Installing on other Kubernetes distributions

This page shows you how to install Config Connector on a Kubernetes distribution other than Google Kubernetes Engine (GKE) on Google Cloud, for example, GKE on AWS.

Before you begin

Before you start, make sure you have performed the following tasks:

Installing Config Connector

To install Config Connector on another Kubernetes environment, after you've created or identified a Kubernetes cluster, create an Identity and Access Management (IAM) service account, and then install the Config Connector components on your cluster.

Creating a ClusterRoleBinding

Config Connector needs permission to create Kubernetes roles before it can create resources.

Verify that you can create roles by running the following command:

    kubectl auth can-i create roles

If the output is yes, continue to the Creating an identity section.

If the output is no, create a ClusterRoleBinding in your cluster, which lets you create roles:

    kubectl create clusterrolebinding cluster-admin-binding \
        --clusterrole cluster-admin \
        --user ACCOUNT_EMAIL

Replace ACCOUNT_EMAIL with the email address you use to log in to your Cloud Billing account. Note that this binding grants that account the cluster-admin role, which is unrestricted within the cluster; bind it only to the account that performs the installation.

The output should contain the phrase cluster-admin-binding created. If that phrase does not appear, contact your Cloud Billing account administrator or your GKE cluster administrator about permissions.

Creating an identity

Config Connector needs a Google Cloud identity to call Google Cloud APIs on your behalf. To set up the identity, you create an IAM service account and a service account key. After that, you import the key's credentials as a Secret in each cluster that runs Config Connector.

In the next set of instructions, you import a Google Cloud service account key into the Kubernetes cluster. Importing service account credentials directly into a cluster is generally considered insecure, especially if you run third-party or custom workloads in the same cluster: any workload that can read Secrets in the cnrm-system namespace, or that exploits a node-to-cluster privilege escalation, can impersonate the Google Cloud service account by using this Secret. If you're using a GKE cluster, we recommend using Workload Identity Federation for GKE instead.

To create a service account, complete the following steps:

  1. Create an IAM service account. If you have an existing service account, you can use it instead of creating a new service account.

    Use the gcloud CLI to create the service account by running the following command:

        gcloud iam service-accounts create SERVICE_ACCOUNT_NAME

    Replace SERVICE_ACCOUNT_NAME with your service account's name.

    To learn more about creating service accounts, see Creating and managing service accounts.

  2. Give the IAM service account elevated permissions on your project:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/owner"

    Replace the following:

    • PROJECT_ID with your Google Cloud project ID.
    • SERVICE_ACCOUNT_NAME with your service account's name.

    roles/owner grants full control over every resource in the project. If you already know which resource types Config Connector will manage, grant only the roles those types require instead.

  3. Create a service account key and export its credentials to a file named key.json:

        gcloud iam service-accounts keys create --iam-account \
            SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com key.json

    Replace the following:

    • SERVICE_ACCOUNT_NAME with your service account's name.
    • PROJECT_ID with your Google Cloud project ID.

    The key is a long-lived credential. Keep key.json readable only by your user (for example, chmod 600 key.json) and delete it as soon as you have imported it into the cluster.

Applying the credentials to your cluster

To apply the credentials to the cluster where you want to run Config Connector, complete the following steps:

  1. Create the cnrm-system namespace:

        kubectl create namespace cnrm-system

  2. Import the key's credentials as a Secret:

        kubectl create secret generic SECRET_NAME \
            --from-file key.json \
            --namespace cnrm-system

    Replace SECRET_NAME with the name you want to give your Secret. Because the file is passed with --from-file, kubectl stores it under the data key key.json.

  3. Remove the credentials from your system:

        rm key.json
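The following added example (not Config Connector's own code) checks a downloaded key.json before it is imported and renders the same Secret that the kubectl create secret command above produces, so the manifest can be reviewed or stored in an encrypted manifest store instead of being created imperatively. The sample key is constructed; its private_key is a placeholder, not real key material, and the expected service account email is an assumed value.

```python
"""Validate a service account key file and render it as the cnrm-system Secret."""
import base64
import json
from typing import Dict

EXPECTED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def validate_sa_key(key_text: str, expected_email: str) -> Dict:
    """Parse key.json and confirm it belongs to the service account we intend to use.

    Returns the parsed key; raises ValueError describing the first problem found.
    """
    key = json.loads(key_text)
    missing = [f for f in EXPECTED_KEY_FIELDS if f not in key]
    if missing:
        raise ValueError(f"key.json is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"key.json type is {key['type']!r}, expected 'service_account'")
    if key["client_email"] != expected_email:
        # Guards against importing a key for the wrong project or service account.
        raise ValueError(f"key is for {key['client_email']}, expected {expected_email}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key does not look like a PEM-encoded key")
    return key


def build_secret_manifest(key_text: str, secret_name: str, namespace: str = "cnrm-system") -> Dict:
    """Render the Secret that `kubectl create secret generic --from-file key.json` creates.

    The data key is 'key.json', matching the file name given to --from-file on the page.
    """
    encoded = base64.b64encode(key_text.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name, "namespace": namespace},
        "type": "Opaque",
        "data": {"key.json": encoded},
    }


def decode_secret_data(manifest: Dict, data_key: str = "key.json") -> str:
    """Reverse the base64 encoding, for round-trip checks of a rendered manifest."""
    return base64.b64decode(manifest["data"][data_key]).decode()


# Constructed sample key: placeholder values, not a real credential.
SAMPLE_EMAIL = "cnrm-system@example-project.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SAMPLE_EMAIL,
})

if __name__ == "__main__":
    validate_sa_key(SAMPLE_KEY, SAMPLE_EMAIL)
    print(json.dumps(build_secret_manifest(SAMPLE_KEY, "gcp-key"), indent=2))
```

To use it against a real key, read key.json from disk, pass the service account email you created in the previous section, and pipe the printed manifest to kubectl apply -f -; remember that the rendered manifest contains the key and must be deleted or encrypted just like key.json.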
    

Installing Config Connector Operator

Complete the following steps to install the Config Connector Operator:

  1. Download the latest Config Connector Operator tar file:

        gcloud storage cp gs://configconnector-operator/latest/release-bundle.tar.gz release-bundle.tar.gz

    The latest path resolves to whichever bundle is newest at download time; record the version you extract so that later installs are reproducible.

  2. Extract the tar file:

        tar zxvf release-bundle.tar.gz

  3. Install the Config Connector Operator on your cluster:

        kubectl apply -f operator-system/configconnector-operator.yaml
    

Configuring Config Connector

To configure Config Connector using the operator, you create a configuration file for the ConfigConnector CustomResource, then apply it using the kubectl apply command.

To configure Config Connector using the operator:

  1. Copy the following YAML into a file named configconnector.yaml:

        apiVersion: core.cnrm.cloud.google.com/v1beta1
        kind: ConfigConnector
        metadata:
          # the name is restricted to ensure that there is only one ConfigConnector
          # instance installed in your cluster
          name: configconnector.core.cnrm.cloud.google.com
        spec:
          mode: cluster
          credentialSecretName: SECRET_NAME
          stateIntoSpec: Absent

    Replace SECRET_NAME with the name of the Secret that you created earlier.

  2. Apply the configuration to your cluster with kubectl apply:

        kubectl apply -f configconnector.yaml
    

Specifying where to create your resources

Config Connector can organize resources by project, folder, or organization, which is the same way you would organize resources with Google Cloud.

Before creating resources with Config Connector, you must configure where to create your resources. To determine where to create a resource, Config Connector uses an annotation on either the resource configuration or an existing Namespace. For more information, see Organizing resources.

If you do not have a Namespace for this purpose, create one with kubectl:

    kubectl create namespace NAMESPACE

Replace NAMESPACE with your namespace name, for example config-connector.

Choose one of the following, depending on where you want Config Connector to create resources.

Project

To create resources in a certain project, run the following command:

    kubectl annotate namespace \
        NAMESPACE \
        cnrm.cloud.google.com/project-id=PROJECT_ID

Replace the following:

  • NAMESPACE with your namespace name.
  • PROJECT_ID with your Google Cloud project ID.

Folder

To create resources in a certain folder, run the following command:

    kubectl annotate namespace \
        NAMESPACE \
        cnrm.cloud.google.com/folder-id=FOLDER_ID

Replace the following:

  • NAMESPACE with your namespace name.
  • FOLDER_ID with your Google Cloud folder ID.

Organization

To create resources in a certain organization, run the following command:

    kubectl annotate namespace \
        NAMESPACE \
        cnrm.cloud.google.com/organization-id=ORGANIZATION_ID

Replace the following:

  • NAMESPACE with your namespace name.
  • ORGANIZATION_ID with your Google Cloud organization ID.

When you annotate your namespace, Config Connector creates resources in the corresponding project, folder, or organization. To learn more about how Config Connector uses Kubernetes namespaces, see Kubernetes Namespaces and Google Cloud projects.
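The following added example (not Config Connector's own code) models the rule above: the parent of a resource is taken from a project-id, folder-id, or organization-id annotation on the resource itself or on its Namespace. Two things are assumptions beyond this page and are flagged as such in the code: a resource-level annotation takes precedence over the Namespace annotation, and a Namespace or resource carrying more than one scope annotation is rejected as ambiguous rather than resolved silently. A missing annotation is reported as an error. The manifests are constructed samples.

```python
"""Resolve the Google Cloud parent (project, folder, or organization) for a resource."""
from typing import Dict, Optional, Tuple

SCOPE_ANNOTATIONS = {
    "cnrm.cloud.google.com/project-id": "project",
    "cnrm.cloud.google.com/folder-id": "folder",
    "cnrm.cloud.google.com/organization-id": "organization",
}


def scope_from_annotations(annotations: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (scope, id) for the single scope annotation present, or None if there is none.

    Assumption (not stated on the page): several scope annotations on one object are an
    error, because the intended parent would be ambiguous.
    """
    found = [(scope, annotations[key]) for key, scope in SCOPE_ANNOTATIONS.items() if key in annotations]
    if len(found) > 1:
        raise ValueError(f"conflicting scope annotations: {found}")
    return found[0] if found else None


def resolve_target(resource: Dict, namespace: Dict) -> Tuple[str, str]:
    """Decide the parent for `resource`: its own annotation first, then its Namespace's.

    Assumption (not stated on the page): the resource-level annotation wins when both exist.
    """
    ns_name = resource["metadata"]["namespace"]
    if namespace["metadata"]["name"] != ns_name:
        raise ValueError(f"resource lives in {ns_name!r} but Namespace manifest is {namespace['metadata']['name']!r}")
    target = scope_from_annotations(resource["metadata"].get("annotations", {}))
    if target is None:
        target = scope_from_annotations(namespace["metadata"].get("annotations", {}))
    if target is None:
        raise ValueError(f"no project-id, folder-id, or organization-id annotation on {ns_name!r} or on the resource")
    return target


# Constructed sample manifests (names and IDs are placeholders).
NS_PROJECT = {"apiVersion": "v1", "kind": "Namespace",
              "metadata": {"name": "config-connector",
                           "annotations": {"cnrm.cloud.google.com/project-id": "example-project"}}}
NS_CONFLICT = {"apiVersion": "v1", "kind": "Namespace",
               "metadata": {"name": "config-connector",
                            "annotations": {"cnrm.cloud.google.com/project-id": "example-project",
                                            "cnrm.cloud.google.com/folder-id": "123456789012"}}}
TOPIC = {"apiVersion": "pubsub.cnrm.cloud.google.com/v1beta1", "kind": "PubSubTopic",
         "metadata": {"name": "audit-events", "namespace": "config-connector"}}
FOLDER_OVERRIDE = {"apiVersion": "resourcemanager.cnrm.cloud.google.com/v1beta1", "kind": "Project",
                   "metadata": {"name": "child-project", "namespace": "config-connector",
                                "annotations": {"cnrm.cloud.google.com/folder-id": "123456789012"}}}

if __name__ == "__main__":
    print(resolve_target(TOPIC, NS_PROJECT))
    print(resolve_target(FOLDER_OVERRIDE, NS_PROJECT))
```

Running this over the manifests in a Git repository before kubectl apply catches the two mistakes that are otherwise only visible after the controller has tried to reconcile the resource: a Namespace with no scope annotation, and one annotated for two different parents.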

Verifying your installation

Config Connector runs all of its components in a namespace named cnrm-system . You can verify the Pods are ready by running the following command:

    kubectl wait -n cnrm-system \
        --for=condition=Ready pod --all

If Config Connector is installed correctly, the output is similar to the following:

pod/cnrm-controller-manager-0 condition met
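The following added example (not Config Connector's own code) applies the same test as the kubectl wait command above, the Ready condition of every Pod in cnrm-system, but reports each Pod that fails it together with the reason instead of blocking until the timeout. The PodList is a constructed sample trimmed to the fields the check reads; the Pod names other than cnrm-controller-manager-0 are placeholders, not a claim about which Pods the operator deploys.

```python
"""Report Config Connector Pods that are not Ready, from `kubectl get pods -o json` output."""
import json
import subprocess
from typing import Dict, List, Tuple


def not_ready_pods(pod_list: Dict) -> List[Tuple[str, str]]:
    """Return (pod name, reason) for each Pod whose Ready condition is not True.

    A Pod with no Ready condition at all (for example, still Pending) is reported too,
    since kubectl wait would also keep waiting on it.
    """
    failures = []
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        conditions = {c["type"]: c for c in pod.get("status", {}).get("conditions", [])}
        ready = conditions.get("Ready")
        if ready is None:
            failures.append((name, "no Ready condition reported yet"))
        elif ready.get("status") != "True":
            failures.append((name, ready.get("reason") or ready.get("message") or "not Ready"))
    return failures


def check_cluster(namespace: str = "cnrm-system") -> List[Tuple[str, str]]:
    """Run the check against a live cluster; needs kubectl and cluster credentials."""
    out = subprocess.run(
        ["kubectl", "get", "pods", "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return not_ready_pods(json.loads(out))


# Constructed sample PodList: one Ready Pod, one with a failing Ready condition,
# and one still Pending with no conditions yet.
SAMPLE_POD_LIST = json.loads("""
{ "items": [
  {"metadata": {"name": "cnrm-controller-manager-0"},
   "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
  {"metadata": {"name": "example-webhook-7d9c6b4f5-x2k9q"},
   "status": {"conditions": [{"type": "Ready", "status": "False",
                              "reason": "ContainersNotReady",
                              "message": "containers with unready status: [webhook]"}]}},
  {"metadata": {"name": "example-pending-0"}, "status": {"phase": "Pending"}}
]}
""")

if __name__ == "__main__":
    for name, reason in not_ready_pods(SAMPLE_POD_LIST):
        print(f"{name}: {reason}")
```

An empty list from check_cluster() corresponds to the "condition met" output of kubectl wait; a non-empty list tells you which Pod to inspect with kubectl describe.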

Upgrading Config Connector

To upgrade Config Connector, download and install the latest version of the Config Connector operator:

    gcloud storage cp gs://configconnector-operator/latest/release-bundle.tar.gz release-bundle.tar.gz
    tar zxvf release-bundle.tar.gz
    kubectl apply -f operator-system/configconnector-operator.yaml

Uninstalling Config Connector

Use kubectl delete to remove the Config Connector CRDs along with controller components:

    kubectl delete ConfigConnector configconnector.core.cnrm.cloud.google.com \
        --wait=true

To uninstall the Config Connector operator, run the following command:

    kubectl delete -f operator-system/configconnector-operator.yaml --wait=true
 

What's next
