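Custom constraints only protect functions when the Cloud Functions v2 API is used. Cloud Run functions can also be modified through the Cloud Run API. For additional protection, you might also need to apply custom constraints on Cloud Run.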
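Common organization policy examples
The following list provides the syntax of some custom organization policies that you might find useful:

Description: Deny creating functions in a specific language
Constraint syntax:
```yaml
name: organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionRuntimeBlock
resource_types: cloudfunctions.googleapis.com/Function
method_types:
  - CREATE
  - UPDATE
condition: resource.buildConfig.runtime == "python312"
action_type: DENY
display_name: Deny functions using Python 3.12
description: Functions cannot be created with Python 3.12 as the language runtime
```

Description: Require functions to use a specific worker pool
Constraint syntax:
```yaml
name: organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionsWorkerPool
resource_types: cloudfunctions.googleapis.com/Function
method_types:
  - CREATE
  - UPDATE
condition: resource.buildConfig.workerPool == "WORKER_POOL"
# ALLOW permits only requests for which the condition is true; all others are blocked.
action_type: ALLOW
display_name: Require worker pool
description: Functions must use a worker pool
```
Replace WORKER_POOL with the name of the Cloud Build worker pool.

Description: Require functions to store all container images in a specific image repository
Constraint syntax:
```yaml
name: organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionsRepository
resource_types: cloudfunctions.googleapis.com/Function
method_types:
  - CREATE
  - UPDATE
condition: resource.buildConfig.dockerRepository.startsWith("REPO_PATH")
# ALLOW permits only requests for which the condition is true; all others are blocked.
action_type: ALLOW
display_name: Image repository constraint
description: Functions must push images to a central image repository under REPO_PATH
```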
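The following is an added example, not code from the original page or from Google's documentation. It models locally how each constraint's condition combines with its action_type, so a policy can be sanity-checked before it is enforced. The CEL conditions are hand-translated to Python, and the POOL and REPO values, the Constraint class and violations() are constructed for illustration; the two "require" policies use ALLOW, because DENY with a matching condition blocks the required value itself.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample values standing in for WORKER_POOL and REPO_PATH.
POOL = "projects/example-project/locations/us-central1/workerPools/example-pool"
REPO = "projects/example-project/locations/us-central1/repositories/central-images"


@dataclass(frozen=True)
class Constraint:
    name: str
    condition: Callable[[dict], bool]  # hand-translated from the CEL condition
    action_type: str                   # "ALLOW" or "DENY"
    method_types: tuple = ("CREATE", "UPDATE")

    def permits(self, method: str, build_config: dict) -> bool:
        if method not in self.method_types:
            return True  # the constraint is not evaluated for this method
        matched = self.condition(build_config)
        # DENY blocks matching requests; ALLOW blocks every request that does not match.
        return matched if self.action_type == "ALLOW" else not matched


# Unset buildConfig fields are modelled as missing keys (assumption of this sketch).
CONSTRAINTS = [
    Constraint("custom.cloudFunctionRuntimeBlock",
               lambda b: b.get("runtime") == "python312", "DENY"),
    Constraint("custom.cloudFunctionsWorkerPool",
               lambda b: b.get("workerPool") == POOL, "ALLOW"),
    Constraint("custom.cloudFunctionsRepository",
               lambda b: b.get("dockerRepository", "").startswith(REPO), "ALLOW"),
]


def violations(method: str, build_config: dict, constraints=CONSTRAINTS) -> list:
    """Return the names of the constraints that would block this request."""
    return [c.name for c in constraints if not c.permits(method, build_config)]


if __name__ == "__main__":
    compliant = {"runtime": "nodejs20", "workerPool": POOL, "dockerRepository": REPO}
    print(violations("CREATE", compliant))
    # No worker pool or repository set, and a blocked runtime.
    print(violations("UPDATE", {"runtime": "python312"}))
    # The same worker pool condition with DENY rejects the required pool itself.
    inverted = [Constraint("pool-deny", lambda b: b.get("workerPool") == POOL, "DENY")]
    print(violations("CREATE", compliant, inverted))
```

This model covers only requests made through the Cloud Functions v2 API; changes made through the Cloud Run API are not evaluated against these constraints.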
Last updated: 2025-09-05 (UTC).