Stay organized with collections
Save and categorize content based on your preferences.
The Organization Policy API uses Kubernetes custom resources and relies on the
Kubernetes Resource Model (KRM). It is used to manage the lifecycle of
organization policies such as creating, updating, deleting.
To use the Organization Policy API, we recommend that you use the Kubernetes CLI
kubectl. If your application needs to use its own libraries to call this API,
use the following example, the full API definition, and the
dedicated policy match page to build your requests.
Service endpoint and discovery document
The API endpoint for the Organization Policy API is:
https://MANAGEMENT_API_SERVER_ENDPOINT/apis/constraints.gatekeeper.sh/v1beta1
where MANAGEMENT_API_SERVER_ENDPOINT is the endpoint of the
Management API server.
Using the kubectl proxy command, you can access that URL in your browser or
with a tool such as curl to get the discovery document for the Organization
Policy API. The kubectl proxy command opens up a proxy to the Kubernetes API
server on your local machine. Once that command is running, you can access the
document at the following URL:
http://127.0.0.1:8001/apis/constraints.gatekeeper.sh/v1beta1.
Example KRM
The following example is a GDCHRestrictedServices object in the Organization
Policy API to restrict the use of the Database Service to projects that
have the label owner: dba-team.
apiVersion:constraints.gatekeeper.sh/v1beta1kind:GDCHRestrictedServicemetadata:name:db-restricted-to-dbasspec:match:scope:NamespacednamespaceSelector:matchExpressions:# We are restricting the use of the service in namespaces that# DON'T have the owner: dba-team label-key:owneroperator:NotInvalues:-dba-teamkinds:-apiGroups:-"postgresql.ods.anthosapis.com"kinds:-Dbclusters-Backupplans-Imports-Restores-apiGroups:-"oracle.ods.anthosapis.com"kinds:-Dbclusters-Backupplans-Importsparameters:disabledOperations:-"UPDATE"-"CREATE"
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThe Organization Policy API uses Kubernetes custom resources and the Kubernetes Resource Model (KRM) to manage the lifecycle of organization policies.\u003c/p\u003e\n"],["\u003cp\u003eIt is recommended to use the Kubernetes CLI \u003ccode\u003ekubectl\u003c/code\u003e to interact with the Organization Policy API, but alternative methods are available using the provided API definition.\u003c/p\u003e\n"],["\u003cp\u003eThe API endpoint is located at \u003ccode\u003ehttps://<GDCH_API_SERVER_ENDPOINT>/apis/constraints.gatekeeper.sh/v1beta1\u003c/code\u003e, with a discovery document accessible via \u003ccode\u003ekubectl proxy\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eAn example of the API is shown that uses the \u003ccode\u003eGDCHRestrictedServices\u003c/code\u003e object to restrict the use of the database service to namespaces that have the \u003ccode\u003eowner: dba-team\u003c/code\u003e label.\u003c/p\u003e\n"]]],[],null,["# Organization Policy API overview\n\nThe Organization Policy API uses Kubernetes custom resources and relies on the\nKubernetes Resource Model (KRM). It is used to manage the lifecycle of\norganization policies such as creating, updating, deleting.\n\nTo use the Organization Policy API, we recommend that you use the Kubernetes CLI\n`kubectl`. If your application needs to use its own libraries to call this API,\nuse the following example, the [full API definition](/distributed-cloud/hosted/docs/latest/appliance/apis/service/org-policy/org-policy-krm-api), and the\ndedicated [policy match page](/distributed-cloud/hosted/docs/latest/appliance/apis/service/org-policy/policy-match-section) to build your requests.\n| **Warning:** While organization policies leverage an open-source API that's marked as beta (`constraints.gatekeeper.sh/v1beta1`), the organization policy system itself is in alpha. Additional APIs may be introduced in the future to facilitate the management of organisation policies.\n\nService endpoint and discovery document\n---------------------------------------\n\nThe API endpoint for the Organization Policy API is:\n`https://`\u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e`/apis/constraints.gatekeeper.sh/v1beta1`\nwhere \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e is the endpoint of the\nManagement API server.\n\nUsing the `kubectl proxy` command, you can access that URL in your browser or\nwith a tool such as `curl` to get the discovery document for the Organization\nPolicy API. The `kubectl proxy` command opens up a proxy to the Kubernetes API\nserver on your local machine. Once that command is running, you can access the\ndocument at the following URL:\n`http://127.0.0.1:8001/apis/constraints.gatekeeper.sh/v1beta1`.\n\nExample KRM\n-----------\n\nThe following example is a `GDCHRestrictedServices` object in the Organization\nPolicy API to restrict the use of the Database Service to projects that\nhave the label `owner: dba-team`. \n\n apiVersion: constraints.gatekeeper.sh/v1beta1\n kind: GDCHRestrictedService\n metadata:\n name: db-restricted-to-dbas\n spec:\n match:\n scope: Namespaced\n namespaceSelector:\n matchExpressions:\n # We are restricting the use of the service in namespaces that\n # DON'T have the owner: dba-team label\n - key: owner\n operator: NotIn\n values:\n - dba-team\n kinds:\n - apiGroups:\n - \"postgresql.ods.anthosapis.com\"\n kinds:\n - Dbclusters\n - Backupplans\n - Imports\n - Restores\n - apiGroups:\n - \"oracle.ods.anthosapis.com\"\n kinds:\n - Dbclusters\n - Backupplans\n - Imports\n parameters:\n disabledOperations:\n - \"UPDATE\"\n - \"CREATE\""]]
