Resource 'projects/my-project/global/images/my-image' was disallowed by policy. Policy: 'constraints/compute.restrictNonCcslImages'. Reason: 'The resource is not in the allowed list of images.'
ID: policy/gcp-organization-policy-constraint-blocking-resource
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| gcloud 450.0.0 | active | — | — | — |
| Compute Engine API v1 | active | — | — | — |
Root cause analysis
A GCP organization policy constraint restricts image sources to an allowed list (the page's constraint name refers to non-CCSL, "Google Cloud Customer-Supplied License", images). The image in the error is stored in a project that is not on that list, so the operation that references it (creating or using the custom image) is rejected. The check is made by the Organization Policy Service, not by Compute Engine quotas or IAM, which is why the error names a constraint rather than a permission. Note that the linked documentation describes this class of control as the `constraints/compute.trustedImageProjects` constraint; match the constraint name you act on against the one printed in your own error message.
Official documentation
https://cloud.google.com/compute/docs/instances/restricting-image-access
Solutions
- Use an approved image from the allowed list. Run `gcloud compute images list --project=<approved-project>` to see the images an allowed project publishes. To see which projects the policy actually permits for your project, inherited values included, run `gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --project=<PROJECT_ID> --effective`.
- Request an exception from the organization policy administrator. Include the constraint name, the full resource path from the error message, and the policy as currently set, which you can capture with `gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization=<ORG_ID>`.
- Build your custom image from an approved base image rather than importing an outside one: `gcloud compute images create my-custom-image --source-image=<approved-image> --source-image-project=<approved-project>`. Verify afterwards that the derived image is usable: if the constraint is evaluated on the project that stores the image rather than on where it was built from, an image in your own project is blocked in the same way and must be built in, or copied to, an allowed project.
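As an added worked example (not code from the original page or from Google's tooling), the POSIX shell script below performs the check behind the first and third fixes offline: it parses a constructed sample of the YAML that `gcloud resource-manager org-policies describe` prints for a list constraint, decides whether an image resource path comes from an allowed project, and only then assembles the `gcloud compute images create` command from the third fix. The policy text, the `debian-cloud` and `approved-images-prod` project names and the `debian-12` image name are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: offline check of an image against an org-policy allowlist.
# SAMPLE_POLICY is a constructed stand-in for the output of
#   gcloud resource-manager org-policies describe <constraint> --project=<id> --effective
# in the v1 list-policy format. The constraint name is the one from the error
# message on this page; the project and image names are made up.
SAMPLE_POLICY='constraint: constraints/compute.restrictNonCcslImages
listPolicy:
  allowedValues:
  - projects/debian-cloud
  - projects/approved-images-prod
'

# image_project IMAGE_PATH: print the project that stores an image, e.g.
#   projects/my-project/global/images/my-image  ->  my-project
# Prints nothing for anything that is not a global image path.
image_project() {
  printf '%s\n' "$1" | sed -n 's#^projects/\([^/]*\)/global/images/[^/]*$#\1#p'
}

# image_allowed POLICY_YAML IMAGE_PATH: succeed only if the image's project is
# listed under listPolicy.allowedValues (assumes an allow-style list policy).
image_allowed() {
  proj=$(image_project "$2")
  [ -n "$proj" ] || return 2
  printf '%s\n' "$1" \
    | sed -n '/^listPolicy:/,$p' \
    | sed -n 's#^ *- *projects/\([^ ]*\) *$#\1#p' \
    | grep -qx -- "$proj"
}

# build_create_command NEW_NAME SOURCE_IMAGE_PATH: emit the command from the
# third fix, but only for a source the policy would accept, so a call that
# the constraint is going to reject never reaches gcloud at all.
build_create_command() {
  if ! image_allowed "$SAMPLE_POLICY" "$2"; then
    echo "refusing: $2 is not in an allowed image project" >&2
    return 1
  fi
  printf 'gcloud compute images create %s --source-image=%s --source-image-project=%s\n' \
    "$1" "${2##*/}" "$(image_project "$2")"
}

# Demo: a made-up approved base image and the blocked image from the error.
for img in projects/debian-cloud/global/images/debian-12 \
           projects/my-project/global/images/my-image; do
  if image_allowed "$SAMPLE_POLICY" "$img"; then
    echo "allowed: $img"
  else
    echo "blocked: $img"
  fi
done
build_create_command hardened-base projects/debian-cloud/global/images/debian-12
```

To run this against a real organization, replace `SAMPLE_POLICY` with the output of the `describe ... --effective` command for the project that failed; the `--effective` view is what matters, because a project may inherit a narrower list than the organization-level policy alone shows.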
Ineffective attempts
Common approaches that do not work:
- Delete and recreate the image under a different name.
  95% fail: the policy is evaluated on the image's source project, not its name, so any image outside the allowed list is blocked whatever it is called.
- Remove the constraint at the project level only.
  80% fail: organization policy is inherited from the organization, and setting a project-level policy that overrides it requires the Organization Policy Administrator role (roles/orgpolicy.policyAdmin), which is normally granted only at the organization level. Even where you hold it, widening an image allowlist on one project bypasses a control the organization set deliberately and belongs in the exception request described under Solutions.
- Create the image in a different region.
  100% fail: images are global Compute Engine resources (note the `global/images/` segment in the resource path), and the constraint applies across the whole organization, so the region has no bearing on the check.