Request for new functionality
Description
Whitelisting specific public image families, rather than entire image projects as with the constraints/compute.trustedImageProjects policy.
How this might work:
With either a new Organization policy like compute.trustedImageProjects but specific to image families, or implementing them on the constraints/compute.storageResourceUseRestrictions policy so it can take custom values like:
under:projects/windows-cloud/global/images/family/windows-2019-core
If applicable, reasons why alternative solutions are not sufficient:
As an alternative, we can make duplicate images in a separate project to be whitelisted with the trustedImageProjects policy as in [1], but this would require additional work to keep it up-to-date with current images in a given public image family.
Other information (workarounds you have tried, documentation consulted, etc):
The restricting image access [2] documentation only covers it on an image project basis, and the storageResourceUseRestrictions constraints [3] documentation does not mention image families, but it does not accept custom values starting with "is:" or "under:" for image family paths.
This feature request has been forwarded to the Identity & Security product management team so that they may evaluate it. There is no timeline or implementation guarantee for feature requests. All communication regarding this feature request is to be done here.
[1] gcloud compute images create --source-image=windows-server-2016-dc-v20200609 --source-image-project=windows-cloud windows-server-2016-dc-v20200609 --project=whitelisted-images-project
[2]
[3]
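
The duplicate-image workaround in the description, with its keep-up-to-date step automated, as an added example that is not part of the original issue and not Google's code. The function name `sync_family` and running it from a scheduled job are assumptions; the project, family and destination names in the usage comment are the ones quoted in the issue.

```shell
#!/usr/bin/env bash
# Mirror the newest image of a public image family into a project that is
# allowed by constraints/compute.trustedImageProjects.
# sync_family is a hypothetical helper name, not a gcloud feature.

# sync_family SRC_PROJECT FAMILY DEST_PROJECT
# Prints "created NAME" or "current NAME"; returns non-zero on gcloud failure.
sync_family() {
  local src_project=$1 family=$2 dest_project=$3 latest

  # Resolve the family to the concrete image it currently points at.
  latest=$(gcloud compute images describe-from-family "$family" \
    --project="$src_project" --format='value(name)') || return 1
  [ -n "$latest" ] || { echo "no image in family $family" >&2; return 1; }

  # Already mirrored under the same name: nothing to do.
  if gcloud compute images describe "$latest" \
      --project="$dest_project" --format='value(name)' >/dev/null 2>&1; then
    echo "current $latest"
    return 0
  fi

  # Copy it, keeping the family name so consumers can keep using
  # family-based references inside the trusted project.
  gcloud compute images create "$latest" \
    --source-image="$latest" --source-image-project="$src_project" \
    --family="$family" --project="$dest_project" >/dev/null || return 1
  echo "created $latest"
}

# Run only when invoked with three arguments, e.g. from a scheduled job:
#   ./sync.sh windows-cloud windows-2019-core whitelisted-images-project
if [ "$#" -eq 3 ]; then
  sync_family "$1" "$2" "$3"
fi
```

Each run copies at most one image, so how far the trusted project lags behind the public family depends on how often the job is scheduled.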