The Organization Policy API uses Kubernetes custom resources and relies on the Kubernetes Resource Model (KRM). It is used to manage the lifecycle of organization policies such as creating, updating, deleting.
To use the Organization Policy API, we recommend that you use the Kubernetes CLI
kubectl. If your application needs to use its own libraries to call this API,
use the following example, the full API definition, and
the dedicated policy match page to build your requests.
Service endpoint and discovery document
The API endpoint for the Organization Policy API is:
https://GDC_API_SERVER_ENDPOINT/apis/constraints.gatekeeper.sh/v1beta1
where GDC_API_SERVER_ENDPOINT is the endpoint of the
GDC API server.
Using the kubectl proxy command, you can access that URL in your browser or
with a tool such as curl to get the discovery document for the Organization
Policy API. The kubectl proxy command opens up a proxy to the Kubernetes API
server on your local machine. Once that command is running, you can access the
document at the following URL:
http://127.0.0.1:8001/apis/constraints.gatekeeper.sh/v1beta1.
Example KRM
The following is an example of a GDCHRestrictedServices object in the
Organization Policy API to restrict the use of the Database Services to projects
that have the label owner: dba-team.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
name: db-restricted-to-dbas
spec:
match:
scope: Namespaced
namespaceSelector:
matchExpressions:
# We are restricting the use of the service in namespaces that
# DON'T have the owner: dba-team label
- key: owner
operator: NotIn
values:
- dba-team
kinds:
- apiGroups:
- "postgresql.ods.anthosapis.com"
kinds:
- Dbclusters
- Backupplans
- Imports
- Restores
- apiGroups:
- "oracle.ods.anthosapis.com"
kinds:
- Dbclusters
- Backupplans
- Imports
parameters:
disabledOperations:
- "UPDATE"
- "CREATE"