Create and manage custom constraints

This page shows you how to enable and use custom constraints within your GKE on AWS environment. Google Cloud's Organization Policy Service helps you manage resource configurations and create guardrails in your cloud environment.

Overview

With custom organization policies, you can create granular resource policies across GKE Multi-Cloud environments to meet your organization's specific security and compliance requirements. You can also create organization policies in dry-run mode to test new policies without affecting your production workloads.

To learn more about organization policies, see Introduction to the Organization Policy Service.

Before you begin

Before you start, make sure you understand the following topics.

Policy inheritance

By default, organization policies are inherited by the descendants of the resources on which you enforce the policy. For example, if you enforce a policy on an organization, Google Cloud enforces the policy on all projects in the organization. To learn more about policy inheritance and how to change evaluation rules, see Hierarchy evaluation rules.

Limitations

Before you create custom constraints, keep in mind the following limitations:

  • Custom constraints can only be enforced on the CREATE or UPDATE methods for GKE on AWS resources.
  • Newly enforced custom constraints don't automatically apply to existing resources. You must update existing resources to apply the constraint. To find existing resources that need to be updated, you can enforce a dry-run organization policy.
  • To create constraints and enforce organization policies, you need the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on your Google Cloud organization. For more information about the permissions required to manage organization policies with custom constraints, see Required roles.

Pricing

Organization policies and custom constraints are offered at no charge.

Create custom constraints

Custom constraints must be specified by using the fields in the AwsCluster and AwsNodePool API resource specs, excluding fields that are described as "Output only".

Create a custom constraint

To create a new custom constraint, you define the constraint in a YAML file and apply the custom constraint in your organization using the Google Cloud CLI. This constraint must encapsulate the specific policy you want to enforce across your GKE on AWS resources.

Create a YAML file for defining a custom constraint on your cluster:

  name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
  resourceTypes:
  - gkemulticloud.googleapis.com/AwsCluster
  methodTypes:
  - CREATE
  condition: CONDITION
  actionType: ACTION
  displayName: DISPLAY_NAME
  description: DESCRIPTION

To define a custom constraint on your node pool, use the following YAML configuration:

  name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
  resourceTypes:
  - gkemulticloud.googleapis.com/AwsNodePool
  methodTypes:
  - CREATE
  condition: CONDITION
  actionType: ACTION
  displayName: DISPLAY_NAME
  description: DESCRIPTION

Replace the following:

  • ORGANIZATION_ID: your organization ID, such as 123456789.

  • CONSTRAINT_NAME: the name of your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers. For example, custom.allowClusterCreateIfAnnotationPresent. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom.

  • CONDITION: a condition that is written against a representation of a Google Cloud resource. Conditions are written in Common Expression Language (CEL). This field has a maximum length of 1,000 characters. For example, condition: "key" in resource.annotations && resource.annotations.key == "created-by".

  • ACTION: the action to take if the condition is met. This can be either ALLOW or DENY.

  • DISPLAY_NAME: a display name for the constraint. This field has a maximum length of 200 characters.

  • DESCRIPTION: a description of the constraint to display as an error message when the policy is violated, for example, "Allow new clusters only when certain annotations are set." This field has a maximum length of 2,000 characters.

For more information about how to create a custom constraint, see Defining custom constraints.
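The following script checks a constraint definition against the limits listed above before you hand it to gcloud, and then shows how the page's example condition combines with actionType to admit or reject a cluster request. It is an added example, not Google's code: SAMPLE_CONSTRAINT is a constructed Python dict standing in for the YAML file (in practice you would load the file with yaml.safe_load), and evaluate_annotation_condition is a hand-written Python rendering of the page's single CEL example rather than a CEL interpreter, so it covers only that one condition.

```python
"""Offline checks for a GKE on AWS custom constraint (added example, not Google's code)."""
import re

# The two GKE on AWS resource types this page allows constraints on.
ALLOWED_RESOURCE_TYPES = {
    "gkemulticloud.googleapis.com/AwsCluster",
    "gkemulticloud.googleapis.com/AwsNodePool",
}
ALLOWED_METHOD_TYPES = {"CREATE", "UPDATE"}  # the only methods custom constraints cover here
NAME_RE = re.compile(r"^organizations/\d+/customConstraints/custom\.([A-Za-z0-9]+)$")

# Constructed stand-in for the cluster constraint YAML shown on this page.
SAMPLE_CONSTRAINT = {
    "name": "organizations/123456789/customConstraints/custom.allowClusterCreateIfAnnotationPresent",
    "resourceTypes": ["gkemulticloud.googleapis.com/AwsCluster"],
    "methodTypes": ["CREATE"],
    "condition": '"key" in resource.annotations && resource.annotations.key == "created-by"',
    "actionType": "ALLOW",
    "displayName": "Allow new clusters only when certain annotations are set.",
    "description": "Allow new clusters only when certain annotations are set.",
}


def validate_constraint(c):
    """Return the list of problems found; an empty list means the definition
    satisfies the limits this page documents."""
    problems = []
    m = NAME_RE.match(c.get("name", ""))
    if not m:
        problems.append("name must look like organizations/ORG_ID/customConstraints/custom.<letters or digits>")
    elif len(m.group(1)) > 70:
        problems.append("constraint name exceeds 70 characters after the custom. prefix")
    bad_rt = set(c.get("resourceTypes", [])) - ALLOWED_RESOURCE_TYPES
    if bad_rt or not c.get("resourceTypes"):
        problems.append(f"resourceTypes must be GKE on AWS types, unknown: {sorted(bad_rt)}")
    bad_mt = set(c.get("methodTypes", [])) - ALLOWED_METHOD_TYPES
    if bad_mt or not c.get("methodTypes"):
        problems.append(f"methodTypes must be CREATE and/or UPDATE, unknown: {sorted(bad_mt)}")
    if c.get("actionType") not in ("ALLOW", "DENY"):
        problems.append("actionType must be ALLOW or DENY")
    for field, limit in (("condition", 1000), ("displayName", 200), ("description", 2000)):
        if len(c.get(field, "")) > limit:
            problems.append(f"{field} exceeds {limit} characters")
    return problems


def evaluate_annotation_condition(resource):
    """Hand-written Python equivalent of the page's CEL condition (not a CEL engine):
    "key" in resource.annotations && resource.annotations.key == "created-by"
    """
    annotations = resource.get("annotations", {})
    return "key" in annotations and annotations["key"] == "created-by"


def decide(constraint, resource):
    """Apply actionType semantics: ALLOW admits the request only when the
    condition holds, DENY rejects it when the condition holds. Returns
    (allowed, message); message is empty for an allowed request and otherwise
    mirrors the FAILED_PRECONDITION text the API returns, with the description."""
    matched = evaluate_annotation_condition(resource)
    allowed = matched if constraint["actionType"] == "ALLOW" else not matched
    if allowed:
        return True, ""
    short_name = constraint["name"].split("/customConstraints/")[1]
    return False, (
        "FAILED_PRECONDITION: Operation denied by org policy: "
        f'["customConstraints/{short_name}": "{constraint["description"]}"]'
    )


if __name__ == "__main__":
    print("problems:", validate_constraint(SAMPLE_CONSTRAINT))
    for res in ({"annotations": {"key": "created-by"}}, {"annotations": {}}):
        print(res, "->", decide(SAMPLE_CONSTRAINT, res))
```

Because ALLOW constraints reject everything that does not match the condition, a typo in the annotation key or value blocks every cluster creation in the enforced scope; running decide against a representative resource before you set the policy (or enforcing it in dry-run mode first) catches that.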

Associate the constraint with your resources

After you have created the YAML file for a new custom constraint, you must set it up to make the constraint available for organization policies.

  1. To set up a custom constraint, use the gcloud org-policies set-custom-constraint command:

     gcloud org-policies set-custom-constraint PATH_TO_FILE

     Replace PATH_TO_FILE with the path of your custom constraint YAML definition.

  2. To verify that the custom constraint is created, use the gcloud org-policies list-custom-constraints command:

     gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID

     The output lists the created constraints:

     CUSTOM_CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent
     ACTION_TYPE: ALLOW
     METHOD_TYPES: CREATE
     RESOURCE_TYPES: gkemulticloud.googleapis.com/AwsCluster
     DISPLAY_NAME: Allow new clusters only when certain annotations are set.

Enforce the custom constraint

To enforce the new custom constraint, create an organization policy that references the constraint, and then apply the organization policy.

  1. Create a YAML file for the organization policy:

     name: RESOURCE_HIERARCHY/policies/POLICY_NAME
     spec:
       rules:
       - enforce: true

    Replace the following:

    • RESOURCE_HIERARCHY: the location of the new policy, which affects the scope of enforcement. Use the Google Cloud resource hierarchy as a guide. For example, if you want to enforce the policy in a specific project, use projects/PROJECT_ID. To enforce the policy in a specific organization, use organizations/ORGANIZATION_ID.

    • POLICY_NAME: the name of the new policy.

  2. Enforce the policy:

     gcloud org-policies set-policy PATH_TO_POLICY

     Replace PATH_TO_POLICY with the path to your policy definition file.

  3. Verify that the policy exists:

     gcloud org-policies list --RESOURCE_FLAG=RESOURCE_ID

     Replace the following:

     • RESOURCE_FLAG: the Google Cloud resource where you enforced the policy. For example, a project or organization.

     • RESOURCE_ID: the ID of the resource where you enforced the policy. For example, your project ID or organization ID.

     The output is similar to the following:

     CONSTRAINT: custom.allowClusterCreateIfAnnotationPresent
     LIST_POLICY: -
     BOOLEAN_POLICY: SET
     ETAG: CPjb27wGEOijhL4B-

Test the policy

Test the organization policy by creating a new AWS cluster in a restricted project.

  1. Create an AWS cluster in a restricted project:

     gcloud container aws clusters create CLUSTER_NAME \
       --aws-region AWS_REGION \
       --location GOOGLE_CLOUD_LOCATION \
       --cluster-version CLUSTER_VERSION \
       --fleet-project FLEET_PROJECT \
       --vpc-id VPC_ID \
       --subnet-ids CONTROL_PLANE_SUBNET_1,CONTROL_PLANE_SUBNET_2,CONTROL_PLANE_SUBNET_3 \
       --pod-address-cidr-blocks POD_ADDRESS_CIDR_BLOCKS \
       --service-address-cidr-blocks SERVICE_ADDRESS_CIDR_BLOCKS \
       --role-arn API_ROLE_ARN \
       --database-encryption-kms-key-arn DB_KMS_KEY_ARN \
       --admin-users ADMIN_USERS_LIST \
       --config-encryption-kms-key-arn CONFIG_KMS_KEY_ARN \
       --iam-instance-profile CONTROL_PLANE_PROFILE \
       --tags "Name=CLUSTER_NAME-cp"

  2. The output is similar to the following:

     FAILED_PRECONDITION: Operation denied by org policy on resource 'projects/PROJECT_NUMBER/locations/GOOGLE_CLOUD_REGION': ["customConstraints/custom.allowClusterCreateIfAnnotationPresent": "Allow new clusters only when certain annotations are set."]
     '@type': type.googleapis.com/google.rpc.ErrorInfo
     domain: googleapis.com
     metadata:
       customConstraints: customConstraints/custom.allowClusterCreateIfAnnotationPresent
       service: gkemulticloud.googleapis.com
     reason: CUSTOM_ORG_POLICY_VIOLATION

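When cluster creation runs from a pipeline, the structured ErrorInfo above is what lets automation tell a policy denial apart from a transient or permission error and surface the offending constraint and its description to the requester. The parser below is an added example, not Google's code; ERROR_TEXT is a constructed copy of the output shape shown on this page, with the page's placeholders kept, and OTHER_ERROR is a constructed unrelated failure used for contrast.

```python
"""Classify a gcloud failure as an org-policy denial (added example, not Google's code)."""
import re

# Constructed copy of the denial output shown on this page.
ERROR_TEXT = """FAILED_PRECONDITION: Operation denied by org policy on resource 'projects/PROJECT_NUMBER/locations/GOOGLE_CLOUD_REGION': ["customConstraints/custom.allowClusterCreateIfAnnotationPresent": "Allow new clusters only when certain annotations are set."]
'@type': type.googleapis.com/google.rpc.ErrorInfo
domain: googleapis.com
metadata:
  customConstraints: customConstraints/custom.allowClusterCreateIfAnnotationPresent
  service: gkemulticloud.googleapis.com
reason: CUSTOM_ORG_POLICY_VIOLATION
"""

# Constructed unrelated failure, to show that non-policy errors are not matched.
OTHER_ERROR = "UNAVAILABLE: constructed unrelated error for contrast"


def parse_org_policy_denial(text):
    """Return None unless the text carries reason CUSTOM_ORG_POLICY_VIOLATION;
    otherwise a dict with the target resource, the service, and a mapping of
    each constraint that fired to the description the policy attached to it."""
    if not re.search(r"^reason:\s*CUSTOM_ORG_POLICY_VIOLATION\s*$", text, re.M):
        return None
    resource = re.search(r"on resource '([^']+)'", text)
    service = re.search(r"^\s*service:\s*(\S+)", text, re.M)
    # Each violated constraint appears as "customConstraints/<name>": "<description>".
    constraints = dict(re.findall(r'"customConstraints/([^"]+)":\s*"([^"]*)"', text))
    return {
        "resource": resource.group(1) if resource else None,
        "service": service.group(1) if service else None,
        "constraints": constraints,
    }


def summarize(text):
    """Human-readable one-paragraph triage line for a CI log."""
    info = parse_org_policy_denial(text)
    if info is None:
        return "not an org-policy denial"
    lines = [f"org policy denied the request on {info['resource']} ({info['service']})"]
    for name, description in info["constraints"].items():
        lines.append(f"  {name}: {description}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(ERROR_TEXT))
    print(summarize(OTHER_ERROR))
```

The match is keyed on the reason field rather than on the free-text first line, because the description text is whatever the constraint author wrote and can change, while CUSTOM_ORG_POLICY_VIOLATION is the stable signal.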