Config Connector for managing Google Cloud Resources with GKE

Chaithanya Kopparthi
Reputation Developers
3 min read · Jun 5, 2023


Kubernetes has seen rapid adoption in recent years. We at Reputation deploy a hundred-plus microservices on Kubernetes every day. These microservice architectures are often complex and frequently need to connect to services that live outside Kubernetes, and managing those external resources usually means juggling several different tools.


Config Connector:

Config Connector is an open-source tool that lets you manage Google Cloud resources from within Kubernetes. It uses the Kubernetes CRD (Custom Resource Definition) framework: each Google Cloud resource type is represented by a custom resource, and creating such an object causes the corresponding resource to be created in Google Cloud.

Every CRD is backed by a controller that creates, updates and deletes the Google Cloud resource based on the objects present in Kubernetes. These controllers also reconcile the resources at regular intervals, so the actual state of a resource managed by Config Connector is continuously brought back to the declared state.

Getting Started:

In this article we will create a service account and assign a role to it.

There are multiple ways to install Config Connector; the best and easiest is to enable it as an add-on on your GKE cluster. There is no additional charge for using the Config Connector add-on on GKE.

For Config Connector to manage resources in Google Cloud it needs a Google service account with privileges sufficient to create, update and delete those resources. To bind that service account to a namespace, add the configuration below to the operator:

apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
  # you can only have one ConfigConnectorContext per namespace
  name: configconnectorcontext.core.cnrm.cloud.google.com
  namespace: cc-test
spec:
  googleServiceAccount: "privileged-account@test-project.iam.gserviceaccount.com"

To have resources created in a particular project, annotate the namespace with that project's ID:

kubectl annotate namespace \
  cc-test cnrm.cloud.google.com/project-id=test-project

To create the service account in test-project, create an object in Kubernetes with the YAML below.

# Source: helm-serviceaccount/templates/serviceaccount.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: test-project
  name: test-cloudconfig

As soon as you apply this, Config Connector picks up the details and creates the service account in test-project. The service account shown below is reconciled at regular intervals and is updated if it deviates from the declared state.

$ kubectl get iamserviceaccount -o yaml
apiVersion: v1
items:
- apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    annotations:
      cnrm.cloud.google.com/management-conflict-prevention-policy: none
      cnrm.cloud.google.com/project-id: test-project
      cnrm.cloud.google.com/state-into-spec: merge
    finalizers:
    - cnrm.cloud.google.com/finalizer
    - cnrm.cloud.google.com/deletion-defender
    generation: 2
    name: test-cloudconfig
    namespace: cc-test
  spec:
    resourceID: test-cloudconfig
  status:
    conditions:
    - message: The resource is up to date
      reason: UpToDate
      status: "True"
      type: Ready
    email: test-cloudconfig@test-project.iam.gserviceaccount.com
    member: serviceAccount:test-cloudconfig@test-project.iam.gserviceaccount.com
    name: projects/test-project/serviceAccounts/test-cloudconfig@test-project.iam.gserviceaccount.com
    observedGeneration: 2
kind: List
metadata:
  resourceVersion: ""

To assign a role to the newly created service account, a second object is required.

# Source: helm-serviceaccount/templates/serviceaccount-policy.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: test-cloudconfig-bucket
spec:
  member: "serviceAccount:test-cloudconfig@test-project.iam.gserviceaccount.com"
  role: roles/storage.objectViewer
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: test-project_configconnect

Once this resource is created, Config Connector grants the roles/storage.objectViewer role to the test-cloudconfig service account on the bucket test-project_configconnect only, rather than on the whole project.
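Because these manifests translate directly into IAM grants, it is worth linting them before they are applied. The following is an added example, not code from the post or from Config Connector: the two manifests above hand-converted to the dict form yaml.safe_load would return, plus least-privilege checks (no basic roles, member must be a service account defined alongside it, resourceRef must name the narrowest resource) that are my own policy choices.

```python
from typing import Dict, List, Set

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # broad, project-wide grants
PROJECT_ANN = "cnrm.cloud.google.com/project-id"

# The post's two manifests, hand-converted to the dict form yaml.safe_load would produce.
SERVICE_ACCOUNT = {
    "apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMServiceAccount",
    "metadata": {"name": "test-cloudconfig", "annotations": {PROJECT_ANN: "test-project"}},
}
POLICY_MEMBER = {
    "apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPolicyMember",
    "metadata": {"name": "test-cloudconfig-bucket"},
    "spec": {
        "member": "serviceAccount:test-cloudconfig@test-project.iam.gserviceaccount.com",
        "role": "roles/storage.objectViewer",
        "resourceRef": {"apiVersion": "storage.cnrm.cloud.google.com/v1beta1",
                        "kind": "StorageBucket", "external": "test-project_configconnect"},
    },
}

def expected_email(sa: Dict) -> str:
    """Email Config Connector gives the GSA: <resourceID or metadata.name>@<project-id>.iam.gserviceaccount.com."""
    meta = sa["metadata"]
    project = meta.get("annotations", {}).get(PROJECT_ANN)
    if not project:
        raise ValueError(f"{meta['name']}: missing {PROJECT_ANN} annotation")
    account = sa.get("spec", {}).get("resourceID", meta["name"])
    return f"{account}@{project}.iam.gserviceaccount.com"

def lint_policy_member(pm: Dict, known_emails: Set[str]) -> List[str]:
    """Findings for one IAMPolicyMember; an empty list means it passes the policy."""
    name, spec = pm["metadata"]["name"], pm.get("spec", {})
    findings = []
    if spec.get("role") in BASIC_ROLES:
        findings.append(f"{name}: basic role {spec['role']}; use a predefined or custom role")
    kind, _, email = spec.get("member", "").partition(":")
    if kind != "serviceAccount" or email not in known_emails:
        findings.append(f"{name}: member {spec.get('member')!r} is not a service account defined in this bundle")
    ref = spec.get("resourceRef", {})
    if ref.get("kind") == "Project":
        findings.append(f"{name}: bound at project scope; prefer the narrowest resource")
    if not ref.get("kind") or not (ref.get("external") or ref.get("name")):
        findings.append(f"{name}: resourceRef must give kind plus external or name")
    return findings

def lint_bundle(objs: List[Dict]) -> List[str]:
    """Lint every IAMPolicyMember against the IAMServiceAccounts declared in the same bundle."""
    emails = {expected_email(o) for o in objs if o.get("kind") == "IAMServiceAccount"}
    return [f for o in objs if o.get("kind") == "IAMPolicyMember" for f in lint_policy_member(o, emails)]
```

Running `lint_bundle([SERVICE_ACCOUNT, POLICY_MEMBER])` on the post's manifests returns no findings; a binding of roles/editor on a Project resourceRef would be flagged twice.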

With Config Connector, we can leverage the way Kubernetes already manages resources, including:

  • RBAC for access control.
  • Events for visibility.
  • Single source of configuration and desired state management for reduced complexity.
  • Eventual consistency for loosely coupling dependencies.
