Require continuous validation check-based platform policies for all GKE clusters

This page shows you how to use the Organization Policy Service to require that GKE clusters use one or more continuous validation (CV) check-based platform policies. You specify the required check-based platform policies in custom constraints. You then enforce the custom constraints in your organization policy.

Costs

This guide uses the following Google Cloud services:

  • Binary Authorization. CV is available free of charge during the Preview stage.
  • Organization policies and constraints are offered at no charge.

Before you begin

  1. Enable Binary Authorization.
  2. Set up CV with check-based platform policies and at least one CV check-based platform policy.

Required roles

To get the permissions that you need to create constraints and enforce organization policies, ask your administrator to grant you the Organization Policy Administrator ( roles/orgpolicy.policyAdmin ) IAM role on your Google Cloud organization. For more information about granting roles, see Manage access to projects, folders, and organizations .

You might also be able to get the required permissions through custom roles or other predefined roles .

Create a CV custom constraint

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. On the Organization policies page, click Custom constraint.

  3. If you're prompted to do so, click Switch to parent organization. To learn more about organizations, see Introduction to the Organization Policy Service.

  4. In Constraint details, enter the following information in the fields:

    1. Display name: a display name for your constraint, such as Require a Binary Authorization continuous validation policy for all GKE clusters. You use the display name to look up the constraint after it is saved. The display name field has a maximum length of 200 characters.

    2. Constraint ID: a constraint ID for your constraint—for example, RequireBinAuthzCVPolicy.

    3. Description (Optional): a human-friendly description of the constraint to display as an error message when the policy is violated. The description field has a maximum length of 2000 characters.

  5. In Enforcement, do the following:

    1. In Resource types, enter container.googleapis.com/Cluster.

    2. In Enforcement method, select Enforce on create and update.

    3. Enter an expression into the Condition field. This field has a maximum length of 1000 characters. The custom constraint is enforced when the condition evaluates to true. The condition is an expression in the Common Expression Language (CEL) syntax. You can combine expressions with and ( && ) and or ( || ) to create a complex condition. CEL is a C-like expression language. To learn more about the syntax and semantics of CEL, see https://github.com/google/cel-spec . To enter the condition, do the following:

      1. Click Edit condition.

      2. Enter an expression to check for the existence of a CV platform policy. The following condition requires that a CV platform policy binding exists and that the platform policy has a specific name:

         resource.binaryAuthorization.policyBindings.exists(policy, policy.name == "projects/PROJECT_ID/platforms/gke/policies/POLICY_ID")

        Replace the following:

        • PROJECT_ID : the project ID of your platform policy. The project must be in the same organization.
        • POLICY_ID : the policy ID of your platform policy.

        The following condition requires that two CV platform policy bindings exist and that each has a specific platform policy name:

         resource.binaryAuthorization.policyBindings.exists(policy, policy.name == "projects/PROJECT_ID1/platforms/gke/policies/POLICY_ID1") && resource.binaryAuthorization.policyBindings.exists(policy, policy.name == "projects/PROJECT_ID2/platforms/gke/policies/POLICY_ID2")

        Replace the following:

        • PROJECT_ID1 : the project ID of your first platform policy. The project must be in the same organization.
        • POLICY_ID1 : the policy ID of your first platform policy.
        • PROJECT_ID2 : the project ID of your second platform policy.
        • POLICY_ID2 : the policy ID of your second platform policy.

      3. Click Save.

    4. In Action, select Allow.

  6. To create your custom constraint, click Create Constraint.

gcloud

  1. Create a YAML file for the custom constraint:

      name: organizations/ORGANIZATION_ID/customConstraints/custom.CONSTRAINT_ID
      resource_types: container.googleapis.com/Cluster
      method_types:
      - CREATE
      - UPDATE
      condition: >-
        CONDITION
      action_type: ACTION
      display_name: DISPLAY_NAME
      description: DESCRIPTION

    Replace the following:

    • ORGANIZATION_ID : your organization ID—for example, 123456789.
    • CONSTRAINT_ID : a constraint ID—for example, RequireBinAuthzCVPolicy.
    • CONDITION : an expression that checks for the existence of a CV platform policy. This field has a maximum length of 1000 characters. The custom constraint is enforced when the condition evaluates to true. The condition is an expression in the Common Expression Language (CEL) syntax. You can combine expressions with and ( && ) and or ( || ) to create a complex condition. CEL is a C-like expression language. To learn more about the syntax and semantics of CEL, see https://github.com/google/cel-spec . The following condition requires that a CV platform policy binding exists and that the platform policy has a specific name:

       resource.binaryAuthorization.policyBindings.exists(policy, policy.name == "projects/PROJECT_ID/platforms/gke/policies/POLICY_ID")

      Replace the following:

      • PROJECT_ID : the project ID of your platform policy. The project must be in the same organization.
      • POLICY_ID : the policy ID of your platform policy.

      The following condition requires that two CV platform policy bindings exist and that each has a specific platform policy name:

       resource.binaryAuthorization.policyBindings.exists(policy, policy.name == "projects/PROJECT_ID1/platforms/gke/policies/POLICY_ID1") && resource.binaryAuthorization.policyBindings.exists(policy, policy.name == "projects/PROJECT_ID2/platforms/gke/policies/POLICY_ID2")

      Replace the following:

      • PROJECT_ID1 : the project ID of your first platform policy. The project must be in the same organization.
      • POLICY_ID1 : the policy ID of your first platform policy.
      • PROJECT_ID2 : the project ID of your second platform policy.
      • POLICY_ID2 : the policy ID of your second platform policy.

    • ACTION : the action to take if the condition is met. This can be either ALLOW or DENY.
    • DISPLAY_NAME : a human-friendly name for the constraint—for example, Require a Binary Authorization continuous validation policy for all GKE clusters. The display name field has a maximum length of 200 characters.
    • DESCRIPTION : a human-friendly description of the constraint to display as an error message when the policy is violated. The description field has a maximum length of 2000 characters.

  2. Apply the custom constraint:

      gcloud org-policies set-custom-constraint CUSTOM_CONSTRAINT_PATH

    Replace CUSTOM_CONSTRAINT_PATH with the path of your custom constraint definition.

  3. Verify that the custom constraint exists:

      gcloud org-policies list-custom-constraints \
        --organization=ORGANIZATION_ID

    The output is similar to the following:

      CUSTOM_CONSTRAINT: custom.RequireBinAuthzCVPolicy
      ACTION_TYPE: ALLOW
      METHOD_TYPES: CREATE,UPDATE
      RESOURCE_TYPES: container.googleapis.com/Cluster
      DISPLAY_NAME: This cluster requires the continuous validation policy: projects/my-project/platforms/gke/policies/my-policy
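The following Python script is an added example; it is not part of this page and not Google Cloud tooling. It builds the CEL condition described in the console and gcloud steps above for one or more platform policies, renders the custom-constraint YAML in the layout shown in this section, and checks a constructed cluster description against the same exists() semantics, so you can see which clusters an ALLOW constraint would admit before you enforce it. The cluster dict layout (binaryAuthorization.policyBindings[].name, mirroring the fields the condition reads), the sample cluster, and the project-ID validation are assumptions of the example; a missing binaryAuthorization block is treated as an empty binding list.

```python
"""Added example (not from the page): build and sanity-check a CV custom constraint.

Assumptions: the cluster dict mirrors the resource.binaryAuthorization.policyBindings[].name
fields read by the CEL condition; a missing binaryAuthorization block counts as no bindings.
"""
import json
import re

# Project IDs are 6-30 chars of lowercase letters, digits and hyphens, start with a
# letter and cannot end with a hyphen (assumed validation, not from the page).
_PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def policy_name(project_id: str, policy_id: str) -> str:
    """Return the platform policy resource name used inside the CEL condition."""
    if not _PROJECT_ID_RE.match(project_id):
        raise ValueError(f"invalid project ID: {project_id!r}")
    if not policy_id or "/" in policy_id or any(c.isspace() for c in policy_id):
        raise ValueError(f"invalid policy ID: {policy_id!r}")
    return f"projects/{project_id}/platforms/gke/policies/{policy_id}"


def build_condition(policy_names: list[str]) -> str:
    """One exists() clause per required policy, joined with && as on the page."""
    if not policy_names:
        raise ValueError("at least one platform policy is required")
    clauses = [
        "resource.binaryAuthorization.policyBindings.exists("
        f'policy, policy.name == "{name}")'
        for name in policy_names
    ]
    return " && ".join(clauses)


def cluster_satisfies(cluster: dict, policy_names: list[str]) -> bool:
    """Mirror the condition locally: every required name must be among the bindings.

    With action ALLOW the constraint admits the create/update only when this is
    true, so a cluster with no policy bindings at all is rejected.
    """
    bindings = cluster.get("binaryAuthorization", {}).get("policyBindings", [])
    bound = {b.get("name") for b in bindings}
    return all(name in bound for name in policy_names)


def constraint_yaml(org_id: str, constraint_id: str, condition: str,
                    display_name: str, description: str,
                    action: str = "ALLOW") -> str:
    """Render the custom-constraint YAML in the layout shown on this page."""
    if action not in ("ALLOW", "DENY"):
        raise ValueError("action must be ALLOW or DENY")
    # Length limits documented on the page: 1000 / 200 / 2000 characters.
    if len(condition) > 1000 or len(display_name) > 200 or len(description) > 2000:
        raise ValueError("a field exceeds its documented length limit")
    # json.dumps produces a double-quoted YAML scalar, so colons in free text are safe.
    return (
        f"name: organizations/{org_id}/customConstraints/custom.{constraint_id}\n"
        "resource_types: container.googleapis.com/Cluster\n"
        "method_types:\n"
        "- CREATE\n"
        "- UPDATE\n"
        "condition: >-\n"
        f"  {condition}\n"
        f"action_type: {action}\n"
        f"display_name: {json.dumps(display_name)}\n"
        f"description: {json.dumps(description)}\n"
    )


# Constructed sample cluster description with a single CV policy binding.
SAMPLE_CLUSTER = {
    "name": "prod-cluster",
    "binaryAuthorization": {
        "policyBindings": [
            {"name": "projects/my-project/platforms/gke/policies/my-policy"}
        ],
    },
}

if __name__ == "__main__":
    required = [policy_name("my-project", "my-policy")]
    print(constraint_yaml(
        "123456789", "RequireBinAuthzCVPolicy", build_condition(required),
        "Require a Binary Authorization continuous validation policy for all GKE clusters",
        "This cluster requires the continuous validation policy: " + required[0]))
    print("sample cluster passes:", cluster_satisfies(SAMPLE_CLUSTER, required))
```

Write the returned YAML to a file and pass that path to gcloud org-policies set-custom-constraint as in step 2; the folded block scalar (>-) keeps the quoted policy names inside the condition intact without extra escaping.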

To enable enforcement of the custom constraint that you created, create an organization policy .

Use an organization policy to enforce the custom constraint

To enforce the new custom constraint, create an organization policy that references the constraint, and then apply the organization policy.

Console

To enforce the constraint, do the following:

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. In the project picker, select the organization.

  3. Search for and select your constraint from the list.

  4. In the Policy details page for that constraint, click Manage policy.

  5. On the Edit policy page, select Override parent's policy.

  6. Click Add a rule.

  7. In Enforcement, select On.

  8. Optional: Click Test changes to simulate the effect of this organization policy. For more information, see Test organization policy changes with Policy Simulator.

  9. To finish and apply the organization policy, click Set policy .

gcloud

  1. Create a YAML policy definition file:

      name: organizations/ORGANIZATION_ID/policies/custom.CONSTRAINT_ID
      spec:
        rules:
        - enforce: true

    Replace the following:

    • ORGANIZATION_ID : the organization ID
    • CONSTRAINT_ID : the constraint ID

  2. Enforce the policy:

      gcloud org-policies set-policy ORG_POLICY_PATH

    Replace ORG_POLICY_PATH with the path to your policy definition file.

  3. Verify that the policy exists:

      gcloud org-policies list \
        --organization=ORGANIZATION_ID

    Replace ORGANIZATION_ID with the organization ID.

    For a list of arguments, refer to gcloud org-policies list .

    The output is similar to the following:

     CONSTRAINT: custom.RequireBinAuthzCVPolicy
    LIST_POLICY: -
    BOOLEAN_POLICY: SET
    ETAG: CN622LIGEIDXnpMB- 
    

The policy can take up to 15 minutes to take effect.

To enforce multiple constraints on CV check-based platform policies, do the following:

  • Create one custom constraint per CV check-based policy.
  • Update the organization policy with each custom constraint as described in this section.

Delete the custom constraint

You can delete a custom constraint using the Google Cloud console or the Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. Select the project picker at the top of the page.

  3. From the project picker, select your organization.

  4. Search for and select your constraint from the list.

  5. In Constraint details, click Delete.

  6. To confirm you want to delete the constraint, click Delete.

gcloud

To delete a custom constraint, use the org-policies delete-custom-constraint gcloud CLI command:

  gcloud org-policies delete-custom-constraint custom.CONSTRAINT_ID \
    --organization=ORGANIZATION_ID

Replace the following:

  • ORGANIZATION_ID : your organization ID, such as 123456789
  • CONSTRAINT_ID : the ID of your custom constraint

The output is similar to the following:

  Deleted custom constraint [organizations/123456789/customConstraints/custom.CONSTRAINT_ID]

After you delete a custom constraint, any policies that have been created using that constraint continue to exist, but are ignored. You can't create another custom constraint with the same name as a deleted custom constraint.

What's next
