# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # # GCP Organization Policies # Org policies that correspond with a Guardrail will contain a label indicating what Guardrails it helps in enforcing # https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints # # Constraint: constraints/compute.trustedImageProjects # # This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. # https://cloud.google.com/compute/docs/images/restricting-image-access # # List public images: gcloud compute images list ######### apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: name: compute-trusted-image-projects-except-hub-project namespace: policies annotations: config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/hub-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${hub-project-id} labels: guardrail: "false" spec: constraint: "constraints/compute.trustedImageProjects" listPolicy: allow: values: - "projects/fortigcp-project-001" - "projects/windows-cloud" projectRef: external: "0000000000" # kpt-set: ${hub-project-id}