This page shows you how to enable and use custom constraints within your GKE attached clusters environment. Google Cloud's Organization Policy Service helps you manage resource configurations and create guardrails in your cloud environment.
Overview
With custom organization policies, you can create granular resource policies across GKE Multi-Cloud environments to meet your organization's specific security and compliance requirements. You can also create organization policies in dry-run mode to test new policies without affecting your production workloads.
To learn more about organization policies, see Introduction to the Organization Policy Service.
Before you begin
Before you start, make sure you understand the following topics:
Policy inheritance
By default, organization policies are inherited by the descendants of the resources on which you enforce the policy. For example, if you enforce a policy on an organization, Google Cloud enforces the policy on all projects in the organization. To learn more about policy inheritance and how to change evaluation rules, see Hierarchy evaluation rules.
Limitations
Before you create custom constraints, keep in mind the following limitations:
- Custom constraints can only be enforced on the
CREATE
orUPDATE
methods for GKE attached clusters resources. - Newly enforced custom constraints don't automatically apply to existing resources. You must update existing resources to apply the constraint. To find existing resources that need to be updated, you can enforce a dry-run organization policy.
- To create constraints and enforce organization policies, you need the Organization Policy Administrator (
roles/orgpolicy.policyAdmin
) IAM role on your Google Cloud organization. For more information about the permissions required to manage organization policies with custom constraints, see Required roles.
Pricing
Organizational policies and custom constraints are offered at no charge.
Create custom constraints
Custom constraints must be specified by using the fields in the AttachedCluster API resource spec, excluding fields that are described as "Output only".
Create a custom constraint
To create a new custom constraint, you define the constraint in a YAML file and apply the custom constraint in your organization using the Google Cloud CLI. This constraint must encapsulate the specific policy you want to enforce across your GKE attached clusters resources.
Create a YAML file for the custom constraint:
name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME resourceTypes: - gkemulticloud.googleapis.com/AttachedCluster methodTypes: - CREATE condition: \"CONDITION\" actionType: ACTION displayName: DISPLAY_NAME description: DESCRIPTION
Replace the following:
ORGANIZATION_ID
: your organization ID, such as123456789
.CONSTRAINT_NAME
: the name of your new custom constraint. A custom constraint must start withcustom.
, and can only include uppercase letters, lowercase letters, or numbers. For example,custom.allowClusterCreateIfAnnotationPresent
. The maximum length of this field is 70 characters, not counting the prefix, for example,organizations/123456789/customConstraints/custom
.CONDITION
: a condition that is written against a representation of an attached cluster resource. Conditions are written in Common Expression Language (CEL). This field has a maximum length of 1,000 characters. For example, condition:"key" in resource.annotations && resource.annotations.key == "created-by"
.ACTION
: the action to take if the condition is met. This can be eitherALLOW
orDENY
.DISPLAY_NAME
: a display name for the constraint. This field has a maximum length of 200 characters.DESCRIPTION
: a description of the constraint to display as an error message when the policy is violated, for example,"Allow new clusters only when certain annotations are set."
This field has a maximum length of 2,000 characters.
For more information about how to create a custom constraint, see Defining custom constraints.
Associate the constraint with your resources
After you have created the YAML file for a new custom constraint, you must set it up to make the constraint available for organization policies.
To set up a custom constraint, use the
gcloud org-policies set-custom-constraint
command:gcloud org-policies set-custom-constraint PATH_TO_FILE
Replace
PATH_TO_FILE
with the path of your custom constraint YAML definition.To verify that the custom constraint is created, use the
gcloud org-policies list-custom-constraints
command:gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
The output lists the created policies:
CUSTOM_CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent ACTION_TYPE: ALLOW METHOD_TYPES: CREATE RESOURCE_TYPES: gkemulticloud.googleapis.com/AttachedCluster DISPLAY_NAME: Allow new clusters only when certain annotations are set.
Enforce the custom constraint
To enforce the new custom constraint, create an organization policy that references the constraint, and then apply the organization policy.
Create a YAML file for the organization policy:
name: RESOURCE_HIERARCHY/policies/POLICY_NAME spec: rules: - enforce: true
Replace the following:
RESOURCE_HIERARCHY
: the location of the new policy, which affects the scope of enforcement. Use the Google Cloud resource hierarchy as a guide. For example, if you want to enforce the policy in a specific project, useprojects/
PROJECT_ID
. To enforce the policy in a specific organization, useorganizations/
ORGANIZATION_ID
.POLICY_NAME
: the name of the new policy.
Enforce the policy:
gcloud org-policies set-policy PATH_TO_POLICY
Replace
PATH_TO_POLICY
with the path to your policy definition file.Verify that the policy exists:
gcloud org-policies list --RESOURCE_FLAG=RESOURCE_ID
Replace the following:
RESOURCE_FLAG
: the Google Cloud resource where you enforced the policy. For example, a project or organization.RESOURCE_ID
: the ID of the resource where you enforced the policy. For example, your project ID or organization ID.
The output is similar to the following:
CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent LIST_POLICY: - BOOLEAN_POLICY: SET ETAG: CPjb27wGEOijhL4B-
Test the policy
Test the organization policy by registering an AKS cluster in a restricted project.
Register an AKS cluster in a restricted project.
gcloud container attached clusters register CLUSTER_NAME \ --location=GOOGLE_CLOUD_REGION \ --fleet-project=PROJECT_NUMBER \ --platform-version=PLATFORM_VERSION \ --distribution=aks \ --issuer-url=ISSUER_URL \ --context=KUBECONFIG_CONTEXT \ --kubeconfig=KUBECONFIG_PATH
The output is similar to the following:
ERROR: (gcloud.container.attached.clusters.register) FAILED_PRECONDITION: Operation denied by org policy on resource 'projects/PROJECT_NUMBER/locations/GOOGLE_CLOUD_REGION': ["customConstraints/custom.allowClusterCreateIfAnnotationPresent": "Allow new clusters only when certain annotations are set."] '@type': type.googleapis.com/google.rpc.ErrorInfo domain: googleapis.com metadata: customConstraints: customConstraints/custom.allowClusterCreateIfAnnotationPresent service: gkemulticloud.googleapis.com reason: CUSTOM_ORG_POLICY_VIOLATION