Resources

Config Connector includes a collection of Custom Resource Definitions (CRDs). Each CRD allows you to configure a Google Cloud resource from Kubernetes. Config Connector also allows you to leverage a number of Kubernetes features for managing Google Cloud resources.

This page introduces you to how Config Connector uses Kubernetes objects and their metadata.

Kubernetes objects and Config Connector resources

When you create a Kubernetes object of kind: SQLInstance, for example, Config Connector creates a Cloud SQL instance. This section describes how Config Connector extends object types.

Spec and Status

Each Config Connector resource is a Kubernetes object with a Spec and a Status.

Spec
The Spec field contains all the fields that define an object's desired state, with the exception of Labels. The subfields of a Spec refer to the associated Google Cloud resource. When you change a subfield, the Google Cloud resource's value is eventually consistent with your intended value.
An example of a writable field is databaseVersion in a SQLInstance resource.
Status
The Status field is read-only and contains the current state of your object. Config Connector periodically reads information on your Google Cloud resource and updates the Status. You can check a resource's error messages or readiness by looking at the Status.Condition.
An example read-only Status field is the connectionName of a SQLInstance resource.

Object metadata

Each Config Connector resource includes a metadata field. This section describes how Config Connector uses subfields within metadata.

Name
Creating a Config Connector resource creates a Google Cloud resource with the same name.
Namespace
The namespace you create a Config Connector resource in determines the project that contains the Google Cloud resource. For more on namespaces, see Kubernetes Namespaces and Google Cloud Projects.
Labels
Labels in the metadata field of a Config Connector resource are also added to the associated Google Cloud resource.
In addition, Config Connector adds a system label named managed-by-cnrm with a value of true to your Google Cloud resources.
Annotations

Config Connector can take additional actions on your resources that are not defined in the Spec. These actions are defined in subfields of metadata.annotations. Each annotation value must be a string. The types of annotations Config Connector supports are described in the following sections.

Deletion

By default, Config Connector deletes a resource after you delete the object from your cluster. If you prefer to keep the resource, set the deletion-policy annotation.

Directives

Directives configure Config Connector to take additional actions beyond creating or deleting resources.

For example, Cloud Storage doesn't allow you to delete a StorageBucket that contains objects. If you apply the force-destroy annotation to the bucket and then delete the bucket, Config Connector first deletes all of the objects within the bucket and then deletes the bucket itself.

The following YAML snippet declares the force-destroy directive.

metadata:
  annotations:
    cnrm.cloud.google.com/force-destroy: "true"

To learn which resources support Directives, see Resources.
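
The deletion-policy and force-destroy annotations described above decide what happens to the Google Cloud resource when its Kubernetes object is deleted. The following Python check is an added example, not code from this page or from Config Connector; it classifies that outcome for each manifest before it is applied. The manifests and resource names are constructed, and the `abandon` value for deletion-policy and its precedence over force-destroy are assumptions not stated on this page.

```python
import json

PREFIX = "cnrm.cloud.google.com/"

# Constructed manifests (not from the page), as a CI step might see them after
# converting YAML to JSON. Resource names are made up.
MANIFESTS = json.loads("""
[
  {"kind": "StorageBucket",
   "metadata": {"name": "audit-logs",
                "annotations": {"cnrm.cloud.google.com/force-destroy": "true"}}},
  {"kind": "SQLInstance",
   "metadata": {"name": "orders-db",
                "annotations": {"cnrm.cloud.google.com/deletion-policy": "abandon"}}},
  {"kind": "StorageBucket",
   "metadata": {"name": "scratch",
                "annotations": {"cnrm.cloud.google.com/force-destroy": true}}},
  {"kind": "SQLInstance", "metadata": {"name": "reports-db"}}
]
""")


def delete_impact(manifest):
    """Classify what deleting this Kubernetes object does to the cloud resource."""
    ann = manifest.get("metadata", {}).get("annotations") or {}
    # Annotation values must be strings; an unquoted YAML true becomes a boolean.
    bad = sorted(k for k, v in ann.items()
                 if k.startswith(PREFIX) and not isinstance(v, str))
    if bad:
        return "invalid", bad
    # Assumption: "abandon" keeps the cloud resource, so force-destroy is moot.
    if ann.get(PREFIX + "deletion-policy") == "abandon":
        return "kept", []
    if ann.get(PREFIX + "force-destroy") == "true":
        return "deleted-with-contents", []
    # Default behaviour: the cloud resource is deleted with the object.
    return "deleted", []


def audit(manifests):
    """Map 'Kind/name' to its delete impact for every manifest."""
    return {f"{m['kind']}/{m['metadata']['name']}": delete_impact(m)[0]
            for m in manifests}


if __name__ == "__main__":
    for resource, impact in audit(MANIFESTS).items():
        print(f"{impact:22} {resource}")
```

Resources reported as deleted-with-contents are the ones where removing a single Kubernetes object also removes stored data, so they are the ones to review against your RBAC rules.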

Folders and hierarchical resources

In addition to managing resources in Google Cloud products, Config Connector supports creating and managing resources within Google Cloud Folders and Organizations. For more information, see Namespaces and projects.

Using RBAC for Access Control

Kubernetes Role Based Access Control (RBAC) secures your resources. You can control creation of Google Cloud resources by assigning RBAC permissions. For more information, see Securing access to resources.

Status Condition

Config Connector uses a ready condition in status.condition for two purposes:

  • Indicating when a resource is ready. When a resource is reconciled and ready, its status.condition.status is set to True. To check when a resource is ready, see Waiting for resources to be ready.
  • Displaying additional error messages or information. The ready condition has Message and Reason fields, which provide additional information on the resource's status.

Events

Important status changes for Config Connector resources are visible as Kubernetes events. For more information, see Viewing events.

Declarative configuration and eventual consistency

See Reconciliation.
