Config Sync release notes

Upgraded the git-sync dependency from v4.2.3 to v4.2.4.

Upgraded bundled Helm version from v3.14.4 to v3.15.3 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Upgraded the Open Telemetry image from 0.102.0 to 0.103.0 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.

Improved error handling in the oci-sync container by adding exponential backoff.

Upgraded bundled Kustomize version from v5.3.0 to v5.4.2 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Upgraded the Open Telemetry image from v0.99.0 to v0.102.0 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.

Upgraded bundled Helm version from v3.14.3 to v3.14.4 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Upgraded the Open Telemetry image from v0.91.0-gke.9 to v0.99.0-gke.1 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.

Policy Controller bundles have been updated to the following versions: cis-gke-v1.5.0: 202403.0, nist-sp-800-190: 202403.0, nist-sp-800-53-r5: 202403.0, pci-dss-v3.2.1: 202403.0, pci-dss-v4.0: 202403.0, policy-essentials-v2022: 202403.0, pss-baseline-v2022: 202403.1, pss-restricted-v2022: 202403.1. For reference, see Policy Controller bundles overview.

When syncing from Helm, Config Sync now retries faster on errors with exponential backoff.

Reduced memory footprint in reconcilers by not loading the OpenAPI when the Config Sync admission webhook is disabled.

On Autopilot clusters, the helm-sync container CPU request is changed from 150m to 250m, and memory request is changed from 256Mi to 384Mi. For information on resource requirements, see Resource requests.

Upgraded bundled Helm version from v3.13.3 to v3.14.3 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Policy Controller bundles have been updated to the following versions: cis-gke-v1.4.0: 202402.0-preview, nist-sp-800-190: 202402.0, nist-sp-800-53-r5: 202402.0, pci-dss-v3.2.1: 202402.0, pss-baseline-v2022: 202402.0, pss-restricted-v2022: 202402.0. For reference, see Policy Controller bundles overview.

Policy Controller bundles have been updated to the following versions: cis-k8s-v1.5.1: 202312.1, cost-reliability-v2023: 202312.0, nist-sp-800-190: 202312.1, nist-sp-800-53-r5: 202312.1, nsa-cisa-k8s-v1.2: 202312.1, pci-dss-v3.2.1: 202312.1, psp-v2022: 202312.0. For reference, see Policy Controller bundles overview.

Upgraded bundled Helm version from v3.13.1 to v3.13.3 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Upgraded bundled Kustomize version from v5.1.1 to v5.3.0 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Policy Controller bundles have been updated to the following versions: asm-policy-v0.0.1: 202311.0, cis-k8s-v1.5.1: 202311.0, cost-reliability-v2023: 202311.0, nist-sp-800-190: 202311.0, nist-sp-800-53-r5: 202311.0, nsa-cisa-k8s-v1.2: 202311.0, pci-dss-v3.2.1: 202311.0, policy-essentials-v2022: 202311.0, psp-v2022: 202311.0, pss-baseline-v2022: 202311.0, pss-restricted-v2022: 202311.0. For reference, see Policy Controller bundles overview.

The constraint template library's K8sNoExternalServices template now supports the "networking.gke.io/load-balancer-type": "Internal" annotation. For reference, see Constraint template library.

Reduced Config Sync reconciler default CPU and memory requests on GKE Standard clusters. Increased Config Sync reconciler default CPU and memory requests to avoid throttling and reduce time to sync by up to 25%, and increased default limits on GKE Autopilot clusters to avoid out of memory errors for most workloads. For reference see Resource requests.

Policy Controller bundles have been updated to the following versions: asm-policy-v0.0.1: 202310.0, cis-k8s-v1.5.1: 202310.0, cost-reliability-v2023: 202310.0-preview, nist-sp-800-190: 202310.0, nist-sp-800-53-r5: 202310.0, nsa-cisa-k8s-v1.2: 202310.0, pci-dss-v3.2.1: 202310.0, policy-essentials-v2022: 202310.0, psp-v2022: 202310.0, pss-baseline-v2022: 202310.0, pss-restricted-v2022: 202310.0. For reference, see Policy Controller bundles overview.

The constraint template library's K8sPSPAllowedUsers, K8sPSPAllowPrivilegeEscalationContainer, K8sPSPAutomountServiceAccountTokenPod, K8sPSPCapabilities, K8sPSPFlexVolumes, K8sPSPForbiddenSysctls, K8sPSPFSGroup, K8sPSPHostFilesystem, K8sPSPHostNamespace, K8sPSPHostNetworkingPorts, K8sPSPPrivilegedContainer, K8sPSPProcMount, K8sPSPReadOnlyRootFilesystem, K8sPSPSELinuxV2, K8sPSPVolumeTypes, and K8sRequiredProbes no longer raise violations during updates of existing objects for immutable fields.

Updated the Open Telemetry image from 0.86.0 to 0.87.0 to address security vulnerabilities. For more information about these changes, see the full changelog for opentelemetry-collector-contrib.

Policy Controller bundles have been updated to the following versions: asm-policy-v0.0.1: 202309.0, cis-k8s-v1.5.1: 202309.0, cost-reliability-v2023: 202309.0, nist-sp-800-190: 202309.0, nist-sp-800-53-r5: 202309.0, nsa-cisa-k8s-v1.2: 202309.0, pci-dss-v3.2.1: 202309.0, policy-essentials-v2022: 202309.0, psp-v2022: 202309.0, pss-baseline-v2022: 202309.0, pss-restricted-v2022: 202309.0. For reference, see Policy Controller bundles overview.

Updated the Open Telemetry image from 0.54.0 to 0.86.0 to address security vulnerabilities. otelcontribcol:v0.86.0 contains breaking changes. For more information about these changes, see the full changelog for opentelemetry-collector-contrib.

Supported configuring the period that Config Sync waits before re-pulling the latest chart with the field spec.helm.period in RootSync or RepoSync. The default is 1 hour. For more information, see RootSync and RepoSync fields.

The constraint template library's K8sRequireDaemonsets template now supports restricting the use of NodeSelector in required Daemonset using the new restrictNodeSelector parameter. For reference, see Constraint template library.

Policy Controller bundles have been updated to the following versions: cis-k8s-v1.5.1: 202307.1, pci-dss-v3.2.1: 202307.0, policy-essentials-v2022: 202307.1, pss-baseline-v2022: 202307.0, pss-restricted-v2022: 202307.0. For reference, see Policy Controller bundles overview.

Upgraded bundled Kustomize version from v5.1.0 to v5.1.1 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Reduced the resource requirements for the reconciler Pod when no Kustomize rendering is needed. For information on resource requirements, see Resource requests.

Increased the default timeout for Kubernetes API requests from 5 seconds to 15 seconds. This allows more requests to succeed with fewer retries when the control plane is under load, and reduces the need to override the timeout with spec.override.apiServerTimeout in RootSync and RepoSync. To learn more, see Configuration for overriding the resource requests and limits of a root or namespace reconciler.

The constraint template library has been updated to use the templates.gatekeeper.sh/v1 API, which includes strict validation of parameter fields, for all templates. For a list of template parameter fields, see the Constraint template library.

Upgraded bundled Kustomize version from v5.0.3 to v5.1.0 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Upgraded bundled Helm version from v3.11.3 to v3.12.2 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

The constraint template library's K8sStorageClass template now supports an allowed list of storage classes using the new allowedStorageClasses parameter. For reference, see Constraint template library.

Upgraded bundled Kustomize version from v5.0.1 to v5.0.3 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

Changed error message ResourceFightWarning to ResourceFightError so that resource fighting conflict can be exposed as errors in nomos status and RootSync/RepoSync status.

Upgraded bundled Helm version from v3.6.3 to v3.11.3. Config Sync leverages the Helm executable to render the configurations under the hood. For more information, see the changelog for Helm v3.11.3. This note was updated on May 22, 2023.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: effa347).

The constraint template library's K8sPodsRequireSecurityContext template now supports an exempt-list of Images using the new exemptImages parameter. For reference, see Constraint template library.

The constraint template library's K8sRequireCosNodeImage template now supports an exempt-list of OS images using the new exemptOsImages parameter. For reference, see Constraint template library.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 8170c5f).

Stopped exposing the "unable to load /repo/source/error.json" transient error in the RootSync and RepoSync API.

Config Sync disallows RootSync and RepoSync to do self management and a KNV1069 SelfManageError will be reported. This note was updated on April 12, 2023 and on May 11, 2023.

The constraint template library's K8sPSPForbiddenSysctls template now supports an allow-list of sysctls using the new allowedSysctls parameter. For reference, see Constraint template library.

Config Sync now includes resource-related metrics labels in Google Cloud Monitoring. These labels were previously added to the Prometheus monitoring pipeline in Config Sync version 1.14.0. The labels are available under the "Group By" filter options in the Google Cloud Console. For more information on metrics, see Monitoring Config Sync.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: c61db24).

The constraint template library's K8sHttpsOnly template now supports Ingress blocks which do not include tls: using the new tlsOptional: true parameter. For reference, see Constraint template library.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 600a68d).

The contraint template library's K8sEmptyDirHasSizeLimit template now supports regular expression matching of exempt volume names by using the new exemptVolumesRegex parameter. For reference see Constraint template library.

The contraint template library's K8sMemoryRequestEqualsLimit template now supports regular expression matching of exempt container names by using the new exemptContainersRegex parameter. For reference see Constraint template library.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 8f1ef8c).

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: c370036).

The template library's K8sProhibitRoleWildcardAccess template now supports regular expression matching of clusterRole names by using the new regexMatch field.

The template library's K8sNoExternalServices template supports a new field: cloudPlatform.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 206bbe9).

This release includes several Config Sync performance improvements:

• Config Sync reconciler now watches resources for status updates instead of polling, leading to faster, more responsive, and more efficient detection of object failure and reconciliation. This change also significantly reduces memory allocations for unchanged objects.
• Disable client-side throttling when server-side throttling is enabled (enabled by default on Kubernetes v1.20 and later). This significantly reduced sync latency at scale.

Config Sync removed resource limits from reconciler-manager, reconciler, and git-importer to make them burstable.

Config Sync increased resource limits of admission-webhook (cpu: 1, memory: 2Gi) and otel-agent (cpu: 1, memory: 1Gi).

Increased the config-management-operator container memory request to 100Mi.

Increased the reconciler-manager container memory request to 50Mi and memory limit to 200Mi.

Increased the admission-webhook container memory request to 100Mi and memory limit to 250Mi.

The template library's K8sContainerRatios template supports a new field: cpuRatio.

The template library's K8sRestrictRoleBindings template now supports regular expression matching of role/clusterRole names by using the regexMatch field.

The template library's K8sProhibitRoleWildcardAccess template now allows roles and clusterRoles specified in the constraint to be exempted from the policy.

A set of template library's templates now include the exemptImages parameter, which exempts specific containers from the policy. Those templates are:

• K8sPSPAllowPrivilegeEscalationContainer
• K8sPSPAppArmor
• K8sPSPCapabilities
• K8sContainerLimits
• K8sContainerRatios
• K8sPSPHostNetworkingPorts
• K8sImageDigests
• K8sPSPPrivilegedContainer
• K8sPSPProcMount
• K8sPSPReadOnlyRootFilesystem
• K8sPSPSeccomp
• K8sPSPSELinuxV2
• K8sPSPAllowedUsers
• K8sContainerLimits

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: a478ae6).

This release note was updated on January 31, 2022. The update removed information about two new templates K8sPSPAutomountServiceAccountTokenPod and RestrictNetworkExclusions that are not yet available.

This release note was updated on January 31, 2022. The update removed information about a new field cpuRatio that is not yet available.

This release note was updated on January 28, 2022. The update removed information about a change to the K8sRestrictRoleBindings template that is not yet available.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: c36e3d8).

Increased memory request for git-sync container to 200Mi.

Config Sync will not block deletion requests if the object has non-nil metadata.deletionTimestamp.

Increased git-importer memory limit to 500Mi.

When encountering KNV1021: UnknownObjectError, Config Sync applies other resources that aren't affected by this error.

Updated Config Sync CPU requests to fit inside a default GKE cluster and for better resource utilization.

kube-rbac-proxy has been removed since Hierarchy Controller does not expose any sensitive metrics, and kube-rbac-proxy is no longer actively maintained.

This note was updated on August 5, 2021: the issue in the ResourceGroup Controller was fixed.

Cluster selectors and namespace selectors annotations are removed from the result of nomos hydrate so that it can pass nomos vet and can be synced directly to the cluster by Config Sync.

This release note was updated on September 29, 2021:

• The issue with Config Sync causing excessive updates of resources has been fixed.

This release note was updated on August 5, 2021:

• The issue in nomos hydrate has been fixed.
• A bug in nomos hydrate has been identified.
• nomos status has been updated to show resource level status when MultiRepo is enabled.

The following commands have been promoted to beta:

• gcloud container hub config-management apply
• gcloud container hub config-management disable
• gcloud container hub config-management enable
• gcloud container hub config-management status
• gcloud container hub config-management unmanage
• gcloud container hub config-management upgrade
• gcloud container hub config-management version

The Config Sync admission webhook serving port is switched from 8676 to 10250. If you use Config Sync in multi-repo mode in private GKE clusters, you no longer need to add a firewall rule to open port 8676.

The Hierarchy Controller admission webhook serving port has switched from 9443 to 10250. If you use Hierarchy Controller in private GKE clusters you no longer need to add a firewall rule to open port 9443.

The Anthos Policy Controller admission webhook serving port is switched from 8443 to 10250. If you use Policy Controller in private GKE clusters you no longer need to add a firewall rule to open port 8443.

Editing rights to Hierarchical Resource Quotas are now aggregated into the cluster-wide 'edit' and 'admin' Cluster Roles.

Hierarchy Controller has been updated to use HNC v0.8.0.

Increased reconciler memory limit to 300Mi.

This release note was updated on September 29, 2021:

• An issue with Config Sync causing excessive updates of resources has been identified.

Anthos Config Management images are no longer included in Anthos on VMWare clusters. To learn more, see Changes to Anthos Config Management updates.

This release note was updated on August 27, 2021. The update adds information about how to resolve an upgrade issue.

This release note was updated on March 5, 2021. The update removed information about a feature that is not yet available.

This release note was updated on April 24, 2021. The update adds information about how to resolve an issue.

This release note was updated on August 27, 2021. The update adds information about how to resolve an upgrade issue.

Hierarchy Controller is upgraded to include HNC v0.6.0. This release introduces support for v1alpha2, and will automatically update all your existing HNC objects. We recommend backing up these objects before upgrading in case there are any problems with the upgrade process. For more information, see the release notes for HNC v0.6.0.

The nomos status output has been modified significantly to provide a consistent experience for both mono-repo and multi-repo clusters.

The syncer and importer Containers now both run in the git-importer Pod in the importer Container. Any resource patches that were previously targeted to the syncer container will need to be updated to target the importer container.

The nomos CLI tool is now available via gcloud. Please see the downloads page for more information.

This release includes several logging and performance improvements.

This release includes several logging and performance improvements.

Policy Controller users may now enable --log-denies to log all denies and dryrun failures. This is useful when trying to see what is being denied or fails dry-run and for keeping a log to debug cluster problems without looking through the status of all constraints. This is configured by setting spec.policyController.logDeniesEnabled: true in the configuration file for the Operator. There is an example in the section on Installing Policy Controller.

This release includes several logging and performance improvements.

This release includes several fixes and improvements for the nomos command line utility.

The use of unsecured HTTP for GitHub repo connections or in an http_proxy is now discouraged, and support for unsecured HTTP will be removed in a future release. HTTPS will continue to be supported for GitHub repo and local proxy connections.

This release improves the handling of GitHub repositories with very large histories.

Prior to this release, Config Sync and kubectl controllers and processes used the same annotation (kubectl.kubernetes.io/last-applied-configuration) to calculate three-way merge patches. The shared annotation sometimes resulted in resource fights, causing unnecessary removal of each other's fields. Config Sync now uses its own annotation, which prevents resource clashes.

In most cases, this change will be transparent to you. However, there are two cases where some previously unspecified behavior will change.

The first case is when you have run kubectl apply on an unmanaged resource in a cluster, and you later add that same resource to the GitHub repo. Previously, Config Sync would have pruned any fields that were previously applied but not declared in the GitHub repo. Now, Config Sync writes the declared fields to the resource and leaves undeclared fields in place. If you want to remove those fields, do one of the following:

• Get a local copy of the resource from GitHub and kubectl apply it.
• Use kubectl edit --save-config to remove the fields directly.

The second case is when you stop managing a resource on the cluster or even stop all of Config Sync on a cluster. In this case, if you want to prune fields from a previously managed resource, you will see different behavior. Previously, you could get a local copy of the resource from GitHub, remove the unwanted fields, and kubectl apply it. Now, kubectl apply no longer prunes the missing fields. If you want to remove those fields, do one of the following:

• Call kubectl apply set-last-applied with the unmodified resource from GitHub, then remove unwanted fields and kubectl apply it again without the set-last-applied flag.
• Use kubectl edit --save-config to remove the fields directly.

The following Policy Controller constraint templates have been added to the Default Template Library:

• allowedserviceportname
• destinationruletlsenabled
• disallowedauthzprefix
• policystrictonly
• sourcenotallauthz

The following constraint templates have been updated:

• k8sblockprocessnamespacesharing
• k8sdisallowedrolebindingsubjects
• k8semptydirhassizelimit
• k8slocalstoragerequiresafetoevict
• k8smemoryrequestequalslimit
• k8snoexternalservices
• k8spspallowedusers
• k8spspallowprivilegeescalationcontainer
• k8spspapparmor
• k8spspcapabilities
• k8spspflexvolumes
• k8spspforbiddensysctls
• k8spspfsgroup
• k8spsphostfilesystem
• k8spsphostnamespace
• k8spsphostnetworkingports
• k8spspprivilegedcontainer
• k8spspprocmount
• k8spspreadonlyrootfilesystem
• k8spspseccomp
• k8spspselinux
• k8spspvolumetypes

See the Default Template Library documentation for more information.

Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 25ca799).

This new build of OPA Gatekeeper includes a number of bug fixes and performance improvements, and adds three new monitoring metrics:

• gatekeeper_sync
• gatekeeper_sync_duration_seconds
• gatekeeper_sync_last_run_time

This release includes several logging and performance improvements.

This release includes several performance and memory improvements.

In order to help prevent accidental deletion, Anthos Config Management will no longer allow a user to remove all namespaces or cluster-scoped resources in a single commit. If you wish to delete the full set of resources under management, it now requires two steps: remove all but one in a first commit, allow ACM to sync those changes, then remove the final resource in a second commit.

Error documentation has been updated to add more information on error codes. Errors that are no longer encountered in the product have been removed. Most error references have been embellished with examples and steps for remediation.

Anthos Config Management now supports a GKE-only authentication mechanism based on the service account of the cluster's node pool. Documentation on its use is here.

Anthos Config Management will now attempt to detect when resources that it manages are also managed by other controllers. Documentation on this behavior is available in error knv2005 which ACM will log in that case.

Policy Controller has been upgraded to include a newer version of Open Policy Agent Gatekeeper.

This version includes updates to improve the management of policy resources. As a consequence, finalizers are no longer used to manage Constraints and Constraint Templates.

The following metrics have been made obsolete due to these changes and have been removed:

• gatekeeper_watch_manager_is_running

• gatekeeper_watch_manager_last_restart_check_time

• gatekeeper_watch_manager_last_restart_time

• gatekeeper_watch_manager_restart_attempts

The following metrics were removed and will be re-implemented in a later version:

• gatekeeper_watch_manager_intended_watch_gvk

• gatekeeper_watch_manager_watched_gvk

Anthos Config Management images are now included in the Google-provided system images for Binary Authorization.

You can now exempt Namespaces from Policy Controller enforcement

Anthos Policy Controller is now Generally Available

Anthos Config Management now includes the generally-available version of Config Connector.

Anthos Config Management now supports the use of a Personal Access Tokens for authentication against supported Git providers. More information can be found in Installing Anthos Config Management.

Anthos Config Management now supports the use of an HTTP or HTTPS proxy to connect with your Git host. More information can be found at Installing Anthos Config Management.

The apiVersion for the ConfigManagement CustomResource has changed. No action is required; the CustomResource is upgraded automatically when you upgrade to v1.1.0. You can read more about configuring Anthos Config Management.

Managed CRDs (CustomResourceDefinitions) are now Namespace-scoped by default, instead of cluster-scoped. This matches the semantics of the kubectl command.

If a CRD explicitly specifies a scope, Anthos Config Management honors that scope.

The nomos hydrate command is a replacement for the nomos view command, and reports your Anthos Config Management configuration in a human-readable way.

To use nomos hydrate, upgrade the nomos command to v1.1.

If you need to continue using nomos view, do not upgrade the nomos command from v1.0. It will remain forward-compatible for the foreseeable future.

You can read about a known issue with nomos view.

Anthos Config Management can now be installed on clusters using PodSecurityPolicies.

The product name is now Anthos Config Management.

The nomos version command now provides version details for the Config Management Operator on each configured cluster, as well as the version of the nomos command itself.

New metrics allow you to monitor counts, latencies, and timestamps of specific operations.

The following changes have been made to the canonical example repository:

• The canonical example repo has moved. If you use this repo or a fork, update your Git repository's remotes or create a separate clone of the new repo to ensure that you receive updates.

• The filesystem standard and the value of the Repo object's spec.version for this version of Anthos Config Management are both 1.0.0.

• A new branch named 1.0.0 contains configs compatible with Anthos Config Management v1.0.0.

An example NetworkPolicy illustrates some methods for enforcing good security practices across your clusters.

We improved the instructions for setting up SSH keys for authenticating to a Git repository.

The git-policy-importer application has been renamed to git-importer.

The nomos-cluster-policy ClusterConfig has been renamed to config-management-cluster-config. After upgrading, both ClusterConfig objects both exist on the cluster. This does not impact the functionality of the cluster, but you may see spurious log messages if the older ClusterConfig is still present. You can remove the old ClusterConfig to avoid these log messages:

kubectl delete clusterconfig nomos-cluster-policy

Syncs are no longer required, and are now silently ignored by the Config Management Operator. You can now create a config for any object in your cluster except a CustomResourceDefinition or the Config Management Operator itself.

The nomos-system Namespace has been renamed to config-management-system.

The nomos.dev/ API group has been renamed to configmanagement.gke.io/.

The Nomos object has been renamed to the ConfigManagement object and is now cluster-scoped.

The nomos-resource-quota object, which combines all of a Namespace's effective ResourceQuotas into a single one that is more efficient for Kubernetes to check and enforce, has been renamed to config-management-resource-quota.

Prometheus now uses the gkeconfig Namespace.

Annotations, rather than labels, are now used to determine that Anthos Config Management is managing a Kubernetes object.

Moved repository format to Filesystem Standard v0.1.0.

Moved installation to use the Config Management Operator.