Container Service for Kubernetes (ACK) clusters offer a variety of built-in container security policies, such as Compliance, Infra, K8s-general, and pod security policy (PSP). You can use these policies to ensure the security of containers running in a production environment. You can call the DescribePolicyGovernanceInCluster operation to query the details of policies for an ACK cluster. For example, you can query the number of policies that are enabled per severity level, the audit logs of policies, and the blocking and alerting information.
Authorization information
There is currently no authorization information disclosed in the API.
Request syntax
GET /clusters/{cluster_id}/policygovernance
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
cluster_id | string | Yes | The cluster ID. | c8155823d057948c69a**** |
Response parameters
Examples
Sample success responses
JSON format
{
  "on_state": [
    {
      "enabled_count": 3,
      "total": 8,
      "severity": "high"
    }
  ],
  "admit_log": {
    "progress": "Complete",
    "count": 100,
    "log": {
      "msg": "d4hdhs*****",
      "cluster_id": "c8155823d057948c69a****",
      "constraint_kind": "ACKAllowedRepos",
      "resource_name": "nginx-deployment-basic2-84ccb74bfc-df22p",
      "resource_kind": "Pod",
      "resource_namespace": "default"
    }
  },
  "totalViolations": {
    "deny": {
      "severity": "high",
      "violations": 0
    },
    "warn": {
      "severity": "low",
      "violations": 5
    }
  },
  "violations": {
    "deny": {
      "policyName": "policy-gatekeeper-ackallowedrepos",
      "policyDescription": "Requires container images to begin with a repo string from a specified list.",
      "violations": 11,
      "severity": "high"
    },
    "warn": {
      "policyName": "policy-gatekeeper-ackpspcapabilities",
      "policyDescription": "Controls Linux capabilities.",
      "violations": 81,
      "severity": "high"
    }
  }
}
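The response above is useful only once it is turned into something an operator can act on: which severity levels have no policy enabled at all, which policies generate the most violations, and which high-severity policies are set to warn rather than deny (they write to the audit log but do not block the admission request). The following Python script is an added example, not code from Alibaba Cloud or the ACK SDK. It does not call the API; it parses a constructed response embedded inline that mirrors the shape of the sample on this page. The sample shows a single object under each of `violations.deny` and `violations.warn`; the helper `_as_list` also accepts a list in those positions, which is an assumption rather than something the page states.

```python
"""Summarize a DescribePolicyGovernanceInCluster response.

Added example. SAMPLE_RESPONSE is constructed to mirror the shape of the
sample response documented for this operation; it is not a live result.
"""
import json
from typing import Any

# Constructed sample response (same shape as the documented example).
SAMPLE_RESPONSE = json.dumps({
    "on_state": [
        {"enabled_count": 3, "total": 8, "severity": "high"},
        {"enabled_count": 0, "total": 4, "severity": "low"},
    ],
    "admit_log": {
        "progress": "Complete",
        "count": 100,
        "log": {
            "msg": "d4hdhs*****",
            "cluster_id": "c8155823d057948c69a****",
            "constraint_kind": "ACKAllowedRepos",
            "resource_name": "nginx-deployment-basic2-84ccb74bfc-df22p",
            "resource_kind": "Pod",
            "resource_namespace": "default",
        },
    },
    "totalViolations": {
        "deny": {"severity": "high", "violations": 0},
        "warn": {"severity": "low", "violations": 5},
    },
    "violations": {
        "deny": {
            "policyName": "policy-gatekeeper-ackallowedrepos",
            "policyDescription": "Requires container images to begin with a repo string from a specified list.",
            "violations": 11,
            "severity": "high",
        },
        "warn": {
            "policyName": "policy-gatekeeper-ackpspcapabilities",
            "policyDescription": "Controls Linux capabilities.",
            "violations": 81,
            "severity": "high",
        },
    },
})


def _as_list(value: Any) -> list:
    """The documented sample shows one object per action; a list is
    tolerated here as an assumption so the summary does not break."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def coverage_by_severity(resp: dict) -> dict:
    """Map severity -> (enabled_count, total) from the on_state array."""
    return {
        item["severity"]: (int(item["enabled_count"]), int(item["total"]))
        for item in resp.get("on_state", [])
    }


def disabled_severities(resp: dict) -> list:
    """Severity levels that have policies available but none enabled."""
    return sorted(
        sev for sev, (enabled, total) in coverage_by_severity(resp).items()
        if total > 0 and enabled == 0
    )


def violations_by_action(resp: dict) -> dict:
    """Map action ('deny'/'warn') -> [(policyName, violations, severity)],
    sorted by violation count, highest first."""
    out = {}
    for action, entries in resp.get("violations", {}).items():
        rows = [
            (e["policyName"], int(e["violations"]), e["severity"])
            for e in _as_list(entries)
        ]
        out[action] = sorted(rows, key=lambda r: r[1], reverse=True)
    return out


def high_severity_warn_only(resp: dict) -> list:
    """High-severity policies that only warn: violations are logged but the
    request is admitted, so these are candidates for switching to deny."""
    return [
        name for name, count, sev in violations_by_action(resp).get("warn", [])
        if sev == "high" and count > 0
    ]


def summarize(raw_json: str) -> dict:
    """Parse the raw response body and build an operator-facing summary."""
    resp = json.loads(raw_json)
    return {
        "coverage": coverage_by_severity(resp),
        "disabled_severities": disabled_severities(resp),
        "violations": violations_by_action(resp),
        "high_severity_warn_only": high_severity_warn_only(resp),
        "audit_log_complete": resp.get("admit_log", {}).get("progress") == "Complete",
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

Run it as-is to see the summary for the embedded sample; to use it against a real cluster, pass the JSON body returned by `GET /clusters/{cluster_id}/policygovernance` to `summarize` instead of `SAMPLE_RESPONSE`. The `audit_log_complete` flag matters because a summary built while `admit_log.progress` is not yet `Complete` may undercount violations.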
Error codes
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|---|
No change history | | |