이 페이지에서는 신뢰할 수 있는 이미지 정책 제약조건을 구성하는 방법을 설명합니다.
이렇게 하면 모든 Compute Engine 가상 머신(VM) 인스턴스의 부팅 디스크를 만드는 데 사용할 수 있는 운영체제(OS) 이미지에 대한 액세스를 제어할 수 있습니다.
기본적으로 사용자는 Batch 작업을 실행하는 Compute Engine VM에 대해 공유된 모든 공개 이미지 또는 커스텀 이미지를 사용할 수 있습니다.
신뢰할 수 있는 이미지 정책 제약조건이 사용 설정되어 있지 않고 VM OS 이미지를 제한하고 싶지 않다면 이 문서 읽기를 중지해도 됩니다.
프로젝트, 폴더 또는 조직의 모든 사용자가 정책 또는 보안 요구사항을 충족하는 승인된 소프트웨어가 포함된 VM을 만들도록 요구하려면 신뢰할 수 있는 이미지 정책 제약조건을 사용 설정하세요.
신뢰할 수 있는 이미지 정책 제약조건이 사용 설정되면 작업의 VM OS 이미지가 허용되지 않는 한 영향을 받는 사용자는 Batch 작업을 실행할 수 없습니다.
신뢰할 수 있는 이미지 정책 제약조건이 사용 설정되었을 때 작업을 만들고 실행하려면 다음 중 하나 이상을 수행하세요.
정책 값 목록에서 지정하지 않은 모든 이미지 프로젝트에 대한 액세스를 허용하거나, 지정되지 않은 모든 이미지 프로젝트에 대한 액세스를 거부하거나, 액세스 허용 또는 거부할 프로젝트의 커스텀 집합을 지정하는 규칙을 추가할지 선택할 수 있습니다. Batch의 모든 이미지를 허용하려면 다음을 수행하세요.
텍스트 편집기에서 policy.yaml 파일을 엽니다. 그런 다음 allowedValues 필드에 projects/batch-custom-image를 추가하여 compute.trustedImageProjects 제약조건을 수정합니다.
예를 들어 Batch의 VM OS 이미지만 허용하려면 compute.trustedImageProjects 제약조건을 다음과 같이 설정하세요.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-02-11(UTC)"],[[["\u003cp\u003eThis document guides users on configuring the trusted image policy constraint to control which operating system images can be used for creating boot disks for Compute Engine VM instances.\u003c/p\u003e\n"],["\u003cp\u003eBy default, users can utilize any public or shared custom image unless the trusted image policy constraint is enabled, which then restricts access to only approved images.\u003c/p\u003e\n"],["\u003cp\u003eEnabling this constraint requires users to either specify an already-approved VM OS image or allow the default VM OS images provided by Batch, in order to run Batch jobs.\u003c/p\u003e\n"],["\u003cp\u003eThe process to allow all VM OS images from Batch involves modifying the trusted image policy constraint through the Google Cloud console or Google Cloud CLI, specifically by adding \u003ccode\u003eprojects/batch-custom-image\u003c/code\u003e to the allowed projects.\u003c/p\u003e\n"],["\u003cp\u003eOnce configured, the document recommends testing the constraints and references a few documents to create and run jobs, or learn more about VM OS images.\u003c/p\u003e\n"]]],[],null,["# Control access to VM OS images for Batch\n\nThis page describes how to configure the trusted image policy constraint.\nThis lets you control access to the operating system (OS) images that can be\nused to create the boot disks for any Compute Engine\nvirtual machine (VM) instances.\n\nBy default, a user can use any public image or any custom image that is\nshared with them for the Compute Engine VMs that run their\nBatch jobs.\nIf the trusted image policy constraint is not enabled and you don't want to\nrestrict VM OS images, you can stop reading this document.\n\nEnable the trusted image policy constraint\nif you want to require all the users in a project, folder, or organization to\ncreate VMs that contain approved software that meets your policy or\nsecurity requirements.\nIf the trusted image policy constraint is enabled, affected users\n[can't run Batch jobs](/batch/docs/troubleshooting#constraint-violated-trusted-images)\nunless the VM OS image for their job is allowed.\nTo create and run jobs when the trusted image policy constraint is enabled,\ndo at least one of the following:\n\n- Have users [specify a VM OS image](/batch/docs/specify-vm-os-image) that is already allowed.\n- Allow the default VM OS images from Batch, as shown in this document.\n\nTo learn more about VM OS images and boot disks, see\n[VM OS environment overview](/batch/docs/vm-os-environment-overview).\nTo learn about which policy constraints have been\nenabled for your project, folder, or organization,\n[view your organization policies](/resource-manager/docs/organization-policy/creating-managing-policies).\n\nBefore you begin\n----------------\n\n1. If you haven't used Batch before, review [Get started with Batch](/batch/docs/get-started) and enable Batch by completing the [prerequisites for projects and users](/batch/docs/get-started#prerequisites).\n2.\n\n To get the permissions that\n you need to configure organization policies,\n\n ask your administrator to grant you the\n\n\n [Organization Policy Administrator](/iam/docs/roles-permissions/orgpolicy#orgpolicy.policyAdmin) (`roles/orgpolicy.policyAdmin`)\n IAM role on the organization.\n\n\n For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\n You might also be able to get\n the required permissions through [custom\n roles](/iam/docs/creating-custom-roles) or other [predefined\n roles](/iam/docs/roles-overview#predefined).\n\n\u003cbr /\u003e\n\nAllow images from Batch\n-----------------------\n\nThe following steps describe how to modify the trusted image policy constraint\nto allow all VM OS images from Batch by using the\nGoogle Cloud console or Google Cloud CLI.\n\nFor more instructions on how to use the trusted image\n(`compute.trustedImageProjects`) policy constraint, see\n[Setting up trusted image policies](/compute/docs/images/restricting-image-access)\nin the Compute Engine documentation. \n\n### Console\n\n1. Go to the **Organization policies** page.\n\n [Go to Organization policies](https://console.cloud.google.com/iam-admin/orgpolicies/)\n2. From the policies list, click **Define trusted image projects**.\n\n The **Policy details** page opens.\n3. On the **Policy details** page, click edit **Manage Policy** . The **Edit policy**\n page opens.\n\n4. On the **Edit policy** page, select **Customize**.\n\n5. For **Policy enforcement**, select an enforcement option.\n\n6. Click **Add rule**.\n\n7. In the **Policy values** list, you can select whether to add a rule that\n allows access to all unspecified image projects, denies access to all\n unspecified image projects, or specifies a custom set of projects to\n allow or deny access to. To allow all images from Batch,\n do the following:\n\n 1. In the **Policy values** list, select **Custom** . A **Policy type** and **Custom values** field appears.\n 2. In the **Policy type** list, select **Allow**.\n 3. In the **Custom values** field, enter `projects/batch-custom-image`.\n8. To save the rule, click **Done**.\n\n9. To save and apply the organization policy, click **Save**.\n\n### gcloud\n\nThe following example describes how to allow images\nfrom Batch for a specific project:\n\n1. To get the existing policy settings for a project, run the\n [`resource-manager org-policies describe` command](/sdk/gcloud/reference/resource-manager/org-policies/describe):\n\n ```\n gcloud resource-manager org-policies describe \\\n compute.trustedImageProjects --project=PROJECT_ID \\\n --effective \u003e policy.yaml\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the project ID of the project\n that you want to update.\n2. Open the `policy.yaml` file in a text editor. Then, modify the\n `compute.trustedImageProjects` constraint by adding\n `projects/batch-custom-image` to the `allowedValues` field.\n For example, to allow only VM OS images from Batch\n set the `compute.trustedImageProjects` constraint to the following:\n\n ```\n constraint: constraints/compute.trustedImageProjects\n listPolicy:\n allowedValues:\n - projects//batch-custom-image\n ```\n\n When you have finished editing the `policy.yaml` file, save your changes.\n3. To apply the `policy.yaml` file to your project, use the\n [`resource-manager org-policies set-policy` command](/sdk/gcloud/reference/resource-manager/org-policies/set-policy):\n\n ```\n gcloud resource-manager org-policies set-policy \\\n policy.yaml --project=PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the project ID of the project\n that you want to update.\n\nWhen you finish updating constraints, testing those constraints is\nrecommended to verify that they are working as intended.\n\nWhat's next\n-----------\n\n- Create and run jobs, such as the following:\n - [Create and run a basic job](/batch/docs/create-run-basic-job), which uses a VM OS image from Batch by default.\n - [Create and run a job that uses a specific VM OS image](/batch/docs/specify-vm-os-image).\n- Learn more about [VM OS images and boot disks](/batch/docs/vm-os-environment-overview)."]]