The Organization Policy API uses Kubernetes custom resources and relies on the Kubernetes Resource Model (KRM). It manages the lifecycle of organization policies: creating, updating, and deleting them.
To use the Organization Policy API, we recommend that you use the Kubernetes CLI kubectl. If your application needs to use its own libraries to call this API, use the following example, the full API definition, and the dedicated policy match page to build your requests.
Service endpoint and discovery document
The API endpoint for the Organization Policy API is:
https://GDCH_API_SERVER_ENDPOINT/apis/constraints.gatekeeper.sh/v1beta1
where GDCH_API_SERVER_ENDPOINT is the endpoint of the GDC API server.
Using the kubectl proxy command, you can access that URL in your browser or with a tool such as curl to get the discovery document for the Organization Policy API. The kubectl proxy command opens up a proxy to the Kubernetes API server on your local machine. Once that command is running, you can access the document at the following URL:
http://127.0.0.1:8001/apis/constraints.gatekeeper.sh/v1beta1
Example KRM
The following example is a GDCHRestrictedServices object in the Organization Policy API to restrict the use of the Database Service to projects that have the label owner: dba-team.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: db-restricted-to-dbas
spec:
  match:
    scope: Namespaced
    namespaceSelector:
      matchExpressions:
      # We are restricting the use of the service in namespaces that
      # DON'T have the owner: dba-team label
      - key: owner
        operator: NotIn
        values:
        - dba-team
    kinds:
    - apiGroups:
      - "postgresql.ods.anthosapis.com"
      kinds:
      - Dbclusters
      - Backupplans
      - Imports
      - Restores
    - apiGroups:
      - "oracle.ods.anthosapis.com"
      kinds:
      - Dbclusters
      - Backupplans
      - Imports
  parameters:
    disabledOperations:
    - "UPDATE"
    - "CREATE"
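How the match block above selects namespaces, as an added Python example that is not part of the original page or of the GDC product: it applies standard Kubernetes label-selector semantics to the constraint and shows that NotIn also matches namespaces with no owner label at all. The is_denied helper and its deny-on-match rule are assumptions made for illustration, and the constraint is trimmed to one API group.

```python
# Constructed sample: the constraint from this page, trimmed to one API group.
CONSTRAINT = {
    "match": {
        "namespaceSelector": {"matchExpressions": [
            {"key": "owner", "operator": "NotIn", "values": ["dba-team"]}]},
        "kinds": [{"apiGroups": ["postgresql.ods.anthosapis.com"],
                   "kinds": ["Dbclusters", "Backupplans", "Imports", "Restores"]}],
    },
    "parameters": {"disabledOperations": ["UPDATE", "CREATE"]},
}

def expr_matches(expr, labels):
    """Kubernetes label-selector semantics for one matchExpressions entry."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # A missing key also satisfies NotIn, so unlabeled namespaces match.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator: {op}")

def kind_matches(kind_rules, api_group, kind):
    """True if any rule lists the API group and kind ("*" is a wildcard)."""
    return any(
        ("*" in r["apiGroups"] or api_group in r["apiGroups"])
        and ("*" in r["kinds"] or kind in r["kinds"])
        for r in kind_rules)

def is_denied(constraint, ns_labels, api_group, kind, operation):
    """Assumed enforcement (hypothetical helper): deny a listed operation
    on a matched kind inside a matched namespace."""
    match = constraint["match"]
    exprs = match["namespaceSelector"]["matchExpressions"]
    return (all(expr_matches(e, ns_labels) for e in exprs)
            and kind_matches(match["kinds"], api_group, kind)
            and operation in constraint["parameters"]["disabledOperations"])

if __name__ == "__main__":
    pg = "postgresql.ods.anthosapis.com"
    # Constructed namespace label sets: DBA project, other team, unlabeled.
    for labels in ({"owner": "dba-team"}, {"owner": "web-team"}, {}):
        denied = is_denied(CONSTRAINT, labels, pg, "Dbclusters", "CREATE")
        print(labels, "CREATE Dbclusters denied:", denied)
```

Running the same check over the labels of existing namespaces before applying a constraint shows which projects would lose CREATE and UPDATE on the listed kinds.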