When Config Sync manages a cluster object, it watches the object and the set of configs in the repo that affect the object, and ensures that they are in sync. This topic describes how to start managing an existing object and how to stop managing an object that is currently managed without deleting the object.
Overview
An object in a cluster is managed by Config Sync if it has the
configmanagement.gke.io/managed: enabled
annotation.
If an object does not have the configmanagement.gke.io/managed
annotation at all,
or if it is set to anything other than enabled
, the object is unmanaged.
The following flow chart describes some situations that cause an object to become managed or unmanaged:
The chart contains three separate flows: beginning to manage an object, stopping managing an object, and deleting a managed object.
- I want to manage an object.
a. Does the object have a config in the repo?
- No: Create a config for
the object. Config Sync sets the annotation
configmanagement.gke.io/managed: enabled
and begins managing the object. - Yes: Does the config set the annotation
configmanagement.gke.io/managed: disabled
?- No: The object is managed by default.
- Yes: Edit the config to remove the
configmanagement.gke.io/managed: disabled
annotation. When the change is pushed to the source repo, Config Sync notices the change, applies the annotationconfigmanagement.gke.io/managed: enabled
, and applies the config.
- No: Create a config for
the object. Config Sync sets the annotation
- I want to stop managing an object but not delete it.
- Edit the config for the object in the repo, and set the annotation
configmanagement.gke.io/managed: disabled
. When the config change is detected, Config Sync stops managing the object.
- Edit the config for the object in the repo, and set the annotation
- I want to stop managing an object and delete it.
- Delete the object's config from the repo. When you delete a config for an object that was previously managed, Config Sync deletes the object from all clusters or namespaces the config applies to.
In addition to the configmanagement.gke.io/managed: enabled
annotation,
Config Sync applies the label
app.kubernetes.io/managed-by: configmanagement.gke.io
to all objects it
manages. This label allows you to easily list
all objects by Config Sync.
Why not apply the annotation manually?
Config Sync uses a declarative model to apply configuration changes
to your clusters by reading your desired configuration from your repo.
If you attempt to apply the annotation manually (either using the kubectl
command or the Kubernetes API), Config Sync overrides the manual
automatically with the contents of your repo.
Before you begin
The following examples build upon the quickstart. Before you begin the following steps, follow the quickstart and complete all of the steps before Examine your cluster and repo.
List all managed objects
To list all objects managed by Config Sync on a given cluster or namespace, use a label selector like the following:
kubectl get object-type -l "app.kubernetes.io/managed-by=configmanagement.gke.io"
To list all objects not managed by Config Sync, use a label selector like this:
kubectl get object-type -l "app.kubernetes.io/managed-by!=configmanagement.gke.io"
For example, this command lists RoleBindings in the shipping-dev
namespace that
are managed by Config Sync:
kubectl get rolebindings -n shipping-dev \ -l "app.kubernetes.io/managed-by=configmanagement.gke.io"
NAME AGE
job-creators 12m
pod-creators 12m
sre-admin 12m
viewers 12m
This command lists RoleBindings in the kube-system
namespace that are not
managed by Config Sync:
kubectl get rolebindings -n kube-system \ -l "app.kubernetes.io/managed-by!=configmanagement.gke.io"
NAME AGE
fluentd-gcp-scaler-binding 2d21h
gce:cloud-provider 2d21h
heapster-binding 2d21h
metrics-server-auth-reader 2d21h
system::leader-locking-kube-controller-manager 2d21h
system::leader-locking-kube-scheduler 2d21h
system:controller:bootstrap-signer 2d21h
system:controller:cloud-provider 2d21h
system:controller:token-cleaner 2d21h
Start managing an existing object
In this example, you create a Role manually, then begin managing it with Config Sync.
Create the
myrole
Role in theaudit
namespace:kubectl create role -n audit myrole --verb=get --resource=pods
View the permissions granted by the
myrole
Role:kubectl describe role -n audit myrole
Name: myrole Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get]
The Role only has permission to
get
Pods.At this point, the Role exists in the cluster, but Config Sync does not know about it.
- In a terminal, go to the local clone of your repo.
Use the following command to create a YAML manifest for
myrole
and save the manifest to a new file callednamespaces/audit/myrole.yaml
.kubectl get role myrole -n audit -o yaml > namespaces/audit/myrole.yaml
Edit the
myrole.yaml
file.- Remove all fields under the
metadata
key except forname
andnamespace
. - Add the
list
verb afterget
in therules.verbs
list field.
Save the changes. The resulting file has the following contents:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: myrole namespace: audit rules: - apiGroups: - "" resources: - pods verbs: - get - list
- Remove all fields under the
Commit the change to the repo.
Wait a few moments for the Config Sync Operator to notice the commit. To verify that the
myrole
Role is now managed by Config Sync, runkubectl describe
again.kubectl describe role myrole -n audit
Notice the annotation configmanagement.gke.io/managed: enabled
, which
indicates that the object is managed by Config Sync. Also notice the
annotations that show the path and file name in the repo that caused the most
recent configuration change to the object, and the Git hash that represents the
commit.
Name: myrole
Labels: app.kubernetes.io/managed-by=configmanagement.gke.io
Annotations: configmanagement.gke.io/cluster-name: example-cluster-name
configmanagement.gke.io/managed: enabled
configmanagement.gke.io/source-path: namespaces/audit/myrole.yaml
configmanagement.gke.io/token: 0836805a09f160f12aa934b9042527e7283c7030
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list]
Stop managing a managed object
This example shows how to stop managing an object that Config Sync is
currently managing, such as the myrole
Role in
Start managing an existing object.
Edit the
namespaces/online/shipping-app-backend/shipping-dev/job-creator-rolebinding.yaml
file in the local clone of your repo, and add anannotations:
section that matches the bold text below:kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: job-creators subjects: - kind: User name: sam@foo-corp.com apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: job-creator apiGroup: rbac.authorization.k8s.io annotations: configmanagement.gke.io/managed: disabled
Save the file.
Create a Git commit with your changes, and push the commit to your repo.
Wait a few moments for Config Sync to notice and apply the new commit.
Use the following command to list all the annotations on the
job-creators
RoleBinding. Output is truncated for readability.kubectl get rolebinding job-creators -n audit -o yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: configmanagement.gke.io/cluster-name: my-cluster configmanagement.gke.io/managed: disabled configmanagement.gke.io/source-path: namespaces/viewers-rolebinding.yaml configmanagement.gke.io/sync-token: fabdb51587d51a81c7e419eeb983aafcf293dc83 ...
After verifying that the object is now disabled, you could remove the config and verify that the now-unmanaged object is not deleted from the namespace. If you want to manage the object again, you must re-create its config. Because of this, you might want to unmanage objects and leave their configs in the repo.
Now that the object is not managed, it is not created or re-created on new or existing clusters, and it is not removed even if it exists. To resume managing an object that you previously stopped managing, see the next example, Resume managing a previously unmanaged object.
Resume managing a previously unmanaged object
This example shows how to resume managing an object you previously removed from
management, as in Stop managing an existing object. It
assumes that you have not removed the config for the job-creators
RoleBinding.
If you deleted the
job-creators
RoleBinding from your repo in the last commit, perform the following steps.Use
git revert
to revert the last commit:git revert HEAD~1
You are asked to confirm the revert operation.
Push the revert commit to your repo.
git push
Edit the
namespaces/online/shipping-app-backend/shipping-dev/job-creator-rolebinding.yaml
file in the local clone of your repo and remove theconfigmanagement.gke.io/managed: disabled
annotation. Save the file.Commit and push your change. Config Sync does the following:
- Notices the change
- Applies the
configmanagement.gke.io/managed: enabled
annotation; the object is now managed. - Applies the config, as would happen with any managed object.
To verify that the object is now managed, list its annotations:
kubectl get rolebinding job-creators -n audit -o yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: configmanagement.gke.io/cluster-name: my-cluster configmanagement.gke.io/managed: enabled ...
Stop managing a namespace
You can stop managing a namespace in the same way as you stop managing any type of object. If you want to stop managing other resources within the namespace, perform the following steps:
Add the
configmanagement.gke.io/managed:disabled
annotation to the namespace config and all configs in the same namespace.Commit and push your changes to the repo. Wait for the Operator to sync with the repo.
Delete the unmanaged resources from the repository.
If configs for managed configs exist within an unmanaged namespace directory, the syncer logs errors, but other configs continue to sync normally.
What's next
- Learn about creating configs