Choosing an installation type
The page provides you with an overview of the different installations options you can use when installing Config Connector.
You can install Config Connector in one of three ways:
Config Controller: Config Controller is a hosted service that includes Config Connector. The Config Connector version in Config Controller is managed by Google and automatically updated regularly as versions qualify. Config Controller is a centralized and designated control plane which provides a more secure way to manage Google Cloud resources. For more information, see Quickstart: Manage resources with Config Controller or Set up Config Controller.
Manual installation: To manually install Config Connector, you need to download and use a Kubernetes Operator. Manual installation gives you flexibility on the version you want to apply and when to upgrade. If you want to install Config Connector on other Kubernetes distributions, you need to use a manual installation.
GKE Config Connector add-on: The Config Connector add-on lets you install Config Connector during cluster creation. The Config Connector add-on is available on only GKE Standard clusters, and not Autopilot. The version of Config Connector installed through the Config Connector add-on is often behind by up to 12 months or more. For more information, see Config Connector add-on upgrades. If you want to reduce the operational cost of managing a GKE Standard cluster, consider using Config Controller.
There are many factors to consider when selecting an installation method. The following table outlines some high-level considerations:
Installation methods | Advantages | Disadvantages |
---|---|---|
Config Controller | • No installation required. • Automatic version upgrades. • Includes pre-built GitOps components: Config Sync. • Managed and supported by Google Cloud. |
• Restriction on custom workloads. • Management and cluster fee. |
Manual installation | • Fully customizable. • Flexible version update schedule. • Can run with any custom workload in the same cluster. |
• Operational cost. |
GKE Config Connector add-on | • Significant lag behind the latest Config Connector version. |
Authentication
If you want to install Config Connector on GKE clusters, use Workload Identity Federation for GKE. Workload Identity Federation for GKE lets you configure a Kubernetes ServiceAccount to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services. Config Connector uses that Kubernetes ServiceAccount within your cluster to create new resources. Config Connector can only create resources with the roles that you grant the IAM service account.
If you want to install Config Connector on other deployment options, such as on-premises or multi-cloud options, use Cloud Identity to create an account and then use IAM to create a service account key and import the key's credentials as a Secret to your clusters.
Managing resources with service accounts
You can choose to manage resources with a single service account, or multiple service accounts. If you want to use multiple service accounts, you must install Config Connector in namespaced mode. For more information about using IAM service accounts with Config Connector, see Access control with IAM.
What's next
- Learn how to manage Google Cloud resources with Config Controller.
- Learn how to manually install Config Connector.
- Learn how to install Config Connector as a GKE add-on.
- Learn how to install Config Connector on other Kubernetes distributions.