Create and manage custom constraints

This page shows you how to enable and use custom constraints within your GKE on AWS environment. Google Cloud's Organization Policy Service helps you manage resource configurations and create guardrails in your cloud environment.

Overview

With custom organization policies, you can create granular resource policies across GKE Multi-Cloud environments to meet your organization's specific security and compliance requirements. You can also create organization policies in dry-run mode to test new policies without affecting your production workloads.

To learn more about organization policies, see Introduction to the Organization Policy Service.

Before you begin

Before you start, make sure you understand the following topics.

Policy inheritance

By default, organization policies are inherited by the descendants of the resources on which you enforce the policy. For example, if you enforce a policy on an organization, Google Cloud enforces the policy on all projects in the organization. To learn more about policy inheritance and how to change evaluation rules, see Hierarchy evaluation rules.

Limitations

Before you create custom constraints, keep in mind the following limitations:

  • Custom constraints can only be enforced on the CREATE or UPDATE methods for GKE on AWS resources.
  • Newly enforced custom constraints don't automatically apply to existing resources. You must update existing resources to apply the constraint. To find existing resources that need to be updated, you can enforce a dry-run organization policy.
  • To create constraints and enforce organization policies, you need the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on your Google Cloud organization. For more information about the permissions required to manage organization policies with custom constraints, see Required roles.

Pricing

Organizational policies and custom constraints are offered at no charge.

Create custom constraints

Custom constraints must be specified by using the fields in the AwsCluster and AwsNodepool API resource specs, excluding fields that are described as "Output only".

Create a custom constraint

To create a new custom constraint, you define the constraint in a YAML file and apply the custom constraint in your organization using the Google Cloud CLI. This constraint must encapsulate the specific policy you want to enforce across your GKE on AWS resources.

Create a YAML file for defining a custom constraint on your cluster:

name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- gkemulticloud.googleapis.com/AwsCluster
methodTypes: 
- CREATE
condition: CONDITION
actionType: ACTION
displayName: DISPLAY_NAME
description: DESCRIPTION

To define a custom constraint on your node pool, use the following YAML configuration:

name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- gkemulticloud.googleapis.com/AwsNodePool
methodTypes:
- CREATE
condition: CONDITION
actionType: ACTION
displayName: DISPLAY_NAME
description: DESCRIPTION

Replace the following:

  • ORGANIZATION_ID : your organization ID, such as 123456789.

  • CONSTRAINT_NAME : the name of your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers. For example, custom.allowClusterCreateIfAnnotationPresent. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom.

  • CONDITION : a condition that is written against a representation of a Google Cloud resource. Conditions are written in Common Expression Language (CEL). This field has a maximum length of 1,000 characters. For example, condition: "key" in resource.annotations && resource.annotations.key == "created-by".

  • ACTION : the action to take if the condition is met. This can be either ALLOW or DENY.

  • DISPLAY_NAME : a display name for the constraint. This field has a maximum length of 200 characters.

  • DESCRIPTION : a description of the constraint to display as an error message when the policy is violated, for example, "Allow new clusters only when certain annotations are set." This field has a maximum length of 2,000 characters.

For more information about how to create a custom constraint, see Defining custom constraints.

Associate the constraint with your resources

After you have created the YAML file for a new custom constraint, you must set it up to make the constraint available for organization policies.

  1. To set up a custom constraint, use the gcloud org-policies set-custom-constraint command:

    gcloud org-policies set-custom-constraint PATH_TO_FILE
    

    Replace PATH_TO_FILE with the path of your custom constraint YAML definition.

  2. To verify that the custom constraint is created, use the gcloud org-policies list-custom-constraints command:

    gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
    

    The output lists the created policies:

    CUSTOM_CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent
    ACTION_TYPE: ALLOW
    METHOD_TYPES: CREATE
    RESOURCE_TYPES: gkemulticloud.googleapis.com/AwsCluster
    DISPLAY_NAME: Allow new clusters only when certain annotations are set.
    

Enforce the custom constraint

To enforce the new custom constraint, create an organization policy that references the constraint, and then apply the organization policy.

  1. Create a YAML file for the organization policy:

    name: RESOURCE_HIERARCHY/policies/POLICY_NAME
    spec:
      rules:
      - enforce: true
    

    Replace the following:

    • RESOURCE_HIERARCHY: the location of the new policy, which affects the scope of enforcement. Use the Google Cloud resource hierarchy as a guide. For example, if you want to enforce the policy in a specific project, use projects/PROJECT_ID. To enforce the policy in a specific organization, use organizations/ORGANIZATION_ID.

    • POLICY_NAME: the name of the new policy.

  2. Enforce the policy:

    gcloud org-policies set-policy PATH_TO_POLICY
    

    Replace PATH_TO_POLICY with the path to your policy definition file.

  3. Verify that the policy exists:

    gcloud org-policies list --RESOURCE_FLAG=RESOURCE_ID
    

    Replace the following:

    • RESOURCE_FLAG: the Google Cloud resource where you enforced the policy. For example, a project or organization.

    • RESOURCE_ID: the ID of the resource where you enforced the policy. For example, your project ID or organization ID.

    The output is similar to the following:

    CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent
    LIST_POLICY: -
    BOOLEAN_POLICY: SET
    ETAG: CPjb27wGEOijhL4B-
    

Test the policy

Test the organization policy by creating a new AWS cluster in a restricted project.

  1. Create an AWS cluster in a restricted project.

    gcloud container aws clusters create CLUSTER_NAME \
      --aws-region AWS_REGION \
      --location GOOGLE_CLOUD_LOCATION \
      --cluster-version CLUSTER_VERSION \
      --fleet-project FLEET_PROJECT \
      --vpc-id VPC_ID \
      --subnet-ids CONTROL_PLANE_SUBNET_1,CONTROL_PLANE_SUBNET_2,CONTROL_PLANE_SUBNET_3 \
      --pod-address-cidr-blocks POD_ADDRESS_CIDR_BLOCKS \
      --service-address-cidr-blocks SERVICE_ADDRESS_CIDR_BLOCKS \
      --role-arn API_ROLE_ARN \
      --database-encryption-kms-key-arn DB_KMS_KEY_ARN \
      --admin-users ADMIN_USERS_LIST \
      --config-encryption-kms-key-arn CONFIG_KMS_KEY_ARN \
      --iam-instance-profile CONTROL_PLANE_PROFILE \
      --tags "Name=CLUSTER_NAME-cp"
    
  2. The output is similar to the following:

    FAILED_PRECONDITION: Operation denied by org policy on resource 'projects/PROJECT_NUMBER/locations/GOOGLE_CLOUD_REGION': ["customConstraints/custom.allowClusterCreateIfAnnotationPresent": "Allow new clusters only when certain annotations are set."]
    
    '@type': type.googleapis.com/google.rpc.ErrorInfo
    domain: googleapis.com
    metadata:
      customConstraints: customConstraints/custom.allowClusterCreateIfAnnotationPresent
    service: gkemulticloud.googleapis.com
    reason: CUSTOM_ORG_POLICY_VIOLATION