If you're encountering difficulties with Config Sync, this page introduces you to some common tools and procedures that can help you identify and resolve problems that you experience.
Upgrade to a supported version
Consider upgrading Config Sync to a supported version. Upgrading often resolves common problems and gives you access to the most current functionalities.
Use the nomos
command-line tool
The nomos
command-line tool provides
essential insights into your Config Sync setup. The commands described in
the following sections are particularly helpful when you're trying to determine
the source of your problem or when you need to work with Cloud Customer Care.
View Config Sync status
The
nomos status
command provides you with aggregated data and errors to help you understand
what's happening with your Config Sync installation. The following
information is available with nomos status
:
- Installation status per cluster
- Syncing errors (both reading from Git as well as reconciling the changes)
Create a bug report
If you have a problem with Config Sync that requires help from
Cloud Customer Care, you can provide them with valuable debugging
information by using the
nomos bugreport
command.
This command generates a timestamped zip file with information on the Kubernetes
cluster set in your kubectl
context. The file also contains logs from
Config Sync Pods. It doesn't contain information from the resources synced
with Config Sync.
View the overview dashboard
The Config Sync dashboard provides you with an overview of the status of the packages that Config Sync manages and the status of the resources in these packages. Exploring this dashboard can help you to get a quick overview of the status of your Config Sync installation and discover any packages that have issues.
To access the dashboard, in the Google Cloud console go to the Config page in the Features section:
Use monitoring and log analysis
Monitoring Config Sync and exploring its logs can help you determine the source of bugs and to better understand any unexpected behavior.
Understand Config Sync metrics
Use Config Sync metrics to gain visibility into the health of Config Sync.
Monitor RootSync and RepoSync objects
When you install Config Sync using the Google Cloud console or Google Cloud CLI, Config Sync automatically creates a RootSync object for you. When you Configure syncing from multiple repositories, you can create RepoSync objects that contain configuration information about your namespace repositories.
Monitoring these objects can reveal valuable information about the state of Config Sync. To learn more, see Monitor RootSync and RepoSync objects.
Use service level indicators (SLIs)
To receive notifications when Config Sync isn't working as intended, use Config Sync SLIs.
Query logs
You can use the Logs Explorer
to retrieve, view, and analyze log data for Config Sync. These logs can
contain valuable historical data that isn't captured by nomos bugreport
when
the operator or reconciler Pods are restarted. For examples of queries that
might help you diagnose your issue, see Query Config Sync logs.
Examine resources with the kubectl
command-line tool
Config Sync is composed of multiple custom resources that you can query by
using kubectl
commands. These commands help you understand the status of each
of Config Sync's objects.
You should know the following information about the Kubernetes resources that Config Sync manages:
config-management-system
is the namespace we use to run all core system components of Config Sync.configmanagement.gke.io
andconfigsync.gke.io
are the API groups we use for all custom resources.
Examples
The following sections show you how you might use kubectl
commands to examine
Config Sync.
List custom resources
You can get a full list of the custom resources by running the following command:
kubectl api-resources | grep -E "configmanagement.gke.io|configsync.gke.io"
Individual custom resources can be consumed by running the following command:
kubectl get RESOURCE -o yaml.
Replace
RESOURCE
with the name of the resource that you want to query.For example, the output of the following command lets you check the status of a RootSync object:
kubectl get rootsync -n config-management-system -o yaml
Check an object's token annotation
You might want to know when a managed Kubernetes object was last updated by Config Sync. Each managed object is annotated with the hash of the Git commit when it was last modified, and the path to the config that contained the modification.
For example, to get the annotation of a ClusterRoleBinding named
namespace-readers
, run the following command:
kubectl get clusterrolebinding namespace-readers
The output is similar to the following:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
configmanagement.gke.io/source-path: cluster/namespace-reader-clusterrolebinding.yaml
configmanagement.gke.io/token: bbb6a1e2f3db692b17201da028daff0d38797771
name: namespace-readers
...
For more information, see labels and annotations.
Accelerate diagnosis with Gemini Cloud Assist
Sometimes, the cause of your issue isn't immediately obvious, even after using the tools discussed in the preceding sections. Investigating complex cases can be time-consuming and requires deep expertise. For scenarios like this, Gemini Cloud Assist can help. It can automatically detect hidden patterns, surface anomalies, and provide summaries to help you quickly pinpoint a likely cause.
Access Gemini Cloud Assist
To access Gemini Cloud Assist, complete the following steps:
- In the Google Cloud console, go to any page.
In the Google Cloud console toolbar, click Open or close Gemini Cloud Assist chat.
The Cloud Assist panel opens. You can click example prompts if they are displayed, or you can enter a prompt in the Enter a prompt field.
Explore example prompts
To help you understand how Gemini Cloud Assist can help you, here are some example prompts:
Theme | Scenario | Example prompt | How Gemini Cloud Assist can help |
---|---|---|---|
Initial setup | A platform engineer is setting up Config Sync for the first time so that they can manage GKE clusters from a Git repository. | How do I set up Config Sync to sync manifests from my GitHub repository to my GKE cluster? | Gemini Cloud Assist provides a step-by-step guide to setting up Config Sync, covering fleet registration and enabling the feature, and explaining details like repository URL, branch, path, and authentication methods (for example, public , token , or ssh ). |
Troubleshooting sync errors | A developer commits a new manifest, but the resource fails to apply to the cluster, and the sync status shows an error code. | My Config Sync RootSync object shows "KNV2009: the server could not find the requested resource ". What does this mean and how do I fix it? |
Gemini Cloud Assist analyzes the error code, explaining that it generally indicates Config Sync cannot locate or interact with an expected Kubernetes resource. It then details common causes, including missing RBAC permissions, exceeding resource object size limits, incorrect directory paths, external inventory conflicts, and issues with unmanaged resources, providing specific troubleshooting steps for each cause. |
Managing multiple teams | An organization needs to allow application teams to manage their own configurations in specific namespaces without giving them access to the central platform repository. | What's the difference between a RootSync and a RepoSync object in Config Sync? When should I use RepoSync ? |
Gemini Cloud Assist explains the core difference between Gemini Cloud Assist also details scenarios where |
Proactive validation | A developer wants to ensure their new manifest is valid before committing it to the repository to avoid breaking the sync in production. | How can I check my Kubernetes manifests for Config Sync errors on my local machine before I push them to the Git repository? | Gemini Cloud Assist explains how to check Kubernetes manifests for Config Sync errors by using the nomos command-line tool. It details how to use the nomos vet command for syntax validation and the nomos hydrate command for previewing rendered configurations from Kustomize or Helm. Gemini Cloud Assist also outlines a recommended workflow to integrate these checks before pushing to Git. |
For more information, see the following resources:
- Learn how to write better prompts.
- Learn how to use the Gemini Cloud Assist panel.
- Read the Gemini for Google Cloud overview.
- Learn how Gemini for Google Cloud uses your data.
Use Gemini Cloud Assist Investigations
In addition to interactive chat, Gemini Cloud Assist can perform more automated, in-depth analysis through Gemini Cloud Assist Investigations. This feature is integrated directly into workflows like Logs Explorer, and is a powerful root-cause analysis tool.
When you initiate an investigation from an error or a specific resource, Gemini Cloud Assist analyzes logs, configurations, and metrics. It uses this data to produce ranked observations and hypotheses about probable root causes, and then provides you with recommended next steps. You can also transfer these results to a Google Cloud support case to provide valuable context that can help you resolve your issue faster.
For more information, see Gemini Cloud Assist Investigations in the Gemini documentation.
Read additional troubleshooting documentation
If you're still experiencing problems, the following resources might be helpful:
If you've received an error message, see the error reference page for advice on resolving the error.
Check to see if the problem you're having is caused by a known issue.
If you're having difficulties with a specific area, one of the targeted troubleshooting guides listed in the Troubleshoot by issue type section of the table of contents might help.
What's next
If you can't find a solution to your problem in the documentation, see Get support for further help, including advice on the following topics:
- Opening a support case by contacting Cloud Customer Care.
- Getting support from the community by
asking questions on
StackOverflow.
If you use kpt or Kustomize, use the
kpt
orkustomize
tag to search for similar issues. - Opening bugs or feature requests by using the public issue tracker on GitHub.