Kebijakan keamanan kontainer klaster ACK menyediakan sekumpulan pustaka aturan bawaan yang lengkap, termasuk Compliance, Infra, K8s-general, dan PSP, untuk memastikan pengoperasian kontainer yang aman di lingkungan produksi. Anda dapat memanggil operasi DescribePolicyGovernanceInCluster untuk mengkueri informasi tata kelola kebijakan terperinci untuk klaster tertentu, seperti jumlah kebijakan yang diaktifkan pada berbagai tingkat keparahan, log audit tata kelola kebijakan, serta detail intersepsi dan peringatan.
Coba sekarang
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
cs:DescribePolicyGovernanceInCluster |
get |
*Cluster
|
None | None |
Sintaks permintaan
GET /clusters/{cluster_id}/policygovernance HTTP/1.1
Path Parameters
|
Parameter |
Type |
Required |
Description |
Example |
| cluster_id |
string |
Yes |
ID klaster target. |
c8155823d057948c69a**** |
Parameter permintaan
|
Parameter |
Type |
Required |
Description |
Example |
Tidak ada parameter yang diperlukan.
Elemen respons
|
Element |
Type |
Description |
Example |
|
object |
Skema Respons |
||
| on_state |
array<object> |
Jumlah kebijakan yang diaktifkan pada berbagai tingkat keparahan di klaster saat ini. |
|
|
object |
|||
| enabled_count |
integer |
Jumlah jenis kebijakan yang saat ini diaktifkan. |
3 |
| total |
integer |
Total jumlah jenis kebijakan pada tingkat keparahan ini. |
8 |
| severity |
string |
Tingkat keparahan tata kelola kebijakan. |
high |
| admit_log |
object |
Log audit tata kelola kebijakan untuk klaster saat ini. |
|
| progress |
string |
Status hasil kueri. Nilai yang valid:
|
Complete |
| count |
integer |
Total jumlah log yang dikembalikan oleh kueri saat ini. |
100 |
| logs |
array<object> |
Informasi log tentang pelanggaran kebijakan. |
|
|
object |
|||
| cluster_id |
string |
hash code |
|
| constraint_action |
string |
deny |
|
| constraint_api_version |
string |
v1beta1 |
|
| constraint_category |
string |
cis-k8s |
|
| constraint_group |
string |
constraints.gatekeeper.sh |
|
| constraint_kind |
string |
ACKNamespacesDeleteProtection |
|
| constraint_name |
string |
namespace-delete-protection-jpjwv |
|
| event_msg |
string |
Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: , Constraint: namespace-delete-protection-jpjwv, Message: not allow to delete protection namespace test. |
|
| event_type |
string |
violation |
|
| request_uid |
string |
hash code |
|
| request_userinfo |
string |
account id |
|
| request_username |
string |
account user name |
|
| resource_kind |
string |
Namespace |
|
| resource_name |
string |
test |
|
| time |
string |
2025-10-27T11:31:40Z |
|
| log_project |
string |
Proyek log yang menyimpan informasi tindakan kebijakan. |
k8s-log-clusterid |
| log_store |
string |
Logstore yang menyimpan informasi tindakan kebijakan. |
policyadmit-clusterid |
| Violation |
object |
Informasi pelanggaran kebijakan yang diagregasi berdasarkan tingkat keparahan. |
|
| totalViolations |
object |
Informasi ringkasan. |
|
| deny |
array<object> |
||
|
object |
|||
| severity |
string |
medium |
|
| violations |
string |
2 |
|
| warn |
array<object> |
||
|
object |
|||
| severity |
string |
high |
|
| violations |
integer |
0 |
|
| violations |
object |
Catatan pelanggaran yang diagregasi berdasarkan nama kebijakan. |
|
| deny |
array<object> |
||
|
object |
|||
| policyDescription |
string |
Prevent specific namespaces from being deleted. |
|
| policyName |
string |
ACKNamespacesDeleteProtection |
|
| severity |
string |
medium |
|
| violations |
integer |
1 |
|
| warn |
array<object> |
||
|
object |
|||
| policyDescription |
string |
||
| policyName |
string |
||
| severity |
string |
||
| violations |
integer |
Contoh
Respons sukses
JSONformat
{
"on_state": [
{
"enabled_count": 3,
"total": 8,
"severity": "high"
}
],
"admit_log": {
"progress": "Complete",
"count": 100,
"logs": [
{
"cluster_id": "hash code",
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_category": "cis-k8s",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "ACKNamespacesDeleteProtection",
"constraint_name": "namespace-delete-protection-jpjwv",
"event_msg": "Admission webhook \\\"validation.gatekeeper.sh\\\" denied request, Resource Namespace: , Constraint: namespace-delete-protection-jpjwv, Message: not allow to delete protection namespace test.",
"event_type": "violation",
"request_uid": "hash code",
"request_userinfo": "account id",
"request_username": "account user name\n",
"resource_kind": "Namespace",
"resource_name": "test",
"time": "2025-10-27T11:31:40Z"
}
],
"log_project": "k8s-log-clusterid",
"log_store": "policyadmit-clusterid"
},
"Violation": {
"totalViolations": {
"deny": [
{
"severity": "medium",
"violations": "2"
}
],
"warn": [
{
"severity": "high",
"violations": 0
}
]
},
"violations": {
"deny": [
{
"policyDescription": "Prevent specific namespaces from being deleted.",
"policyName": "ACKNamespacesDeleteProtection",
"severity": "medium",
"violations": 1
}
],
"warn": [
{
"policyDescription": "",
"policyName": "",
"severity": "",
"violations": 0
}
]
}
}
}
Kode kesalahan
Lihat Error Codes untuk daftar lengkap.
Catatan rilis
Lihat Release Notes untuk daftar lengkap.