Configuring clusters and cluster-scoped objects

In the topic about working with configs, you learned how to write configs in general. This topic covers more details about using Config Sync to configure clusters and cluster-scoped objects. You can also read about configuring namespaces and namespace-scoped objects.

All configs for clusters and cluster-scoped objects are located within the cluster/ directory of the repo. If you do not include a ClusterSelector in your repo, a config in cluster/ applies to every cluster enrolled in Config Sync.

Limiting which clusters a config affects

Normally, Config Sync applies a config to each enrolled cluster. If the config is within the namespaces/ subdirectory, Config Sync first creates the namespace within each cluster and then applies all inherited configs to that namespace.

However, if you need to apply a config to a subset of clusters, you can add an annotation or ClusterSelector to your configs. To learn how to use these features, see Configuring only a subset of clusters.

Configuring the cluster's labels

You can use a Cluster config to configure a cluster's labels and annotations. If you use ClusterSelectors, each cluster needs a set of labels that the ClusterSelector can select. While you can label clusters manually, we recommend you configure labels using a Cluster config.

Example ClusterRole config

This config creates a ClusterRole called namespace-reader, which provides the ability to read all namespace objects in the cluster. A ClusterRole config is often used together with a ClusterRoleBinding config.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-reader
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]

Example ClusterRoleBinding config

This config creates a ClusterRoleBinding called namespace-readers. It grants user cheryl@foo-corp.com the namespace-reader ClusterRole across all enrolled clusters.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-readers
subjects:
- kind: User
  name: cheryl@foo-corp.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io
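As an added example that is not part of the original page, the three objects below tie the "Configuring the cluster's labels" section to the ClusterRoleBinding above: a Cluster config labels the cluster, a ClusterSelector matches that label, and the annotated binding is then applied only to matching clusters instead of every enrolled one. The cluster name, label values and selector name are assumptions made for illustration.

```yaml
# Added example: scoping a cluster-scoped config to a subset of clusters.
# Cluster name, label values and selector name are constructed for illustration.

# 1. Give the cluster labels with a Cluster config (in a hierarchical repo this
#    lives under clusterregistry/ together with the ClusterSelector).
kind: Cluster
apiVersion: clusterregistry.k8s.io/v1alpha1
metadata:
  name: example-cluster-1        # assumed; must match the cluster's registered name
  labels:
    environment: prod
---
# 2. Define a ClusterSelector that matches only clusters carrying that label.
kind: ClusterSelector
apiVersion: configmanagement.gke.io/v1
metadata:
  name: selector-env-prod
spec:
  selector:
    matchLabels:
      environment: prod
---
# 3. Annotate the binding from the page with the selector. Without the
#    annotation, cheryl holds namespace-reader on every enrolled cluster;
#    with it, clusters lacking environment: prod never receive the binding.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-readers
  annotations:
    configmanagement.gke.io/cluster-selector: selector-env-prod
subjects:
- kind: User
  name: cheryl@foo-corp.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io
```

After the repo syncs, `kubectl get clusterrolebinding namespace-readers` should succeed on the prod-labelled cluster and return NotFound on any cluster without that label, which is a quick way to confirm the selector is actually narrowing the grant.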

What's next