Call DescribePolicyGovernanceInCluster to query the policy governance details of a cluster.
Debugging
You can run this operation directly in OpenAPI Explorer, which saves you the trouble of calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code examples.
Request syntax
GET /clusters/cluster_id/policygovernance HTTP/1.1
Content-Type:application/json
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
cluster_id | String | Yes | c8155823d057948c69a**** | ID of the target cluster |
Response syntax
HTTP/1.1 200 OK
Content-Type:application/json
{
"on_state" : [ {
"enabled_count" : Integer,
"total" : Integer,
"severity" : "String"
} ],
"admit_log" : {
"progress" : "String",
"count" : Long,
"log" : {
"msg" : "String",
"cluster_id" : "String",
"constraint_kind" : "String",
"resource_name" : "String",
"resource_kind" : "String",
"resource_namespace" : "String"
}
},
"totalViolations" : {
"deny" : {
"severity" : "String",
"violations" : Long
},
"warn" : {
"severity" : "String",
"violations" : Long
}
},
"violations" : {
"deny" : {
"policyName" : "String",
"policyDescription" : "String",
"violations" : Long,
"severity" : "String"
},
"warn" : {
"policyName" : "String",
"policyDescription" : "String",
"violations" : Long,
"severity" : "String"
}
}
}
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
on_state | Array of on_state | | Counts of the policies enabled in the cluster, grouped by governance level |
enabled_count | Integer | 3 | Number of policy kinds currently enabled at this level |
total | Integer | 8 | Total number of policy kinds at this level |
severity | String | high | Policy governance level |
admit_log | Object | | Current policy governance audit log of the cluster |
progress | String | Complete | State of the query result. Valid values: |
count | Long | 100 | Total number of log entries returned by the query |
log | Object | | Content of the policy governance audit log |
msg | String | d4hdhs***** | Policy governance audit log message |
cluster_id | String | c8155823d057948c69a**** | ID of the target cluster |
constraint_kind | String | ACKAllowedRepos | Name of the policy type |
resource_name | String | nginx-deployment-basic2-84ccb74bfc-df22p | Name of the target resource |
resource_kind | String | Pod | Kind of the target resource |
resource_namespace | String | default | Namespace of the target resource |
totalViolations | Object | | Counts of violations in the cluster at each governance level, for both the deny (blocked) and warn (alerted) handling modes |
deny | Object | | Counts of blocked violations, grouped by governance level |
severity | String | high | Policy governance level |
violations | Long | 0 | Number of blocked events |
warn | Object | | Counts of violations in warn mode, grouped by governance level |
severity | String | low | Policy governance level |
violations | Long | 5 | Number of alerted events |
violations | Object | | Audit counts of blocked and alerted violations in the cluster, grouped by policy type |
deny | Object | | Audit counts of blocked violations, grouped by policy type |
policyName | String | policy-gatekeeper-ackallowedrepos | Policy name |
policyDescription | String | Requires container images to begin with a repo string from a specified list. | Policy description |
violations | Long | 11 | Number of blocked violations of this policy type in the cluster |
severity | String | high | Policy governance level |
warn | Object | | Counts of violations in warn mode, grouped by governance level |
policyName | String | policy-gatekeeper-ackpspcapabilities | Policy name |
policyDescription | String | Controls Linux capabilities. | Policy description |
violations | Long | 81 | Number of alerted violations of this policy type in the cluster |
severity | String | high | Policy governance level |
Sample request
Query the policy governance details of a cluster:
GET /clusters/c8155823d057948c69a****/policygovernance HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribePolicyGovernanceInClusterResponse>
<on_state>
<enabled_count>0</enabled_count>
<total>14</total>
<severity>low</severity>
</on_state>
<on_state>
<enabled_count>2</enabled_count>
<total>13</total>
<severity>high</severity>
</on_state>
<on_state>
<enabled_count>1</enabled_count>
<total>8</total>
<severity>medium</severity>
</on_state>
<admit_log>
<progress>Complete</progress>
<count>75</count>
<log>
<__source__>192.168.0.188</__source__>
<__tag__:__hostname__>iZwz98e621h0kvki3ja****</__tag__:__hostname__>
<__tag__:__pack_id__>63DE8FD17599E86****</__tag__:__pack_id__>
<__tag__:__path__>/policy_admit_logs/gatekeeper_admit.log</__tag__:__path__>
<__tag__:__receive_time__>1631168040</__tag__:__receive_time__>
<__tag__:__user_defined_id__>k8s-group-cb36d98a701ef4742b50603866809****</__tag__:__user_defined_id__>
<__tag__:_container_ip_>10.102.0.89</__tag__:_container_ip_>
<__tag__:_container_name_>manager</__tag__:_container_name_>
<__tag__:_image_name_>registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun</__tag__:_image_name_>
<__tag__:_namespace_>kube-system</__tag__:_namespace_>
<__tag__:_node_ip_>192.168.0.188</__tag__:_node_ip_>
<__tag__:_node_name_>cn-shenzhen.192.168.XX.XX</__tag__:_node_name_>
<__tag__:_pod_name_>gatekeeper-7648f64cc8-27nd4</__tag__:_pod_name_>
<__tag__:_pod_uid_>11083b05-eecd-454c-8d22-81c83ce1****</__tag__:_pod_uid_>
<__time__>1631168037</__time__>
<__topic__/>
<cluster_id>cb36d98a701ef4742b50603866809****</cluster_id>
<constraint_action>deny</constraint_action>
<constraint_api_version>v1beta1</constraint_api_version>
<constraint_group>constraints.gatekeeper.sh</constraint_group>
<constraint_kind>ACKAllowedRepos</constraint_kind>
<constraint_name>allowed-repos-80970511-c93d-4c40-b692-be18c077****</constraint_name>
<event_msg>Admission webhook "validation.gatekeeper.sh" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</event_msg>
<event_reason>GatekeeperFailedAdmission</event_reason>
<event_type>violation</event_type>
<level>info</level>
<logger>ack_policy_admit_log_for_sls</logger>
<msg>container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</msg>
<process>admission</process>
<request_uid>9db8f008-c2e8-4723-a380-18ef358c2827</request_uid>
<request_username>system:serviceaccount:kube-system:replicaset-controller</request_username>
<resource_api_version>v1</resource_api_version>
<resource_group/>
<resource_kind>Pod</resource_kind>
<resource_name>nginx-deployment-basic2-84ccb74bfc-df22p</resource_name>
<resource_namespace>default</resource_namespace>
<time>2021-09-09T06:13:57Z</time>
<ts>1631168037.444757</ts>
</log>
<log>
<__source__>192.168.XX.XX</__source__>
</log>
</admit_log>
<Violation>
<totalViolations>
<deny>
<severity>high</severity>
<violations>75</violations>
</deny>
<deny>
<severity>medium</severity>
<violations>0</violations>
</deny>
<warn>
<severity>high</severity>
<violations>0</violations>
</warn>
<warn>
<severity>medium</severity>
<violations>0</violations>
</warn>
</totalViolations>
<violations>
<deny>
<policyName>policy-gatekeeper-ackallowedrepos</policyName>
<policyDescription>Requires container images to begin with a repo string from a specified list.</policyDescription>
<severity>high</severity>
<violations>11</violations>
</deny>
<deny>
<policyName>policy-gatekeeper-ackpspcapabilities</policyName>
<policyDescription>Controls Linux capabilities.</policyDescription>
<severity>high</severity>
<violations>81</violations>
</deny>
</violations>
</Violation>
</DescribePolicyGovernanceInClusterResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"on_state" : [ {
"enabled_count" : 0,
"total" : 14,
"severity" : "low"
}, {
"enabled_count" : 2,
"total" : 13,
"severity" : "high"
}, {
"enabled_count" : 1,
"total" : 8,
"severity" : "medium"
} ],
"admit_log" : {
"progress" : "Complete",
"count" : 75,
"log" : [ {
"__source__" : "192.168.0.188",
"__tag__:__hostname__" : "iZwz98e621h0kvki3ja****",
"__tag__:__pack_id__" : "63DE8FD17599E86****",
"__tag__:__path__" : "/policy_admit_logs/gatekeeper_admit.log",
"__tag__:__receive_time__" : "1631168040",
"__tag__:__user_defined_id__" : "k8s-group-cb36d98a701ef4742b50603866809****",
"__tag__:_container_ip_" : "10.102.0.89",
"__tag__:_container_name_" : "manager",
"__tag__:_image_name_" : "registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun",
"__tag__:_namespace_" : "kube-system",
"__tag__:_node_ip_" : "192.168.0.188",
"__tag__:_node_name_" : "cn-shenzhen.192.168.XX.XX",
"__tag__:_pod_name_" : "gatekeeper-7648f64cc8-27nd4",
"__tag__:_pod_uid_" : "11083b05-eecd-454c-8d22-81c83ce1****",
"__time__" : "1631168037",
"__topic__" : "",
"cluster_id" : "cb36d98a701ef4742b50603866809****",
"constraint_action" : "deny",
"constraint_api_version" : "v1beta1",
"constraint_group" : "constraints.gatekeeper.sh",
"constraint_kind" : "ACKAllowedRepos",
"constraint_name" : "allowed-repos-80970511-c93d-4c40-b692-be18c077****",
"event_msg" : "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
"event_reason" : "GatekeeperFailedAdmission",
"event_type" : "violation",
"level" : "info",
"logger" : "ack_policy_admit_log_for_sls",
"msg" : "container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
"process" : "admission",
"request_uid" : "9db8f008-c2e8-4723-a380-18ef358c2827",
"request_username" : "system:serviceaccount:kube-system:replicaset-controller",
"resource_api_version" : "v1",
"resource_group" : "",
"resource_kind" : "Pod",
"resource_name" : "nginx-deployment-basic2-84ccb74bfc-df22p",
"resource_namespace" : "default",
"time" : "2021-09-09T06:13:57Z",
"ts" : "1631168037.444757"
}, {
"__source__" : "192.168.XX.XX"
} ]
},
"Violation" : {
"totalViolations" : {
"deny" : [ {
"severity" : "high",
"violations" : 75
}, {
"severity" : "medium",
"violations" : 0
} ],
"warn" : [ {
"severity" : "high",
"violations" : 0
}, {
"severity" : "medium",
"violations" : 0
} ]
},
"violations" : {
"deny" : [ {
"policyName" : "policy-gatekeeper-ackallowedrepos",
"policyDescription" : "Requires container images to begin with a repo string from a specified list.",
"severity" : "high",
"violations" : 11
}, {
"policyName" : "policy-gatekeeper-ackpspcapabilities",
"policyDescription" : "Controls Linux capabilities.",
"severity" : "high",
"violations" : 81
} ]
}
}
}
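As an added example that is not part of this API reference or the ACK SDK, the Python snippet below parses a trimmed copy of the sample JSON response above and reduces it to what an operator checks first: how many policy kinds are enabled per governance level, how many requests each deny-mode policy has blocked, and which admission-log entries were actually denied. Note that the sample response nests totalViolations and violations under a "Violation" key and returns arrays where the response syntax section shows single objects; the parser accepts both layouts, and the sample data is constructed from the page with IDs masked as the page masks them.

```python
import json

# Constructed sample, trimmed from the JSON response shown on this page
# (cluster and constraint IDs are masked exactly as the page masks them).
SAMPLE_RESPONSE = json.dumps({
    "on_state": [{"enabled_count": 0, "total": 14, "severity": "low"},
                 {"enabled_count": 2, "total": 13, "severity": "high"},
                 {"enabled_count": 1, "total": 8, "severity": "medium"}],
    "admit_log": {"progress": "Complete", "count": 75, "log": [{
        "cluster_id": "cb36d98a701ef4742b50603866809****",
        "constraint_action": "deny", "constraint_kind": "ACKAllowedRepos",
        "resource_kind": "Pod", "resource_namespace": "default",
        "resource_name": "nginx-deployment-basic2-84ccb74bfc-df22p",
        "msg": "container <nginx> has an invalid image repo <nginx:1.7.9>"}]},
    "Violation": {
        "totalViolations": {"deny": [{"severity": "high", "violations": 75},
                                     {"severity": "medium", "violations": 0}],
                            "warn": [{"severity": "high", "violations": 0}]},
        "violations": {"deny": [
            {"policyName": "policy-gatekeeper-ackallowedrepos",
             "severity": "high", "violations": 11},
            {"policyName": "policy-gatekeeper-ackpspcapabilities",
             "severity": "high", "violations": 81}]}},
})


def as_list(value):
    """Normalise a field that may be a single object or an array to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize(raw):
    """Return per-severity coverage, deny counts per policy, and denied events."""
    body = json.loads(raw)
    # The sample nests the violation blocks under "Violation"; the syntax
    # section shows them at top level. Accept either layout.
    vio = body.get("Violation", body)
    coverage = {s["severity"]: (s["enabled_count"], s["total"])
                for s in as_list(body.get("on_state"))}
    deny_by_policy = {p["policyName"]: p["violations"]
                      for p in as_list(vio.get("violations", {}).get("deny"))}
    denied = [(e["resource_namespace"], e["resource_kind"], e["resource_name"],
               e["constraint_kind"])
              for e in as_list(body.get("admit_log", {}).get("log"))
              if e.get("constraint_action") == "deny"]
    return {"coverage": coverage, "deny_by_policy": deny_by_policy,
            "denied_events": denied}
```

A coverage entry such as high: (2, 13) means only 2 of the 13 high-severity policy kinds are enabled, which is the gap an operator would review next.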
Error codes
For a list of error codes, visit the API Error Center.