Call DescribePolicyInstancesStatus to query the deployment status of policy instances for each policy type in the cluster, including the number of enabled instances for each policy rule and the number of enabled policy types at each governance level.
Debugging
You can run this operation directly in OpenAPI Explorer, which saves you the trouble of calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code examples.
Request syntax
GET /clusters/{cluster_id}/policies/status HTTP/1.1
Content-Type:application/json
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
cluster_id | String | Yes | c8155823d057948c69a**** | ID of the target cluster |
Response syntax
HTTP/1.1 200 OK
Content-Type:application/json
{
"policy_instances" : [ {
"policy_category" : "String",
"policy_name" : "String",
"policy_description" : "String",
"policy_severity" : "String",
"policy_instances_count" : Long
} ]
}
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
policy_instances | Array of policy_instances | | List of policy instance counts for each policy type |
policy_category | String | cis-k8s | Policy type. For the supported policy types and their descriptions, see the container security policy rule library documentation |
policy_name | String | ACKRestrictRoleBindings | Policy name |
policy_description | String | Restricts use of the cluster-admin role. | Policy description |
policy_severity | String | medium | Policy governance level |
policy_instances_count | Long | 1 | Number of deployed policy instances. If this field is empty, no instance of this policy type is deployed. |
instances_severity_count | Map | | Number of policy instances currently deployed in the cluster at each governance level |
Request example
Use the following example to query the deployment status of policy instances for each policy type in the cluster:
GET /clusters/{cluster_id}/policies/status HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribePolicyInstancesStatusResponse>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKBlockNodePort</policy_name>
<policy_description>Disallows all Services with type NodePort.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKExternalIPs</policy_name>
<policy_description>Restricts Services from containing externalIPs except those in a provided allowlist.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPHostNamespace</policy_name>
<policy_description>Controls usage of host namespaces.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPReadOnlyRootFilesystem</policy_name>
<policy_description>Requires the use of a read only root file system.</policy_description>
<policy_severity>medium</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPVolumeTypes</policy_name>
<policy_description>Controls usage of volume types.</policy_description>
<policy_severity>medium</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>infra</policy_category>
<policy_name>ACKOSSStorageLocationConstraint</policy_name>
<policy_description>Restricts location of oss storage in cluster.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKBlockAutoinjectServiceEnv</policy_name>
<policy_description>Disable autoinjecting information about services into pod's environment variables.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKImageDigests</policy_name>
<policy_description>Requires container images to contain a digest.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPAllowedUsers</policy_name>
<policy_description>Controls the user and group IDs of the container.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPHostFilesystem</policy_name>
<policy_description>Controls usage of the host filesystem.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>infra</policy_category>
<policy_name>ACKBlockProcessNamespaceSharing</policy_name>
<policy_description>Restricts shareProcessNamespace used in pod.</policy_description>
<policy_severity>high</policy_severity>
<policy_instances_count>2</policy_instances_count>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPCapabilities</policy_name>
<policy_description>Controls Linux capabilities.</policy_description>
<policy_severity>high</policy_severity>
<policy_instances_count>5</policy_instances_count>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPForbiddenSysctls</policy_name>
<policy_description>Controls the `sysctl` profile used by containers.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPSeccomp</policy_name>
<policy_description>Controls the seccomp profile used by containers.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKBlockLoadBalancer</policy_name>
<policy_description>Disallows all Services with type LoadBalancer.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPAppArmor</policy_name>
<policy_description>Controls the AppArmor profile used by containers.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPPrivilegedContainer</policy_name>
<policy_description>Controls running of privileged containers.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPProcMount</policy_name>
<policy_description>Controls the allowed `procMount` types for the container.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPSELinuxV2</policy_name>
<policy_description>Controls the SELinux context of the container.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>infra</policy_category>
<policy_name>ACKEmptyDirHasSizeLimit</policy_name>
<policy_description>Requires that emptydir volume must have a `sizelimit` defined.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPAllowPrivilegeEscalationContainer</policy_name>
<policy_description>Controls restricting escalation to root privileges.</policy_description>
<policy_severity>medium</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPFSGroup</policy_name>
<policy_description>Controls allocating an FSGroup that owns the Pod's volumes.</policy_description>
<policy_severity>medium</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>cis-k8s</policy_category>
<policy_name>ACKPodsRequireSecurityContext</policy_name>
<policy_description>Requires that Pods must have a `securityContext` defined.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>cis-k8s</policy_category>
<policy_name>ACKRestrictNamespaces</policy_name>
<policy_description>Restricts resources from using the `default` namespace.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKContainerLimits</policy_name>
<policy_description>Requires containers to have memory and CPU limits set and within a specified maximum amount.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPHostNetworkingPorts</policy_name>
<policy_description>Controls usage of host networking and ports.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKBlockAutomountToken</policy_name>
<policy_description>Disable automounting API credentials.</policy_description>
<policy_severity>high</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKRequiredLabels</policy_name>
<policy_description>Requires all resources to contain a specified label with a value matching a provided regular expression.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>psp</policy_category>
<policy_name>ACKPSPFlexVolumes</policy_name>
<policy_description>Controls the allowlist of Flexvolume drivers.</policy_description>
<policy_severity>medium</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKAllowedRepos</policy_name>
<policy_description>Requires container images to begin with a repo string from a specified list.</policy_description>
<policy_severity>high</policy_severity>
<policy_instances_count>4</policy_instances_count>
</policy_instances>
<policy_instances>
<policy_category>cis-k8s</policy_category>
<policy_name>ACKNoEnvVarSecrets</policy_name>
<policy_description>Restricts secrets used in pod envs.</policy_description>
<policy_severity>medium</policy_severity>
<policy_instances_count>1</policy_instances_count>
</policy_instances>
<policy_instances>
<policy_category>cis-k8s</policy_category>
<policy_name>ACKRestrictRoleBindings</policy_name>
<policy_description>Restricts use of the cluster-admin role.</policy_description>
<policy_severity>medium</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>infra</policy_category>
<policy_name>ACKLocalStorageRequireSafeToEvict</policy_name>
<policy_description>Restricts safe to evict annotation existing in pod with local storage.</policy_description>
<policy_severity>low</policy_severity>
</policy_instances>
<policy_instances>
<policy_category>k8s-general</policy_category>
<policy_name>ACKRequiredProbes</policy_name>
<policy_description>Requires Pods to have readiness and/or liveness probes.</policy_description>
<policy_severity>medium</policy_severity>
</policy_instances>
<instances_severity_count>
<high>11</high>
<medium>1</medium>
</instances_severity_count>
</DescribePolicyInstancesStatusResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"policy_instances" : [ {
"policy_category" : "k8s-general",
"policy_name" : "ACKBlockNodePort",
"policy_description" : "Disallows all Services with type NodePort.",
"policy_severity" : "high"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKExternalIPs",
"policy_description" : "Restricts Services from containing externalIPs except those in a provided allowlist.",
"policy_severity" : "high"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPHostNamespace",
"policy_description" : "Controls usage of host namespaces.",
"policy_severity" : "high"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPReadOnlyRootFilesystem",
"policy_description" : "Requires the use of a read only root file system.",
"policy_severity" : "medium"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPVolumeTypes",
"policy_description" : "Controls usage of volume types.",
"policy_severity" : "medium"
}, {
"policy_category" : "infra",
"policy_name" : "ACKOSSStorageLocationConstraint",
"policy_description" : "Restricts location of oss storage in cluster.",
"policy_severity" : "low"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKBlockAutoinjectServiceEnv",
"policy_description" : "Disable autoinjecting information about services into pod's environment variables.",
"policy_severity" : "low"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKImageDigests",
"policy_description" : "Requires container images to contain a digest.",
"policy_severity" : "low"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPAllowedUsers",
"policy_description" : "Controls the user and group IDs of the container.",
"policy_severity" : "low"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPHostFilesystem",
"policy_description" : "Controls usage of the host filesystem.",
"policy_severity" : "high"
}, {
"policy_category" : "infra",
"policy_name" : "ACKBlockProcessNamespaceSharing",
"policy_description" : "Restricts shareProcessNamespace used in pod.",
"policy_severity" : "high",
"policy_instances_count" : 2
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPCapabilities",
"policy_description" : "Controls Linux capabilities.",
"policy_severity" : "high",
"policy_instances_count" : 5
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPForbiddenSysctls",
"policy_description" : "Controls the `sysctl` profile used by containers.",
"policy_severity" : "high"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPSeccomp",
"policy_description" : "Controls the seccomp profile used by containers.",
"policy_severity" : "low"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKBlockLoadBalancer",
"policy_description" : "Disallows all Services with type LoadBalancer.",
"policy_severity" : "high"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPAppArmor",
"policy_description" : "Controls the AppArmor profile used by containers.",
"policy_severity" : "low"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPPrivilegedContainer",
"policy_description" : "Controls running of privileged containers.",
"policy_severity" : "high"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPProcMount",
"policy_description" : "Controls the allowed `procMount` types for the container.",
"policy_severity" : "low"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPSELinuxV2",
"policy_description" : "Controls the SELinux context of the container.",
"policy_severity" : "low"
}, {
"policy_category" : "infra",
"policy_name" : "ACKEmptyDirHasSizeLimit",
"policy_description" : "Requires that emptydir volume must have a `sizelimit` defined.",
"policy_severity" : "low"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPAllowPrivilegeEscalationContainer",
"policy_description" : "Controls restricting escalation to root privileges.",
"policy_severity" : "medium"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPFSGroup",
"policy_description" : "Controls allocating an FSGroup that owns the Pod's volumes.",
"policy_severity" : "medium"
}, {
"policy_category" : "cis-k8s",
"policy_name" : "ACKPodsRequireSecurityContext",
"policy_description" : "Requires that Pods must have a `securityContext` defined.",
"policy_severity" : "low"
}, {
"policy_category" : "cis-k8s",
"policy_name" : "ACKRestrictNamespaces",
"policy_description" : "Restricts resources from using the `default` namespace.",
"policy_severity" : "low"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKContainerLimits",
"policy_description" : "Requires containers to have memory and CPU limits set and within a specified maximum amount.",
"policy_severity" : "low"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPHostNetworkingPorts",
"policy_description" : "Controls usage of host networking and ports.",
"policy_severity" : "high"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKBlockAutomountToken",
"policy_description" : "Disable automounting API credentials.",
"policy_severity" : "high"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKRequiredLabels",
"policy_description" : "Requires all resources to contain a specified label with a value matching a provided regular expression.",
"policy_severity" : "low"
}, {
"policy_category" : "psp",
"policy_name" : "ACKPSPFlexVolumes",
"policy_description" : "Controls the allowlist of Flexvolume drivers.",
"policy_severity" : "medium"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKAllowedRepos",
"policy_description" : "Requires container images to begin with a repo string from a specified list.",
"policy_severity" : "high",
"policy_instances_count" : 4
}, {
"policy_category" : "cis-k8s",
"policy_name" : "ACKNoEnvVarSecrets",
"policy_description" : "Restricts secrets used in pod envs.",
"policy_severity" : "medium",
"policy_instances_count" : 1
}, {
"policy_category" : "cis-k8s",
"policy_name" : "ACKRestrictRoleBindings",
"policy_description" : "Restricts use of the cluster-admin role.",
"policy_severity" : "medium"
}, {
"policy_category" : "infra",
"policy_name" : "ACKLocalStorageRequireSafeToEvict",
"policy_description" : "Restricts safe to evict annotation existing in pod with local storage.",
"policy_severity" : "low"
}, {
"policy_category" : "k8s-general",
"policy_name" : "ACKRequiredProbes",
"policy_description" : "Requires Pods to have readiness and/or liveness probes.",
"policy_severity" : "medium"
} ],
"instances_severity_count" : {
"high" : 11,
"medium" : 1
}
}
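The JSON body above is what an operator would post-process to confirm the per-level totals and to find rules that are defined but not yet enforced in the cluster. The following Python is an added example, not code from this page or from the ACK SDK; it assumes the response has already been fetched and decoded, and it embeds a constructed subset of the sample response above.

```python
# Added example (not from the page or the ACK SDK): post-process a
# DescribePolicyInstancesStatus JSON body. Recomputes per-severity instance
# totals from policy_instances_count, checks them against
# instances_severity_count, and lists rules of a given governance level that
# have no deployed instance (the count field is absent for undeployed rules).
import json
from collections import Counter

# Constructed subset of the page's sample response; descriptions omitted.
SAMPLE_RESPONSE = json.loads("""{
  "policy_instances": [
    {"policy_category": "psp", "policy_name": "ACKPSPPrivilegedContainer",
     "policy_severity": "high"},
    {"policy_category": "infra", "policy_name": "ACKBlockProcessNamespaceSharing",
     "policy_severity": "high", "policy_instances_count": 2},
    {"policy_category": "psp", "policy_name": "ACKPSPCapabilities",
     "policy_severity": "high", "policy_instances_count": 5},
    {"policy_category": "k8s-general", "policy_name": "ACKAllowedRepos",
     "policy_severity": "high", "policy_instances_count": 4},
    {"policy_category": "cis-k8s", "policy_name": "ACKNoEnvVarSecrets",
     "policy_severity": "medium", "policy_instances_count": 1},
    {"policy_category": "k8s-general", "policy_name": "ACKBlockAutomountToken",
     "policy_severity": "high"}
  ],
  "instances_severity_count": {"high": 11, "medium": 1}
}""")

def severity_totals(response):
    """Sum policy_instances_count per governance level; a missing field counts as 0."""
    totals = Counter()
    for inst in response.get("policy_instances", []):
        totals[inst["policy_severity"]] += inst.get("policy_instances_count") or 0
    return dict(totals)

def totals_consistent(response):
    """True when the recomputed totals match the server's instances_severity_count."""
    reported = response.get("instances_severity_count", {})
    return severity_totals(response) == {k: v for k, v in reported.items() if v}

def undeployed_policies(response, severity):
    """Rule names at this governance level that have no deployed instance."""
    return sorted(
        inst["policy_name"]
        for inst in response.get("policy_instances", [])
        if inst["policy_severity"] == severity
        and not inst.get("policy_instances_count")
    )
```

On the full sample response the recomputed totals (2 + 5 + 4 high, 1 medium) agree with the reported instances_severity_count, and the high-severity list shows which rules from the library are still unenforced.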
Error codes
Visit the Error Center to view more error codes.