Stay organized with collections
Save and categorize content based on your preferences.
Choosing an installation type
The page provides you with an overview of the different installations options
you can use when installing Config Connector.
You can install Config Connector in one of three ways:
Config Controller:
Config Controller is a hosted service that includes Config Connector. The Config Connector version
in Config Controller is managed by Google and automatically updated regularly as versions qualify.
Config Controller is a centralized and designated control
plane which provides a more secure way to manage Google Cloud resources. For more information, see
Quickstart: Manage resources with Config Controller
or Set up Config Controller.
GKE Config Connector add-on:
The Config Connector add-on lets you install Config Connector during cluster creation.
The Config Connector add-on is available on only GKE Standard
clusters, and not Autopilot.
The version of Config Connector installed through the Config Connector add-on is often behind by up to 12 months or more. For more information, see
Config Connector add-on upgrades.
If you want to reduce the operational cost of managing a GKE Standard cluster,
consider using Config Controller.
There are many factors to consider when selecting an installation method. The following table outlines some high-level considerations:
Installation methods
Advantages
Disadvantages
Config Controller
• No installation required.
• Automatic version upgrades.
• Includes pre-built GitOps components: Config Sync.
• Managed and supported by Google Cloud.
• Restriction on custom workloads.
• Management and cluster fee.
Manual installation
• Fully customizable.
• Flexible version update schedule.
• Can run with any custom workload in the same cluster.
• Operational cost.
GKE Config Connector add-on
• Significant lag behind the latest Config Connector version.
Authentication
If you want to install Config Connector on GKE clusters, use
Workload Identity Federation for GKE.
Workload Identity Federation for GKE lets you configure a Kubernetes ServiceAccount
to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud
services. Config Connector uses that Kubernetes ServiceAccount
within your cluster to create new resources. Config Connector can only create
resources with the roles that you grant the IAM service account.
You can choose to manage resources with a single service account, or multiple
service accounts. If you want to use multiple service accounts, you must
install Config Connector in namespaced mode.
For more information about using IAM service accounts with Config Connector,
see Access control with IAM.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eConfig Connector can be installed in three ways: through Config Controller, manual installation, or as a GKE Config Connector add-on.\u003c/p\u003e\n"],["\u003cp\u003eConfig Controller offers a managed service with automatic updates and built-in GitOps features, but with some restrictions on custom workloads.\u003c/p\u003e\n"],["\u003cp\u003eManual installation provides full customization and flexible version updates but comes with increased operational costs.\u003c/p\u003e\n"],["\u003cp\u003eThe GKE Config Connector add-on is available only on GKE Standard clusters and typically has significant version lag.\u003c/p\u003e\n"],["\u003cp\u003eAuthentication for Config Connector on GKE clusters utilizes Workload Identity Federation, while other deployment options may require Cloud Identity and IAM service account keys, which pose security risks if not properly managed.\u003c/p\u003e\n"]]],[],null,["# Choosing an installation type\n=============================\n\n*** ** * ** ***\n\nThe page provides you with an overview of the different installations options\nyou can use when installing Config Connector.\n\nYou can install Config Connector in one of three ways:\n\n- **[Config Controller](/anthos-config-management/docs/concepts/config-controller-overview)** :\n Config Controller is a hosted service that includes Config Connector. The Config Connector version\n in Config Controller is managed by Google and automatically updated regularly as versions qualify.\n Config Controller is a centralized and designated control\n plane which provides a more secure way to manage Google Cloud resources. For more information, see\n [Quickstart: Manage resources with Config Controller](/anthos-config-management/docs/tutorials/manage-resources-config-controller)\n or [Set up Config Controller](/anthos-config-management/docs/how-to/config-controller-setup).\n\n- **[Manual installation](/config-connector/docs/how-to/install-manually)** :\n To manually install Config Connector, you need to download and use a\n [Kubernetes Operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/).\n Manual installation gives you flexibility on the version you want to apply and when to upgrade.\n If you want to\n [install Config Connector on other Kubernetes distributions](/config-connector/docs/how-to/install-other-kubernetes),\n you need to use a manual installation.\n\n- **[GKE Config Connector add-on](/config-connector/docs/how-to/install-upgrade-uninstall)** :\n The Config Connector add-on lets you install Config Connector during cluster creation.\n The Config Connector add-on is available on only GKE Standard\n clusters, and not [Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview#add-ons).\n The version of Config Connector installed through the Config Connector add-on is often behind by up to 12 months or more. For more information, see\n [Config Connector add-on upgrades](/config-connector/docs/how-to/install-upgrade-uninstall#how-gcp-upgrades-add-on).\n If you want to reduce the operational cost of managing a GKE Standard cluster,\n consider using [Config Controller](/anthos-config-management/docs/concepts/config-controller-overview).\n\nThere are many factors to consider when selecting an installation method. The following table outlines some high-level considerations:\n\nAuthentication\n--------------\n\nIf you want to install Config Connector on GKE clusters, use\n[Workload Identity Federation for GKE](/kubernetes-engine/docs/concepts/workload-identity).\nWorkload Identity Federation for GKE lets you configure a Kubernetes ServiceAccount\nto impersonate Identity and Access Management (IAM) service accounts to access Google Cloud\nservices. Config Connector uses that Kubernetes ServiceAccount\nwithin your cluster to create new resources. Config Connector can only create\nresources with the roles that you grant the IAM service account.\n\nIf you want to install Config Connector on other\n[deployment options](/anthos/deployment-options), such as on-premises or\nmulti-cloud options, use [Cloud Identity](/identity/docs/overview) to\ncreate an account and then use IAM to\n[create a service account key and import the key's credentials as a Secret to your clusters](/iam/docs/keys-create-delete).\n| **Note:** Service account keys are a security risk if not managed correctly. You should [choose a more secure alternative to service account keys](/docs/authentication#auth-decision-tree) whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by [Best practices for managing service account keys](/iam/docs/best-practices-for-managing-service-account-keys). If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see [Managing secure-by-default organization resources](/resource-manager/docs/secure-by-default-organizations).\n|\n|\n| If you acquired the service account key from an external source, you must validate it before use.\n| For more information, see [Security requirements for externally sourced credentials](/docs/authentication/external/externally-sourced-credentials).\n\nManaging resources with service accounts\n----------------------------------------\n\nYou can choose to manage resources with a single service account, or multiple\nservice accounts. If you want to use multiple service accounts, you must\n[install Config Connector in namespaced mode](/config-connector/docs/how-to/install-namespaced).\nFor more information about using IAM service accounts with Config Connector,\nsee [Access control with IAM](/config-connector/docs/how-to/configure-iam-permissions).\n\nWhat's next\n-----------\n\n- Learn how to [manage Google Cloud resources with Config Controller](/anthos-config-management/docs/tutorials/manage-resources-config-controller).\n- Learn how to [manually install Config Connector](/config-connector/docs/how-to/install-manually).\n- Learn how to [install Config Connector as a GKE add-on](/config-connector/docs/how-to/install-upgrade-uninstall).\n- Learn how to [install Config Connector on other Kubernetes distributions](/config-connector/docs/how-to/install-other-kubernetes)."]]
