[FR]: Custom organization policies #2845

markusl · 2025-01-28T06:36:11Z

markusl
Jan 28, 2025

The feature request

Hi!

We recently learned about a GKE security issue and about the proposed fix, which is a Custom Organization Policy.

We are looking for the preferred way of deploying custom organization policies in our GCP organization using the GCP Fast framework.

An example policy for the GKE looks like this according to the GCP support:

name: >-
  organizations/1001108820753/customConstraints/custom.disableKubeletReadOnlyPort
resource_types: container.googleapis.com/Cluster
method_types:
  - CREATE
  - UPDATE
condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled == true
action_type: DENY
display_name: Disable Kubelet Read-Only Port 10255
description: Disallows the use of Kubelet read-only port 10255 to enhance security

Can you please provide instructions on how can we deploy a custom policy in addition to the managed policies using the framework?

Proposed solution

Additional context

No response

Answered by juliocc

Feb 13, 2025

Added support to Fabric and FAST in #2869, #2876 and #2884

View full answer

juliocc · 2025-01-28T09:51:41Z

juliocc
Jan 28, 2025
Maintainer

Does this help?

6 replies

juliocc Jan 28, 2025
Maintainer

Ah you're asking how to do it from FAST.

While the org-policies folder is the correct place to apply an existing policy (including your custom one once it's created), the challenge is that FAST's bootstrap stage doesn't currently expose the org_policy_custom_constraints variable (or its factory). This means you can't create the custom constraint itself using FAST directly.

This is a straightforward fix. Would you be interested in submitting a pull request to add this functionality?

markusl Jan 28, 2025
Author

I think it would be best if the example is provided directly by the FAST team so that we get it right from the start :)

I see there are already some examples that look like what we need https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/tests/modules/organization/org_policies_custom_constraints.tfvars

Once the upstream is exposing the org_policy_custom_constraints it would probably be easy for us to backport it to our own fork. Fixing the security problem is an official Google Cloud recommendation, and we would greatly appreciate it if it was made possible in the FAST so that it is as easy as possible for the customers.

Thank you!

juliocc Jan 28, 2025
Maintainer

Sounds good. We'll add this to the backlog and address it when someone on the team has availability

juliocc Feb 13, 2025
Maintainer

Added support to Fabric and FAST in #2869, #2876 and #2884

Answer selected by juliocc

markusl Feb 18, 2025
Author

Thanks! We will look into integrating these changes back to our code base :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FR]: Custom organization policies #2845

{{title}}

Replies: 1 comment 6 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

[FR]: Custom organization policies #2845

markusl Jan 28, 2025

The feature request

Proposed solution

Additional context

Replies: 1 comment · 6 replies

juliocc Jan 28, 2025 Maintainer

juliocc Jan 28, 2025 Maintainer

markusl Jan 28, 2025 Author

juliocc Jan 28, 2025 Maintainer

juliocc Feb 13, 2025 Maintainer

markusl Feb 18, 2025 Author

markusl
Jan 28, 2025

Replies: 1 comment 6 replies

juliocc
Jan 28, 2025
Maintainer

juliocc Jan 28, 2025
Maintainer

markusl Jan 28, 2025
Author

juliocc Jan 28, 2025
Maintainer

juliocc Feb 13, 2025
Maintainer

markusl Feb 18, 2025
Author