Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Last Updated: Mar 27, 2024

Anthos Config Management

Leveraging ChatGPT - GenAI as a Microsoft Data Expert
Prerita Agarwal
Data Specialist @
23 Jul, 2024 @ 01:30 PM


Anthos Config Management is a service for policy and configuration management that combines these components; Config Sync, Policy Controller, and Config Controller. Together, these three components make it possible for Anthos Config Management to continuously configure and protect your Kubernetes and Google Cloud resources as shown in the following diagram:

Workflow for Anthos Config Management

Benefits of using Anthos Config Management

  • Simplify management: Without having to start from scratch, Anthos Config Management enables you to develop and deploy settings and rules across environments.
  • Consistent configurations and policy administration: Anthos Config Management is an auditable and version-controlled system that controls the cluster configuration within your company.
  • Scalable across environments: Anthos Config Management centralises configuration and governance across environments, resulting in an automated, dependable, and scalable approach to managing sophisticated modern systems in production.
  • Secure and legal: Platform administrators may lessen security concerns with Anthos Config Management. You can create a completely unique set of regulations and make sure that they are consistently applied in different situations. In addition, Anthos Config Management constantly checks environments to make sure the required configuration is in place and that no governance controls are being violated.
  • Open source technologies: Anthos Config Management is based on Kubernetes and Cloud Native open source tools and projects. 
Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

How to configure a cluster with Anthos Config Management

We need to follow the following broad steps:

Prepare your environment

Given below, you will create and configure a cluster that you can use with Policy Controller and Config Sync. Although in a real-world scenario you would likely be managing multiple clusters, to simplify this tutorial you will only create and manage one cluster.

  1. Create a cluster
  2. Give yourself admin permissions
  3. Enable Anthos Config Management
  4. Register your cluster

Configure your cluster

To configure Policy Controller and Config Sync on the Google Cloud console, complete the following steps:

  1. Select acm-cluster and then click Next in the table titled "Select registered clusters for Configuration Management."
  2. Keep the Enable Policy Controller checkbox selected and click Next on the Policy Controller page that displays.
  3. Keep the Enable Config Sync checkbox selected on the resulting Config Sync page.
  4. Choose Custom from the Repository drop-down list.
  5. In the URL field that appears, add: This is a sample repository created by Google.
  6. Choose Show Advanced Settings.
  7. In the Authentication Type drop-down list, choose None.
  8. In the Branch field, select main.
  9. Leave the Tag / Commit field with its default value of HEAD.
  10. In the Configuration directory field, add /quickstart/config-sync. This directory contains the example constraints and configs that you use in the following sections.
  11. Leave the Source formatSync waitGit proxy, and Config Management version fields with their default values.
  12. Select Complete and you are taken back to the Config Management page.

Test Anthos Config Management capabilities

The following sections show you how to confirm that the configs and constraints are being applied to your cluster.

Verify that a config is syncing

A config is a Kubernetes configuration declaration that is kept in your Git repository and is written in YAML or JSON. Config Sync keeps applying these configurations to your clusters after you have done configuring them.

The following namespace configuration may be found in the quickstart repository:

apiVersion: v1
kind: Namespace
name: hello

The next section will teach you how to check that this configuration has been synced to your cluster. This configuration gives the hello namespace to all clusters that are synchronized to the repository.

Try to violate a constraint

Using Policy Controller restrictions, you can make sure your clusters follow your policies. You can utilise the constraint template library provided by the Policy Controller to assist in the creation of your constraints.

kind: K8sNoExternalServices
  name: no-internet-services
    internalCIDRs: []

This constraint prohibits the creation of an external Service and Config Sync is syncing this constraint from the repository to your cluster.

Setting up Config Controller 

We will now learn how to set up Config Controller. Config Controller is a hosted service that offers an API endpoint that can provision, actuate, and orchestrate Google Cloud resources as part of Anthos Config Management.

  1. Set up Config Controller
  2. Config Controller is automatically upgraded by Google because it is a managed service.
  3. Utilize Config Controller to manage Google Cloud resources: Using Kubernetes tooling and APIs, you may use Config Connector after installing Config Controller to manage a variety of Google Cloud services and resources.
  4. Set up GitOps: Config Sync allows you to sync configurations from your Git repository to your Config Controller.
  5. Check for success
  6. Delete your Config Controller: You should clean away all resources created if you decide to discontinue using Config Controller. Before uninstalling the Config Controller itself, you need first remove all of its resources.
  7. Production considerations: When going to production, you should first review the high availability considerations for Config Controller.

Installing Config Sync

Using files called configs that are kept in one or more Git repositories, you can use Config Sync to manage Kubernetes resources. You can enable Config Sync and set it up on this page to sync from your root repository. If you utilise Anthos or Google Kubernetes Engine, configuration sync is supported (GKE).

Prepare Config Sync

You authorise Config Sync access to your repository in the sections that follow. You configure the installation for your root repository once access has been granted.

Grant access to Git

To read the configurations committed to the repository and apply them to your clusters, Config Sync requires read-only access to your Git repository.

Configure Config Sync

You set up your root repository's settings in this part. The installation procedure is walked you through by the Google Cloud console, which also automates a lot of the steps. To finish the installation, you can alternatively employ the Google Cloud CLI.

Verify the installation

You may confirm that the installation of Config Sync was successful once you have installed and configured it.

Upgrade Config Sync

Every time you upgrade Anthos Config Management, Config Sync is upgraded as well.

Resource requests

Summary of total resource requests

The following tables list the combined amount of resource requests for each supported version of Config Sync, depending on what features you are using.

Feature, CPU and memory utilisation- table

Config Controller 

A hosted service called Config Controller is used to provision and coordinate resources on Google Cloud and Anthos. As part of Anthos Config Management, it provides an API endpoint that may provision, activate, and orchestrate Google Cloud resources.

Config Controller makes use of Config Connector, which uses the appropriate Google Cloud API calls to map resources utilising the Kubernetes Resource Model (KRM) to their Google Cloud counterparts. Config Sync, which connects to a Git repository and makes configuration changes as simple as git push, is also included. The Policy Controller component, which allows you to create unique policies to enforce the security and compliance of your resource setups, is the last one included.

You can see how Config Controller works in the following diagram:

Config Controller workflow

Config Controller lets you operate and define with a simple configuration in Kubernetes style. This configuration approach has a number of benefits:

  • Simplify management: Leverage the tools and workflows for Kubernetes to manage Anthos and Google Cloud resources.
  • Declare desired state: Focus on what your resources look like rather than the specifics of how they are created.
  • Automatically detect and repair drift: Continuously monitor your infrastructure for drift from the desired state and enable automatic repairs.
  • Consistency with GitOps: Collaborate with your colleagues on potential changes and preview modifications before they are made.
  • Enforce policy guardrails: Enforce policies earlier in the development cycle and detect violations before they are deployed.
  • Audit continuously: Maintain an audit trail of all changes which can be used to understand the provenance of infrastructure.
  • Codifying best practices: Codify common patterns as blueprints that can be rolled out across your organization.
  • Increase velocity: Improve the safety and velocity of your cloud adoption journey by reusing existing best practices.

Config Sync 

Cluster operators and platform managers can install uniform configurations and policies using the open source application Config Sync. These configurations and policies can be applied to specific Kubernetes clusters, a number of clusters that can span numerous clouds and hybrid environments, and many namespaces within a cluster. At scale, this method streamlines and automates configuration and policy management. Additionally, Config Sync permits independent namespace management by development teams within clusters while still subject to administratively-imposed policy constraints.

In the following diagram, a platform administrator creates consistent configurations for three different clusters by applying configs to the clusters and namespaces within the cluster:

Configs and cluster workflow

Policy Controller 

Your clusters may impose completely programmable policies thanks to Policy Controller. These guidelines serve as "guardrails," preventing any alterations to the Kubernetes API's configuration from going against security, operational, or compliance rules.

You can configure policies to verify your clusters' setup and report violations, or you can simply set them to actively block non-compliant API requests. Based on the open source Open Policy Agent Gatekeeper project, Policy Controller includes a comprehensive library of pre-built policies for standard security and compliance measures.

You can optionally utilize Policy Controller to examine settings for compliance before deployment in addition to actively managing your Kubernetes cluster. This facilitates the process of making configuration changes and guarantees that any non-compliant modifications are discovered early, preventing the possibility of them being rejected during application.


A blueprint is a package of deployable, reusable configuration and policy that implements and documents a specific opinionated solution. Blueprints enable developers to design infrastructure, platforms, and application services by composing and connecting cloud resources with declarative configuration. They codify knowledge and expertise for rapidly deploying new systems and environments.

Also read, kubernetes interview questions

Frequently Asked Questions

What are Google Cloud Labs?

The Google Cloud Self-Paced Labs are interactive labs that take place online. These laboratories include a series of guidelines that lead through a real-world, scenario-based use case in real-time.

What is the use of Qwiklabs?

To provide you the opportunity to work on several cloud platforms and gain practical experience, Qwiklabs offers temporary credentials to both Google Cloud Platform and Amazon Web Services.

What is container migration?

The process of moving an application between the different physical machines or clouds without disconnecting the client is known as live container migration.

What is migrate for Anthos?

In Google Kubernetes Engine (GKE) or Anthos, Migrate to Containers is used to convert VM-based workloads into containers.

What does a hybrid cloud mean?

A hybrid cloud combines on-premises, private cloud, and public cloud. It simultaneously makes use of all three resources to support a single application. Hybrid Cloud is one of the deployment methods included in multi-cloud.


In this article, we have extensively discussed the details of Anthos Config Management along with the details of config controller and config sync, Advantages of using anthos config, policy controller, blueprints, and anthos, setting up config controller, and installing config sync.

We hope that this blog has helped you enhance your knowledge regarding Migrate to Containers, and if you would like to learn more, check out our articles on Google Cloud Certification. You can refer to our guided paths on the Coding Ninjas Studio platform to learn more about DSADBMSCompetitive ProgrammingPythonJavaJavaScript, etc. To practice and improve yourself in the interview, you can also check out Top 100 SQL problemsInterview experienceCoding interview questions, and the Ultimate guide path for interviews. Do upvote our blog to help other ninjas grow. Happy Coding!!

Thank you image

Grammarly Report: Report

Topics covered
Benefits of using Anthos Config Management
How to configure a cluster with Anthos Config Management
Prepare your environment
Configure your cluster
Test Anthos Config Management capabilities
Setting up Config Controller 
Installing Config Sync
Prepare Config Sync
Grant access to Git
Configure Config Sync
Verify the installation
Upgrade Config Sync
Resource requests
Summary of total resource requests
Config Controller 
Config Sync 
Policy Controller 
Frequently Asked Questions
What are Google Cloud Labs?
What is the use of Qwiklabs?
What is container migration?
What is migrate for Anthos?
What does a hybrid cloud mean?