This example shows how a cluster admin can use a Config Sync hierarchical root repository to manage the configuration of a
Kubernetes cluster shared by two different teams, `team-1` and `team-2`.
The cluster configuration is under the `config/` directory.
The `compiled/` directory (which is not required for using Config Sync) contains the output of `nomos hydrate`, which compiles
the configs under the `config/` directory to the exact form that would be sent to the APIServer to apply.
- You'll need a cluster that has Config Sync installed. Please follow the instructions to install Config Sync if it is not set up yet.
- Install the `nomos` command.
You can configure syncing from the Git repository using the GCP console or gcloud.
Following the console instructions for configuring Config Sync, you need to:
- Select None in the Git Repository Authentication for ACM section.
- Select Enable Config Sync in the ACM settings for your clusters section.
- If you're using your forked repo, the URL should be the Git repository URL for your fork: `https://github.com/<YOUR_ORGANIZATION>/anthos-config-management-samples.git`; otherwise the URL should be `https://github.com/GoogleCloudPlatform/anthos-config-management-samples.git`.
- The Branch should be `init`.
- The Tag/Commit should be `HEAD`.
- The Source format field should be `hierarchy`.
- The Policy directory field should be `hierarchical-format/config`.
You can also configure the Git repository information in a YAML file and use `gcloud` to apply the file.
- Create a file named `config-management.yaml` and copy the following YAML file into it:

  ```yaml
  # config-management.yaml
  apiVersion: configmanagement.gke.io/v1
  kind: ConfigManagement
  metadata:
    name: config-management
  spec:
    sourceFormat: hierarchy
    git:
      syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples/
      syncBranch: init
      secretType: none
      policyDir: hierarchical-format/config
  ```
- Apply the `config-management.yaml` file:

  ```
  gcloud beta container fleet config-management apply \
      --membership=CLUSTER_NAME \
      --config=CONFIG_YAML_PATH \
      --project=PROJECT_ID
  ```

  Replace the following:
  - `CLUSTER_NAME`: the name of the registered cluster that you want to apply this configuration to
  - `CONFIG_YAML_PATH`: the path to `config-management.yaml`
  - `PROJECT_ID`: your project ID
- In the Cloud Console, go to the Anthos Config Management page.
- View the Status column. A successful installation has a status of `Synced`.
Run the following command to get the status:

```
gcloud beta container fleet config-management status --project=PROJECT_ID
```

Replace `PROJECT_ID` with your project's ID.
A successful installation has a status of `SYNCED`.
Run the following command to get the status:

```
nomos status
```

Example Output:

```
*your-cluster
--------------------
<root> https://github.com/GoogleCloudPlatform/anthos-config-management-samples/hierarchical-format/config@init
SYNCED c4fee081
```
The `config` directory includes ClusterRoles, ClusterRoleBindings, CRDs, Namespaces, RoleBindings, ServiceAccounts,
ResourceQuotas, NetworkPolicies, LimitRanges and CRs.
These configs are applied as soon as Config Sync is configured to read from the repo.
All objects managed by Config Sync have the `app.kubernetes.io/managed-by` label set to `configmanagement.gke.io`.
- List namespaces managed by Config Sync:

  ```
  kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io
  ```

  Example Output:

  ```
  NAME     STATUS   AGE
  team-1   Active   28m
  team-2   Active   28m
  ```

- List CRDs managed by Config Sync:

  ```
  kubectl get crds -A -l app.kubernetes.io/managed-by=configmanagement.gke.io
  ```

  Example Output:

  ```
  NAME                          CREATED AT
  crontabs.stable.example.com   2021-05-04T14:58:14Z
  ```

- List rolebindings managed by Config Sync:

  ```
  kubectl get rolebindings -A -l app.kubernetes.io/managed-by=configmanagement.gke.io
  ```

  Example Output:

  ```
  NAMESPACE   NAME            ROLE                        AGE
  team-1      secret-reader   ClusterRole/secret-reader   29m
  team-2      secret-admin    ClusterRole/secret-admin    29m
  ```
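
The label selectors above show what Config Sync manages; the inverse view is useful for auditing a shared cluster. The following added example (not part of the sample repository) reads the JSON output of `kubectl get ns -o json` and `kubectl get rolebindings -A -o json` and reports RoleBindings that sit in Config Sync-managed namespaces but lack the managed-by label. It assumes a policy that every RoleBinding in a managed namespace comes from the repo; the sample data, the `debug-admin` binding and the user names are constructed.

```python
import json

MANAGED_LABEL = "app.kubernetes.io/managed-by"
MANAGED_VALUE = "configmanagement.gke.io"

def is_managed(obj):
    """True if the object carries the label Config Sync sets on what it manages."""
    labels = obj.get("metadata", {}).get("labels") or {}
    return labels.get(MANAGED_LABEL) == MANAGED_VALUE

def unmanaged_rolebindings(namespaces_json, rolebindings_json):
    """RoleBindings inside Config Sync-managed namespaces that lack the label.

    Inputs are the outputs of `kubectl get ns -o json` and
    `kubectl get rolebindings -A -o json`.
    """
    managed_ns = {ns["metadata"]["name"]
                  for ns in json.loads(namespaces_json)["items"] if is_managed(ns)}
    findings = []
    for rb in json.loads(rolebindings_json)["items"]:
        meta, ref = rb["metadata"], rb["roleRef"]
        if meta["namespace"] in managed_ns and not is_managed(rb):
            subjects = [f'{s["kind"]}/{s["name"]}' for s in rb.get("subjects") or []]
            findings.append((meta["namespace"], meta["name"],
                             f'{ref["kind"]}/{ref["name"]}', subjects))
    return sorted(findings)

# Constructed sample data (not real cluster output).
def _obj(name, managed, namespace=None, **extra):
    meta = {"name": name, "labels": {MANAGED_LABEL: MANAGED_VALUE} if managed else {}}
    if namespace:
        meta["namespace"] = namespace
    return {"metadata": meta, **extra}

def _rb(ns, name, managed, role, subject):
    return _obj(name, managed, ns,
                roleRef={"kind": "ClusterRole", "name": role},
                subjects=[{"kind": "User", "name": subject}])

SAMPLE_NS = json.dumps({"items": [
    _obj("team-1", True), _obj("team-2", True), _obj("kube-system", False)]})
SAMPLE_RB = json.dumps({"items": [
    _rb("team-1", "secret-reader", True, "secret-reader", "dev@example.com"),
    _rb("team-2", "secret-admin", True, "secret-admin", "ops@example.com"),
    _rb("team-2", "debug-admin", False, "secret-admin", "alice@example.com"),
    _rb("kube-system", "bootstrap", False, "secret-reader", "system@example.com")]})

if __name__ == "__main__":
    for ns, name, role, subjects in unmanaged_rolebindings(SAMPLE_NS, SAMPLE_RB):
        print(f"{ns}/{name} -> {role} for {', '.join(subjects)}")
```

The label is ordinary metadata that anyone with write access to an object can set, so treat a missing label as a finding and a present label as a hint to confirm against the repo.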