# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # # GCP Organization Policies # Org policies that correspond with a Guardrail will contain a label indicating what Guardrails it helps in enforcing # https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints # # Constraint: constraints/compute.requireShieldedVm # # This boolean constraint, when set to True, requires that all new Compute Engine VM instances # use Shielded disk images with Secure Boot, vTPM, and Integrity Monitoring options enabled. # Secure Boot can be disabled after creation, if desired. Existing running instances will continue to work as usual. # # This exception is for the Fortigate VM in the hub project. Fortios version 7.2.4 is supposed to support shielded VM. # ######### apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: name: compute-require-shielded-vm-except-hub-project namespace: policies annotations: config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/hub-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${hub-project-id} labels: guardrail: "false" spec: constraint: "constraints/compute.requireShieldedVm" booleanPolicy: enforced: false projectRef: external: "0000000000" # kpt-set: ${hub-project-id}