Stay organized with collectionsSave and categorize content based on your preferences.
This page explains how to use the Config Sync dashboard.
This dashboard provides you with a comprehensive overview of the packages that
Config Sync manages and the status of the resources in these packages.
Before you begin
IAM permissions
To access the Config Sync dashboard, the following IAM roles are required in
the project:
roles/container.clusterViewer
roles/gkehub.viewer
Role-based access control
The user also needs the relevant Kubernetes permissions in each cluster. If you
don't want to grant users extensive permissions, such as those of the cluster
admin, you can create a custom RBAC role that includes the minimum permissions
required to use the Config Sync dashboard.
Theconfig-sync-dashboard-readerClusterRolegrants the usergetandlistpermissions on the resources needed by the dashboard.
To create theconfig-sync-dashboard-readerClusterRoleand apply it to
the cluster, run the following command:
Thedashboardtab provides you an overview of the status of your
Config Sync installations:
Reconciliation statusshows you how many packages are reconciled. A
package is reconciled if the state that you want, as expressed by the
resources in the package, has been realized.
Your packages can have the following reconciliation statuses:
Current: the actual state of the package matches the state that you
want. The reconcile process is considered complete until there are changes
to either the state you want or the actual state.
In progress: the actual state of the package hasn't yet reached the
state that you want (as expressed by the resources in the package).
Newly created packages usually start with this status.
Failed: the process of reconciling the actual state with the state
that you want has encountered an error or it has made insufficient
progress.
Unknown: Config Sync couldn't determine the reconciliation
status of a package.
Synchronization statusshows you how many packages are synced. A package
is synced when the latest observed state of the package in the source (for
example, a Git repository) is reflected in the cluster.
Your packages can have the following synchronization statuses:
Synced: the package is synced to a cluster.
Pending: the package is pending synchronization.
Reconciling: the Deployment that syncs a package is being
reconciled.
Stalled: the Deployment that syncs a package is stalled.
Error: the package encountered an error during syncing.
Unknown: Config Sync couldn't determine the synchronization
status of a package.
Config Sync statusshows you the installation status of
Config Sync on your clusters.
Your clusters can have the following status related to Config Sync:
Enabled: clusters that have Config Sync enabled.
Not enabled: clusters that don't have Config Sync enabled.
Pending: clusters that have Config Sync enabled, but are
undergoing changes. This status usually occurs during first-time
configuration or when updating to a new version.
Error: clusters that have Config Sync enabled, but there's an
issue and Config Sync isn't working.
Unknown: Config Sync's status can't be determined.
Additional tables show you issues grouped by package and cluster, provide links
to install Config Sync and view settings, and resources for getting started.
View package status
ThePackagestab enables you to view in-depth details about individual
packages and clusters. Use this tab to better understand potential causes behind
sync errors and unhealthy resources.
Edit a package
You can also use thePackagestab to edit your package configurations.
To edit a package, complete the following steps:
Beside the name of the package that you want to edit, selecteditin theEdit packagecolumn
In thePackage detailssection, from theSource typedrop-down list,
select your source type.
In theSourcesection, complete the following:
For sources hosted in a Git repository, enter the following fields:
Enter the URL of the Git repository that you're using as a source of truth
as theRepository URL.
Optional: Update theRevisionfield to check out if you're not using
the defaultHEAD.
Optional: Update thePathfield if you don't want to sync from the
root repository.
Optional: Update theBranchfield if you're not using the defaultmainbranch.
For sources hosted in an OCI image, enter the following fields:
Enter the URL of the OCI image that you're using as a source of truth
as theImage.
Enter the path of the directory to sync from,
relative to the root directory, as theDirectory.
(Optional): Expand theAdvanced settingssection to complete the following:
Select anAuthentication type:
None: Use no authentication.
SSH: Use an SSH key pair.
Cookiefile: Use acookiefile.
Token: Use a token.
Google Cloud Repository: Use a Google service account to access a
Cloud Source Repositories repository. Only select this option if
Workload Identity Federation for GKE isnotenabled in your cluster.
Workload Identity: Use a Google service account to access a
Cloud Source Repositories repository.
Enter a number in seconds to set theSync wait time, which determines
how long Config Sync waits between syncing from the source of truth.
Enter aGit proxyURL for the HTTPS proxy to be used when
communicating with the source of truth.
ChooseHierarchyto change theSource format.
The default valueUnstructuredis recommended in most cases since it
lets you organize your source of truth however you want.
When you are finished editing your package, clickSave.
You are redirected to the Config SyncPackagespage. After a few minutes, you should seeSyncedin theSync statuscolumn for the package that you configured.
View settings
TheSettingstab shows you a list of clusters, along with information
about their Config Sync settings and fleet settings.
You can also use this tab to upgrade Config Sync on a cluster:
Beside the name of the cluster that you want to upgrade, select the context
menumore_vertand then selecteditEdit Config.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["This page explains how to use the Config Sync dashboard.\n\nThis dashboard provides you with a comprehensive overview of the packages that\nConfig Sync manages and the status of the resources in these packages.\n| **Key Term:** A *package* contains all of the configs contained in each . Because you can sync your cluster from multiple sources, you might have multiple packages per cluster.\n\nBefore you begin\n\nIAM permissions\n\nTo access the Config Sync dashboard, the following IAM roles are required in\nthe project:\n\n- `roles/container.clusterViewer`\n- `roles/gkehub.viewer`\n\nRole-based access control\n\nThe user also needs the relevant Kubernetes permissions in each cluster. If you\ndon't want to grant users extensive permissions, such as those of the cluster\nadmin, you can create a custom RBAC role that includes the minimum permissions\nrequired to use the Config Sync dashboard.\n\nThe `config-sync-dashboard-reader` `ClusterRole` grants the user `get` and\n`list` permissions on the resources needed by the dashboard.\n\n1. To create the `config-sync-dashboard-reader` `ClusterRole` and apply it to\n the cluster, run the following command:\n\n cat \u003c\u003cEOF \u003e config-sync-dashboard-reader.yaml\n kind: ClusterRole\n apiVersion: rbac.authorization.k8s.io/v1\n metadata:\n name: config-sync-dashboard-reader\n rules:\n - apiGroups: [\"apiextensions.k8s.io\"]\n resources: [\"customresourcedefinitions\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"configmanagement.gke.io\"]\n resources: [\"configmanagements\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"configsync.gke.io\"]\n resources: [\"rootsyncs\", \"reposyncs\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"kpt.dev\"]\n resources: [\"resourcegroups\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"apps\"]\n resources: [\"deployments\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"\"]\n resources: [\"pods\", \"services\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"anthos.cloud.google.com\"]\n resources: [\"canonicalservices\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"networking.istio.io\"]\n resources: [\"virtualservices\"]\n verbs: [\"get\", \"list\"]\n\n EOF\n kubectl apply -f config-sync-dashboard-reader.yaml\n\n2. Follow the instructions for configuring [role-based access control](https://cloud.google.com/anthos/identity/setup/bearer-token-auth#configure_role-based_access_control)\n on Google Kubernetes Engine clusters to set up the `ClusterRoleBinding`.\n\nAccess the dashboard\n\n1. In the Google Cloud console, go to the **Config** page under the **Features** section.\n\n \u003cbr /\u003e\n\n [Go to Config](https://console.cloud.google.com/kubernetes/config_management)\n2. Select the project that you want to view.\n\nView the dashboard\n\nThe **dashboard** tab provides you an overview of the status of your\nConfig Sync installations:\n\n- **Reconciliation status** shows you how many packages are reconciled. A\n package is reconciled if the state that you want, as expressed by the\n resources in the package, has been realized.\n\n Your packages can have the following reconciliation statuses:\n - **Current**: the actual state of the package matches the state that you want. The reconcile process is considered complete until there are changes to either the state you want or the actual state.\n - **In progress**: the actual state of the package hasn't yet reached the state that you want (as expressed by the resources in the package). Newly created packages usually start with this status.\n - **Failed**: the process of reconciling the actual state with the state that you want has encountered an error or it has made insufficient progress.\n - **Unknown**: Config Sync couldn't determine the reconciliation status of a package.\n- **Synchronization status** shows you how many packages are synced. A package\n is synced when the latest observed state of the package in the source (for\n example, a Git repository) is reflected in the cluster.\n\n Your packages can have the following synchronization statuses:\n - **Synced**: the package is synced to a cluster.\n - **Pending**: the package is pending synchronization.\n - **Reconciling**: the Deployment that syncs a package is being reconciled.\n - **Stalled**: the Deployment that syncs a package is stalled.\n - **Error**: the package encountered an error during syncing.\n - **Unknown**: Config Sync couldn't determine the synchronization status of a package.\n- **Config Sync status** shows you the installation status of\n Config Sync on your clusters.\n\n Your clusters can have the following status related to Config Sync:\n - **Enabled**: clusters that have Config Sync enabled.\n - **Not enabled**: clusters that don't have Config Sync enabled.\n - **Pending**: clusters that have Config Sync enabled, but are undergoing changes. This status usually occurs during first-time configuration or when updating to a new version.\n - **Error**: clusters that have Config Sync enabled, but there's an issue and Config Sync isn't working.\n - **Unknown**: Config Sync's status can't be determined.\n\nAdditional tables show you issues grouped by package and cluster, provide links\nto install Config Sync and view settings, and resources for getting started.\n\nView package status\n\nThe **Packages** tab enables you to view in-depth details about individual\npackages and clusters. Use this tab to better understand potential causes behind\nsync errors and unhealthy resources.\n\nEdit a package\n\nYou can also use the **Packages** tab to edit your package configurations.\n\nTo edit a package, complete the following steps:\n\n1. Beside the name of the package that you want to edit, select *edit* in the **Edit package** column\n2. In the **Package details** section, from the **Source type** drop-down list, select your source type.\n3. In the **Source** section, complete the following:\n\n - For sources hosted in a Git repository, enter the following fields:\n\n 1. Enter the URL of the Git repository that you're using as a source of truth as the **Repository URL**.\n 2. Optional: Update the **Revision** field to check out if you're not using the default `HEAD`.\n 3. Optional: Update the **Path** field if you don't want to sync from the root repository.\n 4. Optional: Update the **Branch** field if you're not using the default `main` branch.\n - For sources hosted in an OCI image, enter the following fields:\n\n 1. Enter the URL of the OCI image that you're using as a source of truth as the **Image**.\n 2. Enter the path of the directory to sync from, relative to the root directory, as the **Directory**.\n4. (Optional): Expand the **Advanced settings** section to complete the following:\n\n 1. Select an **Authentication type**:\n\n | **Note:** for OCI, you can only select **Workload Identity** for authentication.\n - **None**: Use no authentication.\n - **SSH**: Use an SSH key pair.\n - **Cookiefile** : Use a `cookiefile`.\n - **Token**: Use a token.\n - **Google Cloud Repository** : Use a Google service account to access a Cloud Source Repositories repository. Only select this option if Workload Identity Federation for GKE is *not* enabled in your cluster.\n - **Workload Identity**: Use a Google service account to access a Cloud Source Repositories repository.\n 2. Enter a number in seconds to set the **Sync wait time**, which determines\n how long Config Sync waits between syncing from the source of truth.\n\n 3. Enter a **Git proxy** URL for the HTTPS proxy to be used when\n communicating with the source of truth.\n\n 4. Choose **Hierarchy** to change the **Source format**.\n\n The default value **Unstructured** is recommended in most cases since it\n lets you organize your source of truth however you want.\n5. When you are finished editing your package, click **Save**.\n\n You are redirected to the Config Sync **Packages** page. After a few minutes, you should see **Synced** in the **Sync status**\n column for the package that you configured.\n\nView settings\n\nThe **Settings** tab shows you a list of clusters, along with information\nabout their Config Sync settings and fleet settings.\n\nYou can also use this tab to upgrade Config Sync on a cluster:\n\n- Beside the name of the cluster that you want to upgrade, select the context menu *more_vert* and then select *edit* **Edit Config**.\n\nFor guidance on Config Sync settings, see [Configure Config Sync](/kubernetes-engine/enterprise/config-sync/docs/how-to/installing-config-sync#configuring-config-sync).\n\nWhat's next\n\n- Learn about [using the Google Cloud CLI](/kubernetes-engine/enterprise/config-sync/docs/how-to/config-sync-status-gcloud) to monitor Config Sync.\n- Learn about [using the nomos command-line tool](/kubernetes-engine/enterprise/config-sync/docs/how-to/nomos-command) to monitor Config Sync.\n- Learn how to [Monitor Config Sync with\n metrics](/kubernetes-engine/enterprise/config-sync/docs/how-to/monitoring-config-sync)."]]
