When Config Connector creates a resource on Google Cloud, fields left unspecified in the spec take on values from the API unless they are not readable (for example, are not available by using a GET HTTP request).
In this case, the field is considered "externally managed", as Kubernetes is not the source of truth for this value.
Behavior with server-side apply
If server-side apply is enabled for the resource, the values of externally managed fields in the object is updated continuously to match the underlying Google Cloud resource.
If a value is present for a field in the spec in the applied configuration, the field is not externally managed.
If the field is removed, the field is externally managed.
Behavior without server-side apply
If server-side apply is not enabled, unspecified fields in the resource spec are populated with the value read from the Google Cloud API, and Config Connector enforces those initially populated values.
As an example: if the user applies a resource configuration without setting a
bar in the spec:
spec: foo: "foo"
If the value of the
bar field is
baz in the Google Cloud API, the
resource in the
is populated to that value:
# object in the api-server spec: foo: "foo" bar: "baz" # populated by first reconciliation
If the Google Cloud resource is modified directly such that
bar is now
baz-2, the Google Cloud API is corrected to the value that was
initially populated in the resource spec:
# object in the api-server spec: foo: "foo" bar: "baz" # still the originally populated value, and overrides the Google Cloud value
Behavior for list fields in resource spec
Due to technical limitation in Config Connector, list fields in your resource configuration cannot be managed externally by default. This means Config Connector always takes ownership of list fields in the resource spec, even when the field is not specified in your original resource configuration.
At the time when a resource spec is applied, Config Connector reads the value of list fields from the Google Cloud API and treats this initial value as source of truth and desired state. If the value in that list field is modified outside of Config Connector, Config Connector tries to change it back, which might not be desired.
To bypass this limitation and let list fields be managed externally,
cnrm.cloud.google.com/state-into-spec annotation. This
annotation is not supported for all resources. To see if your
resource supports the annotation, check the corresponding
resource reference page.
metadata: annotations: cnrm.cloud.google.com/state-into-spec: absent
By setting value of
absent, Config Connector ignores
list fields if they are not specified in your resource configuration. This leaves
list fields in the resource to be managed externally.
Fields that are both managed by Config Connector and automatically updated by external services can trigger endless updating on the underlying API. This can happen if the underlying API has autoscaling or autoupdating fields. Ensure that these fields are treated as externally managed by enabling server-side apply for the resource and leaving the field out of your config file when applying.