Configure a cluster with Anthos Config Management
Imagine you are a platform engineer for a large enterprise, supporting multiple app development teams building on Google Kubernetes Engine (GKE). You are in charge of maintaining the base-layer GKE environment and the org-wide policies that apply to all development teams.
You can simplify your cluster management with Anthos Config Management's Policy Controller and Config Sync. With Policy Controller, you can enforce customizable policies for your clusters. With Config Sync, you can consistently configure your clusters. When you use these components together, you can continuously enforce your policies.
In this tutorial you create a cluster and then you install Policy Controller and Config Sync on that cluster. Next, you explore an example Git repository that contains the Policy Controller constraints and Config Sync configs that you apply to your cluster to ensure consistent policy enforcement and configuration.
For step-by-step guidance on this task directly in Cloud console, click Guide me:
The following sections take you through the same steps as clicking Guide me.
Before you begin
-
Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
Prepare your environment
In the following sections, you create and configure a cluster that you can use with Policy Controller and Config Sync. Although in a real world scenario you would likely be managing multiple clusters, to simplify this tutorial you only create and manage one cluster.
Create a cluster
To create a cluster that you can use with Config Sync, complete the following steps:
In the Google Cloud console, go to the Google Kubernetes Engine page.
If you're using GKE for the first time, click Enable to enable the Kubernetes Engine API.
Click add_box Create.
In the Standard section, click Configure.
In the Cluster basics section, add
acm-cluster
in the Name field and leave all other fields with their recommended defaults.In the left-hand menu, under Cluster, select Security.
In the Security page, select the Enable Workload Identity checkbox and leave all other fields with their default values.
Click Create. It can take several minutes for your cluster to be created.
Give yourself admin permissions
After creating your cluster, grant yourself the GKE Hub Admin.
In the Cloud console, go to the IAM page.
Click Add.
In the New principals field, enter the email address that you used to register with Google Cloud.
In the Select a role drop-down list, search for and select GKE Hub Admin.
Click Save.
Enable Anthos Config Management
To enable Anthos Config Management, complete the following steps:
In the Cloud console, go to the Config Management page.
Click Set up Config Management.
To enable the Config Management API, click Next. After you click Next, you are taken to the Select registered clusters for Config Management page where you can register your cluster.
Register your cluster
After your cluster is created, register your cluster to a fleet:
- In the Select registered clusters for Config Management page, locate
the Unregistered clusters from this project table, and find
acm-cluster
. Next to
acm-cluster
, click Register.Once the cluster is successfully registered, it appears in the Select registered clusters for Config Management table.
Configure your cluster
To configure Policy Controller and Config Sync on the Google Cloud console, complete the following steps:
- In the Select registered clusters for Config Management table, select
acm-cluster
and click Next. - In the Policy Controller page that appears, leave the Enable Policy Controller checkbox enabled and click Next.
- In the Config Sync page that appears, leave the Enable Config Sync checkbox enabled.
- In the Repository drop-down list, select Custom.
- In the URL field that appears, add:
https://github.com/GoogleCloudPlatform/anthos-config-management-samples
. This is a sample repository created by Google. - Click Show Advanced Settings.
- In the Authentication Type drop-down list, select None.
- In the Branch field, add
main
. - Leave the Tag / Commit field with its default value of
HEAD
. - In the Configuration directory field, add
/quickstart/config-sync
. This directory contains the example constraints and configs that you use in the following sections. - Leave the Sync wait, Git proxy, Source format, and Config Management version fields with their default values.
- Click Complete and you are taken back to the Config Management page.
After a few minutes, check the status of acm-cluster
in the table. You should
see Synced in the Config Sync status column and Installed in the
Policy Controller status column.
Test Anthos Config Management capabilities
The repository that you added in the previous section contains the Config Sync configs and Policy Controller constraints that are now being applied to your cluster. The following sections show you how to confirm that the configs and constraints are being applied to your cluster.
Verify that a config is syncing
A config is a Kubernetes configuration declaration written in YAML or JSON that is stored in your Git repository. After you have finished configuring your cluster, Config Sync continuously applies these configs to your clusters.
The quickstart repository contains the following config for a namespace:
This config gives all clusters that are synced to the repository the hello
namespace and the following sections show you how to verify that this config
is synced to your cluster.
Open Cloud Shell
To run the gcloud CLI and kubectl
commands in the following
sections use Cloud Shell. To launch Cloud Shell, run the following
commands:
Go to the Google Cloud console.
From the upper-right corner of the console, click the Activate Cloud Shell button:
A Cloud Shell session opens inside a frame lower on the console.
List namespaces that Config Sync manages
To confirm that Config Sync is managing the hello
namespace, run the
following commands in Cloud Shell:
Configure
kubectl
command-line access:gcloud container clusters get-credentials acm-cluster \ --zone ZONE \ --project PROJECT_ID
Replace the following:
ZONE
: the zone that you created your cluster inPROJECT_ID
: your project ID
List the namespaces that Config Sync is managing:
kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io
The output is similar to the following:
NAME STATUS AGE hello Active 7m7s
This output means that Config Sync is watching your Git repository and continuously syncing the configs in your repository to your GKE cluster.
Try to violate a constraint
You can ensure your clusters are compliant with your policies by using Policy Controller constraints. Policy Controller comes with a constraint template library that you can use to help you create your constraints.
The quickstart repository contains the no-ext-services.yaml
constraint, which
uses the
K8sNoExternalServices
constraint template
from the library:
This constraint prohibits the creation of an external Service and Config Sync is syncing this constraint from the repository to your cluster.
To test that Config Sync is syncing the constraint, get a list of constraints:
kubectl get constraint
The output is similar to the following:
NAME AGE k8snoexternalservices.constraints.gatekeeper.sh/no-internet-services 7m39s
The quickstart repository also contains an external Service named
service.yaml
that would violate this constraint:
To test that Policy Controller is enforcing your no-ext-services.yaml
constraint, try to apply service.yaml
by running the following commands:
Clone the Anthos Config Management sample repository:
git clone https://github.com/GoogleCloudPlatform/anthos-config-management-samples
Navigate to the folder that contains the samples used in this tutorial:
cd anthos-config-management-samples/quickstart/
Try to apply
service.yaml
:kubectl apply -f resources/service.yaml
Since the Service that you tried to create was an external Service, you cannot create it and the output is the following:
Error from server ([no-internet-services] Creating services of type `LoadBalancer` without Internal annotation is not allowed): error when creating "resources/service.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [no-internet-services] Creating services of type `LoadBalancer` without Internal annotation is not allowed ```
By using Policy Controller and Config Sync together, your policies are
consistently enforced on your clusters. Config Sync synced the
K8sNoExternalServices
policy to your cluster and Policy Controller enforced the
policy at the admission controller level, blocking you from applying a resource
that violated the policy.
You've now learned how to complete the following tasks for Anthos Config Management:
- Install Policy Controller and Config Sync.
- Use Config Sync to sync a config from a GitHub repository to your GKE cluster.
- Use Config Sync to sync a Policy Controller constraint to your cluster.
- Use Policy Controller to enforce an org-wide policy on your cluster.
Clean up
To avoid incurring charges, delete the cluster that you created for this quickstart:
Go to the GKE menu in the Cloud console.
Next to
acm-cluster
, click more_vert Actions and then click delete Delete.When prompted to confirm, click Delete again.
What's next
- Learn more about Policy Controller.
- Learn more about Config Sync.
- Create your own repository and configs.
- Write constraints to enforce your policies.
- Sync configs to multiple clusters.