ConfigManagement fields

This page explains the different fields that you can set in your ConfigManagement object. You can use this object when you are configuring Config Sync using kubectl commands. You might also use these fields if you're managing Policy Controller with a ConfigManagement object instead of the Policy Controller gcloud commands.

Configuration for Config Sync features

Key Description
spec.enableMultiRepo If true, enables the RootSync and RepoSync APIs. These APIs provide additional Config Sync features, such as syncing from multiple repositories and syncing Kustomize and Helm configurations. Defaults to false.
spec.preventDrift If true, enables the Config Sync admission webhook, which prevents drift by rejecting changes to live cluster objects that conflict with the synced configuration. Defaults to false. Regardless of this field's value, Config Sync always remediates drift that it detects.
spec.enableLegacyFields (Shut down in 1.19.0) If true, enables the use of the deprecated spec.git fields in the ConfigManagement object while still using multi-repo mode. Setting this field automatically generates a RootSync resource on the cluster.

Configuration for Policy Controller

Key Description
spec.policyController.enabled If true, enables Policy Controller. Defaults to false.
spec.policyController.templateLibraryInstalled If true, installs a library of constraint templates for common policy types. Defaults to true.
spec.policyController.referentialRulesEnabled If true, enables support for referential constraints. Be sure that you understand the caveats about eventual consistency. Defaults to false.
spec.policyController.auditIntervalSeconds Period in seconds between consecutive audits of constraint violations. Set to 0 to disable auditing. Default: 60.
spec.policyController.logDeniesEnabled If true, logs all denies and dry run failures. Defaults to false.
spec.policyController.mutation.enabled If true, enables support for mutations. Defaults to false.
spec.policyController.exemptableNamespaces A list of namespaces to remove from Policy Controller admission webhook enforcement. Any violations are still reported in audit. Defaults to an empty list.
spec.policyController.monitoring.backends A list of monitoring backends for Policy Controller to export metrics to. Default: [cloudmonitoring, prometheus].
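The following ConfigManagement object is an added example, not taken from the original page or from the Config Sync project. It combines the Config Sync feature fields and the Policy Controller fields from the two tables above so that the defaults and their effect can be read side by side. The cluster name and the namespace choices are assumptions. Two settings are worth reading together: exemptableNamespaces only removes admission enforcement, and audit is what still reports violations in those namespaces, so auditIntervalSeconds is left at its default rather than set to 0, which would disable that reporting entirely.

```yaml
# Added example (not from the original page): a ConfigManagement object that
# sets the Config Sync and Policy Controller fields described in the tables.
# clusterName and the exempted namespaces are assumed values.
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  clusterName: prod-us-east1        # assumed; used by ClusterSelectors
  enableMultiRepo: true             # RootSync/RepoSync APIs; default false
  preventDrift: true                # admission webhook rejects conflicting live changes; default false
  policyController:
    enabled: true                   # default false
    templateLibraryInstalled: true  # default true
    referentialRulesEnabled: false  # default false; referential constraints are eventually consistent
    auditIntervalSeconds: 60        # default 60; 0 disables auditing altogether
    logDeniesEnabled: true          # default false; logs every deny and dry-run failure
    mutation:
      enabled: false                # default false
    exemptableNamespaces:           # admission enforcement skipped here; audit still reports violations
      - kube-system                 # assumed choice
      - config-management-system    # assumed choice
    monitoring:
      backends:                     # default is both backends
        - cloudmonitoring
        - prometheus
```

Apply the object with kubectl apply -f, as the introduction describes for configuring Config Sync with kubectl commands. Enabling logDeniesEnabled gives security operations a record of rejected admissions; exempting namespaces trades enforcement for audit-only visibility, so keep auditing on whenever that list is non-empty.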

Configuration for behavior of the ConfigManagement object

Key Description
spec.clusterName The user-defined name for the cluster, used by ClusterSelectors to group clusters together. Must be unique within a Config Sync installation. You cannot configure this field in the Google Cloud console.

Example ConfigManagement object

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  clusterName: my-cluster
  enableMultiRepo: true

Configuration for Git repositories (deprecated)

Key Description
spec.git.gcpServiceAccountEmail The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when spec.git.secretType is gcpserviceaccount.
spec.git.syncRepo The URL of the Git repository to use as the source of truth. Required.
spec.git.syncBranch The branch of the repository to sync from. Default: master.
spec.git.policyDir The path in the Git repository to the root directory that contains the configuration that you want to sync. Default: the root directory of the repository.
spec.git.syncWait The time duration between consecutive syncs. Default: 15s.
spec.git.syncRev Git revision (tag or hash) to check out. Default: HEAD.
spec.git.secretType The type of secret configured for access to the Git repository. One of ssh, cookiefile, token, gcenode, gcpserviceaccount, or none. Required.
spec.sourceFormat The format of your Git repository. Can be unstructured or hierarchy. Default: hierarchy.

Proxy configuration for the Git repository

If your organization's security policies require you to route traffic through an HTTP(S) proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host. Proxy is only supported when using an authorization type of cookiefile, none, or token.

Key Description
spec.git.proxy.httpProxy Defines an HTTP_PROXY environment variable used to access the Git repository.
spec.git.proxy.httpsProxy Defines an HTTPS_PROXY environment variable used to access the Git repository.

If both the httpProxy and httpsProxy fields are specified, httpProxy is ignored.
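An added example, not from the original page, of the deprecated spec.git fields together with the proxy settings from the two tables above. The repository URL, branch, directory, cluster name and proxy address are assumed placeholders. Because a proxy is only supported with a secretType of cookiefile, none, or token, the example uses token, and because httpProxy is ignored whenever httpsProxy is set, only httpsProxy is specified. The token itself is not part of this object; Config Sync reads it from a Kubernetes Secret, which this page does not cover.

```yaml
# Added example (not from the original page): legacy spec.git configuration
# with an HTTPS proxy. The repository URL, paths, cluster name and proxy
# address are placeholders.
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  clusterName: prod-us-east1          # assumed
  # enableMultiRepo is left at its default (false): the spec.git fields belong
  # to the legacy mode. Using them with enableMultiRepo: true required
  # enableLegacyFields, which was shut down in 1.19.0.
  sourceFormat: unstructured          # or hierarchy (the default)
  git:
    syncRepo: https://git.example.com/platform/cluster-config.git  # assumed
    syncBranch: main                  # default is master
    policyDir: clusters/prod          # default is the repository root
    syncWait: 15s                     # default 15s
    syncRev: HEAD                     # default HEAD
    secretType: token                 # a proxy only works with cookiefile, none or token
    proxy:
      # Only httpsProxy is set: when both fields are given, httpProxy is ignored.
      httpsProxy: http://proxy.example.com:3128  # assumed
```

With secretType set to ssh, gcenode or gcpserviceaccount the proxy fields would have no effect, so check the authorization type first when traffic to the Git host fails to leave the cluster through the expected proxy.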