Query information about a policy -

You can call the DescribePolicyDetails operation to query information about a policy.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request syntax

GET /policies/policy_name HTTP/1.1
Content-Type:application/json

Request parameters

Table 1. Request path parameters
Parameter	Type	Required	Example	Description
policy_name	String	Yes	ACKAllowedRepos	The name of the policy that you want to query.

Response syntax

HTTP/1.1 200 OK
Content-Type:application/json

{
  "name" : "String",
  "category" : "String",
  "description" : "String",
  "action" : "String",
  "severity" : "String",
  "template" : "String",
  "no_config" : Integer,
  "is_deleted" : Integer
}

Response parameters

Table 2. Response body parameters
Parameter	Type	Example	Description
name	String	ACKAllowedRepos	The name of the policy that is returned.
category	String	k8s-general	The type of the policy.
description	String	Requires container images to begin with a repo string from a specified list	The description of the policy.
action	String	enforce	The action of the policy. Valid values: `enforce`: blocks deployments that match the policy. `inform`: generates alerts for deployments that match the policy.
severity	String	high	The severity level of the policy. Valid values: `high` `medium` `low`
template	String	Refer to the sample request.	The content of the policy.
no_config	Integer	0	Indicates whether parameters are required. Valid values: 0: Parameters are required. 1: Parameters are optional.
is_deleted	Integer	0	Indicates whether the policy is deleted. Valid values: 0: The policy is not deleted. 1: The policy is deleted.

Sample requests

Submit the following sample request to query information about a policy:

GET /policies/ACKAllowedRepos HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json

Description of the sample request

The following code shows a sample policy:

    apiVersion: policy.alibabacloud.com/v1alpha1
    kind: Policy
    metadata:
      name: policy-gatekeeper-ackallowedrepos
      annotations:
        ack.policy/categories: k8s general
        ack.policy/controls: baseline control
    spec:
      remediationAction: enforce # will be overridden by remediationAction in parent policy
      severity: high
      description: "Requires container images to begin with a repo string from a specified list."
      policyTemplates:
        - # complianceType: musthave
          objectDefinition:
            apiVersion: templates.gatekeeper.sh/v1
            kind: ConstraintTemplate
            metadata:
              name: ackallowedrepos
              annotations:
                description: Requires container images to begin with a repo string from a specified list.
            spec:
              crd:
                spec:
                  names:
                    kind: ACKAllowedRepos
                  validation:
                    # Schema for the `parameters` field
                    legacySchema: true
                    openAPIV3Schema:
                      type: object
                      required:
                        - repos
                      properties:
                        repos:
                          type: array
                          items:
                            type: string
            targets:
              - target: admission.k8s.gatekeeper.sh
                rego: |
                  package ackallowedrepos
                  violation[{"msg": msg}] {
                    container := input.review.object.spec.containers[_]
                    satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
                    not any(satisfied)
                    msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
                }

                  violation[{"msg": msg}] {
                    container := input.review.object.spec.initContainers[_]
                    satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
                    not any(satisfied)
                    msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
                }
        - # complianceType: musthave
          objectDefinition:
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: ACKAllowedRepos
            metadata:
              name: allowed-repos
            spec:
              enforcementAction: deny
              match:
                kinds:
                  - apiGroups: [""]
                    kinds: ["Pod"]
                namespaces:
                  - "test-gatekeeper"
              parameters:
                repos:
                  - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
                  - "registry.cn-hangzhou.aliyuncs.com/acs/"

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribePolicyDetailsResponse>
    <name>ACKAllowedRepos</name>
    <category>k8s-general</category>
    <description>Requires container images to begin with a repo string from a specified list</description>
    <action>enforce</action>
    <severity>high</severity>
    <template>Refer to the sample request</template>
    <no_config>0</no_config>
    <is_deleted>0</is_deleted>
</DescribePolicyDetailsResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "name" : "ACKAllowedRepos",
  "category" : "k8s-general",
  "description" : "Requires container images to begin with a repo string from a specified list",
  "action" : "enforce",
  "severity" : "high",
  "template" : "Refer to the sample request",
  "no_config" : 0,
  "is_deleted" : 0
}

Error codes

For a list of error codes, visit the API Error Center.