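Call DescribePolicyDetails to query the details of a policy rule template.
Debugging
You can run this API directly in OpenAPI Explorer, which saves you from calculating the request signature. After the call succeeds, OpenAPI Explorer can automatically generate SDK sample code.
Request syntax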
GET /policies/policy_name HTTP/1.1
Content-Type:application/json
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
policy_name | String | Yes | ACKAllowedRepos | Name of the policy governance rule |
Response body syntax
HTTP/1.1 200 OK
Content-Type:application/json
{
  "name" : "String",
  "category" : "String",
  "description" : "String",
  "action" : "String",
  "severity" : "String",
  "template" : "String",
  "no_config" : Integer,
  "is_deleted" : Integer
}
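Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
name | String | ACKAllowedRepos | Name of the policy governance rule |
category | String | k8s-general | Type of the rule template |
description | String | Requires container images to begin with a repo string from a specified list | Description of the rule template |
action | String | enforce | Governance action of the rule. Valid values: |
severity | String | high | Governance severity level of the rule. Valid values: |
template | String | See the request example for details | Details of the rule template |
no_config | Integer | 0 | Whether the policy requires configuration. Valid values: |
is_deleted | Integer | 0 | Deletion flag. Valid values: |
Request example
Use the following request to query the details of a policy rule template: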
GET /policies/ACKAllowedRepos HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json
Additional notes on the request example
Example of the template details carried in the policy template's Template field:
apiVersion: policy.alibabacloud.com/v1alpha1
kind: Policy
metadata:
  name: policy-gatekeeper-ackallowedrepos
  annotations:
    ack.policy/categories: k8s general
    ack.policy/controls: baseline control
spec:
  remediationAction: enforce # will be overridden by remediationAction in parent policy
  severity: high
  description: "Requires container images to begin with a repo string from a specified list."
  policyTemplates:
    - # complianceType: musthave
      objectDefinition:
        apiVersion: templates.gatekeeper.sh/v1
        kind: ConstraintTemplate
        metadata:
          name: ackallowedrepos
          annotations:
            description: Requires container images to begin with a repo string from a specified list.
        spec:
          crd:
            spec:
              names:
                kind: ACKAllowedRepos
              validation:
                # Schema for the `parameters` field
                legacySchema: true
                openAPIV3Schema:
                  type: object
                  required:
                    - repos
                  properties:
                    repos:
                      type: array
                      items:
                        type: string
          targets:
            - target: admission.k8s.gatekeeper.sh
              rego: |
                package ackallowedrepos
                violation[{"msg": msg}] {
                  container := input.review.object.spec.containers[_]
                  satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
                  not any(satisfied)
                  msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
                }
                violation[{"msg": msg}] {
                  container := input.review.object.spec.initContainers[_]
                  satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
                  not any(satisfied)
                  msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
                }
    - # complianceType: musthave
      objectDefinition:
        apiVersion: constraints.gatekeeper.sh/v1beta1
        kind: ACKAllowedRepos
        metadata:
          name: allowed-repos
        spec:
          enforcementAction: deny
          match:
            kinds:
              - apiGroups: [""]
                kinds: ["Pod"]
            namespaces:
              - "test-gatekeeper"
          parameters:
            repos:
              - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
              - "registry.cn-hangzhou.aliyuncs.com/acs/"
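The Rego rule in the template above accepts an image when it starts with any string in `repos`. The following Python sketch is an added example (not Alibaba Cloud or Gatekeeper code) that reproduces that check and lints the list for prefixes without a trailing `/`; the function names and the sample pod spec are constructed for illustration.

```python
# Added example: mirrors the template's Rego rule in Python for offline testing.

def violations(pod_spec, repos):
    """Return one message per container whose image matches no allowed prefix.

    Like the Rego rule, only containers and initContainers are inspected,
    and matching is a plain string-prefix test (startswith).
    """
    msgs = []
    for field in ("containers", "initContainers"):
        for c in pod_spec.get(field, []):
            if not any(c["image"].startswith(r) for r in repos):
                msgs.append(
                    "container <%s> has an invalid image repo <%s>, "
                    "allowed repos are %s" % (c["name"], c["image"], repos)
                )
    return msgs


def lint_repos(repos):
    """Flag prefixes without a trailing '/': "host/acs" also matches "host/acs-other/..."."""
    return [r for r in repos if not r.endswith("/")]


# Constructed sample input; the two prefixes are the ones in the constraint above.
REPOS = [
    "registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
    "registry.cn-hangzhou.aliyuncs.com/acs/",
]
POD_SPEC = {
    "containers": [
        {"name": "app", "image": "registry.cn-hangzhou.aliyuncs.com/acs/app:v1"},
        {"name": "sidecar", "image": "docker.io/library/busybox:1.36"},
    ],
    "initContainers": [
        {"name": "init", "image": "registry.cn-hangzhou.aliyuncs.com/acs-other/init:v1"},
    ],
}

if __name__ == "__main__":
    for m in violations(POD_SPEC, REPOS):
        print(m)
    # Without the trailing slash the lint fires and "acs-other" is no longer reported.
    loose = [r.rstrip("/") for r in REPOS]
    print("prefixes missing a trailing '/':", lint_repos(loose))
    print("violations with loose prefixes:", len(violations(POD_SPEC, loose)))
```

Running the lint over the `repos` parameter before creating the constraint catches a prefix that would match more repositories than intended.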
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribePolicyDetailsResponse>
  <name>ACKAllowedRepos</name>
  <category>k8s-general</category>
  <description>Requires container images to begin with a repo string from a specified list</description>
  <action>enforce</action>
  <severity>high</severity>
  <template>详情请参见请求示例</template>
  <no_config>0</no_config>
  <is_deleted>0</is_deleted>
</DescribePolicyDetailsResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
  "name" : "ACKAllowedRepos",
  "category" : "k8s-general",
  "description" : "Requires container images to begin with a repo string from a specified list",
  "action" : "enforce",
  "severity" : "high",
  "template" : "详情请参见请求示例",
  "no_config" : 0,
  "is_deleted" : 0
}
Error codes
Visit the Error Center to view more error codes.