
Configure a cluster with Anthos Config Management

Imagine you're a platform engineer for a large enterprise, supporting multiple app development teams building on Google Kubernetes Engine (GKE). You're in charge of maintaining the base-layer GKE environment and the org-wide policies that apply to all development teams.

You can simplify your cluster management with Anthos Config Management's Policy Controller and Config Sync. With Policy Controller, you can enforce customizable policies for your clusters. With Config Sync, you can consistently configure your clusters. When you use these components together, you can continuously enforce your policies.

In this tutorial, you create a cluster and then you install Policy Controller and Config Sync on that cluster. Next, you explore an example Git repository that contains the Policy Controller constraints and Config Sync configs that you apply to your cluster to ensure consistent policy enforcement and configuration.

A diagram showing a GKE cluster with Policy Controller and Config Sync installed




Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. Make sure that you have the following role or roles on the project: GKE Hub Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Find the row that has your email address in the Principal column.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Create a cluster

In this section, you create a cluster that you can use in this tutorial. Although in a real-world scenario you would likely manage multiple clusters, to simplify this tutorial you only create and manage one cluster.

To create a cluster, complete the following steps:

  1. In the Google Cloud console, go to the Kubernetes Engine page.

    Go to Google Kubernetes Engine

  2. If you're using GKE for the first time, click Enable to enable the Kubernetes Engine API.

  3. Click Create.

  4. In the Standard section, click Configure.

  5. In the Cluster basics section, enter acm-cluster in the Name field and leave all other fields with their recommended defaults.

  6. In the Cluster navigation menu, select Security.

  7. In the Security page, select the Enable Workload Identity checkbox and leave all other fields with their default values.

  8. Click Create. You are taken to the Kubernetes clusters page. It takes several minutes for your cluster to be created. When you see a green check mark in the Status column next to your cluster, it's ready.

Configure your cluster

To configure Policy Controller and Config Sync on the Google Cloud console, complete the following steps:

  1. In the Google Cloud console, go to the Config Sync dashboard.

    Go to Config Sync dashboard

  2. In the Config Sync settings box, click Install Config Sync.

  3. In the Available Clusters table, select acm-cluster and click Next.

  4. In the Policy Controller page that appears, leave the Enable Policy Controller checkbox selected and click Next.

  5. In the Config Sync page that appears, leave the Enable Config Sync checkbox selected.

  6. In the Repository list, select Custom.

  7. In the URL field that appears, enter: https://github.com/GoogleCloudPlatform/anthos-config-management-samples. This is a sample repository created by Google.

  8. In the Configuration directory field, enter /quickstart/config-sync. This directory contains the example constraints and configs that you use in the following sections.

  9. Leave all other fields with their default values.

  10. Click Complete.

After a few minutes, check the status of acm-cluster by clicking the cluster name in the Config Sync settings table. In the Config Sync section, you should see Synced in the Status row. In the Policy Controller section, you should see Installed in the Status row.

Test Anthos Config Management capabilities

The repository that you added in the previous section contains the Config Sync configs and Policy Controller constraints that are now being applied to your cluster. The following sections show you how to confirm that the configs and constraints are being applied to your cluster.

Verify that a config is syncing

A config is a Kubernetes configuration declaration written in YAML or JSON that is stored in your Git repository. After you have finished configuring your cluster, Config Sync continuously applies these configs to your clusters.

The quickstart repository contains the following config for a namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: hello

This config creates the hello namespace on every cluster that is synced to the repository. The following steps show you how to verify that this namespace config is synced to your cluster:

  1. In the Google Cloud console, go to the Config Sync Packages page.

    Go to Packages

  2. In the Filter list, select Resource type and then select Namespace.

In the table, the Sync status column should have a value of Synced for the hello namespace. A value of Synced means that Config Sync is watching your Git repository and continuously syncing the configs in your repository to your GKE cluster.

Try to violate a constraint

You can ensure that your clusters are compliant with your policies by using Policy Controller constraints. Policy Controller comes with a constraint template library that you can use to help you create your constraints.

The quickstart repository contains the no-ext-services.yaml constraint, which uses the K8sNoExternalServices constraint template from the library:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-internet-services
spec:
  parameters:
    internalCIDRs: []

This constraint prohibits the creation of an external Service, and Config Sync is syncing this constraint from the repository to your cluster.

To test that Config Sync is syncing the constraint, use the Packages tab:

  • In the Filter list, select Resource type and then select K8sNoExternalServices. In the table, you should see that the no-internet-services constraint is synced to your cluster.

The quickstart repository also contains an external Service named service.yaml that would violate this constraint:

apiVersion: v1
kind: Service
metadata:
  name: hello
  namespace: default
spec:
  type: LoadBalancer
  selector:
    app: hello
  ports:
  - name: http
    port: 80
    targetPort: 8080

To test that Policy Controller is enforcing your no-ext-services.yaml constraint, try to apply service.yaml by running the following commands:

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. In the terminal, configure kubectl command-line access:

    gcloud container clusters get-credentials acm-cluster \
        --zone ZONE \
        --project PROJECT_ID
    

    Replace the following:

    • ZONE: the zone that you created your cluster in
    • PROJECT_ID: your project ID

  3. Clone the Anthos Config Management sample repository:

    git clone https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    

  4. Navigate to the folder that contains the samples used in this tutorial:

    cd anthos-config-management-samples/quickstart/
    

  5. Try to apply service.yaml:

    kubectl apply -f resources/service.yaml
    

    Because the Service that you tried to create is an external Service, the admission webhook denies the request and the output is the following:

    Error from server ([no-internet-services] Creating services of type
    `LoadBalancer` without Internal annotation is not allowed): error when
    creating "resources/service.yaml": admission webhook
    "validation.gatekeeper.sh" denied the request: [no-internet-services]
    Creating services of type `LoadBalancer` without Internal annotation is not
    allowed
    

By using Policy Controller and Config Sync together, your policies are consistently enforced on your clusters. Config Sync synced the K8sNoExternalServices policy to your cluster and Policy Controller enforced the policy at the admission controller level, blocking you from applying a resource that violated the policy.
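Policy Controller rejects the Service only at admission time, so a manifest that violates the constraint still lands in the repository and shows up as a sync error. A platform team therefore often runs the same rule locally before a change is pushed. The following Python script is an added example, not code from the page's repository or Google's K8sNoExternalServices template: it models the rule shown above as "a Service of type LoadBalancer is denied unless it carries an Internal load-balancer annotation, or every loadBalancerSourceRanges entry falls inside one of the constraint's internalCIDRs". The annotation keys and the CIDR handling are assumptions about the template's Rego, not taken from the page; the constraint and the external Service are the ones the page shows, and the compliant variants are constructed.

```python
"""Local approximation of the K8sNoExternalServices constraint (added example).

Assumptions (not from the page): the template accepts either GKE internal
load-balancer annotation, and exempts LoadBalancer Services whose
loadBalancerSourceRanges all lie within the constraint's internalCIDRs.
"""
import ipaddress

# Annotation keys assumed to mark a GKE internal load balancer (assumption).
INTERNAL_LB_ANNOTATIONS = {
    "cloud.google.com/load-balancer-type",
    "networking.gke.io/load-balancer-type",
}


def _is_internal_annotated(metadata):
    """True if any of the assumed annotation keys is set to 'Internal'."""
    annotations = metadata.get("annotations") or {}
    return any(str(annotations.get(k, "")).lower() == "internal"
               for k in INTERNAL_LB_ANNOTATIONS)


def _ranges_within(ranges, internal_cidrs):
    """True only if ranges is non-empty and every range lies inside an internal CIDR."""
    if not ranges or not internal_cidrs:
        return False
    nets = [ipaddress.ip_network(c, strict=False) for c in internal_cidrs]
    for r in ranges:
        rng = ipaddress.ip_network(r, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(rng.version == n.version and rng.subnet_of(n) for n in nets):
            return False
    return True


def check_service(manifest, internal_cidrs=()):
    """Return violation messages for one manifest; an empty list means allowed."""
    if manifest.get("kind") != "Service":
        return []
    spec = manifest.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []
    meta = manifest.get("metadata", {})
    if _is_internal_annotated(meta):
        return []
    if _ranges_within(spec.get("loadBalancerSourceRanges"), internal_cidrs):
        return []
    name = meta.get("name", "<unnamed>")
    return [f"[no-internet-services] Service {name}: creating services of type "
            "`LoadBalancer` without Internal annotation is not allowed"]


def check_repo(manifests, constraint):
    """Run the check over every manifest using the constraint's internalCIDRs."""
    cidrs = constraint.get("spec", {}).get("parameters", {}).get("internalCIDRs", [])
    violations = []
    for manifest in manifests:
        violations.extend(check_service(manifest, cidrs))
    return violations


# The no-ext-services.yaml constraint from the quickstart repository.
NO_INTERNET_SERVICES = {
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "K8sNoExternalServices",
    "metadata": {"name": "no-internet-services"},
    "spec": {"parameters": {"internalCIDRs": []}},
}

# service.yaml from the quickstart repository, as a parsed manifest.
EXTERNAL_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "hello", "namespace": "default"},
    "spec": {"type": "LoadBalancer", "selector": {"app": "hello"},
             "ports": [{"name": "http", "port": 80, "targetPort": 8080}]},
}

# Constructed compliant variants: an internal load balancer and a ClusterIP Service.
INTERNAL_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "hello-internal", "namespace": "default",
                 "annotations": {"networking.gke.io/load-balancer-type": "Internal"}},
    "spec": {"type": "LoadBalancer", "selector": {"app": "hello"},
             "ports": [{"name": "http", "port": 80, "targetPort": 8080}]},
}
CLUSTER_IP_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "hello-clusterip", "namespace": "default"},
    "spec": {"type": "ClusterIP", "selector": {"app": "hello"},
             "ports": [{"name": "http", "port": 80, "targetPort": 8080}]},
}

if __name__ == "__main__":
    # Only the external Service from the page is reported.
    for violation in check_repo([EXTERNAL_SERVICE, INTERNAL_SERVICE, CLUSTER_IP_SERVICE],
                                NO_INTERNET_SERVICES):
        print(violation)
```

With the page's `internalCIDRs: []`, the source-range exemption never applies, which is why the sample Service is denied regardless of any `loadBalancerSourceRanges` it might carry; populating `internalCIDRs` in the constraint is what would open that path.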

You've now learned how to complete the following tasks for Anthos Config Management:

  1. Install Policy Controller and Config Sync.
  2. Use Config Sync to sync a config from a GitHub repository to your GKE cluster.
  3. Use Config Sync to sync a Policy Controller constraint to your cluster.
  4. Use Policy Controller to enforce an org-wide policy on your cluster.

Clean up

To avoid incurring charges, delete the cluster that you created for this quickstart:

  1. In the Google Cloud console, go to the GKE menu.

    Go to Kubernetes Engine

  2. Next to acm-cluster, click Actions and then click Delete.

  3. When prompted to confirm, click Delete again.

What's next