Configure a cluster with Anthos Config Management

Imagine you are a platform engineer for a large enterprise, supporting multiple app development teams building on Google Kubernetes Engine (GKE). You are in charge of maintaining the base-layer GKE environment and the org-wide policies that apply to all development teams.

You can simplify your cluster management with Anthos Config Management's Policy Controller and Config Sync. With Policy Controller, you can enforce customizable policies for your clusters. With Config Sync, you can consistently configure your clusters. When you use these components together, you can continuously enforce your policies.

In this tutorial you create a cluster and then you install Policy Controller and Config Sync on that cluster. Next, you explore an example Git repository that contains the Policy Controller constraints and Config Sync configs that you apply to your cluster to ensure consistent policy enforcement and configuration.

A diagram showing a GKE cluster with Policy Controller and Config Sync installed

For step-by-step guidance on this task directly in Cloud console, click Guide me:

Guide me

The following sections take you through the same steps as clicking Guide me.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

    In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

    Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

    In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

    Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

Prepare your environment

In the following sections, you create and configure a cluster that you can use with Policy Controller and Config Sync. Although in a real world scenario you would likely be managing multiple clusters, to simplify this tutorial you only create and manage one cluster.

Create a cluster

To create a cluster that you can use with Config Sync, complete the following steps:

  1. In the Google Cloud console, go to the Google Kubernetes Engine page.

    Go to Google Kubernetes Engine

  2. If you're using GKE for the first time, click Enable to enable the Kubernetes Engine API.

  3. Click Create.

  4. In the Standard section, click Configure.

  5. In the Cluster basics section, add acm-cluster in the Name field and leave all other fields with their recommended defaults.

  6. In the left-hand menu, under Cluster, select Security.

  7. In the Security page, select the Enable Workload Identity checkbox and leave all other fields with their default values.

  8. Click Create. It can take several minutes for your cluster to be created.

Give yourself admin permissions

After creating your cluster, grant yourself the GKE Hub Admin.

  1. In the Cloud console, go to the IAM page.

    Go to IAM

  2. Click Add.

  3. In the New principals field, enter the email address that you used to register with Google Cloud.

  4. In the Select a role drop-down list, search for and select GKE Hub Admin.

  5. Click Save.

Enable Anthos Config Management

To enable Anthos Config Management, complete the following steps:

  1. In the Cloud console, go to the Config Management page.

    Go to Config Management

  2. Click Set up Config Management.

  3. To enable the Config Management API, click Next. After you click Next, you are taken to the Select registered clusters for Config Management page where you can register your cluster.

Register your cluster

After your cluster is created, register your cluster to a fleet:

  1. In the Select registered clusters for Config Management page, locate the Unregistered clusters from this project table, and find acm-cluster.

  2. Next to acm-cluster, click Register.

    Once the cluster is successfully registered, it appears in the Select registered clusters for Config Management table.

Configure your cluster

To configure Policy Controller and Config Sync on the Google Cloud console, complete the following steps:

  1. In the Select registered clusters for Config Management table, select acm-cluster and click Next.
  2. In the Policy Controller page that appears, leave the Enable Policy Controller checkbox enabled and click Next.
  3. In the Config Sync page that appears, leave the Enable Config Sync checkbox enabled.
  4. In the Repository drop-down list, select Custom.
  5. In the URL field that appears, add: https://github.com/GoogleCloudPlatform/anthos-config-management-samples. This is a sample repository created by Google.
  6. Click Show Advanced Settings.
  7. In the Authentication Type drop-down list, select None.
  8. In the Branch field, add main.
  9. Leave the Tag / Commit field with its default value of HEAD.
  10. In the Configuration directory field, add /quickstart/config-sync. This directory contains the example constraints and configs that you use in the following sections.
  11. Leave the Sync wait, Git proxy, Source format, and Config Management version fields with their default values.
  12. Click Complete and you are taken back to the Config Management page.

After a few minutes, check the status of acm-cluster in the table. You should see Synced in the Config Sync status column and Installed in the Policy Controller status column.

Test Anthos Config Management capabilities

The repository that you added in the previous section contains the Config Sync configs and Policy Controller constraints that are now being applied to your cluster. The following sections show you how to confirm that the configs and constraints are being applied to your cluster.

Verify that a config is syncing

A config is a Kubernetes configuration declaration written in YAML or JSON that is stored in your Git repository. After you have finished configuring your cluster, Config Sync continuously applies these configs to your clusters.

The quickstart repository contains the following config for a namespace:

quickstart/config-sync/namespaces/hello.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: hello

This config gives all clusters that are synced to the repository the hello namespace and the following sections show you how to verify that this config is synced to your cluster.

Open Cloud Shell

To run the gcloud CLI and kubectl commands in the following sections use Cloud Shell. To launch Cloud Shell, run the following commands:

  1. Go to the Google Cloud console.

    Go to Google Cloud console

  2. From the upper-right corner of the console, click the Activate Cloud Shell button:

    A Cloud Shell session opens inside a frame lower on the console.

List namespaces that Config Sync manages

To confirm that Config Sync is managing the hello namespace, run the following commands in Cloud Shell:

  1. Configure kubectl command-line access:

    gcloud container clusters get-credentials acm-cluster \
    --zone ZONE \
    --project PROJECT_ID

    Replace the following:

    • ZONE: the zone that you created your cluster in
    • PROJECT_ID: your project ID

  2. List the namespaces that Config Sync is managing:

    kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io

    The output is similar to the following:

    NAME    STATUS   AGE
hello   Active   7m7s

This output means that Config Sync is watching your Git repository and continuously syncing the configs in your repository to your GKE cluster.

Try to violate a constraint

You can ensure your clusters are compliant with your policies by using Policy Controller constraints. Policy Controller comes with a constraint template library that you can use to help you create your constraints.

The quickstart repository contains the no-ext-services.yaml constraint, which uses the K8sNoExternalServices constraint template from the library:

quickstart/config-sync/policies/no-ext-services.yaml 
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-internet-services
spec:
  parameters:
    internalCIDRs: []

This constraint prohibits the creation of an external Service and Config Sync is syncing this constraint from the repository to your cluster.

  • To test that Config Sync is syncing the constraint, get a list of constraints:

    kubectl get constraint

    The output is similar to the following:

    NAME                                                                   AGE
k8snoexternalservices.constraints.gatekeeper.sh/no-internet-services   7m39s

The quickstart repository also contains an external Service named service.yaml that would violate this constraint:

quickstart/resources/service.yaml 
apiVersion: v1
kind: Service
metadata:
  name: hello
  namespace: default
spec:
  type: LoadBalancer
  selector:
    app: hello
  ports:
  - name: http
    port: 80
    targetPort: 8080

To test that Policy Controller is enforcing your no-ext-services.yaml constraint, try to apply service.yaml by running the following commands:

  1. Clone the Anthos Config Management sample repository:

    git clone https://github.com/GoogleCloudPlatform/anthos-config-management-samples

  2. Navigate to the folder that contains the samples used in this tutorial:

    cd anthos-config-management-samples/quickstart/

  3. Try to apply service.yaml:

    kubectl apply -f resources/service.yaml

    Since the Service that you tried to create was an external Service, you cannot create it and the output is the following:

    Error from server ([no-internet-services] Creating services of type
`LoadBalancer` without Internal annotation is not allowed): error when
creating "resources/service.yaml": admission webhook
"validation.gatekeeper.sh" denied the request: [no-internet-services]
Creating services of type `LoadBalancer` without Internal annotation is not
allowed ```

By using Policy Controller and Config Sync together, your policies are consistently enforced on your clusters. Config Sync synced the K8sNoExternalServices policy to your cluster and Policy Controller enforced the policy at the admission controller level, blocking you from applying a resource that violated the policy.

You've now learned how to complete the following tasks for Anthos Config Management:

  1. Install Policy Controller and Config Sync.
  2. Use Config Sync to sync a config from a GitHub repository to your GKE cluster.
  3. Use Config Sync to sync a Policy Controller constraint to your cluster.
  4. Use Policy Controller to enforce an org-wide policy on your cluster.

Clean up

To avoid incurring charges, delete the cluster that you created for this quickstart:

  1. Go to the GKE menu in the Cloud console.

    Go to GKE

  2. Next to acm-cluster, click Actions and then click Delete.

  3. When prompted to confirm, click Delete again.

What's next