Enforce Artifact Registry policies

Platform Admin Duration: 10 min | Persona: Platform Admin

In this section, you will enforce policies in order to make sure that the containers in your clusters are coming from a restricted list of container registries.

Initialize variables:

source ${WORK_DIR}acm-workshop-variables.sh

Define “Allowed container registries” policy

Define the Constraint based on the K8sAllowedRepos ConstraintTemplate for Pods:

cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/policies/constraints/pod-allowed-container-registries.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
  name: pod-allowed-container-registries
  enforcementAction: deny
    - apiGroups:
      - ""
      - Pod
    - auto
    - gcr.io/config-management-release
    - gcr.io/gke-release
    - gke.gcr.io
    - k8s.gcr.io

We are restricting the source of the container images in the GKE cluster. Only system container images and the images from your own private Artifact Registry can be deployed in your GKE cluster.

Deploy Kubernetes manifests

git add . && git commit -m "Policies for Artifact Registry" && git push origin main

Check deployments

List the Kubernetes resources managed by Config Sync in GKE cluster for the GKE cluster configs repository:

gcloud alpha anthos config sync repo describe \
    --project $TENANT_PROJECT_ID \
    --managed-resources all \
    --sync-name root-sync \
    --sync-namespace config-management-system

Wait and re-run this command above until you see "status": "SYNCED".

Alternatively, you could also see this from within the Cloud Console, by clicking on this link:

echo -e "https://console.cloud.google.com/kubernetes/config_management/status?clusterName=${GKE_NAME}&id=${GKE_NAME}&project=${TENANT_PROJECT_ID}"

Wait until you see the Sync status column as SYNCED. And then you can also click on View resources to see the details.

List the GitHub runs for the GKE cluster configs repository:

cd ${WORK_DIR}$GKE_CONFIGS_DIR_NAME && gh run list