# Resource 'projects/my-project/global/images/my-image' is prohibited by policy. Policy: 'constraints/compute.restrictNonCcslImages'. Reason: 'The resource is not in the allowed image list.'

- **ID:** `policy/gcp-organization-policy-constraint-blocking-resource`
- **Domain:** policy
- **Category:** config_error
- **Verification level:** ai_generated
- **Fix rate:** 75%

## Root cause

A GCP organization policy restricts non-CCSL (Google Cloud customer-supplied license) images, which blocks creation of the custom image.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| gcloud 450.0.0 | active | — | — |
| Compute Engine API v1 | active | — | — |

## Solutions

1. Use an approved CCSL image from the allowed list. To find valid images, run:
   ```
   gcloud compute images list --project=<approved-project>
   ```
2. Request an exception from the organization admin. Provide the policy ID and resource details via:
   ```
   gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization=<ORG_ID>
   ```
3. Create a custom image from a CCSL base image using:
   ```
   gcloud compute images create my-custom-image --source-image=<ccsl-image> --source-image-project=<project>
   ```

## Failed attempts

- **Delete and recreate the image with a different name.** — The policy is based on the image source, not its name. Any non-CCSL image is blocked regardless of naming. (95% failure rate)
- **Remove the constraint from the specific project only.** — Organization policy constraints are inherited from the organization level and cannot be overridden at the project level without organization admin privileges. (80% failure rate)
- **Use a different region to create the image.** — The constraint applies globally across all regions in the organization. (100% failure rate)
