Install Config Connector in namespaced mode

This page explains how to install Config Connector in namespaced mode.

Installing in namespaced mode is an extension of the Config Connector installation. Namespaced mode supports managing multiple projects, each with their own Google Cloud identities.

Before you begin

Before configuring Config Connector to run in namespaced mode, ensure that you have installed Config Connector.

Configure Config Connector to run in namespaced mode

To enable namespaced mode, complete the following steps:

Copy the following YAML manifest into a file named configconnector.yaml:

apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  # the name is restricted to ensure that there is only ConfigConnector resource installed in your cluster
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: namespaced
  stateIntoSpec: Absent

Apply the configuration to your cluster with kubectl apply:
```
kubectl apply -f configconnector.yaml
```

Configure Config Connector to manage resources in your namespaces

In the following sections, the Google Cloud project where you install Config Connector is known as the host project, or HOST_PROJECT_ID. The other projects where you manage resources are known as the managed projects, or MANAGED_PROJECT_ID. These could be the same project if you only intend to use Config Connector to create Google Cloud resources in the same project as your cluster.

Creating a namespace

You can skip this step if you already have a namespace to use to organize Google Cloud resources.

Use kubectl to create a new namespace by running the following command:

kubectl create namespace NAMESPACE

Replace NAMESPACE with a name for the namespace.

Creating an Identity

Create an Identity and Access Management (IAM) service account and create a binding between the IAM Service Account and Config Connector's Kubernetes service account:

Create an IAM service account. If you have an existing service account, you can use it instead of creating a new service account. Use gcloud to create the service account by running the following command:
```
gcloud iam service-accounts create NAMESPACE_GSA --project HOST_PROJECT_ID
```
Replace the following:
- NAMESPACE_GSA with the name of the Google service account (GSA) bound to your namespace.
- HOST_PROJECT_ID with your host project's ID.
To learn more about creating service accounts, see Creating and managing service accounts.
Give the IAM service account elevated permissions on your managed project.
```
gcloud projects add-iam-policy-binding MANAGED_PROJECT_ID \
    --member="serviceAccount:NAMESPACE_GSA@HOST_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/owner"
```
Replace the following:
- MANAGED_PROJECT_ID with your managed project's ID.
- NAMESPACE_GSA with the name of the Google service account bound to your namespace.
- HOST_PROJECT_ID with your host project's ID.
Note: If you prefer to grant editor access to the project replace roles/owner with roles/editor. Granting the editor role allows most Config Connector functionality except Project or Organization wide configurations such as IAM modifications.
Create an IAM policy binding between the IAM service account and the Config Connector Kubernetes service account. You bind the service accounts by running the following gcloud command:
```
gcloud iam service-accounts add-iam-policy-binding \
NAMESPACE_GSA@HOST_PROJECT_ID.iam.gserviceaccount.com \
    --member="serviceAccount:HOST_PROJECT_ID.svc.id.goog[cnrm-system/cnrm-controller-manager-NAMESPACE]" \
    --role="roles/iam.workloadIdentityUser" \
    --project HOST_PROJECT_ID
```
Replace the following:
- HOST_PROJECT_ID with your host project's ID.
- NAMESPACE_GSA with the name of the Google service account bound to your namespace.
- NAMESPACE with your namespace.
Give the IAM service account permissions to publish Prometheus metrics to Google Cloud Observability on your host project.
```
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
    --member="serviceAccount:NAMESPACE_GSA@HOST_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/monitoring.metricWriter"
```
Replace the following:
- HOST_PROJECT_ID with your host project's ID.
- NAMESPACE_GSA with the name of the Google service account bound to your namespace.

Creating a ConfigConnectorContext

To create Google Cloud resources, you need to configure Config Connector to watch your namespace by adding a ConfigConnectorContext object in the namespace you want to use.

To create a ConfigConnectorContext, complete the following steps:

Copy the following YAML manifest into a file named configconnectorcontext.yaml:

apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
  # you can only have one ConfigConnectorContext per namespace
  name: configconnectorcontext.core.cnrm.cloud.google.com
  namespace: NAMESPACE
spec:
  googleServiceAccount: "NAMESPACE_GSA@HOST_PROJECT_ID.iam.gserviceaccount.com"
  stateIntoSpec: Absent

Replace the following:

NAMESPACE with the name of your namespace.
NAMESPACE_GSA with the name of the Google service account bound to your namespace.
HOST_PROJECT_ID with your host project's ID.

Apply the file to your cluster with kubectl:

kubectl apply -f configconnectorcontext.yaml

Verify that the Config Connector Operator created a Kubernetes service account for your namespace with kubectl by running the following command:
```
kubectl get serviceaccount/cnrm-controller-manager-NAMESPACE  -n cnrm-system
```
Replace NAMESPACE with the name of your namespace.

Verify that the Config Connector controller Pod is running for your namespace with kubectl by running the following command:

kubectl wait -n cnrm-system \
    --for=condition=Ready pod \
    -l cnrm.cloud.google.com/component=cnrm-controller-manager \
    -l cnrm.cloud.google.com/scoped-namespace=NAMESPACE

Replace NAMESPACE with the name of your namespace.

If the Config Connector controller is running, the output is similar to:

cnrm-controller-manager-abcdefghijk-0 condition met.

Configure Config Connector to no longer manage resources in your namespace

To configure Config Connector to no longer manage your namespace, you remove all Config Connector resources in your namespace and delete the ConfigConnectorContext in your namespace.

Remove the Config Connector resources in your namespace

To finalize the removal of ConfigConnectorContext, remove all Config Connector resources from your namespace.

To discover all Config Connector resources in your namespace, for each Config Connector Custom Resource Definition, list all resources.
```
kubectl get gcp -n NAMESPACE
```
Replace NAMESPACE with the name of your namespace.
To remove all Config Connector resources, for each resource in the output of the previous step, issue a delete command.
```
kubectl delete -n NAMESPACE KIND NAME
```
Replace the following:
- NAMESPACE: the name of your namespace
- KIND: the kind of the resource discovered in the previous step
- NAME: the name of the resource discovered in the previous step

Remove the ConfigConnectorContext

To configure Config Connector to no longer manage the Config Connector resources in your namespace, delete ConfigConnectorContext in your namespace.

  kubectl delete -n NAMESPACE ConfigConnectorContext configconnectorcontext.core.cnrm.cloud.google.com

Replace NAMESPACE with the name of your namespace.

The deletion of ConfigConnectorContext will not finalize until all Config Connector resources are removed from your namespace.

Uninstalling Config Connector

Don't use the following the steps to uninstall a Config Controller cluster.

Use kubectl delete to remove the Config Connector CRDs along with controller components:

kubectl delete ConfigConnectorContext --all -A –wait=false

kubectl delete ConfigConnector configconnector.core.cnrm.cloud.google.com \
    --wait=true

To uninstall the Config Connector operator, run the following command:

kubectl delete -f operator-system/configconnector-operator.yaml  --wait=true

What's next

Get started with Config Connector.
Learn about best practices for Config Connector.