You can call the DescribePolicyInstancesStatus operation to query information about policy instances in a Container Service for Kubernetes (ACK) cluster. The information includes the number of instances deployed from each policy and the number of policy instances of each severity level.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request syntax

GET /clusters/{cluster_id}/policies/status HTTP/1.1
Content-Type:application/json

Request parameters

Table 1. Request path parameters

Parameter | Type | Required | Example | Description
cluster_id | String | Yes | c8155823d057948c69a**** | The ID of the cluster that you want to query.

Response syntax

HTTP/1.1 200 OK
Content-Type:application/json

{
  "policy_instances" : [ {
    "policy_category" : "String",
    "policy_name" : "String",
    "policy_description" : "String",
    "policy_severity" : "String",
    "policy_instances_count" : Long
  } ],
  "instances_severity_count" : Map
}

Response parameters

Table 2. Response body parameters

Parameter | Type | Example | Description
policy_instances | Array of policy_instances | | Details about policy instances of different types.
policy_category | String | cis-k8s | The policy type.
policy_name | String | ACKRestrictRoleBindings | The name of the policy.
policy_description | String | Restricts use of the cluster-admin role. | The description of the policy.
policy_severity | String | medium | The severity level of the policy.
policy_instances_count | Long | 1 | The number of policy instances that are deployed. If this parameter is empty, it indicates that no policy instance is deployed from the policy.
instances_severity_count | Map | | Information about the number of policy instances of each severity level.

Sample requests

Submit the following request to query information about policy instances in an ACK cluster:

GET /clusters/{cluster_id}/policies/status HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribePolicyInstancesStatusResponse>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockNodePort</policy_name>
        <policy_description>Disallows all Services with type NodePort.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKExternalIPs</policy_name>
        <policy_description>Restricts Services from containing externalIPs except those in a provided allowlist.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPHostNamespace</policy_name>
        <policy_description>Controls usage of host namespaces.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPReadOnlyRootFilesystem</policy_name>
        <policy_description>Requires the use of a read only root file system.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPVolumeTypes</policy_name>
        <policy_description>Controls usage of volume types.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKOSSStorageLocationConstraint</policy_name>
        <policy_description>Restricts location of oss storage in cluster.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockAutoinjectServiceEnv</policy_name>
        <policy_description>Disable autoinjecting information about services into pod's environment variables.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKImageDigests</policy_name>
        <policy_description>Requires container images to contain a digest.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPAllowedUsers</policy_name>
        <policy_description>Controls the user and group IDs of the container.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPHostFilesystem</policy_name>
        <policy_description>Controls usage of the host filesystem.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKBlockProcessNamespaceSharing</policy_name>
        <policy_description>Restricts shareProcessNamespace used in pod.</policy_description>
        <policy_severity>high</policy_severity>
        <policy_instances_count>2</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPCapabilities</policy_name>
        <policy_description>Controls Linux capabilities.</policy_description>
        <policy_severity>high</policy_severity>
        <policy_instances_count>5</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPForbiddenSysctls</policy_name>
        <policy_description>Controls the `sysctl` profile used by containers.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPSeccomp</policy_name>
        <policy_description>Controls the seccomp profile used by containers.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockLoadBalancer</policy_name>
        <policy_description>Disallows all Services with type LoadBalancer.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPAppArmor</policy_name>
        <policy_description>Controls the AppArmor profile used by containers.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPPrivilegedContainer</policy_name>
        <policy_description>Controls running of privileged containers.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPProcMount</policy_name>
        <policy_description>Controls the allowed `procMount` types for the container.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPSELinuxV2</policy_name>
        <policy_description>Controls the SELinux context of the container.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKEmptyDirHasSizeLimit</policy_name>
        <policy_description>Requires that emptydir volume must have a `sizelimit` defined.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPAllowPrivilegeEscalationContainer</policy_name>
        <policy_description>Controls restricting escalation to root privileges.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPFSGroup</policy_name>
        <policy_description>Controls allocating an FSGroup that owns the Pod's volumes.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKPodsRequireSecurityContext</policy_name>
        <policy_description>Requires that Pods must have a `securityContext` defined.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKRestrictNamespaces</policy_name>
        <policy_description>Restricts resources from using the `default` namespace.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKContainerLimits</policy_name>
        <policy_description>Requires containers to have memory and CPU limits set and within a specified maximum amount.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPHostNetworkingPorts</policy_name>
        <policy_description>Controls usage of host networking and ports.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockAutomountToken</policy_name>
        <policy_description>Disable automounting API credentials.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKRequiredLabels</policy_name>
        <policy_description>Requires all resources to contain a specified label with a value matching a provided regular expression.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPFlexVolumes</policy_name>
        <policy_description>Controls the allowlist of Flexvolume drivers.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKAllowedRepos</policy_name>
        <policy_description>Requires container images to begin with a repo string from a specified list.</policy_description>
        <policy_severity>high</policy_severity>
        <policy_instances_count>4</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKNoEnvVarSecrets</policy_name>
        <policy_description>Restricts secrets used in pod envs.</policy_description>
        <policy_severity>medium</policy_severity>
        <policy_instances_count>1</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKRestrictRoleBindings</policy_name>
        <policy_description>Restricts use of the cluster-admin role.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKLocalStorageRequireSafeToEvict</policy_name>
        <policy_description>Restricts safe to evict annotation existing in pod with local storage.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKRequiredProbes</policy_name>
        <policy_description>Requires Pods to have readiness and/or liveness probes.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <instances_severity_count>
        <high>11</high>
        <medium>1</medium>
    </instances_severity_count>
</DescribePolicyInstancesStatusResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "policy_instances" : [ {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockNodePort",
    "policy_description" : "Disallows all Services with type NodePort.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKExternalIPs",
    "policy_description" : "Restricts Services from containing externalIPs except those in a provided allowlist.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPHostNamespace",
    "policy_description" : "Controls usage of host namespaces.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPReadOnlyRootFilesystem",
    "policy_description" : "Requires the use of a read only root file system.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPVolumeTypes",
    "policy_description" : "Controls usage of volume types.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKOSSStorageLocationConstraint",
    "policy_description" : "Restricts location of oss storage in cluster.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockAutoinjectServiceEnv",
    "policy_description" : "Disable autoinjecting information about services into pod's environment variables.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKImageDigests",
    "policy_description" : "Requires container images to contain a digest.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPAllowedUsers",
    "policy_description" : "Controls the user and group IDs of the container.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPHostFilesystem",
    "policy_description" : "Controls usage of the host filesystem.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKBlockProcessNamespaceSharing",
    "policy_description" : "Restricts shareProcessNamespace used in pod.",
    "policy_severity" : "high",
    "policy_instances_count" : 2
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPCapabilities",
    "policy_description" : "Controls Linux capabilities.",
    "policy_severity" : "high",
    "policy_instances_count" : 5
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPForbiddenSysctls",
    "policy_description" : "Controls the `sysctl` profile used by containers.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPSeccomp",
    "policy_description" : "Controls the seccomp profile used by containers.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockLoadBalancer",
    "policy_description" : "Disallows all Services with type LoadBalancer.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPAppArmor",
    "policy_description" : "Controls the AppArmor profile used by containers.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPPrivilegedContainer",
    "policy_description" : "Controls running of privileged containers.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPProcMount",
    "policy_description" : "Controls the allowed `procMount` types for the container.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPSELinuxV2",
    "policy_description" : "Controls the SELinux context of the container.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKEmptyDirHasSizeLimit",
    "policy_description" : "Requires that emptydir volume must have a `sizelimit` defined.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPAllowPrivilegeEscalationContainer",
    "policy_description" : "Controls restricting escalation to root privileges.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPFSGroup",
    "policy_description" : "Controls allocating an FSGroup that owns the Pod's volumes.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKPodsRequireSecurityContext",
    "policy_description" : "Requires that Pods must have a `securityContext` defined.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKRestrictNamespaces",
    "policy_description" : "Restricts resources from using the `default` namespace.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKContainerLimits",
    "policy_description" : "Requires containers to have memory and CPU limits set and within a specified maximum amount.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPHostNetworkingPorts",
    "policy_description" : "Controls usage of host networking and ports.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockAutomountToken",
    "policy_description" : "Disable automounting API credentials.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKRequiredLabels",
    "policy_description" : "Requires all resources to contain a specified label with a value matching a provided regular expression.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPFlexVolumes",
    "policy_description" : "Controls the allowlist of Flexvolume drivers.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKAllowedRepos",
    "policy_description" : "Requires container images to begin with a repo string from a specified list.",
    "policy_severity" : "high",
    "policy_instances_count" : 4
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKNoEnvVarSecrets",
    "policy_description" : "Restricts secrets used in pod envs.",
    "policy_severity" : "medium",
    "policy_instances_count" : 1
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKRestrictRoleBindings",
    "policy_description" : "Restricts use of the cluster-admin role.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKLocalStorageRequireSafeToEvict",
    "policy_description" : "Restricts safe to evict annotation existing in pod with local storage.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKRequiredProbes",
    "policy_description" : "Requires Pods to have readiness and/or liveness probes.",
    "policy_severity" : "medium"
  } ],
  "instances_severity_count" : {
    "high" : 11,
    "medium" : 1
  }
}
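The response above is only useful once it is turned into a coverage picture: which policies have instances deployed, and which severity levels are left uncovered. The following added example (not code from the ACK documentation or SDK) parses a JSON body of this shape, treats an absent policy_instances_count as zero as Table 2 describes, recomputes the per-severity totals and cross-checks them against instances_severity_count, and lists the policies of a given severity that have no instance deployed. The embedded sample is a constructed subset of the page's sample response; the function names are the example's own.

```python
import json
from collections import Counter

# Constructed sample: a subset of the page's sample response. Entries without
# policy_instances_count have no instance deployed, as Table 2 states.
SAMPLE_RESPONSE = json.dumps({
    "policy_instances": [
        {"policy_category": "psp", "policy_name": "ACKPSPPrivilegedContainer",
         "policy_description": "Controls running of privileged containers.",
         "policy_severity": "high"},
        {"policy_category": "infra", "policy_name": "ACKBlockProcessNamespaceSharing",
         "policy_description": "Restricts shareProcessNamespace used in pod.",
         "policy_severity": "high", "policy_instances_count": 2},
        {"policy_category": "psp", "policy_name": "ACKPSPCapabilities",
         "policy_description": "Controls Linux capabilities.",
         "policy_severity": "high", "policy_instances_count": 5},
        {"policy_category": "k8s-general", "policy_name": "ACKAllowedRepos",
         "policy_description": "Requires container images to begin with a repo string from a specified list.",
         "policy_severity": "high", "policy_instances_count": 4},
        {"policy_category": "cis-k8s", "policy_name": "ACKNoEnvVarSecrets",
         "policy_description": "Restricts secrets used in pod envs.",
         "policy_severity": "medium", "policy_instances_count": 1},
        {"policy_category": "cis-k8s", "policy_name": "ACKRestrictRoleBindings",
         "policy_description": "Restricts use of the cluster-admin role.",
         "policy_severity": "medium"},
    ],
    "instances_severity_count": {"high": 11, "medium": 1},
})


def parse_status(body):
    """Parse a DescribePolicyInstancesStatus body; a missing count means 0."""
    data = json.loads(body)
    policies = [{
        "category": p["policy_category"],
        "name": p["policy_name"],
        "severity": p["policy_severity"],
        "count": int(p.get("policy_instances_count") or 0),
    } for p in data.get("policy_instances", [])]
    return {"policies": policies,
            "severity_count": data.get("instances_severity_count", {})}


def severity_totals(policies):
    """Recompute instances per severity from the per-policy counts."""
    totals = Counter()
    for p in policies:
        if p["count"]:
            totals[p["severity"]] += p["count"]
    return dict(totals)


def check_consistency(status):
    """True when recomputed totals match the API's instances_severity_count."""
    return severity_totals(status["policies"]) == status["severity_count"]


def undeployed(policies, severity="high"):
    """Policies at the given severity with no deployed instance: the coverage gaps."""
    return sorted(p["name"] for p in policies
                  if p["severity"] == severity and p["count"] == 0)
```

Feed the real response body to parse_status in place of SAMPLE_RESPONSE; a mismatch from check_consistency means the two views of the cluster disagree and the result should not be trusted as a compliance snapshot.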

Error codes

For a list of error codes, visit the API Error Center.