The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Name | Description | Documentation |
---|---|---|
Guardrails | Base Infrastructure for 30 Day Guardrail Deployment | link |
Organization Policy Bundle | Package of Baseline Organization Policies | link |
Guardrails Policy Bundle | Policy Bundle to help analyze compliance for Guardrails | link |
KCC Namespaces | This solution is a simple fork of the KCC Project Namespaces blueprint found here | link |
Landing Zone v2 (LZv2) | (In development) PBMM Landing Zone built in collaboration with Shared Services Canada | link |
Gatekeeper Policy (LZv2) | Policy Bundle | link |
Core Landing Zone (LZv2) | Foundational resources building the landing zone | link |
Client Setup (LZv2) | Package to create the initial client folder and namespaces | link |
Client Landing Zone (LZv2) | Package to create the client folder sub-structure and a standard Shared VPC | link |
Client Project Setup (LZv2) | Package to create a service project and host workloads | link |
GKE Setup (LZv2) | Package to prepare a service project for GKE clusters | link |
GKE Defaults (LZv2) | A package to deploy common GKE resources | link |
GKE Cluster Autopilot (LZv2) | A GKE Autopilot Cluster running in a service project | link |
Cluster Defaults (LZv2) | This package deploys default resources that have to exist on all GKE clusters | link |
Namespace Defaults (LZv2) | This package deploys a workload namespace and its associated configuration | link |
When getting a package, you can use the `@` to indicate what tag or branch you will be getting with the `kpt pkg get` command, for example `kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/core-landing-zone@main`.
You can find the latest release versions in the releases page.
Deploying an example landing zone requires two steps:
- A Config Connector enabled Kubernetes cluster
- One or more solutions packages like the core-landing-zone and experimentation core-landing-zone documented in section 2 of landing-zone-v2
In order to deploy the solutions you will need a Kubernetes cluster with Config Connector installed.
We recommend using the Managed Config Controller service, which comes bundled with Config Connector and Anthos Config Management. Alternatively, you can install Config Connector on any CNCF-compliant Kubernetes cluster.
See the Google Cloud quickstart guide for getting up and running with Config Controller.
A setup script is provided in the repository gcp-tools that will configure the Config Controller cluster. The instructions in the Advanced Install are automated as part of the setup-kcc.sh script.
We have also put together a guide to deploy a standalone Config Controller instance; alternatively, see the examples directory for example installation methods.
After the Kubernetes cluster is fully provisioned, proceed to Deploy a landing zone v2 package.
You may want to look at the documentation published by Shared Services Canada, which provides a good level of detail on how they have implemented the Landing Zone v2 solution to host workloads from any of the 43 departments of the Government of Canada.
For further documentation on the project, including the setup pre-requirements and supporting services such as Config Connector and Config Management, see the following:
- Multi-Tenancy
- Scalability Guidelines
- View Config Controller Status
- Monitor Resources
- Config Connector Resources
- Config Connector OSS on GitHub
- Known Issues
- Fleet Management at Spotify (Part 2): The Path to Declarative Infrastructure
- Awesome KRM
- I do declare! Infrastructure automation with Configuration as Data
- Rationale Behind kpt
- KRM Blueprints
- How Goldman Sachs manages Google Cloud resources with Anthos Config Management at Google Next
This is not an officially supported Google product.