This page provides a high-level explanation of Config Sync and its benefits.
Config Sync can help you to simplify management of Kubernetes configuration objects. You can use Config Sync to centralize your configuration files in a single source of truth, such as a Git repository, which helps to ensure consistency and eliminate configuration drift.
This page is for Operators who want to implement GitOps tools to centralize configuration management for their teams. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
Pricing
Config Sync requires a Google Kubernetes Engine (GKE) Enterprise edition license.
Config Sync benefits
Config Sync is a GitOps service for platform administrators that centralizes configuration management by letting teams sync resources across clusters or namespaces from a single source of truth.
GitOps is considered a universal best practice for organizations managing Kubernetes configuration at scale. The benefits of improved stability, better readability, consistency, audit and security are common to all GitOps tools. Config Sync is a part of Google Kubernetes Engine (GKE) Enterprise edition, which provides you with a set of unique advantages:
- Integrated with Google Kubernetes Engine (GKE) Enterprise edition: platform admins can install Config Sync using a few clicks in the Google Cloud console, using Terraform, or by using Google Cloud CLI on any cluster connected to your fleet. The service is pre-configured to work with other Google Kubernetes Engine (GKE) Enterprise edition and Google Cloud services like Policy Controller, Workload Identity Federation for GKE and Cloud Monitoring.
- Built-in observability: Config Sync has an observability dashboard that is built into the Google Cloud console, requiring no additional setup. Platform administrators can view the state of their synchronization and reconciliation by visiting the Google Cloud console or by using the Google Cloud CLI.
- Multi-cloud and hybrid support: Config Sync is tested across several cloud providers and in hybrid environments prior to every GA release. To view the support matrix, see Google Kubernetes Engine (GKE) Enterprise edition version and upgrade support.
How Config Sync works
The following diagram shows you an overview of how teams might sync their clusters to a single root repository (managed by an admin) and multiple namespace repositories (managed by application operators):
A central administrator manages the centralized infrastructure for the organization and enforces policies on the cluster and on all namespaces in the organization. The application operators, who are responsible for managing live deployments, apply configurations to the applications in the namespaces that they work on.
Configuring clusters
Config Sync lets you create a common set of configuration and policies, such as Policy Controller constraints, and consistently apply them across registered and connected clusters from a single source of truth.
Instead of repeatedly running the kubectl apply command manually, you can orchestrate deployment of configuration changes to fleets of clusters through GitOps-style tools. For more information, see Safe rollouts with Config Sync.
While this and other tutorials use a Git repository as the source of truth, it's also possible to use an OCI image or Helm chart.
Configuring namespaces
Configuring namespaces with Config Sync provides you with the following capabilities:
- You can consistently provision Kubernetes namespaces with namespace-scoped policies, such as RBAC roles, across registered and connected clusters. Namespace-scoped policies make it easier to implement and manage multi-tenancy within your clusters.
- You can apply policies to multiple related namespaces without duplicating configs, and you can override or extend a config for a given namespace or set of namespaces, which makes it easier to apply consistent policies across tenants.