Config Sync Hierarchical Root Repository Example - Basic Cluster Configuration

This example shows how a cluster admin can use a Config Sync hierarchical root repository to manage the configuration of a Kubernetes cluster shared by two different teams, team-1 and team-2. The cluster configuration is under the config/ directory.

The compiled/ directory (which is not required for using Config Sync) contains the output of nomos hydrate, which compiles the configs under the config/ directory to the exact form that would be sent to the APIServer to apply.

Before you begin

Configuring syncing from the repository

You can configure syncing from the Git repository using the GCP Console or gcloud.

Using GCP Console

Following the console instructions for configuring Config Sync, you need to:

  • Select None in the Git Repository Authentication for ACM section
  • Select Enable Config Sync in the ACM settings for your clusters section
    • If you're using your forked repo, the URL should be the Git repository URL for your fork: https://github.com/<YOUR_ORGANIZATION>/anthos-config-management-samples.git; otherwise the URL should be https://github.com/GoogleCloudPlatform/anthos-config-management-samples.git
    • The Branch should be init.
    • The Tag/Commit should be HEAD.
    • The Source format field should be hierarchy.
    • The Policy directory field should be hierarchical-format/config.

Using gcloud

You can also configure the Git repository information in a YAML file and use gcloud to apply the file.

  1. Create a file named config-management.yaml and copy the following YAML file into it:
    # config-management.yaml

    apiVersion: configmanagement.gke.io/v1
    kind: ConfigManagement
    metadata:
      name: config-management
    spec:
      sourceFormat: hierarchy
      git:
        syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples/
        syncBranch: init
        secretType: none
        policyDir: hierarchical-format/config
  2. Apply the config-management.yaml file:
    gcloud alpha container hub config-management apply \
        --membership=CLUSTER_NAME \
        --config=CONFIG_YAML_PATH \
        --project=PROJECT_ID

Replace the following:

  • CLUSTER_NAME: the name of the registered cluster that you want to apply this configuration to
  • CONFIG_YAML_PATH: the path to config-management.yaml
  • PROJECT_ID: your project ID

Verifying the installation

Using GCP Console

  1. In the Cloud Console, go to the Anthos Config Management page.
  2. View the Status column. A successful installation has a status of Synced.

Using gcloud

Run the following command to get the status:

gcloud alpha container hub config-management status --project=PROJECT_ID

Replace PROJECT_ID with your project's ID.

A successful installation has a status of SYNCED.

Using nomos

Run the following command to get the status:

nomos status

Example Output:

*your-cluster
  --------------------
  <root>   https://github.com/GoogleCloudPlatform/anthos-config-management-samples/hierarchical-format/config@init   
  SYNCED   c4fee081 

Examining your configs

The config directory includes ClusterRoles, ClusterRoleBindings, CRDs, Namespaces, RoleBindings, ServiceAccounts, ResourceQuotas, NetworkPolicies, LimitRanges and CRs. These configs are applied as soon as Config Sync is configured to read from the repo.

All objects managed by Config Sync have the app.kubernetes.io/managed-by label set to configmanagement.gke.io.

  • List namespaces managed by Config Sync:

    kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io

    Example Output:

    NAME        STATUS   AGE
    team-1      Active   28m
    team-2      Active   28m
  • List CRDs managed by Config Sync:

    kubectl get crds -A -l app.kubernetes.io/managed-by=configmanagement.gke.io

    Example Output:

    NAME                          CREATED AT
    crontabs.stable.example.com   2021-05-04T14:58:14Z
  • List rolebindings managed by Config Sync:

    kubectl get rolebindings -A -l app.kubernetes.io/managed-by=configmanagement.gke.io

    Example Output:

    NAMESPACE   NAME                            ROLE                        AGE
    team-1      secret-reader                   ClusterRole/secret-reader   29m
    team-2      secret-admin                    ClusterRole/secret-admin    29m
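
The managed-by label can also be used the other way round, to find RoleBindings that were created in the team namespaces without going through the repo. The following is an added example, not part of the original repository: the sample JSON, the debug-admin, helm-rb and system-rb bindings, and the function names are constructed for illustration, and it assumes every RoleBinding in a Config Sync-managed namespace is expected to come from the repo.

```python
import json

MANAGED_LABEL = "app.kubernetes.io/managed-by"
MANAGED_VALUE = "configmanagement.gke.io"


def _rb(ns, name, role, labels=None):
    """Build a constructed RoleBinding in the shape kubectl emits."""
    meta = {"namespace": ns, "name": name}
    if labels is not None:
        meta["labels"] = labels
    return {"kind": "RoleBinding", "metadata": meta,
            "roleRef": {"kind": "ClusterRole", "name": role}}


# Constructed sample standing in for the output of:
#   kubectl get rolebindings -A -o json
SAMPLE = json.dumps({"items": [
    _rb("team-1", "secret-reader", "secret-reader", {MANAGED_LABEL: MANAGED_VALUE}),
    _rb("team-2", "secret-admin", "secret-admin", {MANAGED_LABEL: MANAGED_VALUE}),
    _rb("team-2", "debug-admin", "cluster-admin"),              # no labels at all
    _rb("team-1", "helm-rb", "view", {MANAGED_LABEL: "Helm"}),  # different manager
    _rb("kube-system", "system-rb", "view"),                    # namespace out of scope
]})


def is_managed(obj):
    """True if the object carries the Config Sync managed-by label."""
    labels = obj.get("metadata", {}).get("labels") or {}
    return labels.get(MANAGED_LABEL) == MANAGED_VALUE


def unmanaged_bindings(rolebindings_json, managed_namespaces):
    """Return sorted (namespace, name, roleRef) tuples for RoleBindings that
    live in a managed namespace but lack the Config Sync label."""
    findings = []
    for item in json.loads(rolebindings_json).get("items", []):
        meta = item.get("metadata", {})
        ns = meta.get("namespace")
        if ns in managed_namespaces and not is_managed(item):
            ref = item.get("roleRef", {})
            findings.append((ns, meta.get("name"),
                             f"{ref.get('kind')}/{ref.get('name')}"))
    return sorted(findings)


if __name__ == "__main__":
    for ns, name, role in unmanaged_bindings(SAMPLE, {"team-1", "team-2"}):
        print(f"not managed by Config Sync: {ns}/{name} -> {role}")
```

Labels can be edited by anyone with write access to an object, so a missing label is a reliable finding while a present label is only a hint that the object came from the repo.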