This page explains how to configure clusters and cluster-scoped objects. You can also read about configuring namespaces and namespace-scoped objects.
Configure clusters and cluster-scoped objects
In unstructured repositories, you can organize configs for clusters and cluster-scoped objects in the way that's most convenient for you. All configs organized this way apply to every cluster enrolled in Config Sync.
In hierarchical repositories, all
configs for clusters and cluster-scoped objects are located within the
cluster/
directory. All configs within cluster/
apply to every cluster
enrolled in Config Sync.
Configure CustomResourceDefinitions
Config Sync lets you sync CustomResourceDefinitions (CRDs) the same way you would sync any other resource. There are a few things to keep in mind when syncing CRDs:
CRDs in hierarchical repositories, even when declaring a namespaced Custom Resource, must be placed in the
cluster/
directory.Updates to CRDs and their corresponding CustomResources do not occur in any predictable order. If you modify CRDs and the corresponding CustomResources in the same commit, there is no expectation that CRD updates occur before Custom Resource updates. This might cause the
nomos status
to report a transient error for a brief period of time, until both the CustomResource and the CRD are present in the cluster.Config Sync does not allow removal of a CRD if any CustomResource in the repo depends on it. To remove a CRD, you also need to remove its CustomResource. We recommend that you remove them both in the same commit to the repo.
You can sync a CustomResource without syncing its CRD, as long as you can guarantee that the CRD already exists in the cluster.
Limit which clusters a config affects
By default, Config Sync applies a config to every enrolled cluster. However, if you need to apply a config to only a subset of clusters, you can either add a cluster-name-selector annotation or a ClusterSelector config to your repository.
The cluster-name-selector
annotation provides a simple way to specify a subset
of clusters to apply a config to. This option only supports selecting clusters
by names.
The ClusterSelector
object supports selecting clusters by labels, but it
requires more complex configurations.
Configure using the cluster-name-selector
annotation
You can apply a config to a subset of clusters with the
configsync.gke.io/cluster-name-selector
annotation. You can use
this annotation to apply a config to a set of clusters, denoted by cluster names.
The value of the annotation is a comma-separated list of target cluster names.
You can apply the annotation on cluster-scoped objects and namespace-scoped
objects. Namespace objects are selected when the annotation matches the cluster
name and when the namespace that the clusters belong to is also selected.
Select a single cluster
The following config creates a Role called namespace-reader
that defines a set
of permissions for reading namespaces. This Role is only applied on the cluster
that has the name cluster-1
.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: my-namespace
name: namespace-reader
annotations:
configsync.gke.io/cluster-name-selector: cluster-1
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "watch", "list"]
Select a list of clusters
The following config creates the same Role as the previous example, but this
Role is only applied on the clusters that have the name cluster-1
,
cluster-2
, or cluster-3
.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: my-namespace
name: namespace-reader
annotations:
configsync.gke.io/cluster-name-selector: cluster-1,cluster-2,cluster-3
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "watch", "list"]
Configure using the ClusterSelector
object
A ClusterSelector is a special type of config that uses Kubernetes labelSelectors. You can use a ClusterSelector to limit which clusters a particular config applies to, based on the cluster's labels. You can also use ClusterSelectors to limit which clusters instantiate a namespace-scoped object.
Like other labelSelectors, ClusterSelectors operate using AND logic. Since ClusterSelectors use AND logic, objects are only selected when they match all of the labels that you define.
A ClusterSelector config does not persist in a cluster. Instead, you reference it in another config using an annotation, and that config only applies to clusters that match the ClusterSelector.
Before you can use ClusterSelectors, each cluster must have a unique name and a set of labels that can be selected. The cluster metadata is specified in a Cluster config in your source of truth.
Next, you add labels to a cluster, create the ClusterSelector, then reference it in another config.
Add labels to a cluster
To use ClusterSelectors, each cluster must have a set of labels that can be
selected. In unstructured repositories, Cluster configs can be stored
arbitrarily in the config directory or its descendant directories.
In hierarchical repositories, Cluster configs are stored in the clusterregistry/
directory.
To apply configs to a cluster, the metadata.name
field of the Cluster config
must match the
clusterName
field
of your ConfigManagement object.
The following example Cluster config declares that cluster-2
has the
environment: prod
and location: central
labels.
kind: Cluster
apiVersion: clusterregistry.k8s.io/v1alpha1
metadata:
name: cluster-2
labels:
environment: prod
location: central
You can also apply annotations using a Cluster config.
Create a ClusterSelector
A ClusterSelector selects only clusters with a given label or combination
of labels. In unstructured repositories, ClusterSelectors can be stored
arbitrarily in the sync directory or its descendant directories. In hierarchical
repositories, ClusterSelectors are stored in the top level clusterregistry/
directory in the repository.
The following ClusterSelector selects only clusters with the
environment: prod
label.
kind: ClusterSelector
apiVersion: configmanagement.gke.io/v1
metadata:
name: selector-env-prod
spec:
selector:
matchLabels:
environment: prod
The following ClusterSelector selects any clusters with the
location: central
or location: west
labels.
kind: ClusterSelector
apiVersion: configmanagement.gke.io/v1
metadata:
name: selector-central-or-west
spec:
selector:
matchExpressions:
- key: location
operator: In
values:
- central
- west
A ClusterSelector has no effect until you reference it in another config.
Reference a ClusterSelector
To reference a ClusterSelector in another config, set the annotation
configmanagement.gke.io/cluster-selector: CLUSTERSELECTOR-NAME
.
The following config creates a ClusterRole called namespace-reader
that
defines a set of permissions for reading namespaces. This ClusterRole is only
instantiated on clusters that match the selector-env-prod
ClusterSelector.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: namespace-reader
annotations:
configmanagement.gke.io/cluster-selector: selector-env-prod
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "watch", "list"]
Limit the clusters a namespace-scoped config affects
By default, Config Sync applies configs inherited by a namespace to that namespace in each cluster where it exists. You can use a ClusterSelector to apply the config to only a subset of those clusters.
For example, you can configure clusters differently based on their geographic
location or the geographic location of their clients. This configuration can
be useful for localization or for legal compliance. The examples in this section
apply locale-specific configs to only clusters with the label location: france
.
The following Cluster config adds an location: france
label to a
cluster called cluster-1
:
kind: Cluster
apiVersion: clusterregistry.k8s.io/v1alpha1
metadata:
name: cluster-1
labels:
location: france
Create a ClusterSelector config that references the labels you want to
select. The following ClusterConfig selects the location: france
label:
kind: ClusterSelector
apiVersion: configmanagement.gke.io/v1
metadata:
name: selector-location-france
spec:
selector:
matchLabels:
location: france
A ClusterSelector has no effect until you reference it in another config.
The following RoleBinding config selects only clusters that match the
selector-location-france
ClusterSelector. This configuration might be useful,
for instance, if a compliance guideline only allowed a particular service
account to view information on clusters in their designated geographic region.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: viewers
annotations:
configmanagement.gke.io/cluster-selector: selector-location-france
subjects:
- kind: Group
name: system:serviceaccounts:foo
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
If you place this config in an abstract namespace or a namespace directory, such
as namespaces/eng
, it is applied to the namespaces that inherit it, but only
on clusters with the location: france
label.
What's next
- Learn more about configuring namespaces and namespace-scoped objects