which can be attached to a Google support ticket.
Previously, adding an APIService to the repo will leave Anthos Config Management in a bad state, with the error message "KNV2002: failed to get server resources: unable to retrieve the complete list of server APIs." This issue has been mitigated; Anthos Config Management will now sync APIService objects correctly.
It is not currently possible to downgrade to v1.0.x after upgrading to a more recent version of Anthos Config Management.
Currently, Config Connector can only be installed on a single cluster. If multiple Config Connector instances attempt to create or mutate the same Google Cloud resource, conflicts or errors may occur, and you may exhaust quota for a given resource.
Anthos Config Management now can optionally support an unstructured repository, though some features that relied on hierarchical namespaces are disabled in this mode. More information can be found here.
December 20, 2019
Anthos Config Management v1.2.0 is generally available for use in production.
This release has minor bug fixes and performance improvements.
September 19, 2019
Anthos Config Management v1.1.0 is generally available for use in production.
Policy Controller (Beta) is a Kubernetes dynamic admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or business rules. It is built using Gatekeeper, an open source project.
You can now enable integration with Config Connector (beta), a Kubernetes addon that allows you to manage your Google Cloud Platform resources through Kubernetes configuration. You can sync configs for GCP resources with your Anthos Config Management repo and apply them automatically. For more information, see Installing Config Connector.
The apiVersion for the ConfigManagement CustomResource has changed. No action is required; the CustomResource is upgraded automatically when you upgrade to v1.1.0. You can read more about configuring Anthos Config Management.
Managed CRDs (CustomResourceDefinitions) are now Namespace-scoped by default, instead of cluster-scoped. This matches the semantics of the kubectl command.
If a CRD explicitly specifies a scope, Anthos Config Management honors that scope.
The nomos hydrate command is a replacement for the nomos view command, and reports your Anthos Config Management configuration in a human-readable way.
To use nomos hydrate, upgrade the nomos command to v1.1.
If you need to continue using nomos view, do not upgrade the nomos command from v1.0. It will remain forward-compatible for the foreseeable future.
You can read about a known issue with nomos view.
Anthos Config Management can now be installed on clusters using PodSecurityPolicies.
The nomos view command is deprecated and is not included in v1.1 or higher of the nomos command.
If you need to continue using nomos view, do not upgrade the nomos command from v1.0. It will remain forward-compatible for the foreseeable future.
It is not currently possible to downgrade to v1.0.x after upgrading to v1.1.0.
Currently, Config Connector can only be installed on a single cluster. If multiple Config Connector instances attempt to create or mutate the same GCP resource, conflicts or errors may occur, and you may exhaust quota for a given resource.
Adding an APIService to the repo will leave Anthos Config Management in a bad state, with the error message KNV2002: failed to get server resources: unable to retrieve the complete list of server APIs." This issue will affect both new and existing clusters syncing from this repo. To correct the issue:
- find the name of the
git-importerandsyncerpods usingkubectl get pods -n config-management-system - copy those names and restart the pods with
kubectl delete -n config-management-system pods git-importer-xxxx-xxxx syncer-xxxx-xxxx - These steps are required once for each cluster.
Once the pods for a cluster are restarted, syncing will be back to normal.
nomos view can fail to parse CRDs (Custom Resource Definitions) that exist in the local clone of the repo but have not yet been synced to a cluster.
To work around this issue, use nomos hydrate instead of nomos view.
June 14, 2019
Anthos Config Management v1.0.0 is generally available for use in production.
To upgrade to this version, follow the instructions for upgrading.
You must update all nomos binaries when you upgrade to Anthos Config Management v1.0.0.
Versions older than v1.0.0 are no longer available. If you participated in the early-access program for Anthos Config Management, you must upgrade to v1.0.0.
You can now sync CustomResourceDefinitions (CRDs). Anthos Config Management can now sync any type of Kubernetes object. For more information, see Configuring CustomResourceDefinitions.
We document how to stop Anthos Config Management from syncing configs as quickly as possible. This allows you to mitigate the potential for propagating unintended configs to clusters.
The nomos status subcommand provides a top-level view of the state of Anthos Config Management on all enrolled clusters, including errors and sync status. It reports on all clusters that kubectl can access.
The product name is now Anthos Config Management.
The nomos version command now provides version details for the Config Management Operator on each configured cluster, as well as the version of the nomos command itself.
New metrics allow you to monitor counts, latencies, and timestamps of specific operations.
The following changes have been made to the canonical example repository:
The canonical example repo has moved. If you use this repo or a fork, update your Git repository's remotes or create a separate clone of the new repo to ensure that you receive updates.
The filesystem standard and the value of the Repo object's spec.version for this version of Anthos Config Management are both
1.0.0.A new branch named
1.0.0contains configs compatible with Anthos Config Management v1.0.0.
An example NetworkPolicy illustrates some methods for enforcing good security practices across your clusters.
We improved the instructions for setting up SSH keys for authenticating to a Git repository.
HierarchicalResourceQuotas are no longer supported.
March 29, 2019
Anthos Config Management v0.13.1 (beta) is a maintenance release, and is compatible with Anthos Config Management v0.13.0.
To upgrade from v0.13.0 on an existing cluster, deploy the new Config Management Operator. You may need to remove an object that is no longer used, to prevent spurious log messages. See the release note about the change below.
You can now manage the default Namespace as well as Namespaces with names beginning with kube-.
Previously, if a config change removed a controller object (for example, a Deployment that has a ReplicaSet), removing the controller object did not remove objects it controlled. All of a controller object's child objects are now correctly removed when the controller object itself is removed.
Previously, if your repo contained only configs for Namespaces and no other configs, the Namespace configs would fail to sync. Repos now sync correctly even if it only contains configs for Namespaces.
The git-policy-importer application has been renamed to git-importer.
The nomos-cluster-policy ClusterConfig has been renamed to config-management-cluster-config. After upgrading, both ClusterConfig objects both exist on the cluster. This does not impact the functionality of the cluster, but you may see spurious log messages if the older ClusterConfig is still present. You can remove the old ClusterConfig to avoid these log messages:
kubectl delete clusterconfig nomos-cluster-policy
Syncing of CustomResourceDefinitions is not currently supported. If CustomResourceDefinition has been applied to the cluster, you can sync associated CustomResources.
Update: This issue no longer exists in Anthos Config Management v1.0.0 and higher.
March 20, 2019
Anthos Config Management 13.0.0 is the second beta release of Anthos Config Management. It represents a major change from v0.11.6, is not backward-compatible with any prior release, and cannot be installed on a cluster with a previous installation of Anthos Config Management. Backward-incompatible releases will always use a new minor version number.
You can now share a ResourceQuota among multiple Namespaces with a common abstract namespace directory. See Aggregate ResourceQuotas.
Syncs are no longer required, and are now silently ignored by the Config Management Operator. You can now create a config for any object in your cluster except a CustomResourceDefinition or the Config Management Operator itself.
The nomos-system Namespace has been renamed to config-management-system.
The nomos.dev/ API group has been renamed to configmanagement.gke.io/.
The Nomos object has been renamed to the ConfigManagement object and is now cluster-scoped.
The nomos-resource-quota object, which combines all of a Namespace's effective ResourceQuotas into a single one that is more efficient for Kubernetes to check and enforce, has been renamed to config-management-resource-quota.
Prometheus now uses the gkeconfig Namespace.
Annotations, rather than labels, are now used to determine that Anthos Config Management is managing a Kubernetes object.
Syncing of CustomResourceDefinitions is not currently supported. If a CustomResourceDefinition has been applied to the cluster, you can sync associated CustomResources.
Update: This issue no longer exists in Anthos Config Management v1.0.0 and higher.
March 04, 2019
This is the beta release of Anthos Config Management. It represents a major change from v0.10.4, and cannot be installed on a cluster with a previous installation of Anthos Config Management. An existing installation of the alpha from v0.10.4 or earlier will conflict with a new installation of v0.11.6 due to changes in the repository structure.
Added support for syncing all Kubernetes resources generically. For current limitations, see the list of known issues for this release.
Added support for NamespaceSelectors.
Moved repository format to Filesystem Standard v0.1.0.
Moved installation to use the Config Management Operator.
Syncing of CustomResourceDefinitions is not currently supported. If a CustomResourceDefinition has been applied to the cluster, you can sync associated CustomResources.
Update: This issue no longer exists in Anthos Config Management v1.0.0 and higher.
In some cases, local changes to managed resources made by kubectl apply can result in the removal of the nomos.dev/managed: enabled label, causing the resource to become unmanaged. As a workaround, use kubectl edit instead, or include the label in the YAML manifest you are applying.
Update: This issue no longer exists in Anthos Config Management v1.0.0 and higher. If changes are manually applied to managed Kubernetes objects, Anthos Config Management effectively reverts those changes as soon as it notices a difference between the config in the repo and the object in the cluster.
For more information, see Managing and unmanaging objects.