DescribePolicyGovernanceInCluster - Container Service for Kubernetes

Container Service for Kubernetes (ACK) clusters offer a variety of built-in container security policies, such as Compliance, Infra, K8s-general, and pod security policy (PSP). You can use these policies to ensure the security of containers running in a production environment. You can call the DescribePolicyGovernanceInCluster operation to query the details of policies for an ACK cluster. For example, you can query the number of policies that are enabled per severity level, the audit logs of policies, and the blocking and alerting information.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

There is currently no authorization information disclosed in the API.

Request syntax

GET /clusters/{cluster_id}/policygovernance

Request parameters

Parameter	Type	Required	Description	Example
cluster_id	string	Yes	The cluster ID.	c8155823d057948c69a****

Response parameters

Parameter	Type	Description	Example
	object	Schema of Response
on_state	array<object>	Details about the policies of different severity levels that are enabled for the cluster.
	object
enabled_count	integer	The number of policies that are enabled.	3
total	integer	The total number of policies of the severity level.	8
severity	string	The severity level of the policy.	high
admit_log	object	The audit logs of the policies in the cluster.
progress	string	The status of the query. Valid values: `Complete`: The query succeeded and the complete query result is returned. `Incomplete`: The query succeeded but the query result is incomplete. To obtain the complete query result, you must repeat the request.	Complete
count	long	The number of audit log entries.	100
log	object	The audit log content.
msg	string	The message that appears when an event is generated by a policy.	d4hdhs*****
cluster_id	string	The cluster ID.	c8155823d057948c69a****
constraint_kind	string	The policy type.	ACKAllowedRepos
resource_name	string	The resource name.	nginx-deployment-basic2-84ccb74bfc-df22p
resource_kind	string	The resource type.	Pod
resource_namespace	string	The namespace to which the resource belongs.	default
totalViolations	object	Details about the blocking and alerting events that are triggered by policies of different severity levels.
deny	object	Details about the blocking events that are triggered by the policies of each severity level.
severity	string	The severity level of the policy.	high
violations	long	The number of blocking events that are triggered.	0
warn	object	Details about the alerting events that are triggered by the policies of each severity level.
severity	string	The severity level of the policy.	low
violations	long	The number of alerting events that are triggered.	5
violations	object	Details about the blocking and alerting events that are triggered by different policies.
deny	object	Details about the blocking events that are triggered by each policy.
policyName	string	The policy name.	policy-gatekeeper-ackallowedrepos
policyDescription	string	The policy description.	Requires container images to begin with a repo string from a specified list.
violations	long	The total number of blocking events that are triggered by the policy.	11
severity	string	The severity level of the policy.	high
warn	object	Details about the alerting events that are triggered by the policies of each severity level.
policyName	string	The policy name.	policy-gatekeeper-ackpspcapabilities
policyDescription	string	The policy description.	Controls Linux capabilities.
violations	long	The total number of alerting events that are triggered by the policy.	81
severity	string	The severity level of the policy.	high

Examples

Sample success responses

JSONformat

{
  "on_state": [
    {
      "enabled_count": 3,
      "total": 8,
      "severity": "high"
    }
  ],
  "admit_log": {
    "progress": "Complete",
    "count": 100,
    "log": {
      "msg": "d4hdhs*****",
      "cluster_id": "c8155823d057948c69a****",
      "constraint_kind": "ACKAllowedRepos",
      "resource_name": "nginx-deployment-basic2-84ccb74bfc-df22p",
      "resource_kind": "Pod",
      "resource_namespace": "default"
    }
  },
  "totalViolations": {
    "deny": {
      "severity": "high",
      "violations": 0
    },
    "warn": {
      "severity": "low",
      "violations": 5
    }
  },
  "violations": {
    "deny": {
      "policyName": "policy-gatekeeper-ackallowedrepos",
      "policyDescription": "Requires container images to begin with a repo string from a specified list.",
      "violations": 11,
      "severity": "high"
    },
    "warn": {
      "policyName": "policy-gatekeeper-ackpspcapabilities",
      "policyDescription": "Controls Linux capabilities.",
      "violations": 81,
      "severity": "high"
    }
  }
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation

No change history