You can call the DescribePolicyGovernanceInCluster operation to query the policy governance status of a Container Service for Kubernetes (ACK) cluster: how many policies are enabled at each severity level, the admission audit log written by the policy engine, and the number of blocking (deny) and alerting (warn) events that policies have triggered.
Request syntax
GET /clusters/cluster_id/policygovernance HTTP/1.1
Content-Type:application/json
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| cluster_id | String | Yes | c8155823d057948c69a**** | The ID of the cluster that you want to query. |
Response syntax
HTTP/1.1 200 OK
Content-Type:application/json
{
"on_state" : [ {
"enabled_count" : Integer,
"total" : Integer,
"severity" : "String"
} ],
"admit_log" : {
"progress" : "String",
"count" : Long,
"log" : {
"msg" : "String",
"cluster_id" : "String",
"constraint_kind" : "String",
"resource_name" : "String",
"resource_kind" : "String",
"resource_namespace" : "String"
}
},
"totalViolations" : {
"deny" : {
"severity" : "String",
"violations" : Long
},
"warn" : {
"severity" : "String",
"violations" : Long
}
},
"violations" : {
"deny" : {
"policyName" : "String",
"policyDescription" : "String",
"violations" : Long,
"severity" : "String"
},
"warn" : {
"policyName" : "String",
"policyDescription" : "String",
"violations" : Long,
"severity" : "String"
}
}
}
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| on_state | Array of on_state | | Details about the policies that are enabled for the cluster, with one entry per severity level. |
| on_state[].enabled_count | Integer | 3 | The number of policies of this severity level that are enabled. |
| on_state[].total | Integer | 8 | The total number of policies of this severity level. |
| on_state[].severity | String | high | The severity level. |
| admit_log | Object | | The admission audit log of policies in the cluster. |
| admit_log.progress | String | Complete | The status of the log query. Valid values: |
| admit_log.count | Long | 100 | The number of audit log entries. |
| admit_log.log | Object | | The audit log content. The sample responses return it as an array of entries, each carrying the fields below together with the Gatekeeper admission fields shown in the samples (constraint_action, constraint_name, request_username, event_msg, and so on). |
| admit_log.log.msg | String | d4hdhs***** | The message generated by the policy that produced the event. |
| admit_log.log.cluster_id | String | c8155823d057948c69a**** | The ID of the cluster. |
| admit_log.log.constraint_kind | String | ACKAllowedRepos | The type (constraint kind) of the policy. |
| admit_log.log.resource_name | String | nginx-deployment-basic2-84ccb74bfc-df22p | The name of the resource that the policy evaluated. |
| admit_log.log.resource_kind | String | Pod | The type of the resource. |
| admit_log.log.resource_namespace | String | default | The namespace to which the resource belongs. |
| totalViolations | Object | | Details about the blocking (deny) and alerting (warn) events triggered by policies, aggregated by severity level. |
| totalViolations.deny | Object | | Blocking events per severity level. |
| totalViolations.deny.severity | String | high | The severity level. |
| totalViolations.deny.violations | Long | 0 | The number of blocking events triggered by policies of this severity level. |
| totalViolations.warn | Object | | Alerting events per severity level. |
| totalViolations.warn.severity | String | low | The severity level. |
| totalViolations.warn.violations | Long | 5 | The number of alerting events triggered by policies of this severity level. |
| violations | Object | | Details about the blocking (deny) and alerting (warn) events triggered by policies, aggregated by policy. |
| violations.deny | Object | | Blocking events per policy. |
| violations.deny.policyName | String | policy-gatekeeper-ackallowedrepos | The name of the policy. |
| violations.deny.policyDescription | String | Requires container images to begin with a repo string from a specified list. | The description of the policy. |
| violations.deny.violations | Long | 11 | The total number of blocking events triggered by the policy. |
| violations.deny.severity | String | high | The severity level of the policy. |
| violations.warn | Object | | Alerting events per policy. |
| violations.warn.policyName | String | policy-gatekeeper-ackpspcapabilities | The name of the policy. |
| violations.warn.policyDescription | String | Controls Linux capabilities. | The description of the policy. |
| violations.warn.violations | Long | 81 | The total number of alerting events triggered by the policy. |
| violations.warn.severity | String | high | The severity level of the policy. |

Note that the sample responses below differ from the response syntax above in two ways: totalViolations and violations are wrapped in a Violation object, and admit_log.log, deny, and warn are returned as arrays rather than single objects. A client should accept both shapes.
Sample requests
Submit the following sample request to query information about policies in an ACK cluster:
GET /clusters/c8155823d057948c69a****/policygovernance HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribePolicyGovernanceInClusterResponse>
<on_state>
<enabled_count>0</enabled_count>
<total>14</total>
<severity>low</severity>
</on_state>
<on_state>
<enabled_count>2</enabled_count>
<total>13</total>
<severity>high</severity>
</on_state>
<on_state>
<enabled_count>1</enabled_count>
<total>8</total>
<severity>medium</severity>
</on_state>
<admit_log>
<progress>Complete</progress>
<count>75</count>
<log>
<__source__>192.168.0.188</__source__>
<__tag__:__hostname__>iZwz98e621h0kvki3ja****</__tag__:__hostname__>
<__tag__:__pack_id__>63DE8FD17599E86****</__tag__:__pack_id__>
<__tag__:__path__>/policy_admit_logs/gatekeeper_admit.log</__tag__:__path__>
<__tag__:__receive_time__>1631168040</__tag__:__receive_time__>
<__tag__:__user_defined_id__>k8s-group-cb36d98a701ef4742b50603866809****</__tag__:__user_defined_id__>
<__tag__:_container_ip_>10.102.0.89</__tag__:_container_ip_>
<__tag__:_container_name_>manager</__tag__:_container_name_>
<__tag__:_image_name_>registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun</__tag__:_image_name_>
<__tag__:_namespace_>kube-system</__tag__:_namespace_>
<__tag__:_node_ip_>192.168.0.188</__tag__:_node_ip_>
<__tag__:_node_name_>cn-shenzhen.192.168.XX.XX</__tag__:_node_name_>
<__tag__:_pod_name_>gatekeeper-7648f64cc8-27nd4</__tag__:_pod_name_>
<__tag__:_pod_uid_>11083b05-eecd-454c-8d22-81c83ce1****</__tag__:_pod_uid_>
<__time__>1631168037</__time__>
<__topic__/>
<cluster_id>cb36d98a701ef4742b50603866809****</cluster_id>
<constraint_action>deny</constraint_action>
<constraint_api_version>v1beta1</constraint_api_version>
<constraint_group>constraints.gatekeeper.sh</constraint_group>
<constraint_kind>ACKAllowedRepos</constraint_kind>
<constraint_name>allowed-repos-80970511-c93d-4c40-b692-be18c077****</constraint_name>
<event_msg>Admission webhook "validation.gatekeeper.sh" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</event_msg>
<event_reason>GatekeeperFailedAdmission</event_reason>
<event_type>violation</event_type>
<level>info</level>
<logger>ack_policy_admit_log_for_sls</logger>
<msg>container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</msg>
<process>admission</process>
<request_uid>9db8f008-c2e8-4723-a380-18ef358c2827</request_uid>
<request_username>system:serviceaccount:kube-system:replicaset-controller</request_username>
<resource_api_version>v1</resource_api_version>
<resource_group/>
<resource_kind>Pod</resource_kind>
<resource_name>nginx-deployment-basic2-84ccb74bfc-df22p</resource_name>
<resource_namespace>default</resource_namespace>
<time>2021-09-09T06:13:57Z</time>
<ts>1631168037.444757</ts>
</log>
<log>
<__source__>192.168.XX.XX</__source__>
</log>
</admit_log>
<Violation>
<totalViolations>
<deny>
<severity>high</severity>
<violations>75</violations>
</deny>
<deny>
<severity>medium</severity>
<violations>0</violations>
</deny>
<warn>
<severity>high</severity>
<violations>0</violations>
</warn>
<warn>
<severity>medium</severity>
<violations>0</violations>
</warn>
</totalViolations>
<violations>
<deny>
<policyName>policy-gatekeeper-ackallowedrepos</policyName>
<policyDescription>Requires container images to begin with a repo string from a specified list.</policyDescription>
<severity>high</severity>
<violations>11</violations>
</deny>
<deny>
<policyName>policy-gatekeeper-ackpspcapabilities</policyName>
<policyDescription>Controls Linux capabilities.</policyDescription>
<severity>high</severity>
<violations>81</violations>
</deny>
</violations>
</Violation>
</DescribePolicyGovernanceInClusterResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"on_state" : [ {
"enabled_count" : 0,
"total" : 14,
"severity" : "low"
}, {
"enabled_count" : 2,
"total" : 13,
"severity" : "high"
}, {
"enabled_count" : 1,
"total" : 8,
"severity" : "medium"
} ],
"admit_log" : {
"progress" : "Complete",
"count" : 75,
"log" : [ {
"__source__" : "192.168.0.188",
"__tag__:__hostname__" : "iZwz98e621h0kvki3ja****",
"__tag__:__pack_id__" : "63DE8FD17599E86****",
"__tag__:__path__" : "/policy_admit_logs/gatekeeper_admit.log",
"__tag__:__receive_time__" : "1631168040",
"__tag__:__user_defined_id__" : "k8s-group-cb36d98a701ef4742b50603866809****",
"__tag__:_container_ip_" : "10.102.0.89",
"__tag__:_container_name_" : "manager",
"__tag__:_image_name_" : "registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun",
"__tag__:_namespace_" : "kube-system",
"__tag__:_node_ip_" : "192.168.0.188",
"__tag__:_node_name_" : "cn-shenzhen.192.168.XX.XX",
"__tag__:_pod_name_" : "gatekeeper-7648f64cc8-27nd4",
"__tag__:_pod_uid_" : "11083b05-eecd-454c-8d22-81c83ce1****",
"__time__" : "1631168037",
"__topic__" : "",
"cluster_id" : "cb36d98a701ef4742b50603866809****",
"constraint_action" : "deny",
"constraint_api_version" : "v1beta1",
"constraint_group" : "constraints.gatekeeper.sh",
"constraint_kind" : "ACKAllowedRepos",
"constraint_name" : "allowed-repos-80970511-c93d-4c40-b692-be18c077****",
"event_msg" : "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
"event_reason" : "GatekeeperFailedAdmission",
"event_type" : "violation",
"level" : "info",
"logger" : "ack_policy_admit_log_for_sls",
"msg" : "container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
"process" : "admission",
"request_uid" : "9db8f008-c2e8-4723-a380-18ef358c2827",
"request_username" : "system:serviceaccount:kube-system:replicaset-controller",
"resource_api_version" : "v1",
"resource_group" : "",
"resource_kind" : "Pod",
"resource_name" : "nginx-deployment-basic2-84ccb74bfc-df22p",
"resource_namespace" : "default",
"time" : "2021-09-09T06:13:57Z",
"ts" : "1631168037.444757"
}, {
"__source__" : "192.168.XX.XX"
} ]
},
"Violation" : {
"totalViolations" : {
"deny" : [ {
"severity" : "high",
"violations" : 75
}, {
"severity" : "medium",
"violations" : 0
} ],
"warn" : [ {
"severity" : "high",
"violations" : 0
}, {
"severity" : "medium",
"violations" : 0
} ]
},
"violations" : {
"deny" : [ {
"policyName" : "policy-gatekeeper-ackallowedrepos",
"policyDescription" : "Requires container images to begin with a repo string from a specified list.",
"severity" : "high",
"violations" : 11
}, {
"policyName" : "policy-gatekeeper-ackpspcapabilities",
"policyDescription" : "Controls Linux capabilities.",
"severity" : "high",
"violations" : 81
} ]
}
}
}
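The following is an added example, not code from the ACK documentation or SDK, showing how a client might turn this response into something actionable: which severity levels have no policy enabled at all, which deny-mode policies are blocking the most requests, who is being denied according to the admission audit log, and whether the log query actually completed. It takes the response JSON as input (for instance saved from `aliyun cs GET /clusters/<cluster_id>/policygovernance`, an assumed invocation of the Alibaba Cloud CLI), so it runs offline; the embedded sample is constructed from the JSON sample response above, with identifiers kept masked and log fields trimmed to those used. It tolerates both response shapes seen on this page: the single-object form in the response syntax and the array form, wrapped in a Violation object, in the sample responses.

```python
import json
from collections import Counter

# Constructed sample: the JSON sample response on this page, trimmed.
SAMPLE_RESPONSE = json.loads(r'''
{
  "on_state": [
    {"enabled_count": 0, "total": 14, "severity": "low"},
    {"enabled_count": 2, "total": 13, "severity": "high"},
    {"enabled_count": 1, "total": 8, "severity": "medium"}
  ],
  "admit_log": {
    "progress": "Complete",
    "count": 75,
    "log": [
      {
        "cluster_id": "cb36d98a701ef4742b50603866809****",
        "constraint_action": "deny",
        "constraint_kind": "ACKAllowedRepos",
        "event_reason": "GatekeeperFailedAdmission",
        "msg": "container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
        "request_username": "system:serviceaccount:kube-system:replicaset-controller",
        "resource_kind": "Pod",
        "resource_name": "nginx-deployment-basic2-84ccb74bfc-df22p",
        "resource_namespace": "default",
        "time": "2021-09-09T06:13:57Z"
      },
      {"__source__": "192.168.XX.XX"}
    ]
  },
  "Violation": {
    "totalViolations": {
      "deny": [{"severity": "high", "violations": 75}, {"severity": "medium", "violations": 0}],
      "warn": [{"severity": "high", "violations": 0}, {"severity": "medium", "violations": 0}]
    },
    "violations": {
      "deny": [
        {"policyName": "policy-gatekeeper-ackallowedrepos",
         "policyDescription": "Requires container images to begin with a repo string from a specified list.",
         "severity": "high", "violations": 11},
        {"policyName": "policy-gatekeeper-ackpspcapabilities",
         "policyDescription": "Controls Linux capabilities.",
         "severity": "high", "violations": 81}
      ]
    }
  }
}
''')


def as_list(value):
    """Accept both shapes on this page: the response syntax documents
    deny/warn/log as single objects, the sample responses return arrays."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def violation_section(resp):
    """The sample responses wrap totalViolations/violations in a "Violation"
    object that the documented response syntax does not show; check both."""
    return resp.get("Violation", resp)


def coverage_gaps(resp):
    """Severity levels for which no policy at all is enabled."""
    return [s["severity"] for s in as_list(resp.get("on_state"))
            if s.get("enabled_count", 0) == 0]


def enforced_policies(resp):
    """{policyName: blocking events} for policies in deny mode, most active first."""
    deny = as_list(violation_section(resp).get("violations", {}).get("deny"))
    return dict(sorted(((p["policyName"], p["violations"]) for p in deny),
                       key=lambda kv: kv[1], reverse=True))


def denied_admissions(resp):
    """Count denied admission requests by (constraint kind, requesting identity).
    Entries without constraint_action, such as the truncated second entry in
    the sample, are skipped rather than miscounted as denies."""
    counts = Counter()
    for entry in as_list(resp.get("admit_log", {}).get("log")):
        if entry.get("constraint_action") != "deny":
            continue
        counts[(entry.get("constraint_kind"), entry.get("request_username"))] += 1
    return counts


def audit_log_complete(resp):
    """True only when the server reports the log query as finished; otherwise
    the counts derived from admit_log are partial and must not be trusted."""
    return resp.get("admit_log", {}).get("progress") == "Complete"


if __name__ == "__main__":
    print("severities with no enabled policy:", coverage_gaps(SAMPLE_RESPONSE))
    print("deny-mode policies by blocking events:", enforced_policies(SAMPLE_RESPONSE))
    print("denied admissions by (kind, requester):", dict(denied_admissions(SAMPLE_RESPONSE)))
    print("audit log complete:", audit_log_complete(SAMPLE_RESPONSE))
```

On the sample data this reports that no low-severity policy is enabled, that the two deny-mode policies have blocked 81 and 11 requests respectively, and that the one complete audit entry is a denial of the replicaset-controller service account by the ACKAllowedRepos constraint, which is the usual signature of a Deployment whose image does not come from an allowed repository. Checking admit_log.progress before acting on the counts matters because a query that has not completed returns fewer entries than the cluster actually produced.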
Error codes
For a list of error codes, see Service error codes.