This document is for identity and account admins who want to allow only approved privileged workloads to run anywhere in the organization. You should already be familiar with the concepts in the following pages:
- About privileged workload admission in Autopilot
- Introduction to the Organization Policy Service
- Using managed constraints in an organization policy .
How privileged workload admission control works for organizations
By default, GKE Autopilot enforces a set of security measures for workloads. The only way to run workloads that violate these constraints is to install allowlists for those workloads. To install an allowlist from a specific source, the cluster must be configured to admit allowlists from that source.
By default, Google Cloud organizations let platform admins configure clusters to admit allowlists from GKE partners and verified open source projects . If your organization has security requirements to limit privileged workloads to an explicit known set of sources, you can use an organization policy to modify the default behavior.
When you enforce a list of approved allowlist sources for your organization, folder, or project, platform admins can specify only those sources when they create or update Autopilot or Standard clusters. If a cluster is created or updated with an unapproved source specified, the operation fails.
The organization policies that you should configure depend on your use case, as follows:
-
Allow only specific privileged workloads to run in your organization, folder, or project:
-
Allow privileged workloads to run in Autopilot mode in Standard clusters: Configure an organization policy for allowlists
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
Enable the Resource Manager API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles . -
Enable the Resource Manager API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles . - If your teams have allowlists for privileged workloads that they own, ask them to give you the paths to those allowlists in Cloud Storage.
Required roles and permissions
To get the permissions that
you need to manage organization policies,
ask your administrator to grant you the Organization policy administrator
( roles/orgpolicy.policyAdmin
)
IAM role
on the organization, folder, or project.
For more information about granting roles, see Manage access to projects, folders, and organizations
.
You might also be able to get the required permissions through custom roles or other predefined roles .
Configure an organization policy for allowlists
You can control the approved sources of allowlists for an organization, folder,
or project by creating or updating an organization policy based on the constraints/container.managed.autopilotPrivilegedAdmission
managed
constraint. When you enforce this organization policy, cluster administrators
can install allowlists only from the sources that you define in the policy.
In addition to these steps, we recommend that you enforce an organization policy that allows only Autopilot clusters to run in your environment. When there are no Standard clusters in the environment, only your approved privileged workloads can run. For more information, see the Configure an organization policy to allow only Autopilot clusters section.
To configure an organization policy for approved privileged workload allowlists, select one of the following options:
Console
-
In the Google Cloud console, go to the Organization policiespage:
-
In the table of constraints, find the
container.managed.autopilotPrivilegedAdmissionmanaged constraint. -
Click Actions > Edit policy. The Edit policypage opens.
-
In the Policy sourcesection, select Override parent's policy.
-
In the Rulessection, click Add a rule.
-
In the Enforcementsection, select On. The Parameterssection appears.
-
To control whether GKE-approved allowlists can be installed, follow these steps:
- In the allowAnyGKEPathparameter, click Edit. The Edit parameter valuespane opens.
- In the Value typesection, select User-defined.
-
In the User-defined valuessection, select one of the following options:
- True: administrators can configure clusters to run allowlists
from any path that starts with
gke://. This is the default value. - False: administrators can configure clusters to run allowlists
only from the paths that you specify in the
allowPathsparameter of the organization policy. If you don't specify paths in theallowPathsparameter, clusters can't run any allowlists from any source.
- True: administrators can configure clusters to run allowlists
from any path that starts with
-
Click Save. The Edit parameter valuespane closes.
-
To define the specific allowlists that can be installed, follow these steps:
- In the allowPathsparameter, click Edit. The Edit parameter valuespane opens.
- In the Value typesection, select User-defined.
- In the User-defined valuessection, specify one or more paths to allowlist sources. For more information about what you can specify, see Allowlist paths .
- Click Save. The Edit parameter valuespane closes.
- In the Edit rulesection, click Done.
-
Optional: To test the impact of enforcing the organization policy, click Test changes. For more information, see Test organization policy changes with Policy Simulator .
-
To enforce the policy in dry-run mode , click Set dry run policy.
-
After you verify that the organization policy works as intended in dry-run mode, set the live policy by clicking Set policy.
Changes to your organization policy can take up to 15 minutes to be fully enforced.
gcloud
-
Create a YAML file that defines the organization policy:
name : RESOURCE_TYPE / RESOURCE_ID /policies/container.managed.autopilotPrivilegedAdmission spec : rules : - enforce : true parameters : allowAnyGKEPath : ALLOW_GKE_PATHS allowedPaths : - ALLOWLIST1_PATH - ALLOWLIST2_PATHReplace the following:
-
RESOURCE_TYPE: the type of Google Cloud resource. This must be one of the following values:-
organizations -
folders -
projects
-
-
RESOURCE_ID: the organization ID, folder ID, or project ID. -
ALLOW_GKE_PATHS: whether to allow any GKE-approved allowlists. Specify one of the following values:-
True: allow cluster configuration with any GKE partner workload or verified open source workloads. This is the default value. -
False: allow cluster configuration with only the paths in theallowPathsfield.
-
-
ALLOWLIST1_PATH,ALLOWLIST2_PATH: the path to allowlists. For more information about what you can specify, see Allowlist paths .
Optionally, to make the organization policy conditional on a tag, add a
conditionblock to therulesfield. If you add a conditional rule to an organization policy, you must add at least one unconditional rule or the policy cannot be saved. For more information, see Setting an organization policy with tags . -
-
To set the organization policy in dry-run mode , specify the
dryRunSpecvalue for the--update-maskflag in thegcloud org-policies set-policycommand:gcloud org-policies set-policy POLICY_FILEPATH \ --update-mask = dryRunSpecReplace
POLICY_FILEPATHwith the path to the YAML file that you created in the previous step. -
Optional: To test the impact of enforcing this organization policy, use the
gcloud policy-intelligence simulate org-policycommand:gcloud policy-intelligence simulate org-policy \ --organization = ORGANIZATION_ID \ --policy-path = POLICY_FILEPATHReplace
ORGANIZATION_IDwith your organization ID. -
After you verify that the organization policy works as intended in dry-run mode, set the live policy by specifying the
specvalue for the--update-maskflag in thegcloud org-policies set-policycommand:gcloud org-policies set-policy POLICY_FILEPATH \ --update-mask = specChanges to your organization policy can take up to 15 minutes to be fully enforced.
Configure an organization policy to allow only Autopilot clusters
This section shows you how to configure an organization policy that allows only Autopilot clusters. We recommend that you configure this policy in addition to creating an organization policy for allowlists , because Standard clusters can run most privileged workloads. Allowing only Autopilot clusters means that your environment runs only the privileged workloads that you allow. The steps in this section are optional.
To configure this policy, select one of the following options:
Console
-
Create a custom constraint that allows only Autopilot cluster creation:
-
In the Google Cloud console, go to the Organization policiespage:
-
Click Custom constraint. The Create custom constraintpage opens.
-
Specify a display name and a unique ID for the constraint.
-
In the Enforcementsection, follow these steps:
- In the Resource typelist, select container.googleapis.com/Cluster.
- In the Enforcement methodlist, select Enforcement on create.
- In the Conditionsection, click Edit Condition. The Add conditionpane opens.
-
Specify the following expression:
resource.autopilot.enabled == true -
Click Save. The Add conditionpane closes.
-
In the Actionsection, select Allow.
-
Click Create constraint.
-
-
Create a custom organization policy that enforces the constraint:
- In the table of constraints, find the custom constraint that you created in the previous step.
- Click Actions > Edit policy. The Edit policypage opens.
- In the Policy sourcesection, select Override parent's policy.
- Click Add a rule.
- In the Enforcementsection, select On.
- To test the impact of enforcing the organization policy, click Test changes. For more information, see Test organization policy changes with Policy Simulator .
- To enforce the policy in dry-run mode , click Set dry run policy.
- After you verify that the organization policy works as intended in dry-run mode, set the live policy by clicking Set policy.
Changes to your organization policy can take up to 15 minutes to be fully enforced.
gcloud
-
Create a custom constraint that allows only Autopilot cluster creation:
-
Create a YAML file that defines the custom constraint:
name : organizations/ ORGANIZATION_ID /customConstraints/ CONSTRAINT_NAME resourceTypes : container.googleapis.com/Cluster methodTypes : - CREATE condition : resource.autopilot.enabled == true actionType : ALLOW displayName : "Allow only Autopilot clusters"Replace the following:
-
ORGANIZATION_ID: your organization ID. -
CONSTRAINT_NAME: a name for your new constraint.
-
-
Set the custom constraint:
gcloud org-policies set-custom-constraint CONSTRAINT_FILEPATHReplace
CONSTRAINT_FILEPATHwith the path to the YAML file that you created in the previous step.
The custom constraint is available to use in an organization policy.
-
-
Create a custom organization policy that enforces the constraint:
-
Create a YAML file that defines the organization policy:
name : RESOURCE_TYPE / RESOURCE_ID /policies/custom. CONSTRAINT_NAME spec : rules : - enforce : trueReplace the following:
-
RESOURCE_TYPE: the type of Google Cloud resource. This must be one of the following values:-
organizations -
folders -
projects
-
-
RESOURCE_ID: the ID of the organization, folder, or project.
Optionally, to make the organization policy conditional on a tag, add a
conditionblock to therulesfield. If you add a conditional rule to an organization policy, you must add at least one unconditional rule or the policy cannot be saved. For more information, see Setting an organization policy with tags . -
-
To set the organization policy in dry-run mode , specify the
dryRunSpecvalue for the--update-maskflag in thegcloud org-policies set-policycommand:gcloud org-policies set-policy POLICY_FILEPATH \ --update-mask = dryRunSpecReplace
POLICY_FILEPATHwith the path to the YAML file that you created in the previous step. -
To test the impact of enforcing this organization policy, use the
gcloud policy-intelligence simulate org-policycommand:gcloud policy-intelligence simulate org-policy \ --organization = ORGANIZATION_ID \ --policy-path = POLICY_FILEPATHReplace
ORGANIZATION_IDwith your organization ID. -
After you verify that the organization policy works as intended in dry-run mode, set the live policy by specifying the
specvalue for the--update-maskflag in thegcloud org-policies set-policycommand:gcloud org-policies set-policy POLICY_FILEPATH \ --update-mask = specChanges to your organization policy can take up to 15 minutes to be fully enforced.
-
What's next
- Tell your platform admins to run privileged workloads in Autopilot
