Anthos Config Management (ACM)offers cloud platform administrators a variety of techniques to streamline cluster configuration. One ACM feature, Config Sync, allows them to use a Git repository to create common configurations that are automatically applied on Kubernetes clusters in their fleet, bringing a familiar code review collaboration process to config management. Another ACM feature, Policy Controller, enforces security guardrails in compliance with their organization’s requirements. This blog series explores these offerings and how to get started using them with Terraform.
Many platform administrators prefer Infrastructure as Code to achieve repeatable and predictable deployments. This also applies to configuring ACM features on Kubernetes clusters.
In the past, platform administrators who used Terraform lacked a smooth transition from HCL to modeling cluster configuration. They had to resort to manual processes that required additional temporary permissions granted to operators to complete provisioning.
The new GKEHub API and new resources enabled in Terraform Provider for Google Cloud Platform —google_gke_hub_feature, google_hub_feature_membership and google_gke_hub_membership—make it possible to automate last mile cluster configuration, including pointing it to a Git repository and turning on the Policy Controller.
For platform administrators, this solves previous challenges of modeling cluster configuration such as namespaces, services accounts, RBAC, in a Kubernetes idiomatic way, i.e. without the awkward Terraform HCL counterparts. Better still this natural, IaC approach improves auditability and transparency and reduces risk of misconfigurations or security gaps.
In this 3 part blog series, we’ll show how you can enable Anthos features on GKE. We’ll start with Config Sync to reconcile the cluster state with the specified Git repository.
Based on a GKE cluster resource in your Terraform configuration:
You can then enable GKE Hub membership, and the configmanagement feature:
Additional settings can then be configured for each of the features – sync_repo to point at the repo storing your cluster configurations, poliy_dir to point at the root of the repo to reconcile, and the specific sync_branch in the repo.
Applying this configuration with Terraform will enable Config Sync and will automatically synchronize the state of the cluster with the repo, immediately creating the Kubernetes config objects on the cluster. Your pods, deployments, services and other native K8s objects will automatically be created. See this article for more details on how to organize configs in a repo.
The cluster now is fully provisioned and requires no “last mile” configuration steps.
This repo provides a complete example of provisioning a cluster that is synchronized with a repo that contains a popular WordPress configuration.
In the next part of the series we’ll show you how you can use Terraform to configure another ACM feature – Policy Controller.
Cloud BlogRead More