DescribePolicyGovernanceInCluster - Container Service for Kubernetes

You can call the DescribePolicyGovernanceInCluster operation to query information about policies in a Container Service for Kubernetes (ACK) cluster.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
cs:DescribePolicyGovernanceInCluster	Read	Cluster acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}	none	none

Request syntax

GET /clusters/{cluster_id}/policygovernance

Request parameters

Parameter	Type	Required	Description	Example
cluster_id	string	Yes	The cluster ID.	c8155823d057948c69a****

Response parameters

Parameter	Type	Description	Example
	object	Schema of Response
on_state	object []	Details about the policies of different severity levels that are enabled for the cluster.
enabled_count	integer	The number of policies that are enabled.	3
total	integer	The total number of policies of the severity level.	8
severity	string	The severity level of the policy.	high
admit_log	object	The audit logs of the policies in the cluster.
progress	string	The status of the query. Valid values: `Complete`: The query succeeded and the complete query result is returned. `Incomplete`: The query succeeded but the query result is incomplete. To obtain the complete query result, you must repeat the request.	Complete
count	long	The number of audit log entries.	100
log	object	The audit log content.
msg	string	The message that appears when an event is generated by a policy.	d4hdhs*****
cluster_id	string	The cluster ID.	c8155823d057948c69a****
constraint_kind	string	The policy type.	ACKAllowedRepos
resource_name	string	The resource name.	nginx-deployment-basic2-84ccb74bfc-df22p
resource_kind	string	The resource type.	Pod
resource_namespace	string	The namespace to which the resource belongs.	default
totalViolations	object	Details about the blocking and alerting events that are triggered by policies of different severity levels.
deny	object	Details about the blocking events that are triggered by the policies of each severity level.
severity	string	The severity level of the policy.	high
violations	long	The number of blocking events that are triggered.	0
warn	object	Details about the alerting events that are triggered by the policies of each severity level.
severity	string	The severity level of the policy.	low
violations	long	The number of alerting events that are triggered.	5
violations	object	Details about the blocking and alerting events that are triggered by different policies.
deny	object	Details about the blocking events that are triggered by each policy.
policyName	string	The policy name.	policy-gatekeeper-ackallowedrepos
policyDescription	string	The policy description.	Requires container images to begin with a repo string from a specified list.
violations	long	The total number of blocking events that are triggered by the policy.	11
severity	string	The severity level of the policy.	high
warn	object	Details about the alerting events that are triggered by the policies of each severity level.
policyName	string	The policy name.	policy-gatekeeper-ackpspcapabilities
policyDescription	string	The policy description.	Controls Linux capabilities.
violations	long	The total number of alerting events that are triggered by the policy.	81
severity	string	The severity level of the policy.	high

Examples

Sample success responses

JSONformat

{
  "on_state": [
    {
      "enabled_count": 3,
      "total": 8,
      "severity": "high"
    }
  ],
  "admit_log": {
    "progress": "Complete",
    "count": 100,
    "log": {
      "msg": "d4hdhs*****",
      "cluster_id": "c8155823d057948c69a****",
      "constraint_kind": "ACKAllowedRepos",
      "resource_name": "nginx-deployment-basic2-84ccb74bfc-df22p",
      "resource_kind": "Pod",
      "resource_namespace": "default"
    }
  },
  "totalViolations": {
    "deny": {
      "severity": "high",
      "violations": 0
    },
    "warn": {
      "severity": "low",
      "violations": 5
    }
  },
  "violations": {
    "deny": {
      "policyName": "policy-gatekeeper-ackallowedrepos",
      "policyDescription": "Requires container images to begin with a repo string from a specified list.",
      "violations": 11,
      "severity": "high"
    },
    "warn": {
      "policyName": "policy-gatekeeper-ackpspcapabilities",
      "policyDescription": "Controls Linux capabilities.",
      "violations": 81,
      "severity": "high"
    }
  }
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation

No change history