You can call the DescribePolicyGovernanceInCluster operation to query information about policies in a Container Service for Kubernetes (ACK) cluster.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request syntax

GET /clusters/cluster_id/policygovernance HTTP/1.1
Content-Type:application/json

Request parameters

Table 1. Request path parameters

Parameter  | Type   | Required | Example                 | Description
cluster_id | String | Yes      | c8155823d057948c69a**** | The ID of the cluster that you want to query.

Response syntax

HTTP/1.1 200 OK
Content-Type:application/json

{
  "on_state" : [ {
    "enabled_count" : Integer,
    "total" : Integer,
    "severity" : "String"
  } ],
  "admit_log" : {
    "progress" : "String",
    "count" : Long,
    "log" : {
      "msg" : "String",
      "cluster_id" : "String",
      "constraint_kind" : "String",
      "resource_name" : "String",
      "resource_kind" : "String",
      "resource_namespace" : "String"
    }
  },
  "totalViolations" : {
    "deny" : {
      "severity" : "String",
      "violations" : Long
    },
    "warn" : {
      "severity" : "String",
      "violations" : Long
    }
  },
  "violations" : {
    "deny" : {
      "policyName" : "String",
      "policyDescription" : "String",
      "violations" : Long,
      "severity" : "String"
    },
    "warn" : {
      "policyName" : "String",
      "policyDescription" : "String",
      "violations" : Long,
      "severity" : "String"
    }
  }
}

Response parameters

Table 2. Response body parameters (nested parameters are indented under their parent)

Parameter               | Type              | Example                                                                       | Description
on_state                | Array of on_state |                                                                               | Details about the policies of different severity levels that are enabled for the cluster.
  enabled_count         | Integer           | 3                                                                             | The number of policies that are enabled.
  total                 | Integer           | 8                                                                             | The total number of policies of the severity level.
  severity              | String            | high                                                                          | The policy severity level.
admit_log               | Object            |                                                                               | The audit logs of policies in the cluster.
  progress              | String            | Complete                                                                      | The status of the query.
  count                 | Long              | 100                                                                           | The number of audit log entries.
  log                   | Object            |                                                                               | The audit log content.
    msg                 | String            | d4hdhs*****                                                                   | The message that appears when an event is generated by a policy.
    cluster_id          | String            | c8155823d057948c69a****                                                       | The ID of the queried cluster.
    constraint_kind     | String            | ACKAllowedRepos                                                               | The name of the policy.
    resource_name       | String            | nginx-deployment-basic2-84ccb74bfc-df22p                                      | The name of the resource.
    resource_kind       | String            | Pod                                                                           | The type of the resource.
    resource_namespace  | String            | default                                                                       | The namespace to which the resource belongs.
totalViolations         | Object            |                                                                               | Details about the blocking and alerting events that are triggered by policies of different severity levels.
  deny                  | Object            |                                                                               | Details about the blocking events that are triggered by the policies of each severity level.
    severity            | String            | high                                                                          | The policy severity level.
    violations          | Long              | 0                                                                             | The number of blocking events that are triggered.
  warn                  | Object            |                                                                               | Details about the alerting events that are triggered by the policies of each severity level.
    severity            | String            | low                                                                           | The policy severity level.
    violations          | Long              | 5                                                                             | The number of alerting events that are triggered.
violations              | Object            |                                                                               | Details about the blocking and alerting events that are triggered by different policies.
  deny                  | Object            |                                                                               | Details about the blocking events that are triggered by each policy.
    policyName          | String            | policy-gatekeeper-ackallowedrepos                                             | The name of the policy.
    policyDescription   | String            | Requires container images to begin with a repo string from a specified list.  | The description of the policy.
    violations          | Long              | 11                                                                            | The total number of blocking events that are triggered by the policy.
    severity            | String            | high                                                                          | The severity level of the policy.
  warn                  | Object            |                                                                               | Details about the alerting events that are triggered by each policy.
    policyName          | String            | policy-gatekeeper-ackpspcapabilities                                          | The name of the policy.
    policyDescription   | String            | Controls Linux capabilities.                                                  | The description of the policy.
    violations          | Long              | 81                                                                            | The total number of alerting events that are triggered by the policy.
    severity            | String            | high                                                                          | The severity level of the policy.

Sample requests

Submit the following sample request to query information about policies in an ACK cluster:

GET /clusters/c8155823d057948c69a****/policygovernance HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribePolicyGovernanceInClusterResponse>
    <on_state>
        <enabled_count>0</enabled_count>
        <total>14</total>
        <severity>low</severity>
    </on_state>
    <on_state>
        <enabled_count>2</enabled_count>
        <total>13</total>
        <severity>high</severity>
    </on_state>
    <on_state>
        <enabled_count>1</enabled_count>
        <total>8</total>
        <severity>medium</severity>
    </on_state>
    <admit_log>
        <progress>Complete</progress>
        <count>75</count>
        <logs>
            <__source__>192.168.0.188</__source__>
            <__tag__:__hostname__>iZwz98e621h0kvki3ja****</__tag__:__hostname__>
            <__tag__:__pack_id__>63DE8FD17599E86****</__tag__:__pack_id__>
            <__tag__:__path__>/policy_admit_logs/gatekeeper_admit.log</__tag__:__path__>
            <__tag__:__receive_time__>1631168040</__tag__:__receive_time__>
            <__tag__:__user_defined_id__>k8s-group-cb36d98a701ef4742b50603866809****</__tag__:__user_defined_id__>
            <__tag__:_container_ip_>10.102.0.89</__tag__:_container_ip_>
            <__tag__:_container_name_>manager</__tag__:_container_name_>
            <__tag__:_image_name_>registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun</__tag__:_image_name_>
            <__tag__:_namespace_>kube-system</__tag__:_namespace_>
            <__tag__:_node_ip_>192.168.0.188</__tag__:_node_ip_>
            <__tag__:_node_name_>cn-shenzhen.192.168.XX.XX</__tag__:_node_name_>
            <__tag__:_pod_name_>gatekeeper-7648f64cc8-27nd4</__tag__:_pod_name_>
            <__tag__:_pod_uid_>11083b05-eecd-454c-8d22-81c83ce1****</__tag__:_pod_uid_>
            <__time__>1631168037</__time__>
            <__topic__/>
            <cluster_id>cb36d98a701ef4742b50603866809****</cluster_id>
            <constraint_action>deny</constraint_action>
            <constraint_api_version>v1beta1</constraint_api_version>
            <constraint_group>constraints.gatekeeper.sh</constraint_group>
            <constraint_kind>ACKAllowedRepos</constraint_kind>
            <constraint_name>allowed-repos-80970511-c93d-4c40-b692-be18c077****</constraint_name>
            <event_msg>Admission webhook "validation.gatekeeper.sh" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container &lt;nginx&gt; has an invalid image repo &lt;nginx:1.7.9&gt;, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</event_msg>
            <event_reason>GatekeeperFailedAdmission</event_reason>
            <event_type>violation</event_type>
            <level>info</level>
            <logger>ack_policy_admit_log_for_sls</logger>
            <msg>container &lt;nginx&gt; has an invalid image repo &lt;nginx:1.7.9&gt;, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</msg>
            <process>admission</process>
            <request_uid>9db8f008-c2e8-4723-a380-18ef358c2827</request_uid>
            <request_username>system:serviceaccount:kube-system:replicaset-controller</request_username>
            <resource_api_version>v1</resource_api_version>
            <resource_group/>
            <resource_kind>Pod</resource_kind>
            <resource_name>nginx-deployment-basic2-84ccb74bfc-df22p</resource_name>
            <resource_namespace>default</resource_namespace>
            <time>2021-09-09T06:13:57Z</time>
            <ts>1631168037.444757</ts>
        </logs>
        <logs>
            <__source__>192.168.XX.XX</__source__>
        </logs>
    </admit_log>
    <Violation>
        <totalViolations>
            <deny>
                <severity>high</severity>
                <violations>75</violations>
            </deny>
            <deny>
                <severity>medium</severity>
                <violations>0</violations>
            </deny>
            <warn>
                <severity>high</severity>
                <violations>0</violations>
            </warn>
            <warn>
                <severity>medium</severity>
                <violations>0</violations>
            </warn>
        </totalViolations>
        <violations>
            <deny>
                <policyName>policy-gatekeeper-ackallowedrepos</policyName>
                <policyDescription>Requires container images to begin with a repo string from a specified list.</policyDescription>
                <severity>high</severity>
                <violations>11</violations>
            </deny>
            <deny>
                <policyName>policy-gatekeeper-ackpspcapabilities</policyName>
                <policyDescription>Controls Linux capabilities.</policyDescription>
                <severity>high</severity>
                <violations>81</violations>
            </deny>
        </violations>
    </Violation>
</DescribePolicyGovernanceInClusterResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "on_state" : [ {
    "enabled_count" : 0,
    "total" : 14,
    "severity" : "low"
  }, {
    "enabled_count" : 2,
    "total" : 13,
    "severity" : "high"
  }, {
    "enabled_count" : 1,
    "total" : 8,
    "severity" : "medium"
  } ],
  "admit_log" : {
    "progress" : "Complete",
    "count" : 75,
    "logs" : [ {
      "__source__" : "192.168.0.188",
      "__tag__:__hostname__" : "iZwz98e621h0kvki3ja****",
      "__tag__:__pack_id__" : "63DE8FD17599E86****",
      "__tag__:__path__" : "/policy_admit_logs/gatekeeper_admit.log",
      "__tag__:__receive_time__" : "1631168040",
      "__tag__:__user_defined_id__" : "k8s-group-cb36d98a701ef4742b50603866809****",
      "__tag__:_container_ip_" : "10.102.0.89",
      "__tag__:_container_name_" : "manager",
      "__tag__:_image_name_" : "registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun",
      "__tag__:_namespace_" : "kube-system",
      "__tag__:_node_ip_" : "192.168.0.188",
      "__tag__:_node_name_" : "cn-shenzhen.192.168.XX.XX",
      "__tag__:_pod_name_" : "gatekeeper-7648f64cc8-27nd4",
      "__tag__:_pod_uid_" : "11083b05-eecd-454c-8d22-81c83ce1****",
      "__time__" : "1631168037",
      "__topic__" : "",
      "cluster_id" : "cb36d98a701ef4742b50603866809****",
      "constraint_action" : "deny",
      "constraint_api_version" : "v1beta1",
      "constraint_group" : "constraints.gatekeeper.sh",
      "constraint_kind" : "ACKAllowedRepos",
      "constraint_name" : "allowed-repos-80970511-c93d-4c40-b692-be18c077****",
      "event_msg" : "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
      "event_reason" : "GatekeeperFailedAdmission",
      "event_type" : "violation",
      "level" : "info",
      "logger" : "ack_policy_admit_log_for_sls",
      "msg" : "container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
      "process" : "admission",
      "request_uid" : "9db8f008-c2e8-4723-a380-18ef358c2827",
      "request_username" : "system:serviceaccount:kube-system:replicaset-controller",
      "resource_api_version" : "v1",
      "resource_group" : "",
      "resource_kind" : "Pod",
      "resource_name" : "nginx-deployment-basic2-84ccb74bfc-df22p",
      "resource_namespace" : "default",
      "time" : "2021-09-09T06:13:57Z",
      "ts" : "1631168037.444757"
    }, {
      "__source__" : "192.168.XX.XX"
    } ]
  },
  "Violation" : {
    "totalViolations" : {
      "deny" : [ {
        "severity" : "high",
        "violations" : 75
      }, {
        "severity" : "medium",
        "violations" : 0
      } ],
      "warn" : [ {
        "severity" : "high",
        "violations" : 0
      }, {
        "severity" : "medium",
        "violations" : 0
      } ]
    },
    "violations" : {
      "deny" : [ {
        "policyName" : "policy-gatekeeper-ackallowedrepos",
        "policyDescription" : "Requires container images to begin with a repo string from a specified list.",
        "severity" : "high",
        "violations" : 11
      }, {
        "policyName" : "policy-gatekeeper-ackpspcapabilities",
        "policyDescription" : "Controls Linux capabilities.",
        "severity" : "high",
        "violations" : 81
      } ]
    }
  }
}
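The following is an added example, not code from the ACK documentation or SDK, showing how a caller might turn the JSON body above into the facts an operator wants from policy governance: which severity levels have policies that exist but are not enabled, how many deny and warn events each severity level produced, which policies fire most, and which admission requests were denied and by whom. Two points in the samples matter for a parser: the sample responses nest totalViolations and violations under a "Violation" key and return deny/warn as arrays, whereas the Response syntax section shows them at the top level as single objects, so the helpers accept both shapes; and the sample admit_log contains an entry with only "__source__", so log parsing must tolerate missing keys. SAMPLE_RESPONSE is a constructed, abbreviated copy of the page's JSON sample; all function names are the example's own.

```python
"""Summarize a DescribePolicyGovernanceInCluster JSON body (added example)."""
import json
from collections import defaultdict

# Constructed sample, abbreviated from the page's JSON sample response.
SAMPLE_RESPONSE = json.dumps({
    "on_state": [
        {"enabled_count": 0, "total": 14, "severity": "low"},
        {"enabled_count": 2, "total": 13, "severity": "high"},
        {"enabled_count": 1, "total": 8, "severity": "medium"},
    ],
    "admit_log": {
        "progress": "Complete",
        "count": 75,
        "logs": [
            {"constraint_action": "deny", "constraint_kind": "ACKAllowedRepos",
             "event_type": "violation",
             "request_username": "system:serviceaccount:kube-system:replicaset-controller",
             "resource_kind": "Pod", "resource_namespace": "default",
             "resource_name": "nginx-deployment-basic2-84ccb74bfc-df22p"},
            {"__source__": "192.168.XX.XX"},  # partial entry, as in the sample
        ],
    },
    "Violation": {
        "totalViolations": {
            "deny": [{"severity": "high", "violations": 75},
                     {"severity": "medium", "violations": 0}],
            "warn": [{"severity": "high", "violations": 0},
                     {"severity": "medium", "violations": 0}],
        },
        "violations": {
            "deny": [
                {"policyName": "policy-gatekeeper-ackallowedrepos",
                 "severity": "high", "violations": 11},
                {"policyName": "policy-gatekeeper-ackpspcapabilities",
                 "severity": "high", "violations": 81},
            ]
        },
    },
})


def _as_list(value):
    """deny/warn are arrays in the samples but single objects in the syntax block."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _violation_root(body):
    """Samples wrap totals under "Violation"; the syntax block puts them at top level."""
    return body.get("Violation", body)


def policy_coverage(body):
    """Map severity -> (enabled_count, total), to expose enforcement gaps."""
    return {s["severity"]: (s["enabled_count"], s["total"])
            for s in body.get("on_state", [])}


def disabled_high_severity(body):
    """High-severity policies that exist in the cluster but are not enabled."""
    enabled, total = policy_coverage(body).get("high", (0, 0))
    return total - enabled


def event_totals(body):
    """Sum deny and warn event counts per severity from totalViolations."""
    totals = defaultdict(lambda: {"deny": 0, "warn": 0})
    section = _violation_root(body).get("totalViolations", {})
    for action in ("deny", "warn"):
        for entry in _as_list(section.get(action)):
            totals[entry["severity"]][action] += int(entry.get("violations", 0))
    return dict(totals)


def noisiest_policies(body, top=3):
    """(policyName, action, count) rows ordered by count; the first place to triage."""
    rows = []
    section = _violation_root(body).get("violations", {})
    for action in ("deny", "warn"):
        for p in _as_list(section.get(action)):
            rows.append((p["policyName"], action, int(p.get("violations", 0))))
    return sorted(rows, key=lambda r: r[2], reverse=True)[:top]


def denied_admissions(body):
    """Resource, policy and requester for each denied admission; skips partial entries."""
    out = []
    for entry in body.get("admit_log", {}).get("logs", []):
        if entry.get("constraint_action") != "deny":
            continue  # includes entries that carry only __source__
        out.append({
            "resource": "%s/%s/%s" % (entry.get("resource_namespace", "?"),
                                      entry.get("resource_kind", "?"),
                                      entry.get("resource_name", "?")),
            "policy": entry.get("constraint_kind", "?"),
            "requester": entry.get("request_username", "?"),
        })
    return out


def summarize(raw_json):
    body = json.loads(raw_json)
    return {"coverage": policy_coverage(body),
            "disabled_high": disabled_high_severity(body),
            "totals": event_totals(body),
            "top_policies": noisiest_policies(body),
            "denied": denied_admissions(body)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

Run on the sample, summarize reports 11 high-severity policies present but disabled, 75 high-severity deny events, policy-gatekeeper-ackpspcapabilities as the noisiest policy, and a single denied Pod admission in the default namespace requested by the replicaset-controller service account; the partial log entry is skipped rather than raising a KeyError.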

Error codes

For a list of error codes, visit the API Error Center.