Config Connector includes a collection of Custom Resource Definitions (CRDs). Each CRD allows you to configure a Google Cloud resource from Kubernetes. Config Connector also allows you to leverage a number of Kubernetes features for managing Google Cloud resources.
This page introduces you to how Config Connector uses Kubernetes objects and their metadata.
Kubernetes objects and Config Connector resources
For example, when you create a kind: SQLInstance, Config Connector creates a Cloud SQL Instance.
This section describes how Config Connector extends object types.
Spec and Status
The Spec field contains all the fields that define an object's desired state, with the exception of Labels. The subfields of a Spec refer to the associated Google Cloud resource. When you change a subfield, the Google Cloud resource's value is eventually consistent with your intended value.
- An example of a writable field is databaseVersion in a SQLInstance resource.
The Status field is read-only and contains the current state of your object. Config Connector periodically reads information on your Google Cloud resource and updates the Status field.
- An example of a read-only Status field is the connectionName of a SQLInstance resource.
Each Config Connector resource includes a metadata field. This section describes how Config Connector uses subfields within metadata.
- Creating a Config Connector resource creates a Google Cloud resource with the same name.
- The namespace you create a Config Connector resource in determines the project that contains the Google Cloud resource. For more on namespaces, see Kubernetes Namespaces and Google Cloud Projects.
- Labels in the metadata field of a Config Connector resource are also added to the associated Google Cloud resource.
- In addition, Config Connector adds a system label named managed-by-cnrm with a value of true to your Google Cloud resources.
- Config Connector can take additional actions on your resources that are not defined in the Spec. These actions are defined in subfields of metadata.annotations. Annotation values must be a string. The types of annotations Config Connector supports are described in the following sections.
By default, Config Connector deletes a resource after you delete the object from
your cluster. If you prefer to keep the resource, set the
Directives configure Config Connector to take additional actions beyond creating or deleting resources.
For example, Cloud Storage doesn't allow you to delete a bucket that contains objects. Applying the force-destroy annotation to the bucket and then deleting the bucket causes Config Connector to delete all of the objects within the bucket first, and then delete the bucket.
For example, the force-destroy directive is declared in the following YAML:

metadata:
  annotations:
    cnrm.cloud.google.com/force-destroy: "true"
To learn which resources support Directives, see Resources.
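The metadata rules above (annotation values must be strings, the namespace selects the project, and force-destroy turns a delete into a destructive operation) can be checked before a manifest ever reaches the cluster. The following linter is an added example, not code from Config Connector or this page; the apiVersion, resource names and label values in the sample manifest are constructed assumptions.

```python
"""Pre-apply policy checks for Config Connector manifests. Rules from this page:
annotation values must be strings, force-destroy deletes a bucket's contents on
deletion, and the namespace decides which project the resource lands in."""
from typing import Any

FORCE_DESTROY = "cnrm.cloud.google.com/force-destroy"


def check_manifest(obj: dict[str, Any]) -> list[str]:
    """Return a list of findings (empty when the manifest passes)."""
    findings: list[str] = []
    meta = obj.get("metadata", {})
    annotations = meta.get("annotations", {})
    name = f'{obj.get("kind", "?")}/{meta.get("name", "?")}'

    # The namespace selects the Google Cloud project; leaving it out means
    # the kubectl context decides, which is easy to get wrong in CI.
    if not meta.get("namespace"):
        findings.append(f"{name}: no namespace set, so the target project is implicit")

    # Annotation values must be strings: an unquoted YAML `true` parses as a
    # bool and the API server rejects the object.
    for key, value in annotations.items():
        if not isinstance(value, str):
            findings.append(f"{name}: annotation {key} is {type(value).__name__}, not a string")

    # force-destroy is a directive: deleting the bucket object also deletes
    # every object inside the bucket, so make it visible in review.
    if str(annotations.get(FORCE_DESTROY, "")).lower() == "true":
        findings.append(f"{name}: force-destroy is set; deleting this object destroys its contents")

    return findings


# Constructed sample (apiVersion and names are assumptions, not from the page):
# a StorageBucket with no namespace and an unquoted force-destroy value.
SAMPLE = {
    "apiVersion": "storage.cnrm.cloud.google.com/v1beta1",
    "kind": "StorageBucket",
    "metadata": {
        "name": "example-bucket",
        "annotations": {FORCE_DESTROY: True},  # should be the string "true"
        "labels": {"team": "payments"},  # copied onto the Cloud Storage bucket
    },
}

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE):
        print(finding)
```

Run against the sample it reports three findings; a manifest with a namespace and a quoted "true" reports only the force-destroy warning, which is the one a reviewer should still see.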
Folders and hierarchical resources
In addition to managing resources in Google Cloud products, Config Connector supports creating and managing resources within Google Cloud Folders and Organizations. For more information, see Namespaces and projects.
Using RBAC for Access Control
Kubernetes Role Based Access Control (RBAC) secures your resources. You can control creation of Google Cloud resources by assigning RBAC permissions. For more information, see Securing access to resources.
Important status changes for Config Connector resources are visible as Kubernetes events. For more information, see Viewing events.
Declarative configuration and eventual consistency
With declarative configuration, you define the desired state of the system. The system then works constantly to remain as close as possible to this state. See Declarative management of Kubernetes objects using configuration files for more information.
With Config Connector, you can create and update resources in any order, regardless of dependency relationships. GKE moves your declared configuration towards eventual consistency with the desired state.
For example, if you create a PubSubSubscription before the corresponding PubSubTopic, Config Connector waits until the topic is created before creating the associated subscription.
The duration your Config Connector installation remains inconsistent depends on the number and types of resources it manages. Changes to a GKE cluster are typically executed in seconds. However, the time to create Google Cloud resources can vary based upon the type of resource. For example, a single PubSubTopic takes seconds to create.
Google Cloud resources do not reach consistency until they are created. For example, when creating a SQLInstance and a SQLDatabase, the system is inconsistent for a period of minutes while the database is created.
GKE and Config Connector reconcile each resource with every update or every 10 minutes. When there is an error in reconciling, Config Connector retries every 30 seconds with exponential backoff. You can view any errors in the Events of a given resource.