Anthos Config Management - December 11th, 2023 [Breaking, Change, Feature, Fix]

## Breaking

The `nomos` command-line tool now requires the kubectl plugin `gke-gcloud-auth-plugin` to be installed to interact with GKE, and your KUBECONFIG must be configured to use it by calling `gcloud container clusters get-credentials`. Versions of the gcloud CLI older than 430.0.0 also require setting `USE_GKE_GCLOUD_AUTH_PLUGIN=True`. For reference, see [Prerequisites](https://cloud.google.com/anthos-config-management/docs/how-to/nomos-command#prerequisites) for the nomos command-line tool.

## Breaking

Upgraded git-sync (the Config Sync dependency for pulling from Git) from v3.6.9 to v4.0.0 to pick up enhancements such as improved efficiency and race condition fixes. This includes a breaking change: a short commit SHA is no longer accepted in the `spec.git.revision` field of RootSync and RepoSync. If you want to sync from a Git commit, use the full commit SHA in the `spec.git.revision` field. For more details, see [Configuration for the Git repository](https://cloud.google.com/anthos-config-management/docs/reference/rootsync-reposync-fields#configuring-git-repo).

## Feature

Added a new field `spec.mode` in the NamespaceSelector CRD as a preview feature to support selecting namespace-scoped resources that match both statically declared Namespaces in the source of truth and those dynamically present on the cluster. For more details, see [Limit which namespaces a config affects](https://cloud.google.com/anthos-config-management/docs/how-to/namespace-scoped-objects#namespaceselectors).

## Feature

Added a new field `spec.override.namespaceStrategy` in the RootSync API to control whether Namespaces should be created implicitly when Namespace configs are missing from the source of truth. For reference, see [RootSync and RepoSync fields](https://cloud.google.com/anthos-config-management/docs/reference/rootsync-reposync-fields#rootsync%5Fand%5Freposync%5Ffields).

## Feature

Added a new field `spec.override.roleRefs` in the RootSync API to grant the root reconciler permissions other than cluster-admin. For reference, see [RootSync and RepoSync fields](https://cloud.google.com/anthos-config-management/docs/reference/rootsync-reposync-fields#rootsync%5Fand%5Freposync%5Ffields).

## Feature

Added `known_hosts` support for Git connections over SSH in the RootSync and RepoSync APIs. For more details on the SSH key pair, see [Install Config Sync](https://cloud.google.com/anthos-config-management/docs/how-to/installing-config-sync#ssh-key-pair).

## Feature

The constraint template library includes a new template: `K8sRequireAdmissionController`. For reference, see the [Constraint template library](https://cloud.google.com/anthos-config-management/docs/latest/reference/constraint-template-library).

## Change

Policy Controller bundles have been updated to the following versions: `asm-policy-v0.0.1`: `202311.0`, `cis-k8s-v1.5.1`: `202311.0`, `cost-reliability-v2023`: `202311.0`, `nist-sp-800-190`: `202311.0`, `nist-sp-800-53-r5`: `202311.0`, `nsa-cisa-k8s-v1.2`: `202311.0`, `pci-dss-v3.2.1`: `202311.0`, `policy-essentials-v2022`: `202311.0`, `psp-v2022`: `202311.0`, `pss-baseline-v2022`: `202311.0`, `pss-restricted-v2022`: `202311.0`. For reference, see [Policy Controller bundles overview](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller-bundles).

## Change

The constraint template library's `K8sNoExternalServices` template now supports the `"networking.gke.io/load-balancer-type": "Internal"` annotation. For reference, see [Constraint template library](https://cloud.google.com/anthos-config-management/docs/latest/reference/constraint-template-library#k8snoexternalservices).

## Change

Reduced Config Sync reconciler default CPU and memory requests on GKE Standard clusters. Increased Config Sync reconciler default CPU and memory requests to avoid throttling and reduce time to sync by up to 25%, and increased default limits on GKE Autopilot clusters to avoid out-of-memory errors for most workloads. For reference, see [Resource requests](https://cloud.google.com/anthos-config-management/docs/how-to/installing-config-sync#resource%5Frequests).

## Fix

Fixed an issue with the nomos CLI not authenticating correctly when run inside a Kubernetes Pod. To authenticate to another cluster from inside a Pod, you must now explicitly set KUBECONFIG to point to the kubectl config; otherwise the downward API is used to authenticate with the local cluster.
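As an added example (not code from these release notes or from the Config Sync project), the following pre-sync lint runs over RootSync manifests that have already been parsed from YAML and flags the three settings the Breaking and Feature items above touch: an abbreviated commit SHA in `spec.git.revision`, which git-sync v4 rejects; a missing or `cluster-admin` `spec.override.roleRefs`, which leaves the root reconciler at the broad default the release note describes; and an implicit `spec.override.namespaceStrategy`. The sample manifests are constructed. The `kind`/`name` shape of a `roleRefs` item and the value `explicit` for `namespaceStrategy` are assumptions about the RootSync API that this page does not state, and the default of `implicit` when the field is absent is likewise assumed.

```python
import re

# A full Git commit SHA is exactly 40 lowercase hex characters. A shorter
# hex-only string is an abbreviated SHA, which git-sync v4.0.0 (bundled from
# this release) no longer accepts in spec.git.revision. Branch and tag names
# are left alone, since spec.git.revision may legitimately hold them.
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
_SHORT_SHA = re.compile(r"^[0-9a-f]{4,39}$")

# Constructed sample manifests, as they would look after YAML parsing.
SAMPLE_ROOTSYNCS = [
    {   # Legacy: short SHA, reconciler left at its cluster-admin default,
        # Namespaces created implicitly.
        "apiVersion": "configsync.gke.io/v1beta1", "kind": "RootSync",
        "metadata": {"name": "root-sync-legacy", "namespace": "config-management-system"},
        "spec": {"sourceFormat": "unstructured",
                 "git": {"repo": "git@example.com:org/config.git", "revision": "a1b2c3d",
                         "auth": "ssh", "secretRef": {"name": "git-creds"}}},
    },
    {   # Hardened: full SHA pin, explicit Namespaces, scoped ClusterRole.
        # The roleRefs item shape and the "explicit" value are assumptions.
        "apiVersion": "configsync.gke.io/v1beta1", "kind": "RootSync",
        "metadata": {"name": "root-sync-pinned", "namespace": "config-management-system"},
        "spec": {"sourceFormat": "unstructured",
                 "git": {"repo": "git@example.com:org/config.git",
                         "revision": "0123456789abcdef0123456789abcdef01234567",
                         "auth": "ssh", "secretRef": {"name": "git-creds"}},
                 "override": {"namespaceStrategy": "explicit",
                              "roleRefs": [{"kind": "ClusterRole",
                                            "name": "config-sync-reconciler"}]}},
    },
]


def lint_rootsync(manifest):
    """Return a list of human-readable findings for one RootSync manifest."""
    findings = []
    if manifest.get("kind") != "RootSync":
        return findings  # roleRefs applies to RootSync only; skip other kinds
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})

    # 1. Breaking change: abbreviated commit SHAs are no longer accepted.
    rev = spec.get("git", {}).get("revision")
    if rev is not None and not _FULL_SHA.match(rev) and _SHORT_SHA.match(rev):
        findings.append(f"{name}: spec.git.revision {rev!r} looks like an abbreviated "
                        "commit SHA; git-sync v4 requires the full 40-character SHA")

    override = spec.get("override", {})

    # 2. Least privilege: without roleRefs the root reconciler keeps cluster-admin.
    role_refs = override.get("roleRefs") or []
    if not role_refs:
        findings.append(f"{name}: spec.override.roleRefs not set; the root reconciler "
                        "keeps its cluster-admin default")
    for ref in role_refs:
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
            findings.append(f"{name}: spec.override.roleRefs grants cluster-admin explicitly")

    # 3. Namespace creation: "implicit" default assumed when the field is absent.
    if override.get("namespaceStrategy", "implicit") != "explicit":
        findings.append(f"{name}: spec.override.namespaceStrategy is implicit; Namespaces "
                        "missing from the source of truth will be created on the cluster")
    return findings


def lint_all(manifests):
    """Map each RootSync name to its findings; an empty list means clean."""
    return {m["metadata"]["name"]: lint_rootsync(m) for m in manifests
            if m.get("kind") == "RootSync"}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_ROOTSYNCS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed manifests, the legacy RootSync produces three findings and the pinned one none. Wiring this into a CI step for the repository that holds your RootSync objects catches the short-SHA breakage before the upgraded git-sync does, and keeps the reconciler permission change visible in review.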