Organization policies give you centralized and programmatic control over your organization's resources. As the organization policy administrator, you can configure policies across your entire organization.
In this version of Google Distributed Cloud Hosted (GDCH), there is no UI or CLI for organization policies. You must use the API or kubectl CLI to manage them.
Configuring organization policies provides several benefits:
- Centralize control to configure restrictions on how to use your organization's resources.
- Define and establish guardrails for your development teams to stay within compliance boundaries.
- Help project owners and their teams move quickly without breaking compliance.
Differences from Identity and Access Management
Identity and Access Management focuses on who, and lets the administrator authorize who can take action on specific resources based on permissions.
Organization policies focus on what, and let the administrator set restrictions on specific resources to determine how to configure them.
List of available organization policy types
In this release of GDCH, you can use the following policy type.
The GDCHRestrictedService policy type lets you restrict which services you can use on GDCH. When applied, the policy prevents the use of the APIs that it references. For example, you can use this policy type to restrict the use of a given service to certain projects. You can also use the policy to completely restrict access to a new GDCH service that you want to run tests on before allowing your teams to use it.
Create this policy in the same cluster as the service resources. You can create multiple instances of this policy for different services or different projects.
The following is a template for this policy:
Replace the following:
POLICY_NAME: the name of the organization policy.
MATCH_SCHEMA: the resources to match for this constraint. See the Define the scope of an organization policy within a cluster section for more information.
DISABLED_OPERATION: the groups of operations that this policy blocks. The allowed values are CREATE and UPDATE; the GDCHRestrictedService policy supports only these two operations. To restrict DELETE operations, we recommend that you use IAM to assign roles.
The GDCHRestrictedService policy only supports the following subset of the available services on GDCH:
- Vertex AI Workbench
- Database Service - Postgres
- Database Service - Oracle
- Dataproc Container for Spark (Marketplace service)
You do not have to specify all of the kinds for a given service. You can restrict the usage of a subset of a service's features by specifying only the corresponding kinds.
For example, to restrict updates to marketplace services, create the following policy:
This policy prevents any UPDATE operation on any group with the value of MarketplaceService for its kind. In effect, this policy prevents anyone from modifying any Marketplace service.
To completely disable a service, list both CREATE and UPDATE in the disabledOperations parameter, and list all the kinds documented here.
Grant IAM roles to manage organization policies
Each organization policy has an associated IAM role. Grant the IAM role to the users and groups that you want to manage that specific organization policy. To allow a user or group to create, update, or delete policies of GDCHRestrictedService, assign the user or group the gdchrestrictedservice-policy-manager IAM role.
Define the scope of an organization policy within a cluster
When defining an organization policy, decide if it should impact all namespaces, only specific namespaces, or all namespaces except a given list. To achieve this, use a combination of the .spec.match parameters of the policy definition, such as .spec.match.scope. See the organization policy match section page to learn more about these parameters. For example, to allow the creation of databases only in namespaces that have the label owner: dba-team, create the following policy:
# We are restricting the use of the service in namespaces that
# don't have the owner: dba-team label
- key: owner
  operator: NotIn
  values: ["dba-team"]
Roll back an existing policy
To stop enforcing an existing policy, delete it using the kubectl CLI. Use a kubeconfig file that gives you access to the cluster where the policy is defined and to the gdchrestrictedservice-policy-manager IAM role.
To delete an organization policy, run:
kubectl --kubeconfig CLUSTER_KUBECONFIG delete \
    gdchrestrictedservice POLICY_NAME
Replace the following:
CLUSTER_KUBECONFIG: the kubeconfig file of the cluster where the organization policy resides.
POLICY_NAME: the name of the organization policy to delete.
Test a policy in an audit mode
You can test a policy without enforcing it. Test a policy to make sure that it does not break existing systems before rolling it out, or to get an estimate of how widespread a behavior is. To add a test, add an enforcementAction to your policy definition. There are three possible values for this parameter:
- deny: the policy is enforced. This is the default setting.
- dryrun: the action is allowed, but you can see that there is a policy violation in both the audit logs and the policy status. Examine the violation with kubectl --kubeconfig CLUSTER_KUBECONFIG get POLICY_TYPE/POLICY_NAME.
- warn: equivalent to dryrun, except the test also shows a warning in response to the request that triggered a policy violation.
For example, to test a policy that disables the Marketplace, create the following policy:
- apiGroups: ["marketplace.gdc.goog"]
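The following is an added example, not code from GDCH or its documentation: a small model of how the namespace match expressions, the disabledOperations list and the enforcementAction value described above combine for a single request. Both policy objects are constructed for the example, and the database API group and kind in the second one are placeholders.

```python
# Added example, not GDCH's own code: a model of how the three knobs this page
# describes combine for one admission request. The policies below are
# constructed for the example; only the marketplace API group comes from the page.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    api_groups: set            # apiGroups the policy references
    kinds: set                 # kinds the policy references
    disabled_operations: set   # subset of {"CREATE", "UPDATE"}
    enforcement_action: str = "deny"   # deny | dryrun | warn
    # namespace match expressions as (key, operator, values); operator In or NotIn
    match_expressions: list = field(default_factory=list)

@dataclass
class Request:
    operation: str
    api_group: str
    kind: str
    namespace_labels: dict

def namespace_selected(policy, labels):
    """Kubernetes label-selector semantics: every expression must hold.
    NotIn also matches a namespace that lacks the key entirely."""
    for key, op, values in policy.match_expressions:
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and key in labels and labels[key] in values:
            return False
    return True

def evaluate(policy, req):
    """Return allow, deny, warn, or audit (a dryrun violation that is only logged)."""
    if req.api_group not in policy.api_groups or req.kind not in policy.kinds:
        return "allow"
    if req.operation not in policy.disabled_operations:
        return "allow"      # DELETE is never blocked by this policy type; use IAM
    if not namespace_selected(policy, req.namespace_labels):
        return "allow"
    return {"deny": "deny", "dryrun": "audit", "warn": "warn"}[policy.enforcement_action]

# Policy from the "restrict updates to marketplace services" example, in audit mode.
FREEZE_MARKETPLACE = Policy("freeze-marketplace", {"marketplace.gdc.goog"},
                            {"MarketplaceService"}, {"UPDATE"}, "dryrun")
# Policy from the scope example: block the service outside owner: dba-team namespaces.
# "example-db.gdc.goog" / "ExampleDatabase" are placeholders, not real GDCH names.
DBA_ONLY = Policy("dba-only", {"example-db.gdc.goog"}, {"ExampleDatabase"},
                  {"CREATE", "UPDATE"}, "deny", [("owner", "NotIn", ["dba-team"])])
```

Note that an unlabeled namespace is selected by the NotIn expression, so the scope example blocks creation everywhere except in namespaces explicitly labeled owner: dba-team.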