Config Connector

Config Connector is a Kubernetes add-on that lets you manage Google Cloud resources using Kubernetes manifests. Instead of using the gcloud CLI, Terraform, or the Console, you define Google Cloud resources (Cloud SQL instances, Pub/Sub topics, IAM bindings, etc.) as Kubernetes custom resources. The Config Connector controller reconciles these resources with the Google Cloud API.

---

What Is Config Connector?

Config Connector extends the Kubernetes API with Custom Resource Definitions (CRDs) for Google Cloud resources. When you create, update, or delete a Config Connector resource in your cluster, the controller makes the corresponding changes in Google Cloud. This gives you a single tool (kubectl) and a single paradigm (declarative YAML) for managing both your Kubernetes workloads and your cloud infrastructure.

Key Benefits

Benefit	Description
Single workflow	Manage infrastructure and workloads together using kubectl and GitOps
Declarative	Define desired state — Config Connector reconciles actual state
Drift detection	Continuously monitors resources and corrects drift
Kubernetes-native	Use labels, annotations, namespaces, and RBAC for Google Cloud resources
GitOps compatible	Store infrastructure definitions in Git, deploy via ArgoCD or Flux

---

How It Works

1. You install Config Connector in your GKE cluster (or enable it as a cluster add-on)
2. Config Connector registers CRDs for Google Cloud resource types
3. You create Kubernetes manifests for Google Cloud resources
4. The Config Connector controller watches for changes and reconciles with Google Cloud APIs
5. Resource status (state, conditions, external references) is reflected back in the Kubernetes resource

---

Installing Config Connector

# Enable Config Connector as a GKE add-on
gcloud container clusters update my-cluster \
  --update-addons ConfigConnector=ENABLED \
  --region europe-west2

# Create a service account for Config Connector
gcloud iam service-accounts create config-connector-sa \
  --display-name="Config Connector Service Account"

# Grant the service account the necessary roles
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:config-connector-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/editor"

# Configure Config Connector to use the service account
kubectl apply -f - <<EOF
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
  name: configconnectorcontext.core.cnrm.cloud.google.com
  namespace: my-namespace
spec:
  googleServiceAccount: "config-connector-sa@my-project.iam.gserviceaccount.com"
EOF

---

Example Resources

Cloud SQL Instance

apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLInstance
metadata:
  name: my-database
  namespace: production
spec:
  databaseVersion: POSTGRES_16
  region: europe-west2
  settings:
    tier: db-custom-2-8192
    availabilityType: REGIONAL
    backupConfiguration:
      enabled: true
      pointInTimeRecoveryEnabled: true
    ipConfiguration:
      privateNetworkRef:
        name: my-vpc

Pub/Sub Topic and Subscription