Leverage Custom Constraints/Org Policy in GCP

Security with Organization Policies

Kiran K
KPMG UK Engineering


What is Organization Policy ?

Google Cloud allows Organization Policy Administrators to configure policies across an organization so that they have more control over the actions performed by each user within their projects.

It also allows administrators to enforce security controls on specific resources.

Refer: https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-policies

Google Cloud ships a set of pre-defined organization policy constraints that administrators can enforce.

What are Custom Organization Policies?

Google Cloud has introduced a new feature called Custom Constraints, which allows administrators to define their own constraints and enforce them across the organization.


Currently this feature is supported only for a few resources. Refer: https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services.

As of today it is also under Pre-GA and is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions.

Create a Constraint

Below is an example of a custom constraint that requires Binary Authorization to be enabled when a GKE cluster is created. Create a constraint file as below (CONSTRAINT_NAME must start with the prefix "custom."):

# ORG_ID: numeric organization ID; CONSTRAINT_NAME: e.g. custom.enableGkeBinaryAuthz
name: organizations/ORG_ID/customConstraints/CONSTRAINT_NAME
# Resource and API methods the constraint is evaluated on
resource_types: container.googleapis.com/Cluster
method_types:
- CREATE
# CEL expression over the request body; with action_type ALLOW, a request is
# allowed only when this evaluates to true and denied otherwise
condition: resource.binaryAuthorization.enabled == true || resource.binaryAuthorization.evaluationMode == "PROJECT_SINGLETON_POLICY_ENFORCE"
action_type: ALLOW
display_name: Enable Binary Authorization for Cluster

Run the command below with the path to the constraint file (CONSTRAINT_PATH is where the constraint file is placed):

gcloud org-policies set-custom-constraint CONSTRAINT_PATH

Enforcing Constraint

Enforcing a constraint can be done from the console or using gcloud commands. To create an organization policy that enforces a boolean constraint, create a policy file (YAML or JSON) that references the constraint:

# CONSTRAINT_NAME is the same "custom."-prefixed name used in the constraint file
name: projects/PROJECT_ID/policies/CONSTRAINT_NAME
spec:
  rules:
  - enforce: true

To enforce the organization policy containing the constraint, run the following command with the full path to your organization policy file.

gcloud org-policies set-policy POLICY_PATH
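The two files above only describe the rule; what they mean for an actual cluster creation is easy to get wrong (for example, an ALLOW constraint denies everything that does not match its condition). The following is an added example, not code from the post or from Google: a small Python model of how a custom constraint is decided, used to check the post's Binary Authorization constraint against constructed GKE cluster bodies before applying it. It assumes the constraint is held as a dict in the shape of the YAML file, and it replaces the CEL condition with the Python predicate binary_authz_required, since there is no CEL evaluator in the standard library.

```python
"""Model of custom-constraint decisions for the post's Binary Authorization rule.

Added example (not from the post or Google). Assumptions: the constraint is a
dict shaped like the YAML file, and the CEL condition is mirrored by the Python
predicate `binary_authz_required`; the decision rules follow the documented
semantics (ALLOW = permit only when the condition holds, DENY = block when it
holds, and nothing applies unless an org policy enforces the constraint).
"""
from typing import Any, Callable, Dict, List, Tuple

# The constraint from the post, as a dict. ORG_ID is a placeholder; the
# constraint ID itself must carry the "custom." prefix.
CONSTRAINT: Dict[str, Any] = {
    "name": "organizations/ORG_ID/customConstraints/custom.enableGkeBinaryAuthz",
    "resourceTypes": ["container.googleapis.com/Cluster"],
    "methodTypes": ["CREATE"],
    "condition": 'resource.binaryAuthorization.enabled == true || '
                 'resource.binaryAuthorization.evaluationMode == "PROJECT_SINGLETON_POLICY_ENFORCE"',
    "actionType": "ALLOW",
    "displayName": "Enable Binary Authorization for Cluster",
}


def binary_authz_required(cluster: Dict[str, Any]) -> bool:
    """Python stand-in for the CEL condition above.

    An absent binaryAuthorization block is treated as false, which is an
    assumption matching proto default values rather than something the post states."""
    ba = cluster.get("binaryAuthorization") or {}
    return ba.get("enabled") is True or ba.get("evaluationMode") == "PROJECT_SINGLETON_POLICY_ENFORCE"


def validate_constraint(c: Dict[str, Any]) -> List[str]:
    """Structural checks worth running before `gcloud org-policies set-custom-constraint`.
    Returns the problems found; an empty list means the shape looks right."""
    problems: List[str] = []
    parts = str(c.get("name", "")).split("/")
    if len(parts) != 4 or parts[0] != "organizations" or parts[2] != "customConstraints":
        problems.append("name must be organizations/ORG_ID/customConstraints/ID")
    elif not parts[3].startswith("custom."):
        problems.append("custom constraint ID must start with 'custom.'")
    if c.get("actionType") not in ("ALLOW", "DENY"):
        problems.append("actionType must be ALLOW or DENY")
    for key in ("resourceTypes", "methodTypes"):
        if not isinstance(c.get(key), list) or not c[key]:
            problems.append(f"{key} must be a non-empty list")
    if not c.get("condition"):
        problems.append("condition is required")
    return problems


def decide(c: Dict[str, Any], predicate: Callable[[Dict[str, Any]], bool],
           resource_type: str, method: str, resource: Dict[str, Any],
           policy_enforced: bool = True) -> str:
    """Outcome for one request: 'ALLOW', 'DENY' or 'NOT_APPLICABLE'."""
    # Without an org policy with `enforce: true`, the constraint is just a definition.
    if not policy_enforced:
        return "NOT_APPLICABLE"
    # Only the listed resource types and API methods are ever evaluated.
    if resource_type not in c["resourceTypes"] or method not in c["methodTypes"]:
        return "NOT_APPLICABLE"
    matched = predicate(resource)
    if c["actionType"] == "ALLOW":
        return "ALLOW" if matched else "DENY"
    return "DENY" if matched else "ALLOW"


# Constructed sample cluster request bodies (not real clusters or projects).
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, Any]]] = [
    ("CREATE", {"name": "prod-gke",
                "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"}}),
    ("CREATE", {"name": "legacy-gke", "binaryAuthorization": {"enabled": True}}),
    ("CREATE", {"name": "dev-gke"}),  # no binaryAuthorization block at all
    # An UPDATE that turns Binary Authorization off: the post's constraint lists only CREATE
    ("UPDATE", {"name": "prod-gke", "binaryAuthorization": {"evaluationMode": "DISABLED"}}),
]


def evaluate_samples() -> Dict[str, str]:
    """Decision for each constructed request, keyed by 'METHOD:cluster name'."""
    return {
        f"{method}:{body['name']}": decide(CONSTRAINT, binary_authz_required,
                                           "container.googleapis.com/Cluster", method, body)
        for method, body in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for problem in validate_constraint(CONSTRAINT):
        print("problem:", problem)
    for request, outcome in evaluate_samples().items():
        print(f"{request:<20} {outcome}")
```

Running it shows the two clusters with Binary Authorization configured are allowed, the bare dev-gke create is denied, and the UPDATE that disables Binary Authorization is not evaluated at all because the constraint's method_types only lists CREATE. If the resource type supports UPDATE as a method type, listing it as well closes that gap; otherwise a separate control is needed for post-creation changes.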

Permissions to perform the Task

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization Policy Administrator role (roles/orgpolicy.policyAdmin).

Why to use Custom Constraints?

Custom constraints in GCP provide a powerful mechanism to enforce policies, ensure compliance, and maintain governance across your cloud environment. They offer flexibility, customisation, and integration with existing GCP services, enabling you to align your cloud infrastructure with your organization’s unique requirements.

Happy Learning!
