Organization-scoped resources


Config Connector can manage your resources at the project, folder, or organization level. In order for Config Connector to determine where to create your resources, it first checks for a scope-defining field in your resource spec, if not found, then checks for a scope-defining annotation.

Specify organizationRef field

Most organization-scoped Config Connector resources support a field named organizationRef in its CRD spec. Use this field to specify the Google Cloud organization that you want to create the resource in.

You can use the external field to specify the organization ID. The exact format of the value may be different depending on the resource type. Two most common formats are "ORGANIZATION_ID" and "organizations/ORGANIZATION_ID". See an example of "ORGANIZATION_ID" below:

...
spec:
  organizationRef:
    external: "ORGANIZATION_ID"
...

Annotate resource configuration

If the Config Connector resource is organization-scoped but does not support organizationRef field, you can set the organization ID to the resource configuration using the organization-id annotation:

...
metadata:
  annotations:
    cnrm.cloud.google.com/organization-id: ORGANIZATION_ID
...

Here is an example of what a resource's YAML will look like with this annotation in it:

apiVersion: foo.cnrm.cloud.google.com/v1beta1
kind: FooBar
metadata:
  annotations:
    cnrm.cloud.google.com/organization-id: ORGANIZATION_ID
  name: foobarname

Annotate namespace configuration

You can set a default organization ID for newly-created resources by annotating your Kubernetes namespace. If any of the resources in the namespace have this annotation explicitly set in its own configuration, the resource level annotation overwrites the namespace-level annotation.

To annotate the namespace using command line, run the following command:

kubectl annotate namespace NAMESPACE_NAME cnrm.cloud.google.com/organization-id=ORGANIZATION_ID

Replace the following:

  • NAMESPACE_NAME: your namespace name
  • ORGANIZATION_ID: your Google Cloud organization ID

Alternatively, you can apply a YAML manifest containing the annotation. Copy the YAML below into a file:

apiVersion: v1
kind: Namespace
metadata:
  annotations:
    cnrm.cloud.google.com/organization-id: ORGANIZATION_ID
  name: NAMESPACE_NAME

Replace the following:

  • ORGANIZATION_ID: your Google Cloud organization ID
  • NAMESPACE_NAME: your namespace name

After you have created the file, apply it to your cluster.