Creating Policies for GCP resources

In the last several posts we explored building configurations with Config Connector. Config Connector is a Kubernetes extension that enables managing Google Cloud resources. It lets you use the Kubernetes resource model: declarative, idempotent, eventually consistent. In this post we'll discuss Gatekeeper, the Open Policy Agent-based policy controller for Kubernetes. Using Gatekeeper you can create policies for GCP resources to ensure their compliance. To illustrate the Gatekeeper integration with Config Connector, we will create a simple policy example.

Gatekeeper, just like Config Connector, is a Kubernetes extension. It registers CRDs that allow creating policies with constraint templates. Then, you can instantiate these policies by creating constraints.

First of all, let us provision a project, create a Kubernetes cluster and enable Config Connector. Below is the same script we used in the other posts. Don't forget to substitute your [PROJECT_ID] and [BILLING_ACCOUNT]. You can also skip the part that creates a project if you already have one.

As the next step, we will install the Gatekeeper library. The easiest way is with kubectl apply:

   kubectl apply -f


Now we will create the constraint template that we will use in our example. This template restricts the Config Connector resource types that can be created to an allowed list passed in as a parameter:

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: kccallowedresourcetypes
spec:
  crd:
    spec:
      names:
        kind: KCCAllowedResourceTypes
        listKind: KCCAllowedResourceTypesList
        plural: KCCAllowedResourceTypes
        singular: KCCAllowedResourceTypes
      validation:
        # Schema of the parameters a constraint passes to the rule
        openAPIV3Schema:
          properties:
            types:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package kccallowedresourcetypes
        violation[{"msg": msg}] {
          # Gatekeeper exposes the object being admitted as input.review.object
          type := input.review.object.kind
          apiVersion := input.review.object.apiVersion
          # Only Config Connector resources (cnrm.cloud.google.com API group) are subject to this rule
          isKccType := contains(apiVersion, "cnrm.cloud.google.com")
          # One boolean per allowed type; true where the kind matches
          typeSatisfied := [good | allowedType = input.parameters.types[_] ; good = type == allowedType]
          isKccType; not any(typeSatisfied)
          msg := sprintf("using type <%v> is not allowed, allowed Config Connector types are %v", [type, input.parameters.types])
        }
```

By the way, if you are looking for the Gatekeeper language docs, this is the link. On the Gatekeeper GitHub there are also simpler and more complex template examples.


Now let's create a constraint based on this template. Let's say you would like to allow creation of only PubSubTopic and ComputeNetwork resources. This is a policy that enforces it:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: KCCAllowedResourceTypes
metadata:
  name: only-allowed-gcp-types
spec:
  parameters:
    types:
      - "PubSubTopic"
      - "ComputeNetwork"
```

Just like the template above, you can apply this policy using kubectl apply.

To see this example in action, try creating a ComputeNetwork or a PubSubTopic. These will succeed. However, if you attempt to create any other GCP resource, you will get a violation. For instance, referencing the service account sample from the Config Connector samples repo:

```
$ kubectl apply -f

Error from server ([denied by only-allowed-gcp-types] using type 
<IAMServiceAccount> is not allowed, allowed Config Connector types are 
["PubSubTopic", "ComputeNetwork"]): error when creating 
yaml": admission webhook "" denied the request: [denied 
by only-allowed-gcp-types] using type <IAMServiceAccount> is not allowed, 
allowed Config Connector types are ["PubSubTopic", "ComputeNetwork"]
```

One example use case for this policy is ensuring that an application team within your organization can only create certain GCP resource types.
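To check the template and the constraint above offline before applying them to a cluster, here is an added Python model of the Rego rule (example code, not from the original post or from Gatekeeper). It evaluates constructed admission objects against the only-allowed-gcp-types parameters and reproduces the rule's decisions, including that non-Config-Connector objects such as a Pod are never touched by this constraint and that an empty types list denies every Config Connector kind.

```python
import json

# Config Connector API group that the Rego contains() check looks for
KCC_API_GROUP = "cnrm.cloud.google.com"


def violations(review_object, parameters):
    """Model of the kccallowedresourcetypes violation rule.
    review_object mirrors Gatekeeper's input.review.object, parameters the
    constraint's spec.parameters. Returns the violation messages (empty
    list means this constraint admits the object)."""
    kind = review_object.get("kind", "")
    api_version = review_object.get("apiVersion", "")
    allowed_types = parameters.get("types", [])

    # isKccType := contains(apiVersion, "cnrm.cloud.google.com")
    is_kcc_type = KCC_API_GROUP in api_version
    # typeSatisfied := [good | ...] -> one boolean per allowed type
    type_satisfied = [kind == allowed for allowed in allowed_types]

    # isKccType; not any(typeSatisfied) -> both must hold for a violation.
    # With an empty types list any() is false, so every KCC kind is denied.
    if is_kcc_type and not any(type_satisfied):
        msg = (f"using type <{kind}> is not allowed, allowed Config "
               f"Connector types are {json.dumps(allowed_types)}")
        return [msg]
    return []


def evaluate(review_objects, parameters):
    """Map each object's metadata.name to its violation messages."""
    return {obj["metadata"]["name"]: violations(obj, parameters)
            for obj in review_objects}


# Parameters of the only-allowed-gcp-types constraint from the post
CONSTRAINT_PARAMETERS = {"types": ["PubSubTopic", "ComputeNetwork"]}

# Constructed sample objects standing in for admission requests
SAMPLE_OBJECTS = [
    {"apiVersion": "compute.cnrm.cloud.google.com/v1beta1",
     "kind": "ComputeNetwork", "metadata": {"name": "vpc-1"}},
    {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
     "kind": "IAMServiceAccount", "metadata": {"name": "sa-1"}},
    # Plain Kubernetes object: not a KCC type, so the rule never fires
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}},
]

if __name__ == "__main__":
    for name, msgs in evaluate(SAMPLE_OBJECTS, CONSTRAINT_PARAMETERS).items():
        print(name, "denied:" if msgs else "admitted", *msgs)
```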

To summarize, in this post we looked at how you can create policies for GCP resources to ensure their compliance, using Gatekeeper and Config Connector. This repo contains all the configuration scripts used in this sample. Good luck policy-making!
