Create and manage custom constraints

This page shows you how to enable and use custom constraints within your GKE attached clusters environment. Google Cloud's Organization Policy Service helps you manage resource configurations and create guardrails in your cloud environment.

Overview

With custom organization policies, you can create granular resource policies across GKE Multi-Cloud environments to meet your organization's specific security and compliance requirements. You can also create organization policies in dry-run mode to test new policies without affecting your production workloads.

To learn more about organization policies, see Introduction to the Organization Policy Service.

Before you begin

Before you start, make sure you understand the following topics:

Policy inheritance

By default, organization policies are inherited by the descendants of the resources on which you enforce the policy. For example, if you enforce a policy on an organization, Google Cloud enforces the policy on all projects in the organization. To learn more about policy inheritance and how to change evaluation rules, see Hierarchy evaluation rules.

Limitations

Before you create custom constraints, keep in mind the following limitations:

• Custom constraints can only be enforced on the CREATE or UPDATE methods for GKE attached clusters resources.
• Newly enforced custom constraints don't automatically apply to existing resources. You must update existing resources to apply the constraint. To find existing resources that need to be updated, you can enforce a dry-run organization policy.
• To create constraints and enforce organization policies, you need the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on your Google Cloud organization. For more information about the permissions required to manage organization policies with custom constraints, see Required roles.

Pricing

Organizational policies and custom constraints are offered at no charge.

Create custom constraints

Custom constraints must be specified by using the fields in the AttachedCluster API resource spec, excluding fields that are described as "Output only".

Create a custom constraint

To create a new custom constraint, you define the constraint in a YAML file and apply the custom constraint in your organization using the Google Cloud CLI. This constraint must encapsulate the specific policy you want to enforce across your GKE attached clusters resources.

1. Create a YAML file for the custom constraint:

   name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
   resourceTypes:
   - gkemulticloud.googleapis.com/AttachedCluster
   methodTypes: 
   - CREATE
   condition: \"CONDITION\"
   actionType: ACTION
   displayName: DISPLAY_NAME
   description: DESCRIPTION
   

   Replace the following:

   • ORGANIZATION_ID : your organization ID, such as 123456789.

   • CONSTRAINT_NAME : the name of your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers. For example, custom.allowClusterCreateIfAnnotationPresent. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom.

   • CONDITION : a condition that is written against a representation of an attached cluster resource. Conditions are written in Common Expression Language (CEL). This field has a maximum length of 1,000 characters. For example, condition: "key" in resource.annotations && resource.annotations.key == "created-by".

   • ACTION : the action to take if the condition is met. This can be either ALLOW or DENY.

   • DISPLAY_NAME : a display name for the constraint. This field has a maximum length of 200 characters.

   • DESCRIPTION : a description of the constraint to display as an error message when the policy is violated, for example, "Allow new clusters only when certain annotations are set." This field has a maximum length of 2,000 characters.

   For more information about how to create a custom constraint, see Defining custom constraints.

Associate the constraint with your resources

After you have created the YAML file for a new custom constraint, you must set it up to make the constraint available for organization policies.

1. To set up a custom constraint, use the gcloud org-policies set-custom-constraint command:

   gcloud org-policies set-custom-constraint PATH_TO_FILE
   

   Replace PATH_TO_FILE with the path of your custom constraint YAML definition.

2. To verify that the custom constraint is created, use the gcloud org-policies list-custom-constraints command:

   gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
   

   The output lists the created policies:

   CUSTOM_CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent
   ACTION_TYPE: ALLOW
   METHOD_TYPES: CREATE
   RESOURCE_TYPES: gkemulticloud.googleapis.com/AttachedCluster
   DISPLAY_NAME: Allow new clusters only when certain annotations are set.
   

Enforce the custom constraint

To enforce the new custom constraint, create an organization policy that references the constraint, and then apply the organization policy.

1. Create a YAML file for the organization policy:

   name: RESOURCE_HIERARCHY/policies/POLICY_NAME
   spec:
     rules:
     - enforce: true
   

   Replace the following:

   • RESOURCE_HIERARCHY: the location of the new policy, which affects the scope of enforcement. Use the Google Cloud resource hierarchy as a guide. For example, if you want to enforce the policy in a specific project, use projects/PROJECT_ID. To enforce the policy in a specific organization, use organizations/ORGANIZATION_ID.

   • POLICY_NAME: the name of the new policy.

2. Enforce the policy:

   gcloud org-policies set-policy PATH_TO_POLICY
   

   Replace PATH_TO_POLICY with the path to your policy definition file.

3. Verify that the policy exists:

   gcloud org-policies list --RESOURCE_FLAG=RESOURCE_ID
   

   Replace the following:

   • RESOURCE_FLAG: the Google Cloud resource where you enforced the policy. For example, a project or organization.

   • RESOURCE_ID: the ID of the resource where you enforced the policy. For example, your project ID or organization ID.

   The output is similar to the following:

   CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent
   LIST_POLICY: -
   BOOLEAN_POLICY: SET
   ETAG: CPjb27wGEOijhL4B-
   

Test the policy

Test the organization policy by registering an AKS cluster in a restricted project.

1. Register an AKS cluster in a restricted project.

   gcloud container attached clusters register CLUSTER_NAME \
     --location=GOOGLE_CLOUD_REGION \
     --fleet-project=PROJECT_NUMBER \
     --platform-version=PLATFORM_VERSION \
     --distribution=aks \
     --issuer-url=ISSUER_URL \
     --context=KUBECONFIG_CONTEXT \
     --kubeconfig=KUBECONFIG_PATH
   
   

2. The output is similar to the following:

   ERROR: (gcloud.container.attached.clusters.register) FAILED_PRECONDITION: Operation denied by org policy on resource 'projects/PROJECT_NUMBER/locations/GOOGLE_CLOUD_REGION': ["customConstraints/custom.allowClusterCreateIfAnnotationPresent": "Allow new clusters only when certain annotations are set."]
   
   '@type': type.googleapis.com/google.rpc.ErrorInfo
   domain: googleapis.com
   metadata:
     customConstraints: customConstraints/custom.allowClusterCreateIfAnnotationPresent
   service: gkemulticloud.googleapis.com
   reason: CUSTOM_ORG_POLICY_VIOLATION