You can enact an image access policy by setting a compute.trustedImageProjects constraint on your project, your organization, or your folder.
You must have permission to modify organization policies to set these constraints.
For example, the resourcemanager.organizationAdmin role has permission to set these constraints.
To set it:
Go to the Organization policies page.
In the policies list, click Define trusted image projects.
Click Edit to edit your existing trusted image constraints.
Set constraints to allow or deny one or more projects from which your project can obtain images. The allowed and denied list of publisher projects is a list of strings in the following format:
where [PROJECT_ID] is the project ID of the project that you want to mark as a trusted source for images.
If your organization or folder has existing constraints, those constraints might conflict with project-level constraints that you set.
Click Save to apply the constraint settings.