Config Sync release notes

This page documents production updates to Config Sync. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecations. Previously, Config Sync and Policy Controller were released together. If you're looking for Policy Controller announcements after version 1.18.0, go to the Policy Controller release notes.


July 24, 2025

1.21.3
Fixed

Fixed an issue where Config Sync waited longer than intended between retry attempts after failing to sync from Helm and OCI sources.

May 01, 2025

1.21.0
Fixed

Fixed an issue impacting the Ignore object mutations feature. The client.lifecycle.config.k8s.io/mutation: ignore annotation was not always effective, causing Config Sync to potentially overwrite changes made directly to annotated resources in the cluster. Config Sync now correctly ignores mutations on these resources.

December 05, 2024

1.20.0
Fixed

Upgraded the git-sync dependency from v4.2.4 to v4.3.0 to pick up a fix for lingering Git lock files and other vulnerability fixes.

September 26, 2024

1.19.1
Announcement

You can now configure Config Sync fleet defaults with gcloud commands starting in gcloud version 494.0.0. See the Config Sync gcloud documentation for reference.

1.19.1
Feature

Config Sync now supports GitHub App authentication for GitHub repositories. See Grant access to Git for more information. This release note was added on October 4, 2024.

August 29, 2024

1.19.0
Breaking

The spec.git and spec.enableLegacyFields fields of the ConfigManagement object have been removed. The spec.enableMultiRepo field is now set to true by default, automatically enabling the RootSync API. RootSync provides the same core functionality, along with additional features.

If you currently configure Git settings within a ConfigManagement object, to avoid disruptions, before upgrading you must migrate this configuration to a RootSync object.

July 25, 2024

1.18.3
Change

Upgraded bundled Kustomize version from v5.3.0 to v5.4.2 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

May 02, 2024

1.18.0
Change

When syncing from Helm, Config Sync now retries faster on errors with exponential backoff.

1.18.0
Breaking

Installing Policy Controller 1.18.0 or newer will fail unless you first enable the anthospolicycontroller.googleapis.com API. For more information on directly installing and managing Policy Controller, see Install Policy Controller.

1.18.0
Announcement

Dynamic namespace selection using the spec.mode field in the NamespaceSelector CRD is now generally available (GA). This feature supports deploying namespace-scoped resources in matching Namespaces statically-declared in the source of truth and dynamically present on the cluster. For more information, refer to NamespaceSelector mode.

February 22, 2024

1.17.2
Feature

Simplified the steps to export metrics to Cloud Monitoring. For more details, see Configure Cloud Monitoring with Workload Identity.

October 19, 2023

1.16.2
Change

Updated the OpenTelemetry image from 0.54.0 to 0.86.0 to address security vulnerabilities. otelcontribcol:v0.86.0 contains breaking changes. For more information about these changes, see the full changelog for opentelemetry-collector-contrib.

August 21, 2023

1.16.0
Feature

Added a new configsync.gke.io/deletion-propagation-policy annotation for use on RootSync and RepoSync, for configuring foreground cascading deletion as a preview feature. When set to Foreground, the resource objects managed by it will be deleted when the RootSync or RepoSync is deleted. To learn more, see Bulk delete objects.

July 27, 2023

1.15.3
Change

Upgraded bundled Kustomize version from v5.0.3 to v5.1.0 to pick up vulnerability fixes. To understand the changes in each release, review the changelogs.

January 26, 2023

1.14.1
Change

Config Sync now includes resource-related metrics labels in Google Cloud Monitoring. These labels were previously added to the Prometheus monitoring pipeline in Config Sync version 1.14.0. The labels are available under the "Group By" filter options in the Google Cloud Console. For more information on metrics, see Monitoring Config Sync.

December 08, 2022

1.14.0
Breaking

Config Sync now skips validating and applying any resource configuration that has the annotation config.kubernetes.io/local-config with any value except "false". Previously, it skipped these configurations only when the value was "true". The new behavior is consistent with kpt.

1.14.0
Feature

Added a field spec.override.apiServerTimeout in RootSync and RepoSync, for configuring the timeout for requests to the API server.

October 27, 2022

1.13.1
Breaking

Changed the default Helm release namespace from config-management-system to default, if spec.helm.namespace isn't specified. Note that the value specified in spec.helm.namespace is only used as the value of Release.Namespace declared in your Helm template; otherwise, the namespace default will be used.

1.13.1
Fixed

Fixed a Prometheus exporter error in the otel-collector by resolving a discrepancy between components regarding the description of the pipeline_error_observed metric.

September 15, 2022

1.13.0
Fixed

Fixed an issue that could cause accidental pruning when API resource discovery requests failed.

1.13.0
Announcement

The Config Sync feature to sync configurations stored as OCI images in Google Artifact Registry or Container Registry is generally available (GA). To learn more, see Sync OCI artifacts from Artifact Registry.

1.13.0
Feature

Config Sync now supports user-provided CA certificates for verifying HTTPS connections to Git servers. To learn more, see Configuration of the Git Repository.

June 30, 2022

1.12.0
Fixed

Fixed an issue that caused the reconciler to throw an error when deleting an object that was already deleted.

April 21, 2022

1.11.1
Feature

Config Sync ignores the hidden directories .github and .gitlab, and the hidden file .gitlab-ci.yml.

March 24, 2022

1.11.0
Feature

Updated the spec.override.resources field on RootSync and RepoSync to let you override the default resource amounts (for example, CPU or memory) requested by the corresponding containers of the reconciler Deployment. To learn more, see Troubleshoot Config Sync.

February 24, 2022

1.10.2
Change

The template library's K8sRestrictRoleBindings template now supports regular expression matching of role/clusterRole names by using the regexMatch field.

1.10.2
Fixed

Fixed an issue in the hydration-controller container that caused the reconciler Pod to crash loop when there is a malformed or missing kustomization.yaml in the base directory.

January 27, 2022

1.10.1
Change

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: a478ae6).

December 09, 2021

1.10.0
Fixed

Fixed the issue causing nomos vet --namespace to fail because it incorrectly defaults --source-format to hierarchy.

October 28, 2021

1.9.1
Change

Increased git-importer memory limit to 500Mi.

September 23, 2021

1.9.0
Feature

Config Sync supports rendering Kustomize configurations and Helm charts in multi-repo mode. The Git repository must have a kustomization.yaml file in the root of the sync directory to trigger the rendering process. To learn more, see Use a repo with Kustomize configurations and Helm charts.

July 22, 2021

1.8.1
Fixed

Fixed an issue that caused Config Sync monitoring Pods to fail to start in a cluster with PodSecurityPolicy enabled.

April 05, 2021

1.7.0
Change

Anthos Config Management images are no longer included in Anthos on VMware clusters. To learn more, see Changes to Anthos Config Management updates.

January 28, 2021

1.6.1
Feature

Hierarchy Controller is upgraded to include HNC v0.7.0. This release introduces Exceptions. Exceptions let you use Kubernetes label selectors to precisely control where certain objects are propagated.

This release also removes support for the v1alpha1 API. If you were using Hierarchy Controller 1.5.1 or earlier, you must update to Hierarchy Controller 1.5.2 or 1.6.0 and follow the HNC v0.6.0 directions to upgrade to v1alpha2.

November 16, 2020

1.5.2
Fixed

The default timeout for Policy Controller's ValidatingWebhookConfiguration has been reduced to avoid interference with Kubernetes leader election processes.

August 27, 2020

1.4.2
Feature

Anthos Config Management now includes Config Connector v1.15.1.

July 23, 2020

1.4.1
Feature

Config Connector has been updated in Anthos Config Management to version 1.13.1.

1.4.1
Change

The use of unsecured HTTP for GitHub repo connections or in an http_proxy is now discouraged, and support for unsecured HTTP will be removed in a future release. HTTPS will continue to be supported for GitHub repo and local proxy connections.

1.4.1
Change

Prior to this release, Config Sync and kubectl controllers and processes used the same annotation (kubectl.kubernetes.io/last-applied-configuration) to calculate three-way merge patches. The shared annotation sometimes resulted in resource fights, causing unnecessary removal of each other's fields. Config Sync now uses its own annotation, which prevents resource clashes.

In most cases, this change will be transparent to you. However, there are two cases where some previously unspecified behavior will change.

The first case is when you have run kubectl apply on an unmanaged resource in a cluster, and you later add that same resource to the GitHub repo. Previously, Config Sync would have pruned any fields that were previously applied but not declared in the GitHub repo. Now, Config Sync writes the declared fields to the resource and leaves undeclared fields in place. If you want to remove those fields, do one of the following:

  • Get a local copy of the resource from GitHub and kubectl apply it.
  • Use kubectl edit --save-config to remove the fields directly.

The second case is when you stop managing a resource on the cluster or even stop all of Config Sync on a cluster. In this case, if you want to prune fields from a previously managed resource, you will see different behavior. Previously, you could get a local copy of the resource from GitHub, remove the unwanted fields, and kubectl apply it. Now, kubectl apply no longer prunes the missing fields. If you want to remove those fields, do one of the following:

  • Call kubectl apply set-last-applied with the unmodified resource from GitHub, then remove unwanted fields and kubectl apply it again without the set-last-applied flag.
  • Use kubectl edit --save-config to remove the fields directly.

1.4.1
Fixed

In error messages, links to error docs are now more concise.

June 25, 2020

1.4.0
Feature

Anthos Config Management is now Generally Available on AKS (Kubernetes v1.16 or higher) and EKS (Kubernetes v1.16 or higher).

April 23, 2020

1.3.1
Change

Anthos Config Management images are now included in the Google-provided system images for Binary Authorization.

March 24, 2020

1.3.0
Change

Anthos Config Management now supports the use of an HTTP or HTTPS proxy to connect with your Git host. More information can be found at Installing Anthos Config Management.

February 10, 2020

1.2.1
Fixed

Previously, adding an APIService to the repo would leave Anthos Config Management in a bad state, with the error message "KNV2002: failed to get server resources: unable to retrieve the complete list of server APIs." This issue has been mitigated; Anthos Config Management will now sync APIService objects correctly.

March 29, 2019

0.13.1
Change

The nomos-cluster-policy ClusterConfig has been renamed to config-management-cluster-config. After upgrading, both ClusterConfig objects exist on the cluster. This does not impact the functionality of the cluster, but you may see spurious log messages if the older ClusterConfig is still present. You can remove the old ClusterConfig to avoid these log messages:

kubectl delete clusterconfig nomos-cluster-policy

0.13.1
Issue

Syncing of CustomResourceDefinitions is not currently supported. If a CustomResourceDefinition has already been applied to the cluster, you can sync the associated CustomResources.

Update: This issue no longer exists in Anthos Config Management v1.0.0 and higher.

March 20, 2019

0.13.0
Breaking

Anthos Config Management 13.0.0 is the second beta release of Anthos Config Management. It represents a major change from v0.11.6, is not backward-compatible with any prior release, and cannot be installed on a cluster with a previous installation of Anthos Config Management. Backward-incompatible releases will always use a new minor version number.

March 04, 2019

0.11.6
Feature

Added support for NamespaceSelectors.