使用自定义约束条件管理 Cloud Load Balancing 资源

Google Cloud 组织政策可让您以编程方式集中控制组织的资源。作为组织政策管理员,您可以定义组织政策,这是一组称为限制条件的限制,会应用于 Google Cloud 资源层次结构中的 Google Cloud 资源及其后代。您可以在组织、文件夹或项目级强制执行组织政策。

组织政策为各种 Google Cloud 服务提供预定义限制条件。但是,如果您想要更精细地控制和自定义组织政策中受限的特定字段,还可以创建自定义限制条件并在自定义组织政策中使用这些自定义限制条件。

以下负载均衡组件支持自定义约束条件:

优势

  • 费用管理:使用自定义组织政策限制健康检查探测频率。
  • 安全、合规性和治理:您可以使用自定义组织政策强制执行政策。例如:

    • 强制使用特定的健康检查协议或端口范围
    • 禁止使用特定后端流量协议
    • 若要要求后端存储分区启用 Cloud CDN,请执行以下操作:
    • 要求转发规则使用特定的 Network Service Tiers

Cloud Load Balancing 支持的资源

对于 Cloud Load Balancing,您可以对以下资源和字段设置自定义约束条件。

后端存储分区

后端存储分区compute.googleapis.com/BackendBucket

  • resource.name
  • resource.description
  • resource.bucketName
  • resource.enableCdn
  • resource.cdnPolicy
    • resource.cdnPolicy.bypassCacheOnRequestHeaders
      • resource.cdnPolicy.bypassCacheOnRequestHeaders.headerName
    • resource.cdnPolicy.cacheKeyPolicy
      • resource.cdnPolicy.cacheKeyPolicy.includeHttpHeaders
      • resource.cdnPolicy.cacheKeyPolicy.queryStringWhitelist
      • resource.cdnPolicy.signedUrlCacheMaxAgeSec
    • resource.compressionMode
    • resource.customResponseHeaders

后端服务

后端服务compute.googleapis.com/BackendService

  • resource.name
  • resource.description
  • resource.port
  • resource.portName
  • resource.protocol
  • resource.backends
    • resource.backends.balancingMode
    • resource.backends.capacityScaler
    • resource.backends.description
    • resource.backends.failover
    • resource.backends.maxConnections
    • resource.backends.maxConnectionsPerEndpoint
    • resource.backends.maxConnectionsPerInstance
    • resource.backends.maxRate
    • resource.backends.maxRatePerEndpoint
    • resource.backends.maxRatePerInstance
    • resource.backends.maxUtilization
    • resource.backends.preference
  • resource.enableCDN
  • resource.cdnPolicy
    • resource.cdnPolicy.bypassCacheOnRequestHeaders
      • resource.cdnPolicy.bypassCacheOnRequestHeaders.headerName
    • resource.cdnPolicy.cacheKeyPolicy
      • resource.cdnPolicy.cacheKeyPolicy.includeHost
      • resource.cdnPolicy.cacheKeyPolicy.includeHttpHeaders
      • resource.cdnPolicy.cacheKeyPolicy.includeNamedCookies
      • resource.cdnPolicy.cacheKeyPolicy.includeProtocol
      • resource.cdnPolicy.cacheKeyPolicy.includeQueryString
      • resource.cdnPolicy.cacheKeyPolicy.queryStringBlacklist
      • resource.cdnPolicy.cacheKeyPolicy.queryStringWhitelist
    • resource.cdnPolicy.cacheMode
    • resource.cdnPolicy.clientTtl
    • resource.cdnPolicy.defaultTtl
    • resource.cdnPolicy.maxTtl
    • resource.cdnPolicy.negativeCaching
    • resource.cdnPolicy.negativeCachingPolicy
      • resource.cdnPolicy.negativeCachingPolicy.code
      • resource.cdnPolicy.negativeCachingPolicy.ttl
    • resource.cdnPolicy.requestCoalescing
    • resource.cdnPolicy.serveWhileStale
    • resource.cdnPolicy.signedUrlCacheMaxAgeSec
  • resource.circuitBreakers
    • resource.circuitBreakers.maxConnections
    • resource.circuitBreakers.maxPendingRequests
    • resource.circuitBreakers.maxRequests
    • resource.circuitBreakers.maxRequestsPerConnection
    • resource.circuitBreakers.maxRetries
  • resource.compressionMode
  • resource.connectionDraining
    • resource.connectionDraining.drainingTimeoutSec
  • resource.connectionTrackingPolicy
    • resource.connectionTrackingPolicy.connectionPersistenceOnUnhealthyBackends
    • resource.connectionTrackingPolicy.enableStrongAffinity
    • resource.connectionTrackingPolicy.idleTimeoutSec
    • resource.connectionTrackingPolicy.trackingMode
  • resource.consistentHash
    • resource.consistentHash.httpCookie
    • resource.consistentHash.httpCookie.name
    • resource.consistentHash.httpCookie.path
    • resource.consistentHash.httpCookie.ttl
      • resource.consistentHash.httpCookie.ttl.nanos
      • resource.consistentHash.httpCookie.ttl.seconds
    • resource.consistentHash.minimumRingSize
  • resource.customRequestHeaders
  • resource.customResponseHeaders
  • resource.affinityCookieTtlSec
  • resource.failoverPolicy
    • resource.failoverPolicy.disableConnectionDrainOnFailover
    • resource.failoverPolicy.dropTrafficIfUnhealthy
    • resource.failoverPolicy.failoverRatio
  • resource.iap
    • resource.iap.enabled
    • resource.iap.oauth2ClientId
  • resource.ipAddressSelectionPolicy
  • resource.loadBalancingScheme
  • resource.localityLbPolicies
    • resource.localityLbPolicies.customPolicy
    • resource.localityLbPolicies.customPolicy.data
    • resource.localityLbPolicies.customPolicy.name
    • resource.localityLbPolicies.policy
    • resource.localityLbPolicies.policy.name
  • resource.logConfig
    • resource.logConfig.enable
    • resource.logConfig.optionalFields
    • resource.logConfig.optionalMode
    • resource.logConfig.sampleRate
  • resource.maxStreamDuration
    • resource.maxStreamDuration.nanos
    • resource.maxStreamDuration.seconds
  • resource.outlierDetection
    • resource.outlierDetection.baseEjectionTime
    • resource.outlierDetection.baseEjectionTime.nanos
    • resource.outlierDetection.baseEjectionTime.seconds
    • resource.outlierDetection.consecutiveGatewayFailure
    • resource.outlierDetection.enforcingConsecutiveErrors
    • resource.outlierDetection.enforcingConsecutiveGatewayFailure
    • resource.outlierDetection.enforcingSuccessRate
    • resource.outlierDetection.maxEjectionPercent
    • resource.outlierDetection.successRateMinimumHosts
    • resource.outlierDetection.successRateRequestVolume
    • resource.outlierDetection.successRateStdevFactor
  • resource.securitySettings
    • resource.securitySettings.awsV4Authentication
    • resource.securitySettings.awsV4Authentication.accessKeyId
    • resource.securitySettings.awsV4Authentication.accessKeyVersion
    • resource.securitySettings.subjectAltNames
  • resource.sessionAffinity
  • resource.subsetting
    • resource.subsetting.policy
  • resource.timeoutSec
  • resource.strongSessionAffinityCookie
    • resource.strongSessionAffinityCookie.name
    • resource.strongSessionAffinityCookie.path
    • resource.strongSessionAffinityCookie.ttl
    • resource.strongSessionAffinityCookie.ttl.nanos
    • resource.strongSessionAffinityCookie.ttl.seconds

转发规则

转发规则compute.googleapis.com/ForwardingRule

  • resource.name
  • resource.description
  • resource.allowGlobalAccess
  • resource.allowPscGlobalAccess
  • resource.allPorts
  • resource.IPProtocol
  • resource.ipVersion
  • resource.isMirroringCollector
  • resource.loadBalancingScheme
  • resource.metadataFilters
    • resource.metadataFilters.filterLabels
    • resource.metadataFilters.filterLabels.name
    • resource.metadataFilters.filterLabels.value
    • resource.metadataFilters.filterMatchCriteria
  • resource.networkTier
  • resource.noAutomateDnsZone
  • resource.portRange
  • resource.ports
  • resource.serviceDirectoryRegistrations
    • resource.serviceDirectoryRegistrations.namespace
    • resource.serviceDirectoryRegistrations.service
    • resource.serviceDirectoryRegistrations.serviceDirectoryRegion
  • resource.serviceLabel
  • resource.sourceIpRanges

健康检查

健康检查compute.googleapis.com/HealthCheck

  • resource.name
  • resource.description
  • resource.checkIntervalSec
  • resource.timeoutSec
  • resource.unhealthyThreshold
  • resource.healthyThreshold
  • resource.type
  • TCP 健康检查:
    • resource.tcpHealthCheck.port
    • resource.tcpHealthCheck.request
    • resource.tcpHealthCheck.response
    • resource.tcpHealthCheck.proxyHeader
    • resource.tcpHealthCheck.portSpecification
  • SSL 健康检查:
    • resource.sslHealthCheck.port
    • resource.sslHealthCheck.request
    • resource.sslHealthCheck.response
    • resource.sslHealthCheck.proxyHeader
    • resource.sslHealthCheck.portSpecification
  • HTTP 健康检查:
    • resource.httpHealthCheck.port
    • resource.httpHealthCheck.host
    • resource.httpHealthCheck.requestPath
    • resource.httpHealthCheck.proxyHeader
    • resource.httpHealthCheck.response
    • resource.httpHealthCheck.portSpecification
  • HTTPS 健康检查:
    • resource.httpsHealthCheck.port
    • resource.httpsHealthCheck.host
    • resource.httpsHealthCheck.requestPath
    • resource.httpsHealthCheck.proxyHeader
    • resource.httpsHealthCheck.response
    • resource.httpsHealthCheck.portSpecification
  • HTTP/2 健康检查:
    • resource.http2HealthCheck.port
    • resource.http2HealthCheck.host
    • resource.http2HealthCheck.requestPath
    • resource.http2HealthCheck.proxyHeader
    • resource.http2HealthCheck.response
    • resource.http2HealthCheck.portSpecification
  • gRPC 健康检查:
    • resource.grpcHealthCheck.port
    • resource.grpcHealthCheck.grpcServiceName
    • resource.grpcHealthCheck.portSpecification
  • resource.sourceRegions
  • resource.logConfig
    • resource.logConfig.enable

目标代理

目标 TCP 代理compute.googleapis.com/TargetTcpProxy

  • resource.name
  • resource.description
  • resource.proxyBind
  • resource.proxyHeader

目标 SSL 代理compute.googleapis.com/TargetSslProxy

  • resource.name
  • resource.description
  • resource.proxyHeader

目标 HTTP 代理compute.googleapis.com/TargetHttpProxy

  • resource.name
  • resource.description
  • resource.proxyBind
  • resource.httpKeepAliveTimeoutSec

目标 HTTPS 代理compute.googleapis.com/TargetHttpsProxy

  • resource.name
  • resource.description
  • resource.proxyBind
  • resource.httpKeepAliveTimeoutSec
  • resource.quicOverride
  • resource.tlsEarlyData

目标 gRPC 代理compute.googleapis.com/TargetGrpcProxy

  • resource.name
  • resource.description
  • resource.validateForProxyless

网址映射

网址映射compute.googleapis.com/UrlMap

  • resource.name
  • resource.description
  • resource.defaultCustomErrorResponsePolicy
    • resource.defaultCustomErrorResponsePolicy.errorResponseRules
      • resource.defaultCustomErrorResponsePolicy.errorResponseRules.matchResponseCodes
      • resource.defaultCustomErrorResponsePolicy.errorResponseRules.overrideResponseCode
      • resource.defaultCustomErrorResponsePolicy.errorResponseRules.path
  • resource.defaultRouteAction
    • resource.defaultRouteAction.corsPolicy
    • resource.defaultRouteAction.corsPolicy.allowCredentials
    • resource.defaultRouteAction.corsPolicy.allowHeaders
    • resource.defaultRouteAction.corsPolicy.allowMethods
    • resource.defaultRouteAction.corsPolicy.allowOrigins
    • resource.defaultRouteAction.corsPolicy.allowOriginRegexes
    • resource.defaultRouteAction.corsPolicy.disabled
    • resource.defaultRouteAction.corsPolicy.exposeHeaders
    • resource.defaultRouteAction.corsPolicy.maxAge
    • resource.defaultRouteAction.faultInjectionPolicy
    • resource.defaultRouteAction.faultInjectionPolicy.abort
      • resource.defaultRouteAction.faultInjectionPolicy.abort.httpStatus
      • resource.defaultRouteAction.faultInjectionPolicy.abort.percentage
    • resource.defaultRouteAction.faultInjectionPolicy.delay
      • resource.defaultRouteAction.faultInjectionPolicy.delay.percentage
      • resource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay
      • resource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.nanos
      • resource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.seconds
    • resource.defaultRouteAction.maxStreamDuration
    • resource.defaultRouteAction.maxStreamDuration.nanos
    • resource.defaultRouteAction.maxStreamDuration.seconds
    • resource.defaultRouteAction.requestMirrorPolicy
    • resource.defaultRouteAction.retryPolicy
    • resource.defaultRouteAction.retryPolicy.numRetries
    • resource.defaultRouteAction.retryPolicy.perTryTimeout
      • resource.defaultRouteAction.retryPolicy.perTryTimeout.nanos
      • resource.defaultRouteAction.retryPolicy.perTryTimeout.seconds
    • resource.defaultRouteAction.retryPolicy.retryConditions
    • resource.defaultRouteAction.timeout
    • resource.defaultRouteAction.timeout.nanos
    • resource.defaultRouteAction.timeout.seconds
    • resource.defaultRouteAction.urlRewrite
    • resource.defaultRouteAction.urlRewrite.hostRewrite
    • resource.defaultRouteAction.urlRewrite.pathPrefixRewrite
    • resource.defaultRouteAction.urlRewrite.pathTemplateRewrite
    • resource.defaultRouteAction.weightedBackendServices
    • resource.defaultRouteAction.weightedBackendServices.headerAction
      • resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd
      • resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
      • resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
      • resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
      • resource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToRemove
      • resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd
      • resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
      • resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
      • resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
      • resource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToRemove
    • resource.defaultRouteAction.weightedBackendServices.weight
  • resource.defaultUrlRedirect
    • resource.defaultUrlRedirect.hostRedirect
    • resource.defaultUrlRedirect.httpsRedirect
    • resource.defaultUrlRedirect.pathRedirect
    • resource.defaultUrlRedirect.prefixRedirect
    • resource.defaultUrlRedirect.redirectResponseCode
    • resource.defaultUrlRedirect.stripQuery
  • resource.headerAction
    • resource.headerAction.requestHeadersToAdd
    • resource.headerAction.requestHeadersToAdd.headerName
    • resource.headerAction.requestHeadersToAdd.headerValue
    • resource.headerAction.requestHeadersToAdd.replace
    • resource.headerAction.requestHeadersToRemove
    • resource.headerAction.responseHeadersToAdd
    • resource.headerAction.responseHeadersToAdd.headerName
    • resource.headerAction.responseHeadersToAdd.headerValue
    • resource.headerAction.responseHeadersToAdd.replace
    • resource.headerAction.responseHeadersToRemove
  • resource.hostRules
    • resource.hostRules.description
    • resource.hostRules.hosts
    • resource.hostRules.pathMatcher
  • resource.pathMatchers
    • resource.pathMatchers.name
    • resource.pathMatchers.description
    • resource.pathMatchers.defaultCustomErrorResponsePolicy
    • resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules
      • resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.matchResponseCodes
      • resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.overrideResponseCode
      • resource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.path
    • resource.pathMatchers.defaultRouteAction
    • resource.pathMatchers.defaultRouteAction.corsPolicy
      • resource.pathMatchers.defaultRouteAction.corsPolicy.allowCredentials
      • resource.pathMatchers.defaultRouteAction.corsPolicy.allowHeaders
      • resource.pathMatchers.defaultRouteAction.corsPolicy.allowMethods
      • resource.pathMatchers.defaultRouteAction.corsPolicy.allowOrigins
      • resource.pathMatchers.defaultRouteAction.corsPolicy.allowOriginRegexes
      • resource.pathMatchers.defaultRouteAction.corsPolicy.disabled
      • resource.pathMatchers.defaultRouteAction.corsPolicy.exposeHeaders
      • resource.pathMatchers.defaultRouteAction.corsPolicy.maxAge
    • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy
      • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort
      • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort.httpStatus
      • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort.percentage
      • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay
      • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.percentage
      • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay
        • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.nanos
        • resource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.seconds
    • resource.pathMatchers.defaultRouteAction.maxStreamDuration
      • resource.pathMatchers.defaultRouteAction.maxStreamDuration.nanos
      • resource.pathMatchers.defaultRouteAction.maxStreamDuration.seconds
    • resource.pathMatchers.defaultRouteAction.requestMirrorPolicy
    • resource.pathMatchers.defaultRouteAction.retryPolicy
      • resource.pathMatchers.defaultRouteAction.retryPolicy.numRetries
      • resource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout
      • resource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout.nanos
      • resource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout.seconds
      • resource.pathMatchers.defaultRouteAction.retryPolicy.retryConditions
    • resource.pathMatchers.defaultRouteAction.timeout
      • resource.pathMatchers.defaultRouteAction.timeout.nanos
      • resource.pathMatchers.defaultRouteAction.timeout.seconds
    • resource.pathMatchers.defaultRouteAction.urlRewrite
      • resource.pathMatchers.defaultRouteAction.urlRewrite.hostRewrite
      • resource.pathMatchers.defaultRouteAction.urlRewrite.pathPrefixRewrite
      • resource.pathMatchers.defaultRouteAction.urlRewrite.pathTemplateRewrite
    • resource.pathMatchers.defaultRouteAction.weightedBackendServices
      • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction
      • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd
        • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
        • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
        • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
      • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToRemove
      • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd
        • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
        • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
        • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
      • resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToRemove
      • resource.pathMatchers.defaultRouteAction.weightedBackendServices.weight
    • resource.pathMatchers.defaultUrlRedirect
    • resource.pathMatchers.defaultUrlRedirect.hostRedirect
    • resource.pathMatchers.defaultUrlRedirect.httpsRedirect
    • resource.pathMatchers.defaultUrlRedirect.pathRedirect
    • resource.pathMatchers.defaultUrlRedirect.prefixRedirect
    • resource.pathMatchers.defaultUrlRedirect.redirectResponseCode
    • resource.pathMatchers.defaultUrlRedirect.stripQuery
    • resource.pathMatchers.headerAction
    • resource.pathMatchers.headerAction.requestHeadersToAdd
    • resource.pathMatchers.headerAction.requestHeadersToAdd.headerName
    • resource.pathMatchers.headerAction.requestHeadersToAdd.headerValue
    • resource.pathMatchers.headerAction.requestHeadersToAdd.replace
    • resource.pathMatchers.headerAction.requestHeadersToRemove
    • resource.pathMatchers.headerAction.responseHeadersToAdd
    • resource.pathMatchers.headerAction.responseHeadersToAdd.headerName
    • resource.pathMatchers.headerAction.responseHeadersToAdd.headerValue
    • resource.pathMatchers.headerAction.responseHeadersToAdd.replace
    • resource.pathMatchers.headerAction.responseHeadersToRemove
    • resource.pathMatchers.pathRules
    • resource.pathMatchers.pathRules.paths
    • resource.pathMatchers.pathRules.customErrorResponsePolicy
      • resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules
      • resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.matchResponseCodes
      • resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.overrideResponseCode
      • resource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.path
    • resource.pathMatchers.pathRules.routeAction
      • resource.pathMatchers.pathRules.routeAction.corsPolicy
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.allowCredentials
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.allowHeaders
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.allowMethods
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.allowOrigins
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.allowOriginRegexes
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.disabled
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.exposeHeaders
      • resource.pathMatchers.pathRules.routeAction.corsPolicy.maxAge
      • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy
      • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort
        • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort.httpStatus
        • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort.percentage
      • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay
        • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.percentage
        • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay
        • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay.nanos
        • resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay.seconds
      • resource.pathMatchers.pathRules.routeAction.maxStreamDuration
      • resource.pathMatchers.pathRules.routeAction.maxStreamDuration.nanos
      • resource.pathMatchers.pathRules.routeAction.maxStreamDuration.seconds
      • resource.pathMatchers.pathRules.routeAction.requestMirrorPolicy
      • resource.pathMatchers.pathRules.routeAction.retryPolicy
      • resource.pathMatchers.pathRules.routeAction.retryPolicy.numRetries
      • resource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout
        • resource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout.nanos
        • resource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout.seconds
      • resource.pathMatchers.pathRules.routeAction.retryPolicy.retryConditions
      • resource.pathMatchers.pathRules.routeAction.timeout
      • resource.pathMatchers.pathRules.routeAction.timeout.nanos
      • resource.pathMatchers.pathRules.routeAction.timeout.seconds
      • resource.pathMatchers.pathRules.routeAction.urlRewrite
      • resource.pathMatchers.pathRules.routeAction.urlRewrite.hostRewrite
      • resource.pathMatchers.pathRules.routeAction.urlRewrite.pathPrefixRewrite
      • resource.pathMatchers.pathRules.routeAction.urlRewrite.pathTemplateRewrite
      • resource.pathMatchers.pathRules.routeAction.weightedBackendServices
      • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToRemove
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
        • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToRemove
      • resource.pathMatchers.pathRules.routeAction.weightedBackendServices.weight
    • resource.pathMatchers.pathRules.urlRedirect
      • resource.pathMatchers.pathRules.urlRedirect.hostRedirect
      • resource.pathMatchers.pathRules.urlRedirect.httpsRedirect
      • resource.pathMatchers.pathRules.urlRedirect.pathRedirect
      • resource.pathMatchers.pathRules.urlRedirect.prefixRedirect
      • resource.pathMatchers.pathRules.urlRedirect.redirectResponseCode
      • resource.pathMatchers.pathRules.urlRedirect.stripQuery
    • resource.pathMatchers.routeRules
    • resource.pathMatchers.routeRules.description
    • resource.pathMatchers.routeRules.priority
    • resource.pathMatchers.routeRules.customErrorResponsePolicy
      • resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules
      • resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.matchResponseCodes
      • resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.overrideResponseCode
      • resource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.path
    • resource.pathMatchers.routeRules.headerAction
      • resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd
      • resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.headerName
      • resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.headerValue
      • resource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.replace
      • resource.pathMatchers.routeRules.headerAction.requestHeadersToRemove
      • resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd
      • resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.headerName
      • resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.headerValue
      • resource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.replace
      • resource.pathMatchers.routeRules.headerAction.responseHeadersToRemove
    • resource.pathMatchers.routeRules.matchRules
      • resource.pathMatchers.routeRules.matchRules.fullPathMatch
      • resource.pathMatchers.routeRules.matchRules.headerMatches
      • resource.pathMatchers.routeRules.matchRules.headerMatches.exactMatch
      • resource.pathMatchers.routeRules.matchRules.headerMatches.headerName
      • resource.pathMatchers.routeRules.matchRules.headerMatches.invertMatch
      • resource.pathMatchers.routeRules.matchRules.headerMatches.prefixMatch
      • resource.pathMatchers.routeRules.matchRules.headerMatches.presentMatch
      • resource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch
        • resource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch.rangeStart
        • resource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch.rangeEnd
      • resource.pathMatchers.routeRules.matchRules.headerMatches.regexMatch
      • resource.pathMatchers.routeRules.matchRules.headerMatches.suffixMatch
      • resource.pathMatchers.routeRules.matchRules.ignoreCase
      • resource.pathMatchers.routeRules.matchRules.metadataFilters
      • resource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels
        • resource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels.name
        • resource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels.value
      • resource.pathMatchers.routeRules.matchRules.metadataFilters.filterMatchCriteria
      • resource.pathMatchers.routeRules.matchRules.pathTemplateMatch
      • resource.pathMatchers.routeRules.matchRules.prefixMatch
      • resource.pathMatchers.routeRules.matchRules.queryParameterMatches
      • resource.pathMatchers.routeRules.matchRules.queryParameterMatches.name
      • resource.pathMatchers.routeRules.matchRules.queryParameterMatches.exactMatch
      • resource.pathMatchers.routeRules.matchRules.queryParameterMatches.presentMatch
      • resource.pathMatchers.routeRules.matchRules.queryParameterMatches.regexMatch
      • resource.pathMatchers.routeRules.matchRules.regexMatch
    • resource.pathMatchers.routeRules.routeAction
      • resource.pathMatchers.routeRules.routeAction.corsPolicy
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.allowCredentials
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.allowHeaders
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.allowMethods
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.allowOrigins
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.allowOriginRegexes
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.disabled
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.exposeHeaders
      • resource.pathMatchers.routeRules.routeAction.corsPolicy.maxAge
      • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy
      • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort
        • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort.httpStatus
        • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort.percentage
      • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay
        • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.percentage
        • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay
        • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay.nanos
        • resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay.seconds
      • resource.pathMatchers.routeRules.routeAction.maxStreamDuration
      • resource.pathMatchers.routeRules.routeAction.maxStreamDuration.nanos
      • resource.pathMatchers.routeRules.routeAction.maxStreamDuration.seconds
      • resource.pathMatchers.routeRules.routeAction.requestMirrorPolicy
      • resource.pathMatchers.routeRules.routeAction.retryPolicy
      • resource.pathMatchers.routeRules.routeAction.retryPolicy.numRetries
      • resource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout
        • resource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout.nanos
        • resource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout.seconds
      • resource.pathMatchers.routeRules.routeAction.retryPolicy.retryConditions
      • resource.pathMatchers.routeRules.routeAction.timeout
      • resource.pathMatchers.routeRules.routeAction.timeout.nanos
      • resource.pathMatchers.routeRules.routeAction.timeout.seconds
      • resource.pathMatchers.routeRules.routeAction.urlRewrite
      • resource.pathMatchers.routeRules.routeAction.urlRewrite.hostRewrite
      • resource.pathMatchers.routeRules.routeAction.urlRewrite.pathPrefixRewrite
      • resource.pathMatchers.routeRules.routeAction.urlRewrite.pathTemplateRewrite
      • resource.pathMatchers.routeRules.routeAction.weightedBackendServices
      • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerName
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValue
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToRemove
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerName
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValue
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
        • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToRemove
      • resource.pathMatchers.routeRules.routeAction.weightedBackendServices.weight
    • resource.pathMatchers.routeRules.urlRedirect
      • resource.pathMatchers.routeRules.urlRedirect.hostRedirect
      • resource.pathMatchers.routeRules.urlRedirect.httpsRedirect
      • resource.pathMatchers.routeRules.urlRedirect.pathRedirect
      • resource.pathMatchers.routeRules.urlRedirect.prefixRedirect
      • resource.pathMatchers.routeRules.urlRedirect.redirectResponseCode
      • resource.pathMatchers.routeRules.urlRedirect.stripQuery
  • resource.tests
    • resource.tests.description
    • resource.tests.expectedOutputUrl
    • resource.tests.expectedRedirectResponseCode
    • resource.tests.headers
    • resource.tests.headers.name
    • resource.tests.headers.value
    • resource.tests.host
    • resource.tests.path

SSL 政策

SSL 政策compute.googleapis.com/SslPolicy

  • resource.profile
  • resource.name
  • resource.description
  • resource.minTlsVersion
  • resource.customFeatures

目标实例

目标实例compute.googleapis.com/TargetInstance

  • resource.name
  • resource.description
  • resource.natPolicy

目标池

目标池compute.googleapis.com/TargetPool

  • resource.name
  • resource.description
  • resource.sessionAffinity
  • resource.failoverRatio

如需了解其他受支持的计算资源,请参阅 Compute Engine 自定义约束条件页面了解详情。

政策继承

如果您对资源强制执行政策,默认情况下,该资源的后代会继承组织政策。例如,如果您对某个文件夹强制执行一项政策,Google Cloud 会对该文件夹中的所有项目强制执行该政策。如需详细了解此行为及其更改方式,请参阅层次结构评估规则

准备工作

  • 如果您尚未设置身份验证,请进行设置。身份验证是通过其进行身份验证以访问 Google Cloud 服务和 API 的过程。如需从本地开发环境运行代码或示例,您可以选择以下任一选项向 Compute Engine 进行身份验证:

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

所需的角色

如需获得管理 Cloud Load Balancing 资源的组织政策所需的权限,请让您的管理员为您授予以下 IAM 角色:

如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限

这些预定义角色包含管理 Cloud Load Balancing 资源组织政策所需的权限。如需查看所需的确切权限,请展开所需权限部分:

所需权限

如需管理 Cloud Load Balancing 资源的组织政策,您需要具备以下权限:

  • orgpolicy.constraints.list
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

您也可以使用自定义角色或其他预定义角色来获取这些权限。

设置自定义限制条件

自定义限制条件由实施组织政策的服务支持的资源、方法、条件和操作定义。自定义限制条件的条件使用通用表达式语言 (CEL) 进行定义。如需详细了解如何使用 CEL 构建自定义限制条件中的条件,请参阅创建和管理自定义组织政策的 CEL 部分。

您可以使用 Google Cloud 控制台或 gcloud CLI 创建自定义限制条件并将其设置为在组织政策中使用。

控制台

  1. 在 Google Cloud 控制台中,转到组织政策页面。

    转到“组织政策”

  2. 选择页面顶部的项目选择器。

  3. 选择资源窗口中,选择要为哪个组织创建自定义限制条件。

  4. 点击 自定义限制条件

  5. 显示名称框中,为限制条件输入一个易记的名称。此字段的最大长度为 200 个字符。 请勿在限制条件名称中使用 PII 或敏感数据,因为这些可能会在错误消息中公开。

  6. 限制条件 ID 框中,为新的自定义限制条件输入所需的名称。自定义限制条件必须以 custom. 开头,只能包含大写字母、小写字母或数字,例如 custom.enforceTCPHealthCheckPort1024。该字段的长度上限为 70 个字符,不计算前缀(例如 organizations/123456789/customConstraints/custom.)。

  7. 说明框中,输入直观易懂的限制条件说明,在违反政策时此说明内容会以错误消息的形式显示。此字段的最大长度为 2000 个字符。

  8. 资源类型框中,选择包含要限制的对象和字段的 Google Cloud REST 资源的名称。例如 compute.googleapis.com/HealthCheck

  9. 强制执行方法下,选择是否对 REST CREATE 方法强制执行限制条件。

  10. 如需定义条件,请点击 修改条件

    1. 添加条件面板中,创建一个引用受支持的服务资源的 CEL 条件,例如 resource.tcpHealthCheck.port >= 1024。此字段的最大长度为 1,000 个字符。

    2. 点击保存

  11. 操作下,选择在满足上述条件时是允许还是拒绝评估的方法。

  12. 点击创建限制条件

在每个字段中输入值后,右侧将显示此自定义限制条件的等效 YAML 配置。

gcloud

如需使用 gcloud CLI 创建自定义限制条件,请为自定义限制条件创建 YAML 文件:

name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resource_types:
- compute.googleapis.com/RESOURCE_NAME
method_types:
- CREATE
- UPDATE
condition: CONDITION
action_type: ACTION
display_name: DISPLAY_NAME
description: DESCRIPTION

替换以下内容:

  • ORGANIZATION_ID:您的组织 ID,例如 123456789

  • CONSTRAINT_NAME:新的自定义限制条件的名称。 自定义限制条件必须以 custom. 开头,只能包含大写字母、小写字母或数字。例如 custom.enforceTCPHealthCheckPort1024。该字段的长度上限为 70 个字符,不计算前缀(例如 organizations/123456789/customConstraints/custom.)。

  • RESOURCE_NAME:包含要限制的对象和字段的 Compute Engine API REST 资源的名称(而非 URI)。例如 HealthCheck

  • CONDITION:针对受支持的服务资源的表示法编写的 CEL 条件。此字段的最大长度为 1,000 个字符。如需详细了解可用于针对其编写条件的资源,请参阅支持的资源。 例如 "resource.tcpHealthCheck.port >= 1024"

  • ACTION:满足 condition 时要执行的操作。可以是 ALLOWDENY

  • DISPLAY_NAME:限制条件的直观易记名称。 此字段的最大长度为 200 个字符。

  • DESCRIPTION:直观易懂的限制条件说明,在违反政策时显示为错误消息。 此字段的最大长度为 2000 个字符。

如需详细了解如何创建自定义限制条件,请参阅创建和管理自定义组织政策

为新的自定义限制条件创建 YAML 文件后,您必须对其进行设置,以使其可用于组织中的组织政策。如需设置自定义限制条件,请使用 gcloud org-policies set-custom-constraint 命令:
gcloud org-policies set-custom-constraint CONSTRAINT_PATH
CONSTRAINT_PATH 替换为自定义限制条件文件的完整路径。例如 /home/user/customconstraint.yaml。完成后,您的自定义限制条件会成为 Google Cloud 组织政策列表中的组织政策。如需验证自定义限制条件是否存在,请使用 gcloud org-policies list-custom-constraints 命令:
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
ORGANIZATION_ID 替换为您的组织资源的 ID。 如需了解详情,请参阅查看组织政策

强制执行自定义限制条件

如需强制执行布尔值限制条件,您可以创建引用该限制条件的组织政策,并将该组织政策应用于 Google Cloud 资源。

控制台

  1. 在 Google Cloud 控制台中,转到组织政策页面。

    转到组织政策

  2. 在项目选择器中,选择要设置组织政策的项目。
  3. 组织政策页面上的列表中选择您的限制条件,以查看该限制条件的政策详情页面。
  4. 如需为该资源配置组织政策,请点击管理政策
  5. 修改政策页面,选择覆盖父级政策
  6. 点击添加规则
  7. 强制执行部分中,选择开启还是关闭此组织政策的强制执行。
  8. (可选)如需使组织政策成为基于某个标记的条件性政策,请点击添加条件。请注意,如果您向组织政策添加条件规则,则必须至少添加一个无条件规则,否则无法保存政策。如需了解详情,请参阅设置带有标记的组织政策
  9. 如果是自定义限制条件,您可以点击测试更改来模拟此组织政策的效果。如需了解详情,请参阅使用 Policy Simulator 测试组织政策更改
  10. 若要完成并应用组织政策,请点击设置政策。该政策最长需要 15 分钟才能生效。

gcloud

如需创建强制执行布尔值限制条件的组织政策,请创建引用该限制条件的 YAML 政策文件:

      name: projects/PROJECT_ID/policies/CONSTRAINT_NAME
      spec:
        rules:
        - enforce: true
    

请替换以下内容:

  • PROJECT_ID:要对其实施限制条件的项目。
  • CONSTRAINT_NAME:您为自定义限制条件定义的名称。例如,custom.enforceTCPHealthCheckPort1024

如需强制执行包含限制条件的组织政策,请运行以下命令:

    gcloud org-policies set-policy POLICY_PATH
    

POLICY_PATH 替换为组织政策 YAML 文件的完整路径。该政策最长需要 15 分钟才能生效。

示例:使用自定义限制条件限制 TLS 功能

如需使用自定义限制条件对支持的负载均衡器限制 TLS 功能,请在组织中定义使用预定义 constraints/compute.requireSslPolicy 限制条件的政策。定义政策后,请按照以下步骤设置自定义限制条件并使用它们。

  1. 为自定义限制条件创建 YAML 文件。

    name: organizations/ORGANIZATION_ID/customConstraints/custom.CONSTRAINT_NAME
    resource_types: compute.googleapis.com/SslPolicy
    methodTypes:
    - CREATE
    - UPDATE
    condition: resource.FIELD_NAME == VALUE
    action_type: ACTION
    display_name: DISPLAY_NAME
    description: DESCRIPTION
    

    以下示例将最低 TLS 版本限制为 1.2:

    name: organizations/012345678901/customConstraints/custom.restrictLbTlsVersion
    resource_types: compute.googleapis.com/SslPolicy
    methodTypes:
    - CREATE
    - UPDATE
    condition: resource.minTlsVersion == "TLS_1_2"
    action_type: ALLOW
    display_name: Restrict Load Balancing TLS version to 1.2
    description: Only allow SSL policies to be created or updated if the minimum TLS version is 1.2 where this custom constraint is enforced.
    
  2. 将自定义限制条件添加到您的组织。

    gcloud org-policies set-custom-constraint PATH_TO_FILE
    
  3. 验证您的组织中是否存在自定义限制条件。

    gcloud org-policies list-custom-constraints \
        --organization=ORGANIZATION_ID
    
  4. 为限制条件创建政策文件。

    name: projects/PROJECT_ID/policies/custom.CONSTRAINT_NAME
    spec:
      rules:
    enforce: true

    替换以下内容:

    • PROJECT_ID:您的 Google Cloud 项目 ID
    • CONSTRAINT_NAME:限制条件名称
  5. 强制执行该政策:

    gcloud org-policies set-policy PATH_TO_POLICY_FILE
    

    PATH_TO_POLICY_FILE 替换为政策文件的完全限定路径。

  6. 假设您已创建了 YAML 文件以将最低 TLS 版本限制为 1.2,请通过创建将 minTlsVersion 设置为 TLS_1_0 的 SSL 政策来测试限制条件:

    gcloud compute ssl-policies create SSL_POLICY_NAME \
        --min-tls-version=1.0 \
        --project=PROJECT_ID
    

    输出类似于以下内容:

    ERROR: (gcloud.compute.ssl-policies.update) HTTPError 412: Operation
    denied by custom org policy: [customConstraints/custom.
    restrictLbTlsVersion] : Only allow SSL policy resources to be created or
    updated if the minimum TLS version is 1.2 where this custom constraint
    is enforced.
    

示例:创建一个限制条件,将 TCP 健康检查端口限制为至少 1024

以下示例创建了一个自定义限制条件和政策,将 TCP 健康检查端口号限制为至少 1024

在开始之前,您需要了解以下信息:

  • 您的组织 ID
  • 项目 ID

gcloud

  1. 使用以下信息创建 enforceTCPHealthCheckPort1024.yaml 限制条件文件:

    name: organizations/ORGANIZATION_ID/customConstraints/custom.enforceTCPHealthCheckPort1024
    resource_types: compute.googleapis.com/HealthCheck
    condition: "resource.tcpHealthCheck.port >= 1024"
    method_types: CREATE UPDATE
    action_type: ALLOW
    display_name: Only TCP HealthCheck Port >= 1024 Allowed.
    description: Prevent TCP health checks on well-known ports.
  2. 设置自定义限制条件。

    gcloud org-policies set-custom-constraint enforceTCPHealthCheckPort1024.yaml
    
  3. 创建一份 enforceTCPHealthCheckPort1024-policy.yaml 具有以下信息政策文件。在此示例中,我们在项目级层强制执行此限制条件,但您也可以在组织或文件夹级层设置此限制条件。 请将 PROJECT_ID 替换为您的项目 ID。

    name: projects/PROJECT_ID/policies/custom.enforceTCPHealthCheckPort1024
    spec:
      rules:
    enforce: true
  4. 强制执行该政策:

    gcloud org-policies set-policy enforceTCPHealthCheckPort1024-policy.yaml
    
  5. 通过尝试在端口 80 上创建 TCP 健康检查(系统不允许)来测试此限制。

    gcloud compute health-checks create tcp my-tcp-health-check \
        --project=PROJECT_ID \
        --region=us-central1 \
        --port=80 \
        --check-interval=5s \
        --timeout=5s \
        --healthy-threshold=4 \
        --unhealthy-threshold=5 \
    
    

    输出类似于以下内容:

    ERROR: (gcloud.compute.healthChecks.create) Could not fetch resource:
    – Operation denied by custom org policies: [customConstraints/custom.enforceTCPHealthCheckPort1024]: Only TCP HealthCheck Port >= 1024 Allowed.
    

更多常见用例示例

以下部分介绍了一些可能有用的自定义限制条件的语法:

后端存储分区

使用场景 语法
要求所有后端存储分区都启用 Cloud CDN
name: organizations/ORGANIZATION_ID/customConstraints/custom.backendBucketEnableCdn
resourceTypes:
- compute.googleapis.com/BackendBucket
methodTypes:
- CREATE
- UPDATE
condition: "resource.enableCdn == true"
actionType: ALLOW
displayName: Require all backend buckets to have Cloud CDN enabled
description: All backend buckets must have Cloud CDN enabled.

后端服务

使用场景 语法
禁止将 HTTP 和 TCP 用作后端服务协议
name: organizations/ORGANIZATION_ID/customConstraints/custom.backendBucketEnableCdn
resourceTypes:
- compute.googleapis.com/BackendService
methodTypes:
- CREATE
- UPDATE
condition: "resource.serviceProtocol == 'HTTP' || resource.serviceProtocol == 'TCP'"
actionType: DENY
displayName: Disallow the use of HTTP and TCP as backend service protocols
description: Backend services cannot configure HTTP or TCP as the backend service protocol.

转发规则

使用场景 语法
要求转发规则使用标准层级
name: organizations/ORGANIZATION_ID/customConstraints/custom.forwardingRulesStandardTier
resourceTypes:
- compute.googleapis.com/ForwardingRule
methodTypes:
- CREATE
- UPDATE
condition: "resource.networkTier == 'STANDARD'"
actionType: ALLOW
displayName: Require forwarding rules to use Standard Tier
description: Forwarding rules must use the Standard Network Service Tier.

健康检查

使用场景 语法
要求所有健康检查协议都通过端口 1024 或更高端口进行
name: organizations/ORGANIZATION_ID/customConstraints/custom.healthCheckPortMin1024
resourceTypes:
- compute.googleapis.com/HealthCheck
methodTypes:
- CREATE
- UPDATE
condition: "resource.tcpHealthCheck.port >= 1024 && resource.httpHealthCheck.port >= 1024 && resource.httpsHealthCheck.port >= 1024 && resource.sslHealthCheck.port >= 1024 && resource.sslHealthCheck.port >= 1024 &&resource.http2HealthCheck.port >= 1024 && resource.grpcHealthCheck.port >= 1024"
actionType: ALLOW
displayName: Require port 1024 or greater for all health checks
description: All health check protocols must use a port of 1024 or higher, to avoid well-known ports.
禁止 GRPC 健康检查
name: organizations/ORGANIZATION_ID/customConstraints/custom.disallowGRPCHealthChecks
resourceTypes:
- compute.googleapis.com/HealthCheck
methodTypes:
- CREATE
- UPDATE
condition: "resource.type == 'GRPC'"
actionType: DENY
displayName: Disallow GRPC health checks
description: Health checks aren't allowed to use GRPC.
防止高频率健康检查探测
name: organizations/ORGANIZATION_ID/customConstraints/custom.minHealthCheckFrequency
resourceTypes:
- compute.googleapis.com/HealthCheck
methodTypes:
- CREATE
- UPDATE
condition: "resource.checkIntervalSec >= 30"
actionType: ALLOW
displayName: Disallow fast health check probes
description: Prevent health checks from having a probe frequency under 30 seconds.

目标代理

使用场景 语法
不允许客户端 HTTPS keepalive 超时值超过 1000 秒
name: organizations/ORGANIZATION_ID/customConstraints/custom.clientHTTPSKeepalive1000Sec
resourceTypes:
- compute.googleapis.com/TargetHttpsProxy
methodTypes:
- CREATE
- UPDATE
condition: "resource.httpKeepAliveTimeoutSec > 1000"
actionType: DENY
displayName: Disallow client HTTPS keepalive timeout greater than 1000 seconds
description: Disallow client HTTPS keepalive timeout values greater than 1000 seconds.

网址映射

使用场景 语法
要求网址映射针对 HTTP 500 状态代码具有自定义错误响应政策
name: organizations/ORGANIZATION_ID/customConstraints/custom.urlMapCustomResponseHTTP500
resourceTypes:
- compute.googleapis.com/UrlMaps
methodTypes:
- CREATE
- UPDATE
condition: "resource.defaultCustomErrorResponsePolicy.errorResponseRule.exists(value, value.matchResponseCode == 500)"
actionType: ALLOW
displayName: Require URL maps to have a custom error response policy for HTTP 500 errors
description: URL maps must have a custom error response policy configured for HTTP 500 errors.

目标实例

使用场景 语法
要求目标实例的名称以字符串“targetInstance”开头
name: organizations/ORGANIZATION_ID/customConstraints/custom.targetInstanceConstraint
resourceTypes:
- compute.googleapis.com/TargetInstance
methodTypes:
- CREATE
- UPDATE
condition: "resource.name.startsWith('targetInstance')"
actionType: ALLOW
displayName: Require target instances to have a name that starts with the string "targetInstance"
description: Target instances must have resource names that start with the string "targetInstance"

目标池

使用场景 语法
要求目标池具有 CLIENT_IP 会话亲和性
name: organizations/ORGANIZATION_ID/customConstraints/custom.targetPoolConstraint
resourceTypes:
- compute.googleapis.com/TargetPool
methodTypes:
- CREATE
- UPDATE
condition: "resource.sessionAffinity == 'CLIENT_IP'"
actionType: ALLOW
displayName: Require target pools to use CLIENT_IP session affinity
description: Target pools must use CLIENT_IP session affinity

限制

  • 不支持旧版健康检查(旧版全球 [HTTP]旧版全球 [HTTPS])。

  • 对于某些 Compute Engine 资源(例如 Compute Engine SSL 政策资源),系统还会对 UPDATE 方法强制执行自定义限制条件。

后续步骤