You can call the DescribePolicyDetails operation to query information about a policy.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request syntax

GET /policies/policy_name HTTP/1.1
Content-Type:application/json

Request parameters

Table 1. Request path parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| policy_name | String | Yes | ACKAllowedRepos | The name of the policy that you want to query. |

Response syntax

HTTP/1.1 200 OK
Content-Type:application/json

{
  "name" : "String",
  "category" : "String",
  "description" : "String",
  "action" : "String",
  "severity" : "String",
  "template" : "String",
  "no_config" : Integer,
  "is_deleted" : Integer
}

Response parameters

Table 2. Response body parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| name | String | ACKAllowedRepos | The name of the policy that is returned. |
| category | String | k8s-general | The type of the policy. |
| description | String | Requires container images to begin with a repo string from a specified list | The description of the policy. |
| action | String | enforce | The action of the policy. Valid values: enforce (blocks deployments that match the policy) and inform (generates alerts for deployments that match the policy). |
| severity | String | high | The severity level of the policy. |
| template | String | Refer to the sample request. | The content of the policy. |
| no_config | Integer | 0 | Indicates whether parameters are required. Valid values: 0 (parameters are required) and 1 (parameters are optional). |
| is_deleted | Integer | 0 | Indicates whether the policy is deleted. Valid values: 0 (the policy is not deleted) and 1 (the policy is deleted). |

Sample requests

Submit the following sample request to query information about a policy:

GET /policies/ACKAllowedRepos HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json

Description of the sample request

The following code shows a sample policy:

    apiVersion: policy.alibabacloud.com/v1alpha1
    kind: Policy
    metadata:
      name: policy-gatekeeper-ackallowedrepos
      annotations:
        ack.policy/categories: k8s general
        ack.policy/controls: baseline control
    spec:
      remediationAction: enforce # will be overridden by remediationAction in parent policy
      severity: high
      description: "Requires container images to begin with a repo string from a specified list."
      policyTemplates:
        - # complianceType: musthave
          objectDefinition:
            apiVersion: templates.gatekeeper.sh/v1
            kind: ConstraintTemplate
            metadata:
              name: ackallowedrepos
              annotations:
                description: Requires container images to begin with a repo string from a specified list.
            spec:
              crd:
                spec:
                  names:
                    kind: ACKAllowedRepos
                  validation:
                    # Schema for the `parameters` field
                    legacySchema: true
                    openAPIV3Schema:
                      type: object
                      required:
                        - repos
                      properties:
                        repos:
                          type: array
                          items:
                            type: string
              targets:
                - target: admission.k8s.gatekeeper.sh
                  rego: |
                    package ackallowedrepos
                    violation[{"msg": msg}] {
                      container := input.review.object.spec.containers[_]
                      satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
                      not any(satisfied)
                      msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
                    }

                    violation[{"msg": msg}] {
                      container := input.review.object.spec.initContainers[_]
                      satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
                      not any(satisfied)
                      msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
                    }
        - # complianceType: musthave
          objectDefinition:
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: ACKAllowedRepos
            metadata:
              name: allowed-repos
            spec:
              enforcementAction: deny
              match:
                kinds:
                  - apiGroups: [""]
                    kinds: ["Pod"]
                namespaces:
                  - "test-gatekeeper"
              parameters:
                repos:
                  - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
                  - "registry.cn-hangzhou.aliyuncs.com/acs/"
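
The prefix check in the sample policy's Rego, modelled in Python as an added example (not Alibaba Cloud's code); the pod manifests, image tags and the `LOOSE` allow-list are constructed sample data, and `violations` and `lint_repos` are hypothetical helper names. It shows why each `repos` entry should end with `/`: `startswith` accepts any image whose name merely begins with the entry, and an empty list rejects every container.

```python
# Added example: Python model of the two Rego violation rules in the sample policy.
# All pod manifests and the LOOSE allow-list are constructed sample data.

REPOS = [  # allow-list from the sample constraint on this page
    "registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
    "registry.cn-hangzhou.aliyuncs.com/acs/",
]
LOOSE = ["registry.cn-hangzhou.aliyuncs.com/acs"]  # constructed: no trailing slash

POD_OK = {"spec": {"containers": [
    {"name": "pause", "image": "registry.cn-hangzhou.aliyuncs.com/acs/pause:3.5"}]}}
POD_BAD = {"spec": {
    "containers": [{"name": "web", "image": "docker.io/library/nginx:1.25"}],
    "initContainers": [
        {"name": "init", "image": "registry-vpc.cn-hangzhou.aliyuncs.com/acs/busybox:1"}]}}
POD_SIBLING = {"spec": {"containers": [
    {"name": "app", "image": "registry.cn-hangzhou.aliyuncs.com/acs-other/app:1.0"}]}}


def violations(pod, repos):
    """Return one message per container or initContainer outside the allow-list."""
    msgs = []
    spec = pod.get("spec", {})
    for field in ("containers", "initContainers"):
        for c in spec.get(field) or []:
            # Rego: satisfied := [startswith(image, repo) | repo in repos]; not any(satisfied)
            if not any(c["image"].startswith(repo) for repo in repos):
                msgs.append("container <%s> has an invalid image repo <%s>, "
                            "allowed repos are %s" % (c["name"], c["image"], repos))
    return msgs


def lint_repos(repos):
    """Return allow-list entries that do not end at a path boundary ('/')."""
    return [r for r in repos if not r.endswith("/")]


if __name__ == "__main__":
    for label, pod, repos in [("ok", POD_OK, REPOS), ("bad", POD_BAD, REPOS),
                              ("sibling/strict", POD_SIBLING, REPOS),
                              ("sibling/loose", POD_SIBLING, LOOSE),
                              ("ok/empty list", POD_OK, [])]:
        print(label, violations(pod, repos))
    print("entries to fix:", lint_repos(LOOSE))
```

Running `lint_repos` over the `parameters.repos` list before a constraint is applied catches entries that would also admit sibling namespaces such as `acs-other`.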

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribePolicyDetailsResponse>
    <name>ACKAllowedRepos</name>
    <category>k8s-general</category>
    <description>Requires container images to begin with a repo string from a specified list</description>
    <action>enforce</action>
    <severity>high</severity>
    <template>Refer to the sample request</template>
    <no_config>0</no_config>
    <is_deleted>0</is_deleted>
</DescribePolicyDetailsResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "name" : "ACKAllowedRepos",
  "category" : "k8s-general",
  "description" : "Requires container images to begin with a repo string from a specified list",
  "action" : "enforce",
  "severity" : "high",
  "template" : "Refer to the sample request",
  "no_config" : 0,
  "is_deleted" : 0
}

Error codes

For a list of error codes, visit the API Error Center.