Apply custom constraints for projects

As an organization administrator, you can create custom constraints for Cloud Run services and jobs. Organization policies enforce these custom constraints at the project, folder, or organization level.

This page details how to create custom constraints for services and jobs and enforce them at the project level. For information about custom organization policies, see Creating and managing custom organization policies.

Cloud Run lets you write any number of custom constraints using most user-configured fields in the Cloud Run Admin API. For example, you can create a custom constraint that blocks services or jobs from setting the launch stage to Alpha or Beta.

Once applied, requests that violate a policy that enforces a custom constraint show an error message in the gcloud CLI and in Cloud Run logs. The error message contains the constraint ID and description of the violated custom constraint.

Before you begin

  • You must have the organization policy administrator role roles/orgpolicy.policyAdmin to create and view custom organization policies. See required roles.

Limitations

Customize common constraints

The following examples demonstrate how to specify custom constraints for common use cases using the gcloud CLI. For Google Cloud console instructions, see Creating and managing custom organization policies.

Restrict ingress settings

Create a custom constraint that restricts the ingress setting of new or revised Cloud Run services, and then enforce the custom constraint at the project level.

To specify a custom constraint that requires a service's ingress to be set to "Internal" using the Google Cloud CLI, perform the following steps. Because the constraint uses actionType: ALLOW, a create or update request is allowed only when the condition is true, so a service that omits the ingress annotation (and therefore keeps the default setting of all) is rejected along with one that sets any other value:

  1. Create a new ingressConstraint.yaml file with the following content:

      name: organizations/ORGANIZATION_ID/customConstraints/custom.ingressInternal
      resourceTypes:
      - run.googleapis.com/Service
      methodTypes:
      - CREATE
      - UPDATE
      condition: "'run.googleapis.com/ingress' in resource.metadata.annotations && resource.metadata.annotations['run.googleapis.com/ingress'] == 'internal'"
      actionType: ALLOW
      displayName: IngressInternal
      description: Require ingress to be set to internal
    

    Replace ORGANIZATION_ID with the ID of your organization.

  2. Add the custom constraint by running the following command:

    gcloud org-policies set-custom-constraint ~/ingressConstraint.yaml
    
  3. Specify a new policy that enforces the custom constraint created in the previous step by creating a new enforceIngressConstraint.yaml file with the following content:

      name: projects/PROJECT_ID/policies/custom.ingressInternal
      spec:
        rules:
          - enforce: true
    

    Replace PROJECT_ID with the ID of your project.

  4. Set the new policy by running the following command:

    gcloud org-policies set-policy ~/enforceIngressConstraint.yaml
    

Require a maximum memory limit

Require all containers of new or revised Cloud Run services to have a memory limit that's set to a particular value or less.

To require a custom memory limit for the service's containers using the Google Cloud CLI, perform the following steps. Note that the condition compares the container's memory value and MEMORY_LIMIT as strings, which CEL orders character by character rather than as quantities (for example, '1Gi' sorts before '512Mi'), so choose a MEMORY_LIMIT that is consistent with that ordering, or compare against an explicit list of permitted values instead:

  1. Create a new memorylimitConstraint.yaml file with the following content:

      name: organizations/ORGANIZATION_ID/customConstraints/custom.memoryLimit
      resourceTypes:
      - run.googleapis.com/Service
      methodTypes:
      - CREATE
      - UPDATE
      condition: "resource.spec.template.spec.containers.all(container, 'memory' in container.resources.limits && container.resources.limits['memory'] <= 'MEMORY_LIMIT')"
      actionType: ALLOW
      displayName: memoryLimitCap
      description: Require the container memory limit to be set to <= MEMORY_LIMIT
    

    Replace:

    • ORGANIZATION_ID with the ID of your organization.
    • MEMORY_LIMIT with the memory limit you want to set.
  2. Add the custom constraint by running the following command:

    gcloud org-policies set-custom-constraint ~/memorylimitConstraint.yaml
    
  3. Specify a new policy that enforces the custom constraint created in the previous step by creating a new enforceMemorylimitConstraint.yaml file with the following content:

      name: projects/PROJECT_ID/policies/custom.memoryLimit
      spec:
        rules:
          - enforce: true
    

    Replace PROJECT_ID with the ID of your project.

  4. Set the new policy by running the following command:

    gcloud org-policies set-policy ~/enforceMemorylimitConstraint.yaml
    
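The condition above compares two strings, and CEL orders strings lexicographically rather than as byte quantities, so a container requesting 1Gi passes a MEMORY_LIMIT of 512Mi while one requesting 600Mi fails. The following Python script is an added example, not part of this page or of the Cloud Run tooling: it parses Kubernetes-style quantities so the string comparison and the numeric comparison can be seen side by side, and it builds an alternative CEL condition (my suggestion, not from the page) that enumerates the permitted values instead of comparing strings. The sample limit and candidate values are constructed.

```python
"""Added example (not from the page): why the CEL string comparison in the
memory-limit constraint is not a numeric cap, and an enumerated alternative."""
import re

# Binary (Ki, Mi, Gi) and decimal (k, M, G) suffixes, as byte multipliers.
_UNITS = {
    "": 1,
    "k": 10**3, "M": 10**6, "G": 10**9,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30,
}
_QUANTITY = re.compile(r"^(\d+)(k|M|G|Ki|Mi|Gi)?$")


def to_bytes(quantity: str) -> int:
    """Parse a Kubernetes-style quantity such as '512Mi' into a byte count."""
    m = _QUANTITY.match(quantity)
    if m is None:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    number, unit = m.group(1), m.group(2) or ""
    return int(number) * _UNITS[unit]


def cel_string_within_limit(value: str, limit: str) -> bool:
    """Mirror the page's condition: CEL compares the two strings lexicographically."""
    return value <= limit


def numeric_within_limit(value: str, limit: str) -> bool:
    """The comparison an operator usually intends: by actual size."""
    return to_bytes(value) <= to_bytes(limit)


def compare(limit: str, values):
    """Return {value: (string_result, numeric_result)} for each candidate value."""
    return {v: (cel_string_within_limit(v, limit), numeric_within_limit(v, limit))
            for v in values}


def allowed_values_condition(limit: str, candidates) -> str:
    """Build an alternative CEL condition (my suggestion, not the page's) that lists
    every candidate value at or below the limit, smallest first."""
    allowed = sorted((c for c in candidates if numeric_within_limit(c, limit)), key=to_bytes)
    quoted = ", ".join(f"'{c}'" for c in allowed)
    return ("resource.spec.template.spec.containers.all(container, "
            "'memory' in container.resources.limits && "
            f"container.resources.limits['memory'] in [{quoted}])")


if __name__ == "__main__":
    # Constructed sample values; not from any real project.
    for v, (s, n) in compare("512Mi", ["256Mi", "1Gi", "2Gi", "8Gi", "600Mi"]).items():
        print(f"{v:>6}: string-compare allows={s!s:5} numeric allows={n}")
    print(allowed_values_condition("512Mi", ["128Mi", "256Mi", "512Mi", "1Gi", "2Gi"]))
```

Run it to see which values each comparison accepts. To adopt the enumerated form, paste the generated expression as the condition in memorylimitConstraint.yaml and keep the list in step with the memory sizes your teams are permitted to request.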

Prevent non-GA launch stages

Prevent the Cloud Run launch stage from being changed from default GA to Alpha or Beta.

To prevent the launch stage from being set to a non-GA launch stage, do the following:

  1. Create a new launchstageConstraint.yaml file with the following content:

      name: organizations/ORGANIZATION_ID/customConstraints/custom.launchStage
      resourceTypes:
      - run.googleapis.com/Service
      methodTypes:
      - CREATE
      - UPDATE
      condition: "!('run.googleapis.com/launch-stage' in resource.metadata.annotations)"
      actionType: ALLOW
      displayName: launchStage
      description: Only allow unset launch stage (default is GA).
    

    Replace ORGANIZATION_ID with the ID of your organization.

  2. Add the custom constraint by running the following command:

    gcloud org-policies set-custom-constraint ~/launchstageConstraint.yaml
    
  3. Specify a new policy that enforces the custom constraint created in the previous step by creating a new enforceLaunchstageConstraint.yaml file with the following content:

      name: projects/PROJECT_ID/policies/custom.launchStage
      spec:
        rules:
          - enforce: true
    

    Replace PROJECT_ID with the ID of your project.

  4. Set the new policy by running the following command:

    gcloud org-policies set-policy ~/enforceLaunchstageConstraint.yaml
    

Require Binary Authorization

Require Binary Authorization to be set to default.

To require that Binary Authorization is set to default, perform the following steps:

  1. Create a new binaryauthorizationConstraint.yaml file with the following content:

      name: organizations/ORGANIZATION_ID/customConstraints/custom.binaryAuthorization
      resourceTypes:
      - run.googleapis.com/Service
      methodTypes:
      - CREATE
      - UPDATE
      condition: "'run.googleapis.com/binary-authorization' in resource.metadata.annotations && resource.metadata.annotations['run.googleapis.com/binary-authorization'] == 'default'"
      actionType: ALLOW
      displayName: binaryAuthorization
      description: Require binaryAuthorization to be set to default.
    

    Replace ORGANIZATION_ID with the ID of your organization.

  2. Add the custom constraint by running the following command:

    gcloud org-policies set-custom-constraint ~/binaryauthorizationConstraint.yaml
    
  3. Specify the new policy that enforces the custom constraint created in the previous step by creating a new enforceBinaryauthorizationConstraint.yaml file with the following content:

      name: projects/PROJECT_ID/policies/custom.binaryAuthorization
      spec:
        rules:
          - enforce: true
    

    Replace PROJECT_ID with the ID of your project.

  4. Set the new policy by running the following command:

    gcloud org-policies set-policy ~/enforceBinaryauthorizationConstraint.yaml
    

Require a liveness probe for every container

Require that services have a liveness probe for every container by requiring that the livenessProbe.initialDelaySeconds field is set to a value.

To require a liveness probe for every container, perform the following steps:

  1. Create a new livenessprobeConstraint.yaml file with the following content:

      name: organizations/ORGANIZATION_ID/customConstraints/custom.livenessProbe
      resourceTypes:
      - run.googleapis.com/Service
      methodTypes:
      - CREATE
      - UPDATE
      condition: "resource.spec.template.spec.containers.all(container, has(container.livenessProbe.initialDelaySeconds))"
      actionType: ALLOW
      displayName: livenessProbe
      description: Require all containers to have a liveness probe configured with initialDelaySeconds.
    

    Replace ORGANIZATION_ID with the ID of your organization.

  2. Add the custom constraint by running the following command:

    gcloud org-policies set-custom-constraint ~/livenessprobeConstraint.yaml
    
  3. Specify a new policy that enforces the custom constraint created in the previous step by creating a new enforceLivenessprobeConstraint.yaml file with the following content:

      name: projects/PROJECT_ID/policies/custom.livenessProbe
      spec:
        rules:
          - enforce: true
    

    Replace PROJECT_ID with the ID of your project.

  4. Set the new policy by running the following command:

    gcloud org-policies set-policy ~/enforceLivenessprobeConstraint.yaml
    

Require a sidecar through a container image prefix and port

Require that a service has at least one sidecar container that uses an image beginning with a specified prefix and a port equal to a specified number.

To require that a container begins with a set prefix and uses PORT = 8081, perform the following steps:

  1. Create a new requireSidecarConstraint.yaml file with the following content:

      name: organizations/ORGANIZATION_ID/customConstraints/custom.requireSidecar
      resourceTypes:
      - run.googleapis.com/Service
      methodTypes:
      - CREATE
      - UPDATE
      condition: "resource.spec.template.spec.containers.exists(container, container.image.startsWith('us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/') && container.ports.exists(port, port.containerPort == 8081))"
      actionType: ALLOW
      displayName: requireSidecar
      description: Require at least one container with an image that starts with "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/" and uses port 8081
    

    Replace ORGANIZATION_ID with the ID of your organization.

  2. Add the custom constraint by running the following command:

    gcloud org-policies set-custom-constraint ~/requireSidecarConstraint.yaml
      

  3. Specify a new policy that enforces the custom constraint created in the previous step by creating a new enforceRequireSidecarConstraint.yaml file with the following content:

      name: projects/PROJECT_ID/policies/custom.requireSidecar
      spec:
        rules:
          - enforce: true
    

    Replace PROJECT_ID with the ID of your project.

  4. Set the new policy by running the following command:

    gcloud org-policies set-policy ~/enforceRequireSidecarConstraint.yaml
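
Org policy only reports a violation once the request reaches the Cloud Run Admin API. The script below is an added example, not from this page or from Google's tooling: it re-implements the ingress, launch stage, Binary Authorization, liveness probe and sidecar conditions from the sections above in Python so that a v1 Service manifest can be checked locally (for example in CI, before gcloud run services replace) and the offending constraint IDs listed. The two manifests are constructed, the image names are placeholders, and CEL's has() is modelled as simple key presence.

```python
"""Added example (not from the page): local pre-check of a Cloud Run v1 Service
manifest against the annotation and container conditions described above."""
from typing import Callable, Dict, List

# Image prefix and port taken from the page's requireSidecar condition.
SIDECAR_PREFIX = "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/"
SIDECAR_PORT = 8081


def _annotations(service: dict) -> dict:
    # CEL evaluates a missing annotations map as empty; mirror that here.
    return service.get("metadata", {}).get("annotations") or {}


def _containers(service: dict) -> list:
    return service.get("spec", {}).get("template", {}).get("spec", {}).get("containers") or []


def ingress_internal(service: dict) -> bool:
    """custom.ingressInternal: annotation present and equal to 'internal'."""
    return _annotations(service).get("run.googleapis.com/ingress") == "internal"


def launch_stage_unset(service: dict) -> bool:
    """custom.launchStage: the launch-stage annotation must be absent."""
    return "run.googleapis.com/launch-stage" not in _annotations(service)


def binary_authorization_default(service: dict) -> bool:
    """custom.binaryAuthorization: annotation present and equal to 'default'."""
    return _annotations(service).get("run.googleapis.com/binary-authorization") == "default"


def liveness_probe_everywhere(service: dict) -> bool:
    """custom.livenessProbe: every container sets livenessProbe.initialDelaySeconds.
    has() is modelled as key presence; all() over an empty list is vacuously true, as in CEL."""
    return all("initialDelaySeconds" in (c.get("livenessProbe") or {}) for c in _containers(service))


def sidecar_present(service: dict) -> bool:
    """custom.requireSidecar: some container uses the prefix and exposes SIDECAR_PORT."""
    return any(
        c.get("image", "").startswith(SIDECAR_PREFIX)
        and any(p.get("containerPort") == SIDECAR_PORT for p in c.get("ports") or [])
        for c in _containers(service)
    )


# Constraint ID (as named on the page) -> predicate that must hold for actionType ALLOW.
CONSTRAINTS: Dict[str, Callable[[dict], bool]] = {
    "custom.ingressInternal": ingress_internal,
    "custom.launchStage": launch_stage_unset,
    "custom.binaryAuthorization": binary_authorization_default,
    "custom.livenessProbe": liveness_probe_everywhere,
    "custom.requireSidecar": sidecar_present,
}


def violations(service: dict) -> List[str]:
    """Return the constraint IDs whose ALLOW condition is false for this manifest."""
    return [cid for cid, ok in CONSTRAINTS.items() if not ok(service)]


# Constructed manifests; image names are placeholders, not real artifacts.
COMPLIANT = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "example-svc", "annotations": {
        "run.googleapis.com/ingress": "internal",
        "run.googleapis.com/binary-authorization": "default",
    }},
    "spec": {"template": {"spec": {"containers": [
        {"image": "us-docker.pkg.dev/example-project/app/web:1.0",
         "livenessProbe": {"httpGet": {"path": "/healthz"}, "initialDelaySeconds": 10}},
        {"image": SIDECAR_PREFIX + "gmp-sidecar:1.0",
         "ports": [{"containerPort": SIDECAR_PORT}],
         "livenessProbe": {"httpGet": {"path": "/ready"}, "initialDelaySeconds": 5}},
    ]}}},
}

# No ingress or Binary Authorization annotation (so the defaults apply), a Beta
# launch stage, no liveness probe and no sidecar: every constraint rejects it.
NONCOMPLIANT = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "example-svc",
                 "annotations": {"run.googleapis.com/launch-stage": "BETA"}},
    "spec": {"template": {"spec": {"containers": [
        {"image": "us-docker.pkg.dev/example-project/app/web:1.0"},
    ]}}},
}

if __name__ == "__main__":
    for label, svc in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(f"{label}: {violations(svc) or 'no violations'}")
```

Load a real manifest (for example the YAML exported by gcloud run services describe --format yaml) into the same dict shape and pass it to violations() to get the list the org policy would reject; an empty list means every ALLOW condition holds.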