All Products
Search
Document Center

Container Service for Kubernetes:DescribePolicyGovernanceInCluster

Last Updated:Apr 04, 2026

Container security policies for ACK clusters provide a rich set of built-in rule libraries, including Compliance, Infra, K8s-general, and PSP, to secure containers in a production environment. Call the DescribePolicyGovernanceInCluster API to retrieve policy governance details for a target cluster, such as policy statistics by severity, audit logs, and interception and alert events.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

cs:DescribePolicyGovernanceInCluster

get

*Cluster

acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}

None None

Request syntax

GET /clusters/{cluster_id}/policygovernance HTTP/1.1

Path Parameters

Parameter

Type

Required

Description

Example

cluster_id

string

Yes

The cluster ID.

c8155823d057948c69a****

Request parameters

Parameter

Type

Required

Description

Example

No parameters required.

Response elements

Element

Type

Description

Example

object

The response schema.

on_state

array<object>

The statistics for enabled policies in the cluster, categorized by severity.

object

enabled_count

integer

The number of enabled policy types.

3

total

integer

The total number of policy types for this severity.

8

severity

string

The severity level of the policy.

high

admit_log

object

The audit log for policy governance in the cluster.

progress

string

The status of the query. Valid values:

  • Complete: All query results are returned.

  • Incomplete: The query returned a partial result set. Send the request again to retrieve the remaining results.

Complete

count

integer

The total number of logs returned by the current query.

100

logs

array<object>

The log entries for policy violations.

object

cluster_id

string

The cluster ID.

hash code

constraint_action

string

The enforcement action of the policy. Valid values:

  • warn: Logs a warning for the violating request but allows it to proceed.

  • deny: Deny requests that violate the policy.

deny

constraint_api_version

string

The API version of the policy.

v1beta1

constraint_category

string

The policy type.

cis-k8s

constraint_group

string

The API group of the policy.

constraints.gatekeeper.sh

constraint_kind

string

The kind of the policy constraint.

ACKNamespacesDeleteProtection

constraint_name

string

The name of the policy instance.

namespace-delete-protection-jpjwv

event_msg

string

The message generated by the policy enforcement.

Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: , Constraint: namespace-delete-protection-jpjwv, Message: not allow to delete protection namespace test.

event_type

string

The type of the logged event, such as violation.

violation

request_uid

string

The request ID.

hash code

request_userinfo

string

Information about the user who made the request that violated the policy.

account id

request_username

string

The name of the user who made the request that violated the policy.

account user name

resource_kind

string

The type of the violating resource. For example, if a request to operate on a namespace is denied, the value is Namespace.

Namespace

resource_name

string

The name of the violating resource.

test

time

string

The time when the policy violation occurred.

2025-10-27T11:31:40Z

log_project

string

The log project that stores policy enforcement information.

k8s-log-clusterid

log_store

string

The log store that stores policy enforcement information.

policyadmit-clusterid

Violation

object

A summary of policy violations, grouped by severity.

totalViolations

object

A summary of all policy violations.

deny

array<object>

A summary of deny actions.

object

severity

string

The severity level. Valid values: low, medium, and high.

medium

violations

string

The number of violations.

2

warn

array<object>

A summary of warn actions.

object

severity

string

The severity level. Valid values: low, medium, and high.

high

violations

integer

The number of violations.

0

violations

object

A summary of violations, grouped by policy name.

deny

array<object>

A summary of deny actions.

object

policyDescription

string

The policy description.

Prevent specific namespaces from being deleted.

policyName

string

The policy name.

ACKNamespacesDeleteProtection

severity

string

The severity level.

medium

violations

integer

The number of violations.

1

warn

array<object>

A summary of warn actions.

object

policyDescription

string

The policy description.

policyName

string

The policy name.

severity

string

The severity level.

violations

integer

The number of violations.

Examples

Success response

JSON format

{
  "on_state": [
    {
      "enabled_count": 3,
      "total": 8,
      "severity": "high"
    }
  ],
  "admit_log": {
    "progress": "Complete",
    "count": 100,
    "logs": [
      {
        "cluster_id": "hash code",
        "constraint_action": "deny",
        "constraint_api_version": "v1beta1",
        "constraint_category": "cis-k8s",
        "constraint_group": "constraints.gatekeeper.sh",
        "constraint_kind": "ACKNamespacesDeleteProtection",
        "constraint_name": "namespace-delete-protection-jpjwv",
        "event_msg": "Admission webhook \\\"validation.gatekeeper.sh\\\" denied request, Resource Namespace: , Constraint: namespace-delete-protection-jpjwv, Message: not allow to delete protection namespace test.",
        "event_type": "violation",
        "request_uid": "hash code",
        "request_userinfo": "account id",
        "request_username": "account user name\n",
        "resource_kind": "Namespace",
        "resource_name": "test",
        "time": "2025-10-27T11:31:40Z"
      }
    ],
    "log_project": "k8s-log-clusterid",
    "log_store": "policyadmit-clusterid"
  },
  "Violation": {
    "totalViolations": {
      "deny": [
        {
          "severity": "medium",
          "violations": "2"
        }
      ],
      "warn": [
        {
          "severity": "high",
          "violations": 0
        }
      ]
    },
    "violations": {
      "deny": [
        {
          "policyDescription": "Prevent specific namespaces from being deleted.",
          "policyName": "ACKNamespacesDeleteProtection",
          "severity": "medium",
          "violations": 1
        }
      ],
      "warn": [
        {
          "policyDescription": "",
          "policyName": "",
          "severity": "",
          "violations": 0
        }
      ]
    }
  }
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.