Upgraded the Open Telemetry image from v0.127.0 to v0.133.0 to pick up vulnerability fixes. This change promotes the pkg.translator.prometheus.NormalizeName feature gate to stable.
To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
Upgraded bundled Helm version from v3.18.6 to v3.20.0 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
]]>Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
]]>Upgraded the Open Telemetry image from v0.119.0 to v0.127.0. This version removes the deprecated OpenCensus receiver. This change impacts only custom metric solutions that use the OpenCensus receiver. To understand the changes in each release, review the change logs
Resolved an issue where metrics for deleted ResourceGroups continued to show outdated values.
Upgraded bundled Helm version from v3.15.3 to 3.18.6 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
]]>You can now control the scheduling of Config Sync pods using the Kubernetes-native resource MutatingAdmissionPolicy. For more information, see Customize node placement of Config Sync system pods to get started.
Config Sync's internal observability library has been updated from OpenCensus to OpenTelemetry, improving performance and aligning with industry standards with no breaking changes to metrics or functionality.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
Config Sync now supports the client.lifecycle.config.k8s.io/mutation: ignore annotation for compatibility with other controllers. This enhancement provides more consistent behavior and correctly reports the resource status.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
]]>Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
Upgraded the Open Telemetry image from v0.118.0 to v0.119.0 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.
]]>Config Sync is now available as part of the standard GKE offering and no longer requires GKE Enterprise. For more details on the removal of GKE Enterprise, see the GKE release notes.
]]>Config Sync now supports syncing from Secure Source Manager git repositories. For more information, see Grant access to Git.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
Announcing experimental features: help shape the future of Config Sync features by providing direct feedback.
Fixed a regression introduced in 1.21.0 that occasionally caused Config Sync to become stuck when applying mutation ignored objects.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
Fixed an issue where Config Sync waited longer than intended between retry attempts after failing to sync from Helm and OCI sources.
Updated the git-sync image from v4.3.0 to v4.4.2, which fixes an issue that could cause the git-sync container to crash loop. For more information see git-sync releases.
]]>Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
Fixed an issue which prevented a resource conflict metric from being recorded in rare cases.
Fixed an issue with the nomos CLI which prevented setting up autocomplete by using the nomos completion command. For more information see Use the nomos command-line tool.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
]]>Installing Policy Controller through the ConfigManagement API is no longer supported. For instructions installing Policy Controller, see Installing Policy Controller. For instructions migrating existing Policy Controller instances, see Migrate from the ConfigManagement API to the PolicyController API. This note was added on May 16, 2025.
Fixed an issue impacting the Ignore object mutations feature. The client.lifecycle.config.k8s.io/mutation: ignore annotation was not always effective, causing Config Sync to potentially overwrite changes made directly to annotated resources in the cluster. Config Sync now correctly ignores mutations on these resources.
The nomos vet command now supports a --threshold flag to proactively validate the number of objects in your Config Sync repository. You can use this flag in validation pipelines to prevent sync failures caused by exceeding the underlying etcd size limits when your repository contains a large number of objects. For more information, see Enforce the maximum number of objects to sync.
The Config Sync auto-upgrades feature is now unavailable. You can no longer configure auto-upgrade settings and must manually upgrade the Config Sync version. If you currently use auto-upgrades, you must first disable auto-upgrades before you can manually update Config Sync.
Upgraded the Open Telemetry Collector image from v0.103.0 to v0.118.0. This upgrade includes a breaking change where the default OTLP component endpoint is now localhost instead of 0.0.0.0. You will be impacted only if you use a customized configuration for the built-in Otel Collector within Config Sync, and you can explicitly specify 0.0.0.0 for endpoints to ensure that your monitoring solution continues to function correctly. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.
Fixed an issue where drift prevention incorrectly blocked modifications of abandoned resources.
Fixed an issue preventing ResourceGroup objects from being garbage collected when their corresponding RootSync or RepoSync objects were deleted.
Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
Deleting a RootSync or RepoSync now removes its management metadata from all managed objects. This allows objects to be adopted by their new managers, simplifying the procedure for splitting a large configuration repository across multiple RootSync or RepoSync objects. For more information, see Break up a repository into multiple repositories.
Fixed several issues to improve ResourceGroup status reporting and reliability.
]]>Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
]]>Fixed an issue where ConfigManagement uninstall could get stuck when Policy Controller was enabled via ConfigManagement. This was caused by Policy Controller finalizers not being properly removed during the uninstallation process.
]]>Fixed an issue that was causing Container Registry and Artifact Registry authentication tokens to expire before being refreshed. For more information, see known issue Unable to generate access token for OCI source.
Fixed an issue that incorrectly reported managed resources as "Not Found" when an API Service backend became unhealthy. For more information, see known issue API discovery errors can cause managed objects to incorrectly be marked as "Not Found".
Improved the manual installation process for Config Sync. When you install Config Sync manually using kubectl (not recommended), Config Sync is now deployed directly without relying on the Config Management Operator. This change results in simplified architecture and reduced resource use on your cluster. If you manually installed Config Sync using kubectl, follow the guide to uninstall the Config Management Operator before you upgrade.
Hierarchy Controller is no longer available to install. If Hierarchy Controller is still configured, Config Sync upgrades are blocked. To upgrade Config Sync, disable Hierarchy Controller. This release note was updated on May 9, 2025. The previous note suggested Hierarchical Namespace Controller (HNC) as a migration option, but HNC is now archived.
When you use Config Sync to manage configurations that are stored in OCI repositories (such as Artifact Registry), you can now enhance your security posture with custom signature verification. Config Sync integrates with your existing signature verification server deployed as a Kubernetes admission webhook, which helps ensure only trusted OCI images are used in your deployments. See the Sync OCI artifacts guide for setup instructions.
Introduced a new field for stopping and resuming syncing. This field is available on clusters with Config Sync auto-upgrades or with Config Sync version 1.20.0. The new field makes it easier to pause syncing by setting the spec.configSync.stopSyncing field to true.
Fixed an issue that could cause sync delays due to retry backoff problems. This fix helps ensure more timely and consistent updates to your clusters.
Upgraded the git-sync dependency from v4.2.4 to v4.3.0 to pick up a fix for lingering Git lock files and other vulnerability fixes.
To optimize resource use, Config Sync installations managed through Fleet no longer include the ConfigManagement Operator or the ConfigManagement CRD. These components are automatically removed when you upgrade to version 1.20.0 or later. This change reduces Config Sync's resource consumption in your cluster. See Config Sync architecture for details.
Fixed a bug that prevented the applyset.kubernetes.io/part-of label from being correctly removed from managed objects when they were no longer managed by Config Sync. This fix improves the accuracy of label information.
Improved the security of the git-sync container by upgrading the base image to address known vulnerabilities.
Config Sync now supports GitHub App authentication for GitHub repositories. See Grant access to Git for more information. This release note was added on October 4, 2024.
You can now configure Config Sync fleet defaults with gcloud commands starting in gcloud version 494.0.0. See the Config Sync gcloud documentation for reference.
Upgraded the git-sync dependency from v4.2.3 to v4.2.4.
The spec.git and spec.enableLegacyFields fields of the ConfigManagement object have been removed. The spec.enableMultiRepo field is now set to true by default, automatically enabling the RootSync API. RootSync provides the same core functionality, along with additional features.
If you currently configure Git settings within a ConfigManagement object, to avoid disruptions, before upgrading you must migrate this configuration to a RootSync object.
Terraform version 5.41.0 introduced a new field to the google_gke_hub_feature_membership: config_sync.enabled. Because the default value of this field is false, it causes Config Sync installations to fail when Terraform is upgraded to version 5.41.0. For more information, including workarounds, see the known issue entry. This issue affects all supported Config Sync versions. This note was added on September 11, 2024.
Hierarchy Controller will not be available after December, 2024. After December, 2024, you can't install Hierarchy Controller and Config Sync will be blocked from upgrades if Hierarchy Controller is configured as a configmanagement fleet feature or through the ConfigManagement API. To continue using similar functionality, migrate from Hierarchy Controller to Hierarchical Namespace Controller.
This note was added on September 6, 2024 and edited on September 9, 2024 for clarification.
Optimized Config Sync resource usage by implementing watch filtering with ApplySet ("applyset.kubernetes.io/" labels and annotations). This reduces reconciler Deployment memory consumption by limiting events and cached objects to those relevant to the managed package. For more information on the resource usage optimization, see Config Sync Watch Filtering v1.18 vs v1.19.
Upgraded the Open Telemetry image from 0.102.0 to 0.103.0 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.
Config Sync now enables loading files from directories beyond the Kustomize root during rendering. For more information, refer to Configure Kubernetes with Kustomize.
Fixed some inaccuracies in status updates and metrics reports.
Upgraded bundled Helm version from v3.14.4 to v3.15.3 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
Improved support for private registries. If you've configured a private registry for your cluster, Config Sync now automatically detects and updates the image references within its reconciler Deployments to point to the corresponding images in your private registry.
]]>Fixed a regression in 1.17.3 causing SSH authentication failures with GitHub. This was resolved by upgrading the git-sync dependency from v4.2.1 to v4.2.3. For more details, please refer to Fixed: Git SSH Authentication Failure with GitHub.
Fixed a regression introduced in 1.17.0 that caused Config Sync to crash when connecting to certain Kubernetes clusters. GKE clusters were not affected by this issue. For more details, please refer to Fixed: Config Sync reconciler is crashlooping.
Improved error handling in the oci-sync container by adding exponential backoff.
Upgraded bundled Kustomize version from v5.3.0 to v5.4.2 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
]]>Resolved an issue that prevented the declared_resources metric from decrementing when an object became unmanaged by Config Sync.
Upgraded the Open Telemetry image from v0.99.0 to v0.102.0 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.
Reverted an undocumented change to a metric name. The Cloud Monitoring metric current_declared_resources (introduced in version 1.16.1) has been renamed to its original name, declared_resources. For reference see Monitor Config Sync with Cloud Monitoring.
Upgraded the Open Telemetry image from v0.91.0-gke.9 to v0.99.0-gke.1 to pick up vulnerability fixes. To understand the changes in each release, review the full changelog for opentelemetry-collector-contrib.
Fixed an issue where Config Sync installation would fail when using a private registry with a specified port in the image URL.
Upgraded bundled Helm version from v3.14.3 to v3.14.4 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
]]>Manually installing Policy Controller through the ConfigManagement object is no longer supported. Instead, use Policy Controller Google Cloud CLI commands to install and configure Policy Controller. This note was added on July 2, 2024.
Dynamic namespace selection using the spec.mode field in the NamespaceSelector CRD is now generally available (GA). This feature supports deploying namespace-scoped resources in matching Namespaces statically-declared in the source of truth and dynamically present on the cluster. For more information, refer to NamespaceSelector mode.
Reduced memory footprint in reconcilers by not loading the OpenAPI when the Config Sync admission webhook is disabled.
When syncing from Helm, Config Sync now retries faster on errors with exponential backoff.
Mitigated an issue periodically occurring that could cause an error when the authentication token expires for Cloud Source Repositories, prompted by a race condition between the gcenode-askpass-sidecar container validating the credentials and the git-sync container trying to use those credentials. This note was added on June 18, 2024.
Policy Controller now has its own release notes page. For future announcements, visit Policy Controller release notes.
On Autopilot clusters, the helm-sync container CPU request is changed from 150m to 250m, and memory request is changed from 256Mi to 384Mi. For information on resource requirements, see Resource requests.
Installing Policy Controller 1.18.0 or newer will fail unless you first enable the anthospolicycontroller.googleapis.com API. For more information on directly installing and managing Policy Controller, see Install Policy Controller.
Policy Controller bundles have been updated to the following versions: cis-gke-v1.5.0: 202403.0, nist-sp-800-190: 202403.0, nist-sp-800-53-r5: 202403.0, pci-dss-v3.2.1: 202403.0, pci-dss-v4.0: 202403.0, policy-essentials-v2022: 202403.0, pss-baseline-v2022: 202403.1, pss-restricted-v2022: 202403.1. For reference, see Policy Controller bundles overview.
Config Sync now supports specifying CA certificates for helm and OCI source types. This is surfaced on the caCertSecretRef field on the RootSync and RepoSync APIs. For more information, refer to RootSync and RepoSync fields.
Upgraded bundled Helm version from v3.13.3 to v3.14.3 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
]]>The constraint template library includes a new template: K8sPSSRunAsNonRoot. For reference, see the Constraint template library.
Fixed a regression introduced in 1.16.0 that limits the length of the Secret name referenced in the spec.git.secretRef.name field of the RootSync object.
Policy Controller bundles have been updated to the following versions: cis-gke-v1.4.0: 202402.0-preview, nist-sp-800-190: 202402.0, nist-sp-800-53-r5: 202402.0, pci-dss-v3.2.1: 202402.0, pss-baseline-v2022: 202402.0, pss-restricted-v2022: 202402.0. For reference, see Policy Controller bundles overview.
Fixed a regression introduced in 1.17.0 that caused Config Sync to sometimes fail to pull the latest commit from a Git branch by upgrading git-sync (Config Sync dependency for pulling from git) from v4.1.0 to v4.2.1.
]]>The constraint template library includes a new template: K8sCronJobAllowedRepos. For reference, see the Constraint template library.
The constraint template library includes a new template: K8sRestrictAdmissionController. For reference, see the Constraint template library.
Added the authentication type k8sserviceaccount for syncing from OCI images and Helm charts hosted in Artifact Registry. For more details, see Grant Config Sync read-only access to OCI and Grant Config Sync read-only access to Helm.
Fixed the unrecognized label error in the otel-collector configuration that caused kustomize metrics to be rejected.
Simplified the steps to export metrics to Cloud Monitoring. For more details, see Configure Cloud Monitoring with Workload Identity.
]]>Upgraded git-sync (Config Sync dependency for pulling from git) from v3.6.9 to v4.1.0 to pick up enhancements, such as improved efficiency and race condition fixes. This contains a breaking change that short commit SHA is no longer accepted in the spec.git.revision field of RootSync and RepoSync. If you want to sync from a Git commit, use a full commit SHA in the spec.git.revision field. For more details, please refer to Configuration for the Git repository. This release note was updated February 16, 2024 with a correction to the version number.
Fixed a performance issue where the config-management-operator was continuously updating the webhook definition, causing unnecessary churn in the apiserver and etcd.
Fixed a race condition that could cause deadlock when uninstalling Config Sync. This issue could sometimes occur if a RepoSync was managed by a RootSync with foreground deletion propagation enabled.
Upgraded bundled Helm version from v3.13.1 to v3.13.3 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
The constraint template library includes a new template: K8sDisallowInteractiveTTY. For reference, see the Constraint template library.
Fixed an issue that could cause RootSyncs and RepoSyncs to be reported as Current before they had been reconciled.
Fixed an issue where RepoSync Secrets were not garbage collected when switching between Secret refs or types.
Upgraded bundled Kustomize version from v5.1.1 to v5.3.0 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.
Fixed an issue where the log level could not be set for the otel-agent container.
Policy Controller bundles have been updated to the following versions: cis-k8s-v1.5.1: 202312.1, cost-reliability-v2023: 202312.0, nist-sp-800-190: 202312.1, nist-sp-800-53-r5: 202312.1, nsa-cisa-k8s-v1.2: 202312.1, pci-dss-v3.2.1: 202312.1, psp-v2022: 202312.0. For reference, see Policy Controller bundles overview.
Added validation to block declaration in the source of truth of the Config Sync controller namespaces, including resource-group-system and config-management-monitoring namespaces. For reference see KNV1034: IllegalNamespaceError. This note was updated on January 10, 2024
The constraint template library's K8sNoExternalServices template now supports the "networking.gke.io/load-balancer-type": "Internal" annotation. For reference, see Constraint template library.
The nomos command-line tool now requires the kubectl plugin gke-gcloud-auth-plugin to be installed to interact with GKE, and your KUBECONFIG must be configured to use it by calling gcloud container clusters get-credentials. Versions of the gcloud CLI older than 430.0.0 also require setting USE_GKE_GCLOUD_AUTH_PLUGIN=True. For reference, see Prerequisites for the nomos command-line tool.
The constraint template library includes a new template: K8sRequireAdmissionController. For reference, see the Constraint template library.
Added a new field spec.mode in the NamespaceSelector CRD as a preview feature to support selecting namespace-scoped resources matching both statically-declared Namespaces in the source of truth and those dynamically present on the cluster. For more details, please refer to Limit which namespaces a config affects.
Reduced Config Sync reconciler default CPU and memory requests on GKE Standard clusters. Increased Config Sync reconciler default CPU and memory requests to avoid throttling and reduce time to sync by up to 25%, and increased default limits on GKE Autopilot clusters to avoid out of memory errors for most workloads. For reference see Resource requests.
Added known_hosts support for Git connection over SSH in RootSync and RepoSync APIs. For more details on SSH key pair see Install Config Sync.
Policy Controller bundles have been updated to the following versions: asm-policy-v0.0.1: 202311.0, cis-k8s-v1.5.1: 202311.0, cost-reliability-v2023: 202311.0, nist-sp-800-190: 202311.0, nist-sp-800-53-r5: 202311.0, nsa-cisa-k8s-v1.2: 202311.0, pci-dss-v3.2.1: 202311.0, policy-essentials-v2022: 202311.0, psp-v2022: 202311.0, pss-baseline-v2022: 202311.0, pss-restricted-v2022: 202311.0. For reference, see Policy Controller bundles overview.
Upgraded git-sync (Config Sync dependency for pulling from git) from v3.6.9 to v4.0.0 to pick up enhancements, such as improved efficiency and race condition fixes. This contains a breaking change that short commit SHA is no longer accepted in the spec.git.revision field of RootSync and RepoSync. If you want to sync from a Git commit, use a full commit SHA in the spec.git.revision field. For more details, please refer to Configuration for the Git repository. This release note is incorrect; see entry for February 16, 2024.
Fixed an issue with the nomos CLI not authenticating correctly when run inside a Kubernetes Pod. Now, to authenticate to another cluster while inside a pod, you must explicitly set KUBECONFIG to point to the kubectl config, otherwise the downward API is used to authenticate with the local cluster.
Added a new field spec.override.namespaceStrategy in the RootSync API to control whether Namespaces should be created implicitly or not if Namespace configs are missing from the source of truth. For reference see RootSync and RepoSync fields.
Added a new field spec.override.roleRefs in the RootSync API to customize root reconciler permissions other than cluster-admin. For reference see RootSync and RepoSync fields.
Policy Controller bundles have been updated to the following versions: asm-policy-v0.0.1: 202310.0, cis-k8s-v1.5.1: 202310.0, cost-reliability-v2023: 202310.0-preview, nist-sp-800-190: 202310.0, nist-sp-800-53-r5: 202310.0, nsa-cisa-k8s-v1.2: 202310.0, pci-dss-v3.2.1: 202310.0, policy-essentials-v2022: 202310.0, psp-v2022: 202310.0, pss-baseline-v2022: 202310.0, pss-restricted-v2022: 202310.0. For reference, see Policy Controller bundles overview.
The constraint template library's K8sPSPAllowedUsers, K8sPSPAllowPrivilegeEscalationContainer, K8sPSPAutomountServiceAccountTokenPod, K8sPSPCapabilities, K8sPSPFlexVolumes, K8sPSPForbiddenSysctls, K8sPSPFSGroup, K8sPSPHostFilesystem, K8sPSPHostNamespace, K8sPSPHostNetworkingPorts, K8sPSPPrivilegedContainer, K8sPSPProcMount, K8sPSPReadOnlyRootFilesystem, K8sPSPSELinuxV2, K8sPSPVolumeTypes, and K8sRequiredProbes no longer raise violations during updates of existing objects for immutable fields.
Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: a1f01f4 ).
Updated the Open Telemetry image from 0.86.0 to 0.87.0 to address security vulnerabilities. For more information about these changes, see the full changelog for opentelemetry-collector-contrib.
]]>Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 3e66ee2).
Policy Controller bundles have been updated to the following versions: asm-policy-v0.0.1: 202309.0, cis-k8s-v1.5.1: 202309.0, cost-reliability-v2023: 202309.0, nist-sp-800-190: 202309.0, nist-sp-800-53-r5: 202309.0, nsa-cisa-k8s-v1.2: 202309.0, pci-dss-v3.2.1: 202309.0, policy-essentials-v2022: 202309.0, psp-v2022: 202309.0, pss-baseline-v2022: 202309.0, pss-restricted-v2022: 202309.0. For reference, see Policy Controller bundles overview.
Fixed a recurring transient error in the RootSync and RepoSync API. Transient errors are retried internally and surfaced to RootSync and RepoSync if failed eventually.
Updated the Open Telemetry image from 0.54.0 to 0.86.0 to address security vulnerabilities. otelcontribcol:v0.86.0 contains breaking changes. For more information about these changes, see the full changelog for opentelemetry-collector-contrib.
The constraint template library includes a new template: K8sPSPWindowsHostProcess. For reference, see the Constraint template library.
The constraint template library includes a new template: K8sAvoidUseOfSystemMastersGroup. For reference, see the Constraint template library.