Google Cloud 组织政策可让您以编程方式集中控制组织的资源。作为组织政策管理员,您可以定义组织政策,这是一组称为限制条件的限制,会应用于 Google Cloud 资源层次结构中的 Google Cloud 资源及其后代。您可以在组织、文件夹或项目级强制执行组织政策。
组织政策为各种 Google Cloud 服务提供预定义限制条件。但是,如果您想要更精细地控制和自定义组织政策中受限的特定字段,还可以创建自定义限制条件并在自定义组织政策中使用这些自定义限制条件。
以下负载均衡组件支持自定义约束条件:
优势
- 费用管理:使用自定义组织政策限制健康检查探测频率。
安全、合规性和治理:您可以使用自定义组织政策强制执行政策。例如:
- 强制使用特定的健康检查协议或端口范围
- 禁止使用特定后端流量协议
- 若要要求后端存储分区启用 Cloud CDN,请执行以下操作:
- 要求转发规则使用特定的 Network Service Tiers
Cloud Load Balancing 支持的资源
对于 Cloud Load Balancing,您可以对以下资源和字段设置自定义约束条件。
后端存储分区
后端存储分区:compute.googleapis.com/BackendBucket
resource.name
resource.description
resource.bucketName
resource.enableCdn
resource.cdnPolicy
resource.cdnPolicy.bypassCacheOnRequestHeaders
resource.cdnPolicy.bypassCacheOnRequestHeaders.headerName
resource.cdnPolicy.cacheKeyPolicy
resource.cdnPolicy.cacheKeyPolicy.includeHttpHeaders
resource.cdnPolicy.cacheKeyPolicy.queryStringWhitelist
resource.cdnPolicy.signedUrlCacheMaxAgeSec
resource.compressionMode
resource.customResponseHeaders
后端服务
后端服务:compute.googleapis.com/BackendService
resource.name
resource.description
resource.port
resource.portName
resource.protocol
resource.backends
resource.backends.balancingMode
resource.backends.capacityScaler
resource.backends.description
resource.backends.failover
resource.backends.maxConnections
resource.backends.maxConnectionsPerEndpoint
resource.backends.maxConnectionsPerInstance
resource.backends.maxRate
resource.backends.maxRatePerEndpoint
resource.backends.maxRatePerInstance
resource.backends.maxUtilization
resource.backends.preference
resource.enableCDN
resource.cdnPolicy
resource.cdnPolicy.bypassCacheOnRequestHeaders
resource.cdnPolicy.bypassCacheOnRequestHeaders.headerName
resource.cdnPolicy.cacheKeyPolicy
resource.cdnPolicy.cacheKeyPolicy.includeHost
resource.cdnPolicy.cacheKeyPolicy.includeHttpHeaders
resource.cdnPolicy.cacheKeyPolicy.includeNamedCookies
resource.cdnPolicy.cacheKeyPolicy.includeProtocol
resource.cdnPolicy.cacheKeyPolicy.includeQueryString
resource.cdnPolicy.cacheKeyPolicy.queryStringBlacklist
resource.cdnPolicy.cacheKeyPolicy.queryStringWhitelist
resource.cdnPolicy.cacheMode
resource.cdnPolicy.clientTtl
resource.cdnPolicy.defaultTtl
resource.cdnPolicy.maxTtl
resource.cdnPolicy.negativeCaching
resource.cdnPolicy.negativeCachingPolicy
resource.cdnPolicy.negativeCachingPolicy.code
resource.cdnPolicy.negativeCachingPolicy.ttl
resource.cdnPolicy.requestCoalescing
resource.cdnPolicy.serveWhileStale
resource.cdnPolicy.signedUrlCacheMaxAgeSec
resource.circuitBreakers
resource.circuitBreakers.maxConnections
resource.circuitBreakers.maxPendingRequests
resource.circuitBreakers.maxRequests
resource.circuitBreakers.maxRequestsPerConnection
resource.circuitBreakers.maxRetries
resource.compressionMode
resource.connectionDraining
resource.connectionDraining.drainingTimeoutSec
resource.connectionTrackingPolicy
resource.connectionTrackingPolicy.connectionPersistenceOnUnhealthyBackends
resource.connectionTrackingPolicy.enableStrongAffinity
resource.connectionTrackingPolicy.idleTimeoutSec
resource.connectionTrackingPolicy.trackingMode
resource.consistentHash
resource.consistentHash.httpCookie
resource.consistentHash.httpCookie.name
resource.consistentHash.httpCookie.path
resource.consistentHash.httpCookie.ttl
resource.consistentHash.httpCookie.ttl.nanos
resource.consistentHash.httpCookie.ttl.seconds
resource.consistentHash.minimumRingSize
resource.customRequestHeaders
resource.customResponseHeaders
resource.affinityCookieTtlSec
resource.failoverPolicy
resource.failoverPolicy.disableConnectionDrainOnFailover
resource.failoverPolicy.dropTrafficIfUnhealthy
resource.failoverPolicy.failoverRatio
resource.iap
resource.iap.enabled
resource.iap.oauth2ClientId
resource.ipAddressSelectionPolicy
resource.loadBalancingScheme
resource.localityLbPolicies
resource.localityLbPolicies.customPolicy
resource.localityLbPolicies.customPolicy.data
resource.localityLbPolicies.customPolicy.name
resource.localityLbPolicies.policy
resource.localityLbPolicies.policy.name
resource.logConfig
resource.logConfig.enable
resource.logConfig.optionalFields
resource.logConfig.optionalMode
resource.logConfig.sampleRate
resource.maxStreamDuration
resource.maxStreamDuration.nanos
resource.maxStreamDuration.seconds
resource.outlierDetection
resource.outlierDetection.baseEjectionTime
resource.outlierDetection.baseEjectionTime.nanos
resource.outlierDetection.baseEjectionTime.seconds
resource.outlierDetection.consecutiveGatewayFailure
resource.outlierDetection.enforcingConsecutiveErrors
resource.outlierDetection.enforcingConsecutiveGatewayFailure
resource.outlierDetection.enforcingSuccessRate
resource.outlierDetection.maxEjectionPercent
resource.outlierDetection.successRateMinimumHosts
resource.outlierDetection.successRateRequestVolume
resource.outlierDetection.successRateStdevFactor
resource.securitySettings
resource.securitySettings.awsV4Authentication
resource.securitySettings.awsV4Authentication.accessKeyId
resource.securitySettings.awsV4Authentication.accessKeyVersion
resource.securitySettings.subjectAltNames
resource.sessionAffinity
resource.subsetting
resource.subsetting.policy
resource.timeoutSec
resource.strongSessionAffinityCookie
resource.strongSessionAffinityCookie.name
resource.strongSessionAffinityCookie.path
resource.strongSessionAffinityCookie.ttl
resource.strongSessionAffinityCookie.ttl.nanos
resource.strongSessionAffinityCookie.ttl.seconds
转发规则
转发规则:compute.googleapis.com/ForwardingRule
resource.name
resource.description
resource.allowGlobalAccess
resource.allowPscGlobalAccess
resource.allPorts
resource.IPProtocol
resource.ipVersion
resource.isMirroringCollector
resource.loadBalancingScheme
resource.metadataFilters
resource.metadataFilters.filterLabels
resource.metadataFilters.filterLabels.name
resource.metadataFilters.filterLabels.value
resource.metadataFilters.filterMatchCriteria
resource.networkTier
resource.noAutomateDnsZone
resource.portRange
resource.ports
resource.serviceDirectoryRegistrations
resource.serviceDirectoryRegistrations.namespace
resource.serviceDirectoryRegistrations.service
resource.serviceDirectoryRegistrations.serviceDirectoryRegion
resource.serviceLabel
resource.sourceIpRanges
健康检查
健康检查:compute.googleapis.com/HealthCheck
resource.name
resource.description
resource.checkIntervalSec
resource.timeoutSec
resource.unhealthyThreshold
resource.healthyThreshold
resource.type
- TCP 健康检查:
resource.tcpHealthCheck.port
resource.tcpHealthCheck.request
resource.tcpHealthCheck.response
resource.tcpHealthCheck.proxyHeader
resource.tcpHealthCheck.portSpecification
- SSL 健康检查:
resource.sslHealthCheck.port
resource.sslHealthCheck.request
resource.sslHealthCheck.response
resource.sslHealthCheck.proxyHeader
resource.sslHealthCheck.portSpecification
- HTTP 健康检查:
resource.httpHealthCheck.port
resource.httpHealthCheck.host
resource.httpHealthCheck.requestPath
resource.httpHealthCheck.proxyHeader
resource.httpHealthCheck.response
resource.httpHealthCheck.portSpecification
- HTTPS 健康检查:
resource.httpsHealthCheck.port
resource.httpsHealthCheck.host
resource.httpsHealthCheck.requestPath
resource.httpsHealthCheck.proxyHeader
resource.httpsHealthCheck.response
resource.httpsHealthCheck.portSpecification
- HTTP/2 健康检查:
resource.http2HealthCheck.port
resource.http2HealthCheck.host
resource.http2HealthCheck.requestPath
resource.http2HealthCheck.proxyHeader
resource.http2HealthCheck.response
resource.http2HealthCheck.portSpecification
- gRPC 健康检查:
resource.grpcHealthCheck.port
resource.grpcHealthCheck.grpcServiceName
resource.grpcHealthCheck.portSpecification
resource.sourceRegions
resource.logConfig
resource.logConfig.enable
目标代理
目标 TCP 代理:compute.googleapis.com/TargetTcpProxy
resource.name
resource.description
resource.proxyBind
resource.proxyHeader
目标 SSL 代理:compute.googleapis.com/TargetSslProxy
resource.name
resource.description
resource.proxyHeader
目标 HTTP 代理:compute.googleapis.com/TargetHttpProxy
resource.name
resource.description
resource.proxyBind
resource.httpKeepAliveTimeoutSec
目标 HTTPS 代理:compute.googleapis.com/TargetHttpsProxy
resource.name
resource.description
resource.proxyBind
resource.httpKeepAliveTimeoutSec
resource.quicOverride
resource.tlsEarlyData
目标 gRPC 代理:compute.googleapis.com/TargetGrpcProxy
resource.name
resource.description
resource.validateForProxyless
网址映射
网址映射:compute.googleapis.com/UrlMap
resource.name
resource.description
resource.defaultCustomErrorResponsePolicy
resource.defaultCustomErrorResponsePolicy.errorResponseRules
resource.defaultCustomErrorResponsePolicy.errorResponseRules.matchResponseCodes
resource.defaultCustomErrorResponsePolicy.errorResponseRules.overrideResponseCode
resource.defaultCustomErrorResponsePolicy.errorResponseRules.path
resource.defaultRouteAction
resource.defaultRouteAction.corsPolicy
resource.defaultRouteAction.corsPolicy.allowCredentials
resource.defaultRouteAction.corsPolicy.allowHeaders
resource.defaultRouteAction.corsPolicy.allowMethods
resource.defaultRouteAction.corsPolicy.allowOrigins
resource.defaultRouteAction.corsPolicy.allowOriginRegexes
resource.defaultRouteAction.corsPolicy.disabled
resource.defaultRouteAction.corsPolicy.exposeHeaders
resource.defaultRouteAction.corsPolicy.maxAge
resource.defaultRouteAction.faultInjectionPolicy
resource.defaultRouteAction.faultInjectionPolicy.abort
resource.defaultRouteAction.faultInjectionPolicy.abort.httpStatus
resource.defaultRouteAction.faultInjectionPolicy.abort.percentage
resource.defaultRouteAction.faultInjectionPolicy.delay
resource.defaultRouteAction.faultInjectionPolicy.delay.percentage
resource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay
resource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.nanos
resource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.defaultRouteAction.maxStreamDuration
resource.defaultRouteAction.maxStreamDuration.nanos
resource.defaultRouteAction.maxStreamDuration.seconds
resource.defaultRouteAction.requestMirrorPolicy
resource.defaultRouteAction.retryPolicy
resource.defaultRouteAction.retryPolicy.numRetries
resource.defaultRouteAction.retryPolicy.perTryTimeout
resource.defaultRouteAction.retryPolicy.perTryTimeout.nanos
resource.defaultRouteAction.retryPolicy.perTryTimeout.seconds
resource.defaultRouteAction.retryPolicy.retryConditions
resource.defaultRouteAction.timeout
resource.defaultRouteAction.timeout.nanos
resource.defaultRouteAction.timeout.seconds
resource.defaultRouteAction.urlRewrite
resource.defaultRouteAction.urlRewrite.hostRewrite
resource.defaultRouteAction.urlRewrite.pathPrefixRewrite
resource.defaultRouteAction.urlRewrite.pathTemplateRewrite
resource.defaultRouteAction.weightedBackendServices
resource.defaultRouteAction.weightedBackendServices.headerAction
resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd
resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToRemove
resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd
resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToRemove
resource.defaultRouteAction.weightedBackendServices.weight
resource.defaultUrlRedirect
resource.defaultUrlRedirect.hostRedirect
resource.defaultUrlRedirect.httpsRedirect
resource.defaultUrlRedirect.pathRedirect
resource.defaultUrlRedirect.prefixRedirect
resource.defaultUrlRedirect.redirectResponseCode
resource.defaultUrlRedirect.stripQuery
resource.headerAction
resource.headerAction.requestHeadersToAdd
resource.headerAction.requestHeadersToAdd.headerName
resource.headerAction.requestHeadersToAdd.headerValue
resource.headerAction.requestHeadersToAdd.replace
resource.headerAction.requestHeadersToRemove
resource.headerAction.responseHeadersToAdd
resource.headerAction.responseHeadersToAdd.headerName
resource.headerAction.responseHeadersToAdd.headerValue
resource.headerAction.responseHeadersToAdd.replace
resource.headerAction.responseHeadersToRemove
resource.hostRules
resource.hostRules.description
resource.hostRules.hosts
resource.hostRules.pathMatcher
resource.pathMatchers
resource.pathMatchers.name
resource.pathMatchers.description
resource.pathMatchers.defaultCustomErrorResponsePolicy
resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules
resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.matchResponseCodes
resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.overrideResponseCode
resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.path
resource.pathMatchers.defaultRouteAction
resource.pathMatchers.defaultRouteAction.corsPolicy
resource.pathMatchers.defaultRouteAction.corsPolicy.allowCredentials
resource.pathMatchers.defaultRouteAction.corsPolicy.allowHeaders
resource.pathMatchers.defaultRouteAction.corsPolicy.allowMethods
resource.pathMatchers.defaultRouteAction.corsPolicy.allowOrigins
resource.pathMatchers.defaultRouteAction.corsPolicy.allowOriginRegexes
resource.pathMatchers.defaultRouteAction.corsPolicy.disabled
resource.pathMatchers.defaultRouteAction.corsPolicy.exposeHeaders
resource.pathMatchers.defaultRouteAction.corsPolicy.maxAge
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort.httpStatus
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort.percentage
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.percentage
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.nanos
resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.pathMatchers.defaultRouteAction.maxStreamDuration
resource.pathMatchers.defaultRouteAction.maxStreamDuration.nanos
resource.pathMatchers.defaultRouteAction.maxStreamDuration.seconds
resource.pathMatchers.defaultRouteAction.requestMirrorPolicy
resource.pathMatchers.defaultRouteAction.retryPolicy
resource.pathMatchers.defaultRouteAction.retryPolicy.numRetries
resource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout
resource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout.nanos
resource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout.seconds
resource.pathMatchers.defaultRouteAction.retryPolicy.retryConditions
resource.pathMatchers.defaultRouteAction.timeout
resource.pathMatchers.defaultRouteAction.timeout.nanos
resource.pathMatchers.defaultRouteAction.timeout.seconds
resource.pathMatchers.defaultRouteAction.urlRewrite
resource.pathMatchers.defaultRouteAction.urlRewrite.hostRewrite
resource.pathMatchers.defaultRouteAction.urlRewrite.pathPrefixRewrite
resource.pathMatchers.defaultRouteAction.urlRewrite.pathTemplateRewrite
resource.pathMatchers.defaultRouteAction.weightedBackendServices
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToRemove
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToRemove
resource.pathMatchers.defaultRouteAction.weightedBackendServices.weight
resource.pathMatchers.defaultUrlRedirect
resource.pathMatchers.defaultUrlRedirect.hostRedirect
resource.pathMatchers.defaultUrlRedirect.httpsRedirect
resource.pathMatchers.defaultUrlRedirect.pathRedirect
resource.pathMatchers.defaultUrlRedirect.prefixRedirect
resource.pathMatchers.defaultUrlRedirect.redirectResponseCode
resource.pathMatchers.defaultUrlRedirect.stripQuery
resource.pathMatchers.headerAction
resource.pathMatchers.headerAction.requestHeadersToAdd
resource.pathMatchers.headerAction.requestHeadersToAdd.headerName
resource.pathMatchers.headerAction.requestHeadersToAdd.headerValue
resource.pathMatchers.headerAction.requestHeadersToAdd.replace
resource.pathMatchers.headerAction.requestHeadersToRemove
resource.pathMatchers.headerAction.responseHeadersToAdd
resource.pathMatchers.headerAction.responseHeadersToAdd.headerName
resource.pathMatchers.headerAction.responseHeadersToAdd.headerValue
resource.pathMatchers.headerAction.responseHeadersToAdd.replace
resource.pathMatchers.headerAction.responseHeadersToRemove
resource.pathMatchers.pathRules
resource.pathMatchers.pathRules.paths
resource.pathMatchers.pathRules.customErrorResponsePolicy
resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules
resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.matchResponseCodes
resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.overrideResponseCode
resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.path
resource.pathMatchers.pathRules.routeAction
resource.pathMatchers.pathRules.routeAction.corsPolicy
resource.pathMatchers.pathRules.routeAction.corsPolicy.allowCredentials
resource.pathMatchers.pathRules.routeAction.corsPolicy.allowHeaders
resource.pathMatchers.pathRules.routeAction.corsPolicy.allowMethods
resource.pathMatchers.pathRules.routeAction.corsPolicy.allowOrigins
resource.pathMatchers.pathRules.routeAction.corsPolicy.allowOriginRegexes
resource.pathMatchers.pathRules.routeAction.corsPolicy.disabled
resource.pathMatchers.pathRules.routeAction.corsPolicy.exposeHeaders
resource.pathMatchers.pathRules.routeAction.corsPolicy.maxAge
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort.httpStatus
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort.percentage
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.percentage
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay.nanos
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.pathMatchers.pathRules.routeAction.maxStreamDuration
resource.pathMatchers.pathRules.routeAction.maxStreamDuration.nanos
resource.pathMatchers.pathRules.routeAction.maxStreamDuration.seconds
resource.pathMatchers.pathRules.routeAction.requestMirrorPolicy
resource.pathMatchers.pathRules.routeAction.retryPolicy
resource.pathMatchers.pathRules.routeAction.retryPolicy.numRetries
resource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout
resource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout.nanos
resource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout.seconds
resource.pathMatchers.pathRules.routeAction.retryPolicy.retryConditions
resource.pathMatchers.pathRules.routeAction.timeout
resource.pathMatchers.pathRules.routeAction.timeout.nanos
resource.pathMatchers.pathRules.routeAction.timeout.seconds
resource.pathMatchers.pathRules.routeAction.urlRewrite
resource.pathMatchers.pathRules.routeAction.urlRewrite.hostRewrite
resource.pathMatchers.pathRules.routeAction.urlRewrite.pathPrefixRewrite
resource.pathMatchers.pathRules.routeAction.urlRewrite.pathTemplateRewrite
resource.pathMatchers.pathRules.routeAction.weightedBackendServices
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToRemove
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToRemove
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.weight
resource.pathMatchers.pathRules.urlRedirect
resource.pathMatchers.pathRules.urlRedirect.hostRedirect
resource.pathMatchers.pathRules.urlRedirect.httpsRedirect
resource.pathMatchers.pathRules.urlRedirect.pathRedirect
resource.pathMatchers.pathRules.urlRedirect.prefixRedirect
resource.pathMatchers.pathRules.urlRedirect.redirectResponseCode
resource.pathMatchers.pathRules.urlRedirect.stripQuery
resource.pathMatchers.routeRules
resource.pathMatchers.routeRules.description
resource.pathMatchers.routeRules.priority
resource.pathMatchers.routeRules.customErrorResponsePolicy
resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules
resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.matchResponseCodes
resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.overrideResponseCode
resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.path
resource.pathMatchers.routeRules.headerAction
resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd
resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.headerName
resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.headerValue
resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.replace
resource.pathMatchers.routeRules.headerAction.requestHeadersToRemove
resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd
resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.headerName
resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.headerValue
resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.replace
resource.pathMatchers.routeRules.headerAction.responseHeadersToRemove
resource.pathMatchers.routeRules.matchRules
resource.pathMatchers.routeRules.matchRules.fullPathMatch
resource.pathMatchers.routeRules.matchRules.headerMatches
resource.pathMatchers.routeRules.matchRules.headerMatches.exactMatch
resource.pathMatchers.routeRules.matchRules.headerMatches.headerName
resource.pathMatchers.routeRules.matchRules.headerMatches.invertMatch
resource.pathMatchers.routeRules.matchRules.headerMatches.prefixMatch
resource.pathMatchers.routeRules.matchRules.headerMatches.presentMatch
resource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch
resource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch.rangeStart
resource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch.rangeEnd
resource.pathMatchers.routeRules.matchRules.headerMatches.regexMatch
resource.pathMatchers.routeRules.matchRules.headerMatches.suffixMatch
resource.pathMatchers.routeRules.matchRules.ignoreCase
resource.pathMatchers.routeRules.matchRules.metadataFilters
resource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels
resource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels.name
resource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels.value
resource.pathMatchers.routeRules.matchRules.metadataFilters.filterMatchCriteria
resource.pathMatchers.routeRules.matchRules.pathTemplateMatch
resource.pathMatchers.routeRules.matchRules.prefixMatch
resource.pathMatchers.routeRules.matchRules.queryParameterMatches
resource.pathMatchers.routeRules.matchRules.queryParameterMatches.name
resource.pathMatchers.routeRules.matchRules.queryParameterMatches.exactMatch
resource.pathMatchers.routeRules.matchRules.queryParameterMatches.presentMatch
resource.pathMatchers.routeRules.matchRules.queryParameterMatches.regexMatch
resource.pathMatchers.routeRules.matchRules.regexMatch
resource.pathMatchers.routeRules.routeAction
resource.pathMatchers.routeRules.routeAction.corsPolicy
resource.pathMatchers.routeRules.routeAction.corsPolicy.allowCredentials
resource.pathMatchers.routeRules.routeAction.corsPolicy.allowHeaders
resource.pathMatchers.routeRules.routeAction.corsPolicy.allowMethods
resource.pathMatchers.routeRules.routeAction.corsPolicy.allowOrigins
resource.pathMatchers.routeRules.routeAction.corsPolicy.allowOriginRegexes
resource.pathMatchers.routeRules.routeAction.corsPolicy.disabled
resource.pathMatchers.routeRules.routeAction.corsPolicy.exposeHeaders
resource.pathMatchers.routeRules.routeAction.corsPolicy.maxAge
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort.httpStatus
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort.percentage
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.percentage
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay.nanos
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.pathMatchers.routeRules.routeAction.maxStreamDuration
resource.pathMatchers.routeRules.routeAction.maxStreamDuration.nanos
resource.pathMatchers.routeRules.routeAction.maxStreamDuration.seconds
resource.pathMatchers.routeRules.routeAction.requestMirrorPolicy
resource.pathMatchers.routeRules.routeAction.retryPolicy
resource.pathMatchers.routeRules.routeAction.retryPolicy.numRetries
resource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout
resource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout.nanos
resource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout.seconds
resource.pathMatchers.routeRules.routeAction.retryPolicy.retryConditions
resource.pathMatchers.routeRules.routeAction.timeout
resource.pathMatchers.routeRules.routeAction.timeout.nanos
resource.pathMatchers.routeRules.routeAction.timeout.seconds
resource.pathMatchers.routeRules.routeAction.urlRewrite
resource.pathMatchers.routeRules.routeAction.urlRewrite.hostRewrite
resource.pathMatchers.routeRules.routeAction.urlRewrite.pathPrefixRewrite
resource.pathMatchers.routeRules.routeAction.urlRewrite.pathTemplateRewrite
resource.pathMatchers.routeRules.routeAction.weightedBackendServices
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToRemove
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToRemove
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.weight
resource.pathMatchers.routeRules.urlRedirect
resource.pathMatchers.routeRules.urlRedirect.hostRedirect
resource.pathMatchers.routeRules.urlRedirect.httpsRedirect
resource.pathMatchers.routeRules.urlRedirect.pathRedirect
resource.pathMatchers.routeRules.urlRedirect.prefixRedirect
resource.pathMatchers.routeRules.urlRedirect.redirectResponseCode
resource.pathMatchers.routeRules.urlRedirect.stripQuery
resource.tests
resource.tests.description
resource.tests.expectedOutputUrl
resource.tests.expectedRedirectResponseCode
resource.tests.headers
resource.tests.headers.name
resource.tests.headers.value
resource.tests.host
resource.tests.path
SSL 政策
SSL 政策:compute.googleapis.com/SslPolicy
resource.profile
resource.name
resource.description
resource.minTlsVersion
resource.customFeatures
目标实例
目标实例:compute.googleapis.com/TargetInstance
resource.name
resource.description
resource.natPolicy
目标池
目标池:compute.googleapis.com/TargetPool
resource.name
resource.description
resource.sessionAffinity
resource.failoverRatio
如需了解其他受支持的计算资源,请参阅 Compute Engine 自定义约束条件页面了解详情。
政策继承
如果您对资源强制执行政策,默认情况下,该资源的后代会继承组织政策。例如,如果您对某个文件夹强制执行一项政策,Google Cloud 会对该文件夹中的所有项目强制执行该政策。如需详细了解此行为及其更改方式,请参阅层次结构评估规则。
准备工作
-
如果您尚未设置身份验证,请进行设置。身份验证是通过其进行身份验证以访问 Google Cloud 服务和 API 的过程。如需从本地开发环境运行代码或示例,您可以选择以下任一选项向 Compute Engine 进行身份验证:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
-
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
- Set a default region and zone.
- 请确保您知道您的组织 ID。
-
组织资源类型的 Organization Policy Administrator (
roles/orgpolicy.policyAdmin
) -
测试负载均衡资源的限制条件:项目资源的 Compute Load Balancer Admin (v1) (
roles/compute.loadBalancerAdmin.v1
) -
orgpolicy.constraints.list
-
orgpolicy.policies.create
-
orgpolicy.policies.delete
-
orgpolicy.policies.list
-
orgpolicy.policies.update
-
orgpolicy.policy.get
-
orgpolicy.policy.set
在 Google Cloud 控制台中,转到组织政策页面。
选择页面顶部的项目选择器。
在选择资源窗口中,选择要为哪个组织创建自定义限制条件。
点击
自定义限制条件。在显示名称框中,为限制条件输入一个易记的名称。此字段的最大长度为 200 个字符。 请勿在限制条件名称中使用 PII 或敏感数据,因为这些可能会在错误消息中公开。
在限制条件 ID 框中,为新的自定义限制条件输入所需的名称。自定义限制条件必须以
custom.
开头,只能包含大写字母、小写字母或数字,例如custom.enforceTCPHealthCheckPort1024
。该字段的长度上限为 70 个字符,不计算前缀(例如organizations/123456789/customConstraints/custom.
)。在说明框中,输入直观易懂的限制条件说明,在违反政策时此说明内容会以错误消息的形式显示。此字段的最大长度为 2000 个字符。
在资源类型框中,选择包含要限制的对象和字段的 Google Cloud REST 资源的名称。例如
compute.googleapis.com/HealthCheck
。在强制执行方法下,选择是否对 REST
CREATE
方法强制执行限制条件。如需定义条件,请点击
修改条件。在添加条件面板中,创建一个引用受支持的服务资源的 CEL 条件,例如
。此字段的最大长度为 1,000 个字符。resource.tcpHealthCheck.port >= 1024
点击保存。
在操作下,选择在满足上述条件时是允许还是拒绝评估的方法。
点击创建限制条件。
ORGANIZATION_ID
:您的组织 ID,例如123456789
。CONSTRAINT_NAME
:新的自定义限制条件的名称。 自定义限制条件必须以custom.
开头,只能包含大写字母、小写字母或数字。例如custom.enforceTCPHealthCheckPort1024
。该字段的长度上限为 70 个字符,不计算前缀(例如organizations/123456789/customConstraints/custom.
)。RESOURCE_NAME
:包含要限制的对象和字段的 Compute Engine API REST 资源的名称(而非 URI)。例如HealthCheck
。CONDITION
:针对受支持的服务资源的表示法编写的 CEL 条件。此字段的最大长度为 1,000 个字符。如需详细了解可用于针对其编写条件的资源,请参阅支持的资源。 例如"resource.tcpHealthCheck.port >= 1024"
。ACTION
:满足condition
时要执行的操作。可以是ALLOW
或DENY
。DISPLAY_NAME
:限制条件的直观易记名称。 此字段的最大长度为 200 个字符。DESCRIPTION
:直观易懂的限制条件说明,在违反政策时显示为错误消息。 此字段的最大长度为 2000 个字符。- 在 Google Cloud 控制台中,转到组织政策页面。
- 在项目选择器中,选择要设置组织政策的项目。
- 从组织政策页面上的列表中选择您的限制条件,以查看该限制条件的政策详情页面。
- 如需为该资源配置组织政策,请点击管理政策。
- 在修改政策页面,选择覆盖父级政策。
- 点击添加规则。
- 在强制执行部分中,选择开启还是关闭此组织政策的强制执行。
- (可选)如需使组织政策成为基于某个标记的条件性政策,请点击添加条件。请注意,如果您向组织政策添加条件规则,则必须至少添加一个无条件规则,否则无法保存政策。如需了解详情,请参阅设置带有标记的组织政策。
- 如果是自定义限制条件,您可以点击测试更改来模拟此组织政策的效果。如需了解详情,请参阅使用 Policy Simulator 测试组织政策更改。
- 若要完成并应用组织政策,请点击设置政策。该政策最长需要 15 分钟才能生效。
-
PROJECT_ID
:要对其实施限制条件的项目。 -
CONSTRAINT_NAME
:您为自定义限制条件定义的名称。例如,
。custom.enforceTCPHealthCheckPort1024
为自定义限制条件创建 YAML 文件。
name: organizations/ORGANIZATION_ID/customConstraints/custom.CONSTRAINT_NAME resource_types: compute.googleapis.com/SslPolicy methodTypes: - CREATE - UPDATE condition: resource.FIELD_NAME == VALUE action_type: ACTION display_name: DISPLAY_NAME description: DESCRIPTION
以下示例将最低 TLS 版本限制为 1.2:
name: organizations/012345678901/customConstraints/custom.restrictLbTlsVersion resource_types: compute.googleapis.com/SslPolicy methodTypes: - CREATE - UPDATE condition: resource.minTlsVersion == "TLS_1_2" action_type: ALLOW display_name: Restrict Load Balancing TLS version to 1.2 description: Only allow SSL policies to be created or updated if the minimum TLS version is 1.2 where this custom constraint is enforced.
将自定义限制条件添加到您的组织。
gcloud org-policies set-custom-constraint PATH_TO_FILE
验证您的组织中是否存在自定义限制条件。
gcloud org-policies list-custom-constraints \ --organization=ORGANIZATION_ID
为限制条件创建政策文件。
name: projects/PROJECT_ID/policies/custom.CONSTRAINT_NAME spec: rules: – enforce: true
替换以下内容:
PROJECT_ID
:您的 Google Cloud 项目 IDCONSTRAINT_NAME
:限制条件名称
强制执行该政策:
gcloud org-policies set-policy PATH_TO_POLICY_FILE
将
PATH_TO_POLICY_FILE
替换为政策文件的完全限定路径。假设您已创建了 YAML 文件以将最低 TLS 版本限制为 1.2,请通过创建将
minTlsVersion
设置为TLS_1_0
的 SSL 政策来测试限制条件:gcloud compute ssl-policies create SSL_POLICY_NAME \ --min-tls-version=1.0 \ --project=PROJECT_ID
输出类似于以下内容:
ERROR: (gcloud.compute.ssl-policies.update) HTTPError 412: Operation denied by custom org policy: [customConstraints/custom. restrictLbTlsVersion] : Only allow SSL policy resources to be created or updated if the minimum TLS version is 1.2 where this custom constraint is enforced.
- 您的组织 ID
项目 ID
使用以下信息创建
enforceTCPHealthCheckPort1024.yaml
限制条件文件:name: organizations/ORGANIZATION_ID/customConstraints/custom.enforceTCPHealthCheckPort1024 resource_types: – compute.googleapis.com/HealthCheck condition: "resource.tcpHealthCheck.port >= 1024" method_types: – CREATE – UPDATE action_type: ALLOW display_name: Only TCP HealthCheck Port >= 1024 Allowed. description: Prevent TCP health checks on well-known ports.
设置自定义限制条件。
gcloud org-policies set-custom-constraint enforceTCPHealthCheckPort1024.yaml
创建一份
enforceTCPHealthCheckPort1024-policy.yaml
具有以下信息政策文件。在此示例中,我们在项目级层强制执行此限制条件,但您也可以在组织或文件夹级层设置此限制条件。 请将PROJECT_ID
替换为您的项目 ID。name: projects/PROJECT_ID/policies/custom.enforceTCPHealthCheckPort1024 spec: rules: – enforce: true
强制执行该政策:
gcloud org-policies set-policy enforceTCPHealthCheckPort1024-policy.yaml
通过尝试在端口 80 上创建 TCP 健康检查(系统不允许)来测试此限制。
gcloud compute health-checks create tcp my-tcp-health-check \ --project=PROJECT_ID \ --region=us-central1 \ --port=80 \ --check-interval=5s \ --timeout=5s \ --healthy-threshold=4 \ --unhealthy-threshold=5 \
输出类似于以下内容:
ERROR: (gcloud.compute.healthChecks.create) Could not fetch resource: – Operation denied by custom org policies: [customConstraints/
custom.enforceTCPHealthCheckPort1024
]: Only TCP HealthCheck Port >= 1024 Allowed.不支持旧版健康检查(旧版全球 [HTTP] 和旧版全球 [HTTPS])。
对于某些 Compute Engine 资源(例如 Compute Engine SSL 政策资源),系统还会对
UPDATE
方法强制执行自定义限制条件。
所需的角色
如需获得管理 Cloud Load Balancing 资源的组织政策所需的权限,请让您的管理员为您授予以下 IAM 角色:
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
这些预定义角色包含管理 Cloud Load Balancing 资源组织政策所需的权限。如需查看所需的确切权限,请展开所需权限部分:
所需权限
如需管理 Cloud Load Balancing 资源的组织政策,您需要具备以下权限:
设置自定义限制条件
自定义限制条件由实施组织政策的服务支持的资源、方法、条件和操作定义。自定义限制条件的条件使用通用表达式语言 (CEL) 进行定义。如需详细了解如何使用 CEL 构建自定义限制条件中的条件,请参阅创建和管理自定义组织政策的 CEL 部分。
您可以使用 Google Cloud 控制台或 gcloud CLI 创建自定义限制条件并将其设置为在组织政策中使用。
控制台
在每个字段中输入值后,右侧将显示此自定义限制条件的等效 YAML 配置。
gcloud
如需使用 gcloud CLI 创建自定义限制条件,请为自定义限制条件创建 YAML 文件:
name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME resource_types: - compute.googleapis.com/RESOURCE_NAME method_types: - CREATE - UPDATE condition: CONDITION action_type: ACTION display_name: DISPLAY_NAME description: DESCRIPTION
替换以下内容:
如需详细了解如何创建自定义限制条件,请参阅创建和管理自定义组织政策。
为新的自定义限制条件创建 YAML 文件后,您必须对其进行设置,以使其可用于组织中的组织政策。如需设置自定义限制条件,请使用gcloud org-policies set-custom-constraint
命令: 将gcloud org-policies set-custom-constraint CONSTRAINT_PATH
CONSTRAINT_PATH
替换为自定义限制条件文件的完整路径。例如/home/user/customconstraint.yaml
。完成后,您的自定义限制条件会成为 Google Cloud 组织政策列表中的组织政策。如需验证自定义限制条件是否存在,请使用gcloud org-policies list-custom-constraints
命令: 将gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
ORGANIZATION_ID
替换为您的组织资源的 ID。 如需了解详情,请参阅查看组织政策。强制执行自定义限制条件
如需强制执行布尔值限制条件,您可以创建引用该限制条件的组织政策,并将该组织政策应用于 Google Cloud 资源。控制台
gcloud
如需创建强制执行布尔值限制条件的组织政策,请创建引用该限制条件的 YAML 政策文件:
name: projects/PROJECT_ID/policies/CONSTRAINT_NAME spec: rules: - enforce: true
请替换以下内容:
如需强制执行包含限制条件的组织政策,请运行以下命令:
gcloud org-policies set-policy POLICY_PATH
将
POLICY_PATH
替换为组织政策 YAML 文件的完整路径。该政策最长需要 15 分钟才能生效。示例:使用自定义限制条件限制 TLS 功能
如需使用自定义限制条件对支持的负载均衡器限制 TLS 功能,请在组织中定义使用预定义
constraints/compute.requireSslPolicy
限制条件的政策。定义政策后,请按照以下步骤设置自定义限制条件并使用它们。示例:创建一个限制条件,将 TCP 健康检查端口限制为至少 1024
以下示例创建了一个自定义限制条件和政策,将 TCP 健康检查端口号限制为至少
1024
。在开始之前,您需要了解以下信息:
gcloud
更多常见用例示例
以下部分介绍了一些可能有用的自定义限制条件的语法:
后端存储分区
使用场景 语法 要求所有后端存储分区都启用 Cloud CDN name: organizations/ORGANIZATION_ID/customConstraints/custom.backendBucketEnableCdn resourceTypes: - compute.googleapis.com/BackendBucket methodTypes: - CREATE - UPDATE condition: "resource.enableCdn == true" actionType: ALLOW displayName: Require all backend buckets to have Cloud CDN enabled description: All backend buckets must have Cloud CDN enabled.
后端服务
使用场景 语法 禁止将 HTTP 和 TCP 用作后端服务协议 name: organizations/ORGANIZATION_ID/customConstraints/custom.backendBucketEnableCdn resourceTypes: - compute.googleapis.com/BackendService methodTypes: - CREATE - UPDATE condition: "resource.serviceProtocol == 'HTTP' || resource.serviceProtocol == 'TCP'" actionType: DENY displayName: Disallow the use of HTTP and TCP as backend service protocols description: Backend services cannot configure HTTP or TCP as the backend service protocol.
转发规则
使用场景 语法 要求转发规则使用标准层级 name: organizations/ORGANIZATION_ID/customConstraints/custom.forwardingRulesStandardTier resourceTypes: - compute.googleapis.com/ForwardingRule methodTypes: - CREATE - UPDATE condition: "resource.networkTier == 'STANDARD'" actionType: ALLOW displayName: Require forwarding rules to use Standard Tier description: Forwarding rules must use the Standard Network Service Tier.
健康检查
使用场景 语法 要求所有健康检查协议都通过端口 1024 或更高端口进行 name: organizations/ORGANIZATION_ID/customConstraints/custom.healthCheckPortMin1024 resourceTypes: - compute.googleapis.com/HealthCheck methodTypes: - CREATE - UPDATE condition: "resource.tcpHealthCheck.port >= 1024 && resource.httpHealthCheck.port >= 1024 && resource.httpsHealthCheck.port >= 1024 && resource.sslHealthCheck.port >= 1024 && resource.sslHealthCheck.port >= 1024 &&resource.http2HealthCheck.port >= 1024 && resource.grpcHealthCheck.port >= 1024" actionType: ALLOW displayName: Require port 1024 or greater for all health checks description: All health check protocols must use a port of 1024 or higher, to avoid well-known ports.
禁止 GRPC 健康检查 name: organizations/ORGANIZATION_ID/customConstraints/custom.disallowGRPCHealthChecks resourceTypes: - compute.googleapis.com/HealthCheck methodTypes: - CREATE - UPDATE condition: "resource.type == 'GRPC'" actionType: DENY displayName: Disallow GRPC health checks description: Health checks aren't allowed to use GRPC.
防止高频率健康检查探测 name: organizations/ORGANIZATION_ID/customConstraints/custom.minHealthCheckFrequency resourceTypes: - compute.googleapis.com/HealthCheck methodTypes: - CREATE - UPDATE condition: "resource.checkIntervalSec >= 30" actionType: ALLOW displayName: Disallow fast health check probes description: Prevent health checks from having a probe frequency under 30 seconds.
目标代理
使用场景 语法 不允许客户端 HTTPS keepalive 超时值超过 1000 秒 name: organizations/ORGANIZATION_ID/customConstraints/custom.clientHTTPSKeepalive1000Sec resourceTypes: - compute.googleapis.com/TargetHttpsProxy methodTypes: - CREATE - UPDATE condition: "resource.httpKeepAliveTimeoutSec > 1000" actionType: DENY displayName: Disallow client HTTPS keepalive timeout greater than 1000 seconds description: Disallow client HTTPS keepalive timeout values greater than 1000 seconds.
网址映射
使用场景 语法 要求网址映射针对 HTTP 500
状态代码具有自定义错误响应政策name: organizations/ORGANIZATION_ID/customConstraints/custom.urlMapCustomResponseHTTP500 resourceTypes: - compute.googleapis.com/UrlMaps methodTypes: - CREATE - UPDATE condition: "resource.defaultCustomErrorResponsePolicy.errorResponseRule.exists(value, value.matchResponseCode == 500)" actionType: ALLOW displayName: Require URL maps to have a custom error response policy for HTTP 500 errors description: URL maps must have a custom error response policy configured for HTTP 500 errors.
目标实例
使用场景 语法 要求目标实例的名称以字符串“targetInstance”开头 name: organizations/ORGANIZATION_ID/customConstraints/custom.targetInstanceConstraint resourceTypes: - compute.googleapis.com/TargetInstance methodTypes: - CREATE - UPDATE condition: "resource.name.startsWith('targetInstance')" actionType: ALLOW displayName: Require target instances to have a name that starts with the string "targetInstance" description: Target instances must have resource names that start with the string "targetInstance"
目标池
使用场景 语法 要求目标池具有 CLIENT_IP 会话亲和性 name: organizations/ORGANIZATION_ID/customConstraints/custom.targetPoolConstraint resourceTypes: - compute.googleapis.com/TargetPool methodTypes: - CREATE - UPDATE condition: "resource.sessionAffinity == 'CLIENT_IP'" actionType: ALLOW displayName: Require target pools to use CLIENT_IP session affinity description: Target pools must use CLIENT_IP session affinity
限制
后续步骤
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2024-12-22。
-