Analyzing organization policies

This page describes how to analyze organization policy settings so that you can see which resources are covered by which organization policies. With Policy Analyzer for organization policies, you create an analysis query that returns information about custom and predefined organization policies.

An analysis query consists of a scope and a constraint:

  • Constraint: the resource name of the constraint to analyze.
  • Scope: the organization that bounds the analysis. Every organization policy with the specified constraint that is defined within this scope is included in the analysis.

For more information about organization policies, see Introduction to the Organization Policy Service. For more information about creating custom constraints, see Creating and managing custom constraints.

Before you begin

Enable the Cloud Asset API.


You must enable the API in the project or organization from which you send the query. This does not have to be the same resource that you scope the query to.

Required roles and permissions

To get the permissions that you need to run an organization policy analysis, ask your administrator to grant you the following IAM role on the organization resource you want to analyze:

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to run an organization policy analysis. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to run an organization policy analysis:

  • To perform the analysis:
    • cloudasset.assets.analyzeOrgPolicy
    • cloudasset.assets.searchAllResources
    • cloudasset.assets.searchAllIamPolicies
  • To view custom constraints: orgpolicy.customConstraints.get

You can also get these permissions with custom roles or other predefined roles.

Analyze configured policies

An organization policy is built on a constraint and an optional condition under which that constraint is enforced. You can use Policy Analyzer to return the list of organization policies that use a specific constraint, together with the resources those policies are attached to.

Policy Analyzer returns one result entry for each organization policy detected within the scope of the query. A result entry contains the following fields:

  • consolidatedPolicy: the resource the organization policy is attached to, and the effective policy enforced on that resource after the hierarchy evaluation rules have been applied.

  • policyBundle: the fully configured organization policy attached to the resource above, plus the organization policies defined on its ancestors in the resource hierarchy.

gcloud

To analyze how an organization policy constraint is enforced in an organization, use the gcloud beta asset analyze-org-policies command.

gcloud beta asset analyze-org-policies \
    --constraint=CONSTRAINT_NAME  \
    --scope=organizations/ORGANIZATION_ID \
    --limit=LIMIT_POLICIES \
    --filter=FILTER_QUERY

Replace the following:

  • CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.

  • ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.

  • LIMIT_POLICIES: the number of result entries you want to see. To see an unlimited number of entries, enter unlimited.

  • FILTER_QUERY: a filter query so that only policies matching the filter expression are returned. The only field available for filtering is consolidated_policy.attached_resource. For example, consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/projects/1234567890" returns only the policies attached to the project with project ID 1234567890.

The YAML response is similar to the following:

Example YAML response

---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  rules:
  - enforce: true
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  reset: true
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true

REST

To analyze how an organization policy is enforced in an organization, use the Cloud Asset API's analyzeOrgPolicies method.

HTTP method and URL:

GET https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:analyzeOrgPolicies

Request JSON body:

JSON_REQUEST="{
  'constraint': 'CONSTRAINT_NAME',
  'filter': 'FILTER_QUERY',
  'page_size': PAGE_SIZE,
  'page_token': PAGE_TOKEN
}"

Replace the following:

  • ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.

  • CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.

  • FILTER_QUERY: a filter query so that only policies matching the filter expression are returned. The only field available for filtering is consolidated_policy.attached_resource. For example, consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/projects/1234567890" returns only the policies attached to the project with project ID 1234567890.

  • PAGE_SIZE: the number of result entries you want to see per page. To see an unlimited number of entries, enter unlimited. If the total number of result entries is greater than PAGE_SIZE, a request made with this flag set returns a nextPageToken value.

  • PAGE_TOKEN: set this only on requests that follow the first request containing the page_size flag. Use the nextPageToken value received in the previous response to return a specific page of results.

The JSON response is similar to the following:

Example JSON response

{
  "orgPolicyResults": [
    {
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012",
        "rules": [
          {
            "values": {
              "allowedValues": [
                "C0265whk2"
              ]
            }
          },
          {
            "values": {
              "allowedValues": [
                "C03kd36xr"
              ]
            }
          }
        ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012",
          "rules": [
            {
              "values": {
                "allowedValues": [
                  "C03kd36xr"
                ]
              }
            }
          ],
          "inheritFromParent": true,
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123",
          "rules": [
            {
              "values": {
                "allowedValues": [
                  "C0265whk2"
                ]
              }
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123"
        }
      ]
    },
    {
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123",
        "rules": [
          {
            "values": {
              "allowedValues": [
                "C0265whk2"
              ]
            }
          }
        ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123",
          "rules": [
            {
              "values": {
                "allowedValues": [
                  "C0265whk2"
                ]
              }
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123"
        }
      ]
    }
  ],
  "constraint": {
    "googleDefinedConstraint": {
      "name": "constraints/iam.allowedPolicyMemberDomains",
      "displayName": "Domain restricted sharing",
      "description": "This list constraint defines one or more Cloud Identity or Google Workspace customer IDs whose principals can be added to IAM policies. \u003cbr\u003eBy default, all user identities are allowed to be added to IAM policies. Only allowed values can be defined in this constraint, denied values are not supported. \u003cbr\u003eIf this constraint is active, only principals that belong to the allowed customer IDs can be added to IAM policies.",
      "constraintDefault": "ALLOW",
      "listConstraint": {}
    }
  }
}
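The policyBundle is what explains why a resource ends up with the consolidated policy it has. The following script is an added example, not code from this page or from the Cloud Asset API client libraries: it walks an analyzeOrgPolicies response, describes each consolidated policy's rules (boolean and list forms), and names the bundle entry that produced them (a reset, a policy merged with its parent, or one that replaces it). The response it runs on is constructed to mirror the shapes shown above. Because it prefers fullResourceName when that field is present, the same policy_source function can be applied to governedContainers entries from the next section.

```python
from typing import Any

# Resource names are constructed for this example, shaped like the responses above.
ORG = "//cloudresourcemanager.googleapis.com/organizations/474566717491"
FOLDER = "//cloudresourcemanager.googleapis.com/folders/513502730678"
PROJECT = "//cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621"
TAG_COND = {"expression": 'resource.matchTag("474566717491/env", "prod")'}

# Constructed sample response for a boolean constraint; not real API output.
SAMPLE_RESPONSE: dict[str, Any] = {
    "orgPolicyResults": [
        {   # project resets the policy, so the org's enforce=true is discarded
            "consolidatedPolicy": {"attachedResource": PROJECT, "rules": [{"enforce": False}]},
            "policyBundle": [{"attachedResource": PROJECT, "reset": True},
                             {"attachedResource": ORG, "rules": [{"enforce": True}]}],
        },
        {   # folder merges a tag-based exemption with the inherited org rule
            "consolidatedPolicy": {"attachedResource": FOLDER, "rules": [
                {"enforce": False, "condition": TAG_COND}, {"enforce": True}]},
            "policyBundle": [{"attachedResource": FOLDER, "inheritFromParent": True,
                              "rules": [{"enforce": False, "condition": TAG_COND}]},
                             {"attachedResource": ORG, "rules": [{"enforce": True}]}],
        },
    ],
    "constraint": {"googleDefinedConstraint": {"name": "constraints/compute.requireOsLogin"}},
}

def describe_rule(rule: dict[str, Any]) -> str:
    """Render one rule (boolean or list form) as a short phrase."""
    if "enforce" in rule:
        text = "enforced" if rule["enforce"] else "not enforced"
    elif rule.get("allowAll") or rule.get("denyAll"):
        text = "allow all" if rule.get("allowAll") else "deny all"
    elif "values" in rule:
        v = rule["values"]
        text = f"allow {v.get('allowedValues', [])} deny {v.get('deniedValues', [])}"
    else:
        text = "unrecognised rule"
    if "condition" in rule:  # applies only where the CEL expression evaluates true
        text += f" when {rule['condition'].get('expression', '?')}"
    return text

def policy_source(result: dict[str, Any]) -> str:
    """Name the bundle entry that shaped the consolidated policy. The bundle lists the
    resource's own policy first, then its ancestors, as in the examples above."""
    target = result.get("fullResourceName") or result["consolidatedPolicy"]["attachedResource"]
    bundle = result.get("policyBundle", [])
    local = next((p for p in bundle if p.get("attachedResource") == target), None)
    ancestors = [p["attachedResource"] for p in bundle if p.get("attachedResource") != target]
    if local is None:  # governed containers/assets that only inherit land here
        return f"inherited from {ancestors[0]}" if ancestors else "constraint default"
    if local.get("reset"):
        return "reset to constraint default (ancestor policies ignored)"
    if not ancestors:
        return "set here, no ancestor policy"
    verb = "merged with" if local.get("inheritFromParent") else "replaces"
    return f"set here, {verb} {ancestors[0]}"

def find_overrides(response: dict[str, Any]) -> list[dict[str, str]]:
    """One row per result: resource, effective rules, and where they came from."""
    rows = []
    for result in response.get("orgPolicyResults", []):
        policy = result["consolidatedPolicy"]
        rows.append({"resource": policy["attachedResource"],
                     "effective": "; ".join(map(describe_rule, policy.get("rules", []))) or "no rules",
                     "source": policy_source(result)})
    return rows
```

Feed it the parsed JSON of a real analyzeOrgPolicies response and sort the rows by source to surface every project that resets or replaces an organization-wide control.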

Analyze containers

A container in this context is a project, folder, or organization resource. You can use Policy Analyzer to return a list of all containers on which a specific constraint is enforced. Policy Analyzer also returns each container's full name and its parent in the hierarchy.

Policy Analyzer returns one result entry for each container detected within the scope of the query. A result entry contains the following fields:

  • fullResourceName: the full resource name of the container.

  • parent: the full resource name of the container's parent.

  • consolidatedPolicy: the container the organization policy is attached to, and the effective policy enforced on that container after the hierarchy evaluation rules have been applied.

  • policyBundle: the organization policy configured directly on the container, if any, plus the organization policies defined on the container's ancestors in the resource hierarchy.

gcloud

To analyze how an organization policy constraint is enforced on the containers in an organization, use the gcloud beta asset analyze-org-policy-governed-containers command.

gcloud beta asset analyze-org-policy-governed-containers \
    --constraint=CONSTRAINT_NAME  \
    --scope=organizations/ORGANIZATION_ID \
    --limit=LIMIT_CONTAINERS \
    --filter=FILTER_QUERY

Replace the following:

  • CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.

  • ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.

  • LIMIT_CONTAINERS: the number of result entries you want to see. To see an unlimited number of entries, enter unlimited.

  • FILTER_QUERY: a filter query so that only containers matching the filter expression are returned. The only field available for filtering is parent. For example, parent="//cloudresourcemanager.googleapis.com/organizations/012345678901" returns only the child containers of the organization with organization ID 012345678901.

The YAML response is similar to the following:

Example YAML response

---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  rules:
  - values:
      allowedValues:
      - projects/donghe-project1/zones/us-central1-a/instances/instance-1
fullResourceName: //cloudresourcemanager.googleapis.com/projects/donghe-project1
parent: //cloudresourcemanager.googleapis.com/folders/86513245445
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  inheritFromParent: true
  rules:
  - values:
      allowedValues:
      - projects/donghe-project1/zones/us-central1-a/instances/instance-1
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  rules:
  - denyAll: true
fullResourceName: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
parent: //cloudresourcemanager.googleapis.com/organizations/474566717491
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  inheritFromParent: true
  rules:
  - denyAll: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  rules:
  - values:
      allowedValues:
      - projects/opa-test-project-1-364621/zones/us-central1-a/instances/instance-1
fullResourceName: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
parent: //cloudresourcemanager.googleapis.com/folders/666681422980
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  rules:
  - values:
      allowedValues:
      - projects/opa-test-project-1-364621/zones/us-central1-a/instances/instance-1

REST

To analyze how an organization policy constraint is enforced on the containers in an organization, use the Cloud Asset API's analyzeOrgPolicyGovernedContainers method.

HTTP method and URL:

GET https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:analyzeOrgPolicyGovernedContainers

Request JSON body:

JSON_REQUEST="{
  'constraint': 'CONSTRAINT_NAME',
  'filter': 'FILTER_QUERY',
  'page_size': PAGE_SIZE,
  'page_token': PAGE_TOKEN
}"

Replace the following:

  • ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.

  • CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.

  • FILTER_QUERY: a filter query so that only containers matching the filter expression are returned. The only field available for filtering is parent. For example, parent="//cloudresourcemanager.googleapis.com/organizations/012345678901" returns only the child containers of the organization with organization ID 012345678901.

  • PAGE_SIZE: the number of result entries you want to see per page. To see an unlimited number of entries, enter unlimited. If the total number of result entries is greater than PAGE_SIZE, a request made with this flag set returns a nextPageToken value.

  • PAGE_TOKEN: set this only on requests that follow the first request containing the page_size flag. Use the nextPageToken value received in the previous response to return a specific page of results.

The JSON response is similar to the following:

Example JSON response

{
  "governedContainers": [
    {
      "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2",
      "parent": "//cloudresourcemanager.googleapis.com/folders/513502730678",
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
        "rules": [
          {
            "enforce": false
          }
        ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
          "rules": [
            {
              "enforce": false
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980",
          "rules": [
            {
              "enforce": true
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980"
        }
      ]
    },
    {
      "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-1",
      "parent": "//cloudresourcemanager.googleapis.com/folders/513502730678",
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
        "rules": [
          {
            "enforce": false
          }
        ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
          "rules": [
            {
              "enforce": false
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980",
          "rules": [
            {
              "enforce": true
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980"
        }
      ]
    }
  ],
  "constraint": {
    "googleDefinedConstraint": {
      "name": "constraints/compute.requireOsLogin",
      "displayName": "Require OS Login",
      "description": "This boolean constraint, when set to \u003ccode\u003etrue\u003c/code\u003e, enables OS Login on all newly created Projects. All VM instances created in new projects will have OS Login enabled. On new and existing projects, this constraint prevents metadata updates that disable OS Login at the project or instance level. \u003cbr\u003eBy default, the OS Login feature is disabled on Compute Engine projects.\u003cbr\u003eGKE instances in private clusters running node pool versions 1.20.5-gke.2000 and later support OS Login. GKE instances in public clusters do not currently support OS Login. If this constraint is applied to a Project running public clusters, GKE instances running in that Project may not function properly.",
      "constraintDefault": "ALLOW",
      "booleanConstraint": {}
    }
  }
}

Analyze assets

An asset in this context is a Google Cloud resource or an Identity and Access Management (IAM) allow policy. You can use Policy Analyzer to return a list of all assets that have a specific organization policy. Policy Analyzer also returns each asset's full name, its parent in the hierarchy, and all of the ancestor project, folder, and organization resources above the asset in the hierarchy.

Policy Analyzer returns one result entry for each asset detected within the scope of the query.

A result entry for a resource contains the following fields:

  • fullResourceName: the full resource name of the resource.

  • parent: the full resource name of the resource's parent.

  • project: the relative resource name of the project that contains the resource.

  • folders: the relative resource names of any folders that contain the resource.

  • organization: the relative resource name of the organization that contains the resource.

  • consolidatedPolicy: the resource the organization policy is attached to, and the effective policy enforced on that resource after the hierarchy evaluation rules have been applied.

  • policyBundle: the fully configured organization policy attached to the resource above, plus the organization policies defined on its ancestors in the resource hierarchy.

A result entry for an allow policy contains the following fields:

  • attachedResource: the resource the allow policy is attached to.

  • policy: the allow policy.

  • project: the relative resource name of the project that contains the allow policy.

  • folders: the relative resource names of any folders that contain the allow policy.

  • organization: the relative resource name of the organization that contains the allow policy.

  • consolidatedPolicy: the resource the organization policy is attached to, and the effective policy enforced on that resource after the hierarchy evaluation rules have been applied.

  • policyBundle: the fully configured organization policy attached to the resource above, plus the organization policies defined on its ancestors in the resource hierarchy.

gcloud

To analyze how an organization policy constraint is enforced on the assets in an organization, use the gcloud beta asset analyze-org-policy-governed-assets command.

gcloud beta asset analyze-org-policy-governed-assets \
    --constraint=CONSTRAINT_NAME  \
    --scope=organizations/ORGANIZATION_ID \
    --limit=LIMIT_ASSETS \
    --filter=FILTER_QUERY

Replace the following:

  • CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.

  • ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.

  • LIMIT_ASSETS: the number of result entries you want to see. To see an unlimited number of entries, enter unlimited.

  • FILTER_QUERY: a filter query so that only assets matching the filter expression are returned. The fields available for filtering are governed_resource.folders, governed_resource.project, governed_iam_policy.folders, and governed_iam_policy.project. For example, governed_resource.project="projects/1234567890" returns only the resources attached to the project with project ID 1234567890.

The YAML response is similar to the following:

Example YAML response

---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  rules:
  - enforce: false
governedResource:
  folders:
  - folders/513502730678
  - folders/666681422980
  fullResourceName: //container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1/nodePools/default-pool
  organization: organizations/474566717491
  parent: //container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1
  project: projects/892625391619
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  reset: true
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  attachedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  rules:
  - enforce: false
governedResource:
  folders:
  - folders/800636178739
  - folders/408342778736
  fullResourceName: //container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1/nodePools/default-pool
  organization: organizations/474566717491
  parent: //container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1
  project: projects/761097189269
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  attachedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  rules:
  - enforce: false
- appliedResource: //cloudresourcemanager.googleapis.com/folders/408342778736
  attachedResource: //cloudresourcemanager.googleapis.com/folders/408342778736
  rules:
  - condition:
      description: cond-desc1
      expression: resource.matchTag("474566717491/env", "prod")
      title: cond-title1
    enforce: false
  - enforce: true
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
governedResource:
  fullResourceName: //container.googleapis.com/projects/probe-per-rt-project/zones/us-west1-a/clusters/test-cluster-for-backup/nodePools/default-pool
  organization: organizations/474566717491
  parent: //container.googleapis.com/projects/probe-per-rt-project/zones/us-west1-a/clusters/test-cluster-for-backup
  project: projects/896190383908
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true

REST

To analyze how an organization policy constraint is enforced on the assets in an organization, use the Cloud Asset API's analyzeOrgPolicyGovernedAssets method.

HTTP method and URL:

GET https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:analyzeOrgPolicyGovernedAssets

Request JSON body:

JSON_REQUEST="{
  'constraint': 'CONSTRAINT_NAME',
  'filter': 'FILTER_QUERY',
  'page_size': PAGE_SIZE,
  'page_token': PAGE_TOKEN
}"

Replace the following:

  • ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.

  • CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.

  • FILTER_QUERY: a filter query so that only assets matching the filter expression are returned. The fields available for filtering are governed_resource.folders, governed_resource.project, governed_iam_policy.folders, and governed_iam_policy.project. For example, governed_resource.project="projects/1234567890" returns only the resources attached to the project with project ID 1234567890.

  • PAGE_SIZE: the number of result entries you want to see per page. To see an unlimited number of entries, enter unlimited. If the total number of result entries is greater than PAGE_SIZE, a request made with this flag set returns a nextPageToken value.

  • PAGE_TOKEN: set this only on requests that follow the first request containing the page_size flag. Use the nextPageToken value received in the previous response to return a specific page of results.

The JSON response is similar to the following:

Example JSON response

{
  "governedAssets": [
    {
      "governedResource": {
        "fullResourceName": "//container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1/nodePools/default-pool",
        "parent": "//container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1",
        "project": "projects/892625391619",
        "folders": [
          "folders/513502730678",
          "folders/666681422980"
        ],
        "organization": "organizations/474566717491"
      },
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2",
        "rules": [
          {
            "enforce": false
          }
        ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2",
          "reset": true,
          "appliedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491",
          "rules": [
            {
              "enforce": true
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491"
        }
      ]
    },
    {
      "governedResource": {
        "fullResourceName": "//container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1/nodePools/default-pool",
        "parent": "//container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1",
        "project": "projects/761097189269",
        "folders": [
          "folders/800636178739",
          "folders/408342778736"
        ],
        "organization": "organizations/474566717491"
      },
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918",
        "rules": [
          {
            "enforce": false
          }
        ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918",
          "rules": [
            {
              "enforce": false
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/408342778736",
          "rules": [
            {
              "enforce": false,
              "condition": {
                "expression": "resource.matchTag(\"474566717491/env\", \"prod\")",
                "title": "cond-title1",
                "description": "cond-desc1"
              }
            },
            {
              "enforce": true
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/408342778736"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491",
          "rules": [
            {
              "enforce": true
            }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491"
        }
      ]
    }
  ],
  "constraint": {
    "customConstraint": {
      "name": "organizations/474566717491/customConstraints/custom.disableGkeAutoUpgrade",
      "resourceTypes": [
        "container.googleapis.com/NodePool"
      ],
      "methodTypes": [
        "CREATE",
        "UPDATE"
      ],
      "condition": "resource.management.autoUpgrade == false",
      "actionType": "ALLOW",
      "displayName": "Disable GKE auto upgrade",
      "description": "Only allow GKE NodePool resource create or updates if AutoUpgrade is not enabled"
    }
  }
}
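The page_size, page_token and nextPageToken mechanics described above are shared by all three REST methods. The following added example (not code from this page or from Google) shows how a reviewer would page through analyzeOrgPolicyGovernedAssets and bucket every governed resource and IAM allow policy by whether a boolean constraint is actually enforced on it; conditional rules are set aside for manual review because their tag-based CEL conditions cannot be evaluated offline. The fetch_page callable and the two-page response are constructed stand-ins for the authenticated HTTP call.

```python
from typing import Any, Callable

# Fetcher contract: receives the request parameters for one page (constraint, filter,
# page_size, page_token) and returns the decoded JSON response. Transport and auth are
# the caller's concern; the test below injects a fake.
PageFetcher = Callable[[dict[str, Any]], dict[str, Any]]

def collect_governed_assets(fetch_page: PageFetcher, constraint: str, filter_query: str = "",
                            page_size: int = 100, max_pages: int = 1000) -> list[dict[str, Any]]:
    """Follow nextPageToken until a response no longer carries one."""
    assets: list[dict[str, Any]] = []
    params: dict[str, Any] = {"constraint": constraint, "filter": filter_query, "page_size": page_size}
    for _ in range(max_pages):  # hard bound so a repeating token cannot loop forever
        page = fetch_page(dict(params))
        assets.extend(page.get("governedAssets", []))
        token = page.get("nextPageToken")
        if not token:
            return assets
        params["page_token"] = token
    raise RuntimeError("pagination did not terminate within max_pages")

def asset_name(asset: dict[str, Any]) -> str:
    """Resources carry fullResourceName; IAM allow policies carry attachedResource."""
    if "governedResource" in asset:
        return asset["governedResource"]["fullResourceName"]
    return asset["governedIamPolicy"]["attachedResource"]

def enforcement_state(rules: list[dict[str, Any]]) -> str:
    """For a boolean constraint: 'enforced', 'not_enforced', or 'conditional'."""
    if any("condition" in r for r in rules):
        return "conditional"  # outcome depends on tags at evaluation time
    return "enforced" if any(r.get("enforce") for r in rules) else "not_enforced"

def group_by_enforcement(assets: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Bucket governed assets by what their consolidated policy actually does."""
    groups: dict[str, list[str]] = {"enforced": [], "not_enforced": [], "conditional": []}
    for asset in assets:
        rules = asset["consolidatedPolicy"].get("rules", [])
        groups[enforcement_state(rules)].append(asset_name(asset))
    return groups

# Constructed two-page response shaped like the governedAssets output above (not real data).
ORG = "//cloudresourcemanager.googleapis.com/organizations/474566717491"
POOL = "//container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/c1/nodePools/default-pool"
PRJ_POLICY = "//cloudresourcemanager.googleapis.com/projects/project2-244918"
COND = {"expression": 'resource.matchTag("474566717491/env", "prod")'}
PAGES = [
    {"governedAssets": [
        {"governedResource": {"fullResourceName": POOL, "project": "projects/892625391619"},
         "consolidatedPolicy": {"attachedResource": ORG, "rules": [{"enforce": True}]}},
        {"governedIamPolicy": {"attachedResource": PRJ_POLICY, "project": "projects/761097189269"},
         "consolidatedPolicy": {"attachedResource": PRJ_POLICY, "rules": [{"enforce": False}]}},
     ], "nextPageToken": "constructed-token-page-2"},
    {"governedAssets": [
        {"governedResource": {"fullResourceName": POOL + "-2", "project": "projects/892625391619"},
         "consolidatedPolicy": {"attachedResource": ORG,
                                "rules": [{"enforce": False, "condition": COND}, {"enforce": True}]}},
     ]},
]

def fake_fetch(params: dict[str, Any]) -> dict[str, Any]:
    """Stand-in for the HTTP call: serves page 2 only when page 1's token is sent back."""
    return PAGES[1] if params.get("page_token") == "constructed-token-page-2" else PAGES[0]
```

The not_enforced bucket is the list to act on: each entry is an asset inside the scope on which the constraint you expected to be organization-wide does not apply.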

What's next