Install Config Connector in namespaced mode


This page explains how to install Config Connector in namespaced mode.

Installing in namespaced mode is an extension of the Config Connector installation. Namespaced mode supports managing multiple projects, each with their own Google Cloud identities.

Before you begin

Before configuring Config Connector to run in namespaced mode, ensure that you have installed Config Connector.

Configure Config Connector to run in namespaced mode

To enable namespaced mode, complete the following steps:

  1. Copy the following YAML manifest into a file named configconnector.yaml:

    apiVersion: core.cnrm.cloud.google.com/v1beta1
    kind: ConfigConnector
    metadata:
      # the name is restricted to ensure that there is only one ConfigConnector resource installed in your cluster
      name: configconnector.core.cnrm.cloud.google.com
    spec:
      mode: namespaced
      stateIntoSpec: Absent
    
  2. Apply the configuration to your cluster with kubectl apply:

    kubectl apply -f configconnector.yaml
    

Configure Config Connector to manage resources in your namespaces

In the following sections, the Google Cloud project where you install Config Connector is known as the host project, or HOST_PROJECT_ID. The other projects where you manage resources are known as the managed projects, or MANAGED_PROJECT_ID. These could be the same project if you only intend to use Config Connector to create Google Cloud resources in the same project as your cluster.

Creating a namespace

You can skip this step if you already have a namespace to use to organize Google Cloud resources.

Use kubectl to create a new namespace by running the following command:

kubectl create namespace NAMESPACE

Replace NAMESPACE with a name for the namespace.

Configure an IAM policy to connect to Google Cloud APIs

To let Config Connector manage your Google Cloud resources using Workload Identity Federation for GKE, create an IAM policy.

To configure the policy binding, create an IAM allow policy that references the Kubernetes ServiceAccount that is automatically created when you install Config Connector on your cluster:

gcloud projects add-iam-policy-binding projects/PROJECT_ID \
    --role=roles/iam.workloadIdentityUser \
    --member=principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/subject/ns/NAMESPACE/sa/cnrm-system/cnrm-controller-manager \
    --condition=None

Replace the following:

  • PROJECT_ID: your Google Cloud project ID.
  • PROJECT_NUMBER: your numerical Google Cloud project number.
  • NAMESPACE: the name of the Kubernetes namespace for the Config Connector ServiceAccount. If you didn't explicitly create a namespace, the value is default.

Creating a ConfigConnectorContext

To create Google Cloud resources, you need to configure Config Connector to watch your namespace by adding a ConfigConnectorContext object in the namespace you want to use.

To create a ConfigConnectorContext, complete the following steps:

  1. Copy the following YAML manifest into a file named configconnectorcontext.yaml:

    apiVersion: core.cnrm.cloud.google.com/v1beta1
    kind: ConfigConnectorContext
    metadata:
      # you can only have one ConfigConnectorContext per namespace
      name: configconnectorcontext.core.cnrm.cloud.google.com
      namespace: NAMESPACE
    spec:
      googleServiceAccount: "NAMESPACE_GSA@HOST_PROJECT_ID.iam.gserviceaccount.com"
      stateIntoSpec: Absent
    

    Replace the following:

    • NAMESPACE with the name of your namespace.
    • NAMESPACE_GSA with the name of the Google service account bound to your namespace.
    • HOST_PROJECT_ID with your host project's ID.
  2. Apply the file to your cluster with kubectl:

    kubectl apply -f configconnectorcontext.yaml
    
  3. Verify that the Config Connector Operator created a Kubernetes service account for your namespace with kubectl by running the following command:

    kubectl get serviceaccount/cnrm-controller-manager-NAMESPACE -n cnrm-system
    

    Replace NAMESPACE with the name of your namespace.

  4. Verify that the Config Connector controller Pod is running for your namespace with kubectl by running the following command:

    kubectl wait -n cnrm-system \
        --for=condition=Ready pod \
        -l cnrm.cloud.google.com/component=cnrm-controller-manager \
        -l cnrm.cloud.google.com/scoped-namespace=NAMESPACE
    

    Replace NAMESPACE with the name of your namespace.

    If the Config Connector controller is running, the output is similar to:

    cnrm-controller-manager-abcdefghijk-0 condition met.
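    The steps above, as an added shell helper that is not part of the Config Connector documentation: it validates the namespace and Google service account, renders the ConfigConnectorContext manifest with its fixed name, and (in the hypothetical setup_namespace_context wrapper, which needs kubectl and cluster access) applies it and waits for the per-namespace controller Pod. The values team-a, cnrm-team-a and my-host-project are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Config Connector docs: set up namespaced mode for one
# namespace. Inputs follow the page's placeholders: NAMESPACE, NAMESPACE_GSA, HOST_PROJECT_ID.

# Return 0 if "$1" is a valid Kubernetes namespace name (RFC 1123 label).
valid_namespace() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Return 0 if "$1" is a Google service account email that lives in host project "$2".
# The GSA must belong to the host project, not to the managed project.
valid_gsa_email() {
  printf '%s' "$1" | grep -Eq "^[a-z][-a-z0-9]{5,29}@$2\.iam\.gserviceaccount\.com$"
}

# Print the ConfigConnectorContext manifest for namespace "$1" bound to GSA "$2".
# metadata.name is fixed because only one ConfigConnectorContext is allowed per namespace.
render_ccc_manifest() {
  cat <<EOF
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
  name: configconnectorcontext.core.cnrm.cloud.google.com
  namespace: $1
spec:
  googleServiceAccount: "$2"
  stateIntoSpec: Absent
EOF
}

# Hypothetical wrapper: validate, apply, then wait for the namespace's controller Pod.
# Requires kubectl and cluster access, so it is not exercised offline.
setup_namespace_context() {
  ns="$1"; gsa="$2"; host="$3"
  valid_namespace "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
  valid_gsa_email "$gsa" "$host" || { echo "GSA must be in host project $host: $gsa" >&2; return 1; }
  render_ccc_manifest "$ns" "$gsa" | kubectl apply -f -
  kubectl wait -n cnrm-system --for=condition=Ready pod --timeout=120s \
    -l cnrm.cloud.google.com/component=cnrm-controller-manager \
    -l cnrm.cloud.google.com/scoped-namespace="$ns"
}
```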
    

Configure Config Connector to no longer manage resources in your namespace

To configure Config Connector to no longer manage your namespace, you remove all Config Connector resources in your namespace and delete the ConfigConnectorContext in your namespace.

Remove the Config Connector resources in your namespace

To finalize the removal of ConfigConnectorContext, remove all Config Connector resources from your namespace.

  1. To discover all Config Connector resources in your namespace, for each Config Connector Custom Resource Definition, list all resources.

    kubectl get gcp -n NAMESPACE
    

    Replace NAMESPACE with the name of your namespace.

  2. To remove all Config Connector resources, for each resource in the output of the previous step, issue a delete command.

    kubectl delete -n NAMESPACE KIND NAME
    

    Replace the following:

    • NAMESPACE: the name of your namespace
    • KIND: the kind of the resource discovered in the previous step
    • NAME: the name of the resource discovered in the previous step

Remove the ConfigConnectorContext

To configure Config Connector to no longer manage the Config Connector resources in your namespace, delete ConfigConnectorContext in your namespace.

  kubectl delete -n NAMESPACE ConfigConnectorContext configconnectorcontext.core.cnrm.cloud.google.com

Replace NAMESPACE with the name of your namespace.

The deletion of ConfigConnectorContext will not finalize until all Config Connector resources are removed from your namespace.
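The two removal procedures above, as an added shell helper that is not part of the Config Connector documentation: it turns the output of kubectl get gcp -o name into KIND NAME pairs, deletes each resource, then deletes the ConfigConnectorContext and reports what is still blocking its finalization. The remove_cc_resources and remove_context functions are hypothetical wrappers that need kubectl and cluster access; the ABANDON option relies on Config Connector's cnrm.cloud.google.com/deletion-policy annotation, and the sample listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the Config Connector docs: stop Config Connector managing
# one namespace. Only refs_to_kind_name runs offline; the rest needs a cluster.

# Read "kubectl get gcp -n NS -o name" output (resource.group/name per line) on stdin
# and print "KIND NAME" pairs, the form "kubectl delete -n NS KIND NAME" expects.
refs_to_kind_name() {
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    printf '%s %s\n' "${ref%%/*}" "${ref#*/}"
  done
}

# Delete every Config Connector resource in namespace "$1". By default this also
# deletes the underlying Google Cloud resource; with ABANDON=1 the Kubernetes object
# is annotated with deletion-policy=abandon first, so the cloud resource is kept.
remove_cc_resources() {
  ns="$1"
  kubectl get gcp -n "$ns" -o name | refs_to_kind_name | while read -r kind name; do
    if [ "${ABANDON:-0}" = 1 ]; then
      kubectl annotate -n "$ns" "$kind" "$name" \
        cnrm.cloud.google.com/deletion-policy=abandon --overwrite
    fi
    kubectl delete -n "$ns" "$kind" "$name" --wait=true
  done
}

# Delete the ConfigConnectorContext in "$1" and poll until it is gone. It only
# finalizes once the namespace holds no Config Connector resources, so on timeout
# ("$2" polls of 10s, default 30) list whatever is still left.
remove_context() {
  ns="$1"; tries="${2:-30}"
  kubectl delete -n "$ns" ConfigConnectorContext \
    configconnectorcontext.core.cnrm.cloud.google.com --wait=false
  while kubectl get -n "$ns" configconnectorcontext \
      configconnectorcontext.core.cnrm.cloud.google.com >/dev/null 2>&1; do
    tries=$((tries - 1))
    if [ "$tries" -le 0 ]; then
      echo "ConfigConnectorContext still present; remaining resources:" >&2
      kubectl get gcp -n "$ns" >&2
      return 1
    fi
    sleep 10
  done
}
```

Run as remove_cc_resources NAMESPACE followed by remove_context NAMESPACE; a constructed listing such as storagebucket.storage.cnrm.cloud.google.com/my-bucket becomes the pair "storagebucket.storage.cnrm.cloud.google.com my-bucket".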

Uninstalling Config Connector

Don't use the following steps to uninstall a Config Controller cluster.

Use kubectl delete to remove the Config Connector CRDs along with controller components:

kubectl delete ConfigConnectorContext --all -A --wait=false

kubectl delete ConfigConnector configconnector.core.cnrm.cloud.google.com \
    --wait=true

To uninstall the Config Connector operator, run the following command:

kubectl delete -f operator-system/configconnector-operator.yaml --wait=true

What's next