Container security policies for ACK clusters provide a rich set of built-in rule libraries, including Compliance, Infra, K8s-general, and PSP, to secure containers in a production environment. Call the DescribePolicyGovernanceInCluster API to retrieve policy governance details for a target cluster, such as policy statistics by severity, audit logs, and interception and alert events.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
cs:DescribePolicyGovernanceInCluster |
get |
*Cluster
|
None | None |
Request syntax
GET /clusters/{cluster_id}/policygovernance HTTP/1.1
Path Parameters
|
Parameter |
Type |
Required |
Description |
Example |
| cluster_id |
string |
Yes |
The cluster ID. |
c8155823d057948c69a**** |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
No parameters required.
Response elements
|
Element |
Type |
Description |
Example |
|
object |
The response schema. |
||
| on_state |
array<object> |
The statistics for enabled policies in the cluster, categorized by severity. |
|
|
object |
|||
| enabled_count |
integer |
The number of enabled policy types. |
3 |
| total |
integer |
The total number of policy types for this severity. |
8 |
| severity |
string |
The severity level of the policy. |
high |
| admit_log |
object |
The audit log for policy governance in the cluster. |
|
| progress |
string |
The status of the query. Valid values:
|
Complete |
| count |
integer |
The total number of logs returned by the current query. |
100 |
| logs |
array<object> |
The log entries for policy violations. |
|
|
object |
|||
| cluster_id |
string |
The cluster ID. |
hash code |
| constraint_action |
string |
The enforcement action of the policy. Valid values:
|
deny |
| constraint_api_version |
string |
The API version of the policy. |
v1beta1 |
| constraint_category |
string |
The policy type. |
cis-k8s |
| constraint_group |
string |
The API group of the policy. |
constraints.gatekeeper.sh |
| constraint_kind |
string |
The kind of the policy constraint. |
ACKNamespacesDeleteProtection |
| constraint_name |
string |
The name of the policy instance. |
namespace-delete-protection-jpjwv |
| event_msg |
string |
The message generated by the policy enforcement. |
Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: , Constraint: namespace-delete-protection-jpjwv, Message: not allow to delete protection namespace test. |
| event_type |
string |
The type of the logged event, such as |
violation |
| request_uid |
string |
The request ID. |
hash code |
| request_userinfo |
string |
Information about the user who made the request that violated the policy. |
account id |
| request_username |
string |
The name of the user who made the request that violated the policy. |
account user name |
| resource_kind |
string |
The type of the violating resource. For example, if a request to operate on a namespace is denied, the value is |
Namespace |
| resource_name |
string |
The name of the violating resource. |
test |
| time |
string |
The time when the policy violation occurred. |
2025-10-27T11:31:40Z |
| log_project |
string |
The log project that stores policy enforcement information. |
k8s-log-clusterid |
| log_store |
string |
The log store that stores policy enforcement information. |
policyadmit-clusterid |
| Violation |
object |
A summary of policy violations, grouped by severity. |
|
| totalViolations |
object |
A summary of all policy violations. |
|
| deny |
array<object> |
A summary of deny actions. |
|
|
object |
|||
| severity |
string |
The severity level. Valid values: |
medium |
| violations |
string |
The number of violations. |
2 |
| warn |
array<object> |
A summary of warn actions. |
|
|
object |
|||
| severity |
string |
The severity level. Valid values: |
high |
| violations |
integer |
The number of violations. |
0 |
| violations |
object |
A summary of violations, grouped by policy name. |
|
| deny |
array<object> |
A summary of deny actions. |
|
|
object |
|||
| policyDescription |
string |
The policy description. |
Prevent specific namespaces from being deleted. |
| policyName |
string |
The policy name. |
ACKNamespacesDeleteProtection |
| severity |
string |
The severity level. |
medium |
| violations |
integer |
The number of violations. |
1 |
| warn |
array<object> |
A summary of warn actions. |
|
|
object |
|||
| policyDescription |
string |
The policy description. |
|
| policyName |
string |
The policy name. |
|
| severity |
string |
The severity level. |
|
| violations |
integer |
The number of violations. |
Examples
Success response
JSON format
{
"on_state": [
{
"enabled_count": 3,
"total": 8,
"severity": "high"
}
],
"admit_log": {
"progress": "Complete",
"count": 100,
"logs": [
{
"cluster_id": "hash code",
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_category": "cis-k8s",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "ACKNamespacesDeleteProtection",
"constraint_name": "namespace-delete-protection-jpjwv",
"event_msg": "Admission webhook \\\"validation.gatekeeper.sh\\\" denied request, Resource Namespace: , Constraint: namespace-delete-protection-jpjwv, Message: not allow to delete protection namespace test.",
"event_type": "violation",
"request_uid": "hash code",
"request_userinfo": "account id",
"request_username": "account user name\n",
"resource_kind": "Namespace",
"resource_name": "test",
"time": "2025-10-27T11:31:40Z"
}
],
"log_project": "k8s-log-clusterid",
"log_store": "policyadmit-clusterid"
},
"Violation": {
"totalViolations": {
"deny": [
{
"severity": "medium",
"violations": "2"
}
],
"warn": [
{
"severity": "high",
"violations": 0
}
]
},
"violations": {
"deny": [
{
"policyDescription": "Prevent specific namespaces from being deleted.",
"policyName": "ACKNamespacesDeleteProtection",
"severity": "medium",
"violations": 1
}
],
"warn": [
{
"policyDescription": "",
"policyName": "",
"severity": "",
"violations": 0
}
]
}
}
}
Error codes
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.