Configure a cluster with Anthos Config Management
Imagine you're a platform engineer for a large enterprise, supporting multiple app development teams building on Google Kubernetes Engine (GKE). You're in charge of maintaining the base-layer GKE environment and the org-wide policies that apply to all development teams.
You can simplify your cluster management with Anthos Config Management's Policy Controller and Config Sync. With Policy Controller, you can enforce customizable policies for your clusters. With Config Sync, you can consistently configure your clusters. When you use these components together, you can continuously enforce your policies.
In this tutorial, you create a cluster and then you install Policy Controller and Config Sync on that cluster. Next, you explore an example Git repository that contains the Policy Controller constraints and Config Sync configs that you apply to your cluster to ensure consistent policy enforcement and configuration.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
- Make sure that you have the following role or roles on the project: GKE Hub Admin
Check for the roles
- In the Google Cloud console, go to the IAM page and select the project.
- Find the row that has your email address in the Principal column. If your email address isn't in that column, then you do not have any roles.
- In the Role column for the row with your email address, check whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page and select the project.
- Click Grant access.
- In the New principals field, enter your email address.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Create a cluster
In this section, you create a cluster that you can use in this tutorial. Although in a real-world scenario you would likely manage multiple clusters, to simplify this tutorial you only create and manage one cluster.
To create a cluster, complete the following steps:
- In the Google Cloud console, go to the Kubernetes Engine page.
- If you're using GKE for the first time, click Enable to enable the Kubernetes Engine API.
- Click Create.
- In the Standard section, click Configure.
- In the Cluster basics section, enter acm-cluster in the Name field and leave all other fields with their recommended defaults.
- In the Cluster navigation menu, select Security.
- In the Security page, select the Enable Workload Identity checkbox and leave all other fields with their default values.
- Click Create. You are taken to the Kubernetes clusters page. It takes several minutes for your cluster to be created. When you see a green check mark in the Status column next to your cluster, it's ready.
Configure your cluster
To configure Policy Controller and Config Sync on the Google Cloud console, complete the following steps:
- In the Google Cloud console, go to the Config Sync dashboard.
- In the Config Sync settings box, click Install Config Sync.
- In the Available Clusters table, select acm-cluster and click Next.
- In the Policy Controller page that appears, leave the Enable Policy Controller checkbox selected and click Next.
- In the Config Sync page that appears, leave the Enable Config Sync checkbox selected.
- In the Repository list, select Custom.
- In the URL field that appears, enter https://github.com/GoogleCloudPlatform/anthos-config-management-samples. This is a sample repository created by Google.
- In the Configuration directory field, enter /quickstart/config-sync. This directory contains the example constraints and configs that you use in the following sections.
- Leave all other fields with their default values.
- Click Complete.
After a few minutes, check the status of acm-cluster by clicking the cluster name in the Config Sync settings table. In the Config Sync section, you should see Synced in the Status row. In the Policy Controller section, you should see Installed in the Status row.
Test Anthos Config Management capabilities
The repository that you added in the previous section contains the Config Sync configs and Policy Controller constraints that are now being applied to your cluster. The following sections show you how to confirm that the configs and constraints are being applied to your cluster.
Verify that a config is syncing
A config is a Kubernetes configuration declaration written in YAML or JSON that is stored in your Git repository. After you have finished configuring your cluster, Config Sync continuously applies these configs to your clusters.
The quickstart repository contains the following config for a namespace:
This config gives all clusters that are synced to the repository the hello namespace. The following steps show you how to verify that this namespace config is synced to your cluster:
- In the Google Cloud console, go to the Config Sync Packages page.
- In the Filter list, select Resource type and then select Namespace.
- In the table, the Sync status column should have a value of Synced for the hello namespace. A value of Synced means that Config Sync is watching your Git repository and continuously syncing the configs in your repository to your GKE cluster.
Try to violate a constraint
You can ensure that your clusters are compliant with your policies by using Policy Controller constraints. Policy Controller comes with a constraint template library that you can use to help you create your constraints.
The quickstart repository contains the no-ext-services.yaml constraint, which uses the K8sNoExternalServices constraint template from the library:
This constraint prohibits the creation of an external Service, and Config Sync syncs this constraint from the repository to your cluster.
To test that Config Sync is syncing the constraint, use the Packages tab:
- In the Filter list, select Resource type and then select K8sNoExternalServices. In the table, you should see that the no-internet-services constraint is synced to your cluster.
The quickstart repository also contains an external Service named service.yaml that would violate this constraint:
To test that Policy Controller is enforcing your no-ext-services.yaml constraint, try to apply service.yaml by running the following commands:
- In the Google Cloud console, activate Cloud Shell.
  At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
- In the terminal, configure kubectl command-line access:
      gcloud container clusters get-credentials acm-cluster \
          --zone ZONE \
          --project PROJECT_ID
  Replace the following:
  - ZONE: the zone that you created your cluster in
  - PROJECT_ID: your project ID
- Clone the Anthos Config Management sample repository:
      git clone https://github.com/GoogleCloudPlatform/anthos-config-management-samples
- Navigate to the folder that contains the samples used in this tutorial:
      cd anthos-config-management-samples/quickstart/
- Try to apply service.yaml:
      kubectl apply -f resources/service.yaml
  Since the Service that you tried to create was an external Service, you cannot create it, and the output is the following:
      Error from server ([no-internet-services] Creating services of type `LoadBalancer` without Internal annotation is not allowed): error when creating "resources/service.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [no-internet-services] Creating services of type `LoadBalancer` without Internal annotation is not allowed
By using Policy Controller and Config Sync together, your policies are consistently enforced on your clusters. Config Sync synced the K8sNoExternalServices policy to your cluster, and Policy Controller enforced the policy at the admission controller level, blocking you from applying a resource that violated the policy.
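Admission-time denial is the last line of defence; a platform team usually also wants the same rule checked before a manifest reaches the config repository. The following Python is an added example, not code from this page, from the sample repository, or from the Gatekeeper constraint template library: it reproduces the decision the K8sNoExternalServices constraint makes for a Service (type LoadBalancer without an internal-load-balancer annotation is a violation) and formats the result like the admission error shown above. The annotation key cloud.google.com/load-balancer-type and value Internal are assumptions about how the template recognises an internal load balancer, and the sample manifests are constructed for this example rather than copied from service.yaml.

```python
"""Local pre-commit check mirroring the K8sNoExternalServices constraint.

Added example (not the page's code, not the Gatekeeper library's Rego).
Feed it manifests as plain dicts, e.g. the output of yaml.safe_load_all().
"""
from typing import Dict, List, Optional, Tuple

CONSTRAINT_NAME = "no-internet-services"  # constraint name seen in the admission error
# ASSUMPTION: the template treats this annotation/value pair as "internal".
INTERNAL_LB_ANNOTATION = "cloud.google.com/load-balancer-type"
INTERNAL_LB_VALUE = "Internal"
VIOLATION_MSG = (
    "Creating services of type `LoadBalancer` without Internal annotation "
    "is not allowed"
)


def check_no_external_services(manifest: Dict) -> Optional[str]:
    """Return the violation message for a Service manifest, or None if compliant.

    Only Service objects are inspected here; the library template also covers
    Ingress, which this example deliberately leaves out.
    """
    if manifest.get("kind") != "Service":
        return None
    spec = manifest.get("spec") or {}
    if spec.get("type") != "LoadBalancer":
        # ClusterIP and NodePort never provision a cloud load balancer.
        return None
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    if annotations.get(INTERNAL_LB_ANNOTATION) == INTERNAL_LB_VALUE:
        return None
    return f"[{CONSTRAINT_NAME}] {VIOLATION_MSG}"


def check_documents(docs: List[Dict]) -> List[Tuple[str, str]]:
    """Check a multi-document manifest; return (object name, message) per violation."""
    findings = []
    for doc in docs:
        msg = check_no_external_services(doc)
        if msg is not None:
            name = (doc.get("metadata") or {}).get("name", "<unnamed>")
            findings.append((name, msg))
    return findings


# Constructed sample manifests (not the repository's service.yaml).
EXTERNAL_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "hello-external", "namespace": "hello"},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
}
INTERNAL_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "hello-internal",
        "namespace": "hello",
        "annotations": {INTERNAL_LB_ANNOTATION: INTERNAL_LB_VALUE},
    },
    "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
}
CLUSTER_IP_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "hello-clusterip", "namespace": "hello"},
    "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
}

if __name__ == "__main__":
    for name, msg in check_documents(
        [EXTERNAL_SERVICE, INTERNAL_SERVICE, CLUSTER_IP_SERVICE]
    ):
        print(f"{name}: {msg}")
```

Run against the constructed manifests, only hello-external is reported, which is the same outcome Policy Controller produced for service.yaml. Wiring this function into a pre-commit hook or CI job for the config repository surfaces violations before Config Sync ever pushes them to the cluster, while the admission webhook still catches anything applied directly with kubectl.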
You've now learned how to complete the following tasks for Anthos Config Management:
- Install Policy Controller and Config Sync.
- Use Config Sync to sync a config from a GitHub repository to your GKE cluster.
- Use Config Sync to sync a Policy Controller constraint to your cluster.
- Use Policy Controller to enforce an org-wide policy on your cluster.
Clean up
To avoid incurring charges, delete the cluster that you created for this quickstart:
- In the Google Cloud console, go to the GKE menu.
- Next to acm-cluster, click Actions and then click Delete.
- When prompted to confirm, click Delete again.
What's next
- Learn more about Policy Controller.
- Learn more about Config Sync.
- Create your own repository and configs.
- Write constraints to enforce your policies.