Choosing an installation type


The page provides you with an overview of the different installations options you can use when installing Config Connector.

You can install Config Connector in one of three ways:

There are many factors to consider when selecting an installation method. The following table outlines some high-level considerations:

Installation methods Advantages Disadvantages
Config Controller • No installation required.
• Automatic version upgrades.
• Includes pre-built GitOps components: Config Sync.
• Managed and supported by Google Cloud.
• Restriction on custom workloads.
• Management and cluster fee.
Manual installation • Fully customizable.
• Flexible version update schedule.
• Can run with any custom workload in the same cluster.
• Operational cost.
GKE Config Connector add-on • Significant lag behind the latest Config Connector version.

Authentication

If you want to install Config Connector on GKE clusters, use Workload Identity. Workload Identity lets you configure a Kubernetes ServiceAccount to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services. Config Connector uses that Kubernetes ServiceAccount within your cluster to create new resources. Config Connector can only create resources with the roles that you grant the IAM service account.

If you want to install Config Connector on other deployment options, such as on-premises or multi-cloud options, use Cloud Identity to create an account and then use IAM to create a service account key and import the key's credentials as a Secret to your clusters. You must rotate the key credentials when necessary.

Managing resources with service accounts

You can choose to manage resources with a single service account, or multiple service accounts. If you want to use multiple service accounts, you must install Config Connector in namespaced mode. For more information about using IAM service accounts with Config Connector, see Access control with IAM.

What's next