Config Sync is a GitOps service offered as a part of Google Kubernetes Engine (GKE) Enterprise edition. Config Sync is built on an open source core and lets cluster operators and platform administrators deploy configurations from a source of truth. The service has the flexibility to support one or many clusters and any number of repositories per cluster or namespace. The clusters can be in a hybrid or multi-cloud environment.
Config Sync is available with a Google Kubernetes Engine (GKE) Enterprise edition license.
Config Sync benefits
GitOps is considered a universal best practice for organizations managing Kubernetes configuration at scale. The benefits of improved stability, better readability, consistency, audit and security are common to all GitOps tools. Config Sync is a part of Google Kubernetes Engine (GKE) Enterprise edition, which provides you with a set of unique advantages:
- Integrated with Google Kubernetes Engine (GKE) Enterprise edition: platform admins can install Config Sync using a few clicks in the Google Cloud console, using Terraform, or by using Google Cloud CLI on any cluster connected to your fleet. The service is pre-configured to work with other Google Kubernetes Engine (GKE) Enterprise edition and Google Cloud services like Policy Controller, Workload Identity Federation for GKE and Cloud Monitoring.
- Built-in observability: Config Sync has an observability dashboard that is built into the Google Cloud console, requiring no additional setup. Platform administrators can view the state of their synchronization and reconciliation by visiting the Google Cloud console or by using the Google Cloud CLI.
- Multi-cloud and hybrid support: Config Sync is tested across several cloud providers and in hybrid environments prior to every GA release. To view the support matrix, see Google Kubernetes Engine (GKE) Enterprise edition version and upgrade support.
Understanding Config Sync
The following diagram shows you an overview of how teams might sync their clusters to a single root repository (managed by an admin) and multiple namespace repositories (managed by application operators):
A central administrator manages the centralized infrastructure for the organization and enforces policies on the cluster and on all namespaces in the organization. The application operators, who are responsible for managing live deployments, apply configurations to the applications in the namespaces that they work on.
Configuring clusters
Config Sync lets you create a common set of configuration and policies, such as Policy Controller constraints, and consistently apply them across registered and connected clusters from a single source of truth.
Instead of repeatedly running the kubectl apply command manually, you can orchestrate deployment of configuration changes to fleets of clusters through GitOps-style tools. For more information, see Safe rollouts with Config Sync.
While this and other tutorials use a Git repository as the source of truth, it's also possible to use an OCI image or Helm chart.
Configuring namespaces
Configuring namespaces with Config Sync provides you with the following capabilities:
- You can consistently provision Kubernetes namespaces with namespace-scoped policies, such as RBAC roles, across registered and connected clusters. Namespace-scoped policies make it easier to implement and manage multi-tenancy within your clusters.
- You can apply policies to multiple related namespaces without duplicating configs, and you can override or extend a config for a given namespace or set of namespaces, which makes it easier to apply consistent policies across tenants.
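The split described above, a root repository owned by the central administrator and a namespace repository owned by application operators, written as manifests. This is an added example, not configuration from the original page; it assumes Config Sync's RootSync and RepoSync resources (configsync.gke.io/v1beta1), and the repository URLs, Secret names, directories and the team-a namespace are placeholders.

```yaml
# Root repository: cluster-wide config, owned by the central administrator.
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceFormat: unstructured
  sourceType: git
  git:
    repo: https://git.example.com/platform/root-config  # placeholder URL
    branch: main
    dir: clusters/prod                                   # placeholder path
    auth: token
    secretRef:
      name: root-git-creds                               # placeholder Secret
---
# Namespace repository: owned by the application operators of team-a.
apiVersion: configsync.gke.io/v1beta1
kind: RepoSync
metadata:
  name: repo-sync
  namespace: team-a                                      # placeholder tenant
spec:
  sourceFormat: unstructured
  sourceType: git
  git:
    repo: https://git.example.com/team-a/app-config      # placeholder URL
    branch: main
    dir: deploy                                          # placeholder path
    auth: token
    secretRef:
      name: team-a-git-creds                             # placeholder Secret
---
# Least privilege: the namespace reconciler may only apply what this
# namespace-scoped binding allows. Declare it in the root repository so the
# administrator, not the tenant, controls the grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-syncs
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: ns-reconciler-team-a        # reconciler for a RepoSync named repo-sync
  namespace: config-management-system
roleRef:
  kind: ClusterRole
  name: edit                        # built-in role; swap for a narrower Role
  apiGroup: rbac.authorization.k8s.io
```

The RoleBinding is what bounds the namespace repository: the team-a reconciler can apply only what the bound role permits inside team-a, so cluster-scoped objects and other tenants' namespaces stay under the root repository.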