Call DescribePolicyInstancesStatus to query the current deployment status of policy instances in a cluster for each policy type. The response includes the number of enabled instances of each policy rule and the number of enabled policy types at each governance level (severity).

Debugging

You can run this operation directly in OpenAPI Explorer, which saves you the trouble of calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code examples.

Request syntax

GET /clusters/{cluster_id}/policies/status HTTP/1.1
Content-Type:application/json

Request parameters

Table 1. Request path parameters
Parameter   Type    Required  Example                  Description
cluster_id  String  Yes       c8155823d057948c69a****  ID of the target cluster

Response syntax

HTTP/1.1 200 OK
Content-Type:application/json

{
  "policy_instances" : [ {
    "policy_category" : "String",
    "policy_name" : "String",
    "policy_description" : "String",
    "policy_severity" : "String",
    "policy_instances_count" : Long
  } ],
  "instances_severity_count" : Map
}

Response parameters

Table 2. Response body parameters
Parameter                   Type                       Example                                   Description
policy_instances            Array of policy_instances                                            List of policy instance counts per policy type
  policy_category           String                     cis-k8s                                   Policy type. For the supported policy types and their descriptions, see the description of the container security policy rule library.
  policy_name               String                     ACKRestrictRoleBindings                   Policy name
  policy_description        String                     Restricts use of the cluster-admin role.  Policy description
  policy_severity           String                     medium                                    Governance level (severity) of the policy
  policy_instances_count    Long                       1                                         Number of deployed instances of the policy. If this field is empty, no instance of this policy type has been deployed.
instances_severity_count    Map                                                                  Number of deployed policy instances at each governance level in the cluster
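As an added example (not part of the original page and not code from the ACK API or its SDKs), the following Python script parses a response body of the shape documented above and derives what a cluster owner usually wants from it: which policies have deployed instances, which high-severity policies have none, and whether instances_severity_count agrees with the sum of the per-policy counts. The sample response is constructed from a subset of the JSON example on this page; the function names are the example's own assumptions.

```python
import json
from collections import Counter

# Constructed sample response: a subset of the JSON example on this page.
# A policy without "policy_instances_count" has no deployed instance.
SAMPLE_RESPONSE = """
{
  "policy_instances": [
    {"policy_category": "k8s-general", "policy_name": "ACKBlockNodePort",
     "policy_description": "Disallows all Services with type NodePort.",
     "policy_severity": "high"},
    {"policy_category": "psp", "policy_name": "ACKPSPPrivilegedContainer",
     "policy_description": "Controls running of privileged containers.",
     "policy_severity": "high"},
    {"policy_category": "infra", "policy_name": "ACKBlockProcessNamespaceSharing",
     "policy_description": "Restricts shareProcessNamespace used in pod.",
     "policy_severity": "high", "policy_instances_count": 2},
    {"policy_category": "psp", "policy_name": "ACKPSPCapabilities",
     "policy_description": "Controls Linux capabilities.",
     "policy_severity": "high", "policy_instances_count": 5},
    {"policy_category": "k8s-general", "policy_name": "ACKAllowedRepos",
     "policy_description": "Requires container images to begin with a repo string from a specified list.",
     "policy_severity": "high", "policy_instances_count": 4},
    {"policy_category": "cis-k8s", "policy_name": "ACKNoEnvVarSecrets",
     "policy_description": "Restricts secrets used in pod envs.",
     "policy_severity": "medium", "policy_instances_count": 1},
    {"policy_category": "cis-k8s", "policy_name": "ACKRestrictRoleBindings",
     "policy_description": "Restricts use of the cluster-admin role.",
     "policy_severity": "medium"}
  ],
  "instances_severity_count": {"high": 11, "medium": 1}
}
"""


def parse_status(body: str) -> dict:
    """Parse a DescribePolicyInstancesStatus JSON response body (hypothetical helper)."""
    data = json.loads(body)
    if not isinstance(data.get("policy_instances"), list):
        raise ValueError("response has no policy_instances array")
    return data


def deployed_policies(data: dict) -> dict:
    """Map policy_name -> instance count for policies with at least one instance.
    An absent, null or zero policy_instances_count means the policy is not deployed."""
    result = {}
    for policy in data["policy_instances"]:
        count = policy.get("policy_instances_count")
        if count:
            result[policy["policy_name"]] = int(count)
    return result


def undeployed_by_severity(data: dict, severity: str = "high") -> list:
    """Names of policies at the given severity that have no deployed instance:
    the coverage gap a cluster owner would review first."""
    return sorted(
        policy["policy_name"]
        for policy in data["policy_instances"]
        if policy.get("policy_severity") == severity
        and not policy.get("policy_instances_count")
    )


def severity_totals(data: dict) -> dict:
    """Recompute deployed-instance counts per severity from the per-policy counts."""
    totals = Counter()
    for policy in data["policy_instances"]:
        count = policy.get("policy_instances_count")
        if count:
            totals[policy["policy_severity"]] += int(count)
    return dict(totals)


def severity_counts_consistent(data: dict) -> bool:
    """True when the reported instances_severity_count equals the per-severity sum
    of policy_instances_count (severities with zero instances are omitted by the API)."""
    reported = {
        severity: int(value)
        for severity, value in data.get("instances_severity_count", {}).items()
        if value
    }
    return reported == severity_totals(data)


if __name__ == "__main__":
    status = parse_status(SAMPLE_RESPONSE)
    print("deployed:", deployed_policies(status))
    print("high-severity policies without instances:", undeployed_by_severity(status))
    print("severity totals:", severity_totals(status),
          "consistent:", severity_counts_consistent(status))
```

The consistency check is worth keeping in any automation built on this operation: the per-policy counts and instances_severity_count are two views of the same data, and a mismatch between them is the quickest sign that a response was truncated or that a client is reading the wrong field.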

Request example

Use the following example to query the deployment status of policy instances for each policy type in the cluster:

GET /clusters/{cluster_id}/policies/status HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribePolicyInstancesStatusResponse>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockNodePort</policy_name>
        <policy_description>Disallows all Services with type NodePort.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKExternalIPs</policy_name>
        <policy_description>Restricts Services from containing externalIPs except those in a provided allowlist.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPHostNamespace</policy_name>
        <policy_description>Controls usage of host namespaces.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPReadOnlyRootFilesystem</policy_name>
        <policy_description>Requires the use of a read only root file system.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPVolumeTypes</policy_name>
        <policy_description>Controls usage of volume types.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKOSSStorageLocationConstraint</policy_name>
        <policy_description>Restricts location of oss storage in cluster.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockAutoinjectServiceEnv</policy_name>
        <policy_description>Disable autoinjecting information about services into pod's environment variables.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKImageDigests</policy_name>
        <policy_description>Requires container images to contain a digest.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPAllowedUsers</policy_name>
        <policy_description>Controls the user and group IDs of the container.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPHostFilesystem</policy_name>
        <policy_description>Controls usage of the host filesystem.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKBlockProcessNamespaceSharing</policy_name>
        <policy_description>Restricts shareProcessNamespace used in pod.</policy_description>
        <policy_severity>high</policy_severity>
        <policy_instances_count>2</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPCapabilities</policy_name>
        <policy_description>Controls Linux capabilities.</policy_description>
        <policy_severity>high</policy_severity>
        <policy_instances_count>5</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPForbiddenSysctls</policy_name>
        <policy_description>Controls the `sysctl` profile used by containers.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPSeccomp</policy_name>
        <policy_description>Controls the seccomp profile used by containers.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockLoadBalancer</policy_name>
        <policy_description>Disallows all Services with type LoadBalancer.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPAppArmor</policy_name>
        <policy_description>Controls the AppArmor profile used by containers.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPPrivilegedContainer</policy_name>
        <policy_description>Controls running of privileged containers.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPProcMount</policy_name>
        <policy_description>Controls the allowed `procMount` types for the container.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPSELinuxV2</policy_name>
        <policy_description>Controls the SELinux context of the container.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKEmptyDirHasSizeLimit</policy_name>
        <policy_description>Requires that emptydir volume must have a `sizelimit` defined.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPAllowPrivilegeEscalationContainer</policy_name>
        <policy_description>Controls restricting escalation to root privileges.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPFSGroup</policy_name>
        <policy_description>Controls allocating an FSGroup that owns the Pod's volumes.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKPodsRequireSecurityContext</policy_name>
        <policy_description>Requires that Pods must have a `securityContext` defined.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKRestrictNamespaces</policy_name>
        <policy_description>Restricts resources from using the `default` namespace.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKContainerLimits</policy_name>
        <policy_description>Requires containers to have memory and CPU limits set and within a specified maximum amount.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPHostNetworkingPorts</policy_name>
        <policy_description>Controls usage of host networking and ports.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKBlockAutomountToken</policy_name>
        <policy_description>Disable automounting API credentials.</policy_description>
        <policy_severity>high</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKRequiredLabels</policy_name>
        <policy_description>Requires all resources to contain a specified label with a value matching a provided regular expression.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>psp</policy_category>
        <policy_name>ACKPSPFlexVolumes</policy_name>
        <policy_description>Controls the allowlist of Flexvolume drivers.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKAllowedRepos</policy_name>
        <policy_description>Requires container images to begin with a repo string from a specified list.</policy_description>
        <policy_severity>high</policy_severity>
        <policy_instances_count>4</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKNoEnvVarSecrets</policy_name>
        <policy_description>Restricts secrets used in pod envs.</policy_description>
        <policy_severity>medium</policy_severity>
        <policy_instances_count>1</policy_instances_count>
    </policy_instances>
    <policy_instances>
        <policy_category>cis-k8s</policy_category>
        <policy_name>ACKRestrictRoleBindings</policy_name>
        <policy_description>Restricts use of the cluster-admin role.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>infra</policy_category>
        <policy_name>ACKLocalStorageRequireSafeToEvict</policy_name>
        <policy_description>Restricts safe to evict annotation existing in pod with local storage.</policy_description>
        <policy_severity>low</policy_severity>
    </policy_instances>
    <policy_instances>
        <policy_category>k8s-general</policy_category>
        <policy_name>ACKRequiredProbes</policy_name>
        <policy_description>Requires Pods to have readiness and/or liveness probes.</policy_description>
        <policy_severity>medium</policy_severity>
    </policy_instances>
    <instances_severity_count>
        <high>11</high>
        <medium>1</medium>
    </instances_severity_count>
</DescribePolicyInstancesStatusResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "policy_instances" : [ {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockNodePort",
    "policy_description" : "Disallows all Services with type NodePort.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKExternalIPs",
    "policy_description" : "Restricts Services from containing externalIPs except those in a provided allowlist.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPHostNamespace",
    "policy_description" : "Controls usage of host namespaces.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPReadOnlyRootFilesystem",
    "policy_description" : "Requires the use of a read only root file system.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPVolumeTypes",
    "policy_description" : "Controls usage of volume types.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKOSSStorageLocationConstraint",
    "policy_description" : "Restricts location of oss storage in cluster.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockAutoinjectServiceEnv",
    "policy_description" : "Disable autoinjecting information about services into pod's environment variables.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKImageDigests",
    "policy_description" : "Requires container images to contain a digest.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPAllowedUsers",
    "policy_description" : "Controls the user and group IDs of the container.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPHostFilesystem",
    "policy_description" : "Controls usage of the host filesystem.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKBlockProcessNamespaceSharing",
    "policy_description" : "Restricts shareProcessNamespace used in pod.",
    "policy_severity" : "high",
    "policy_instances_count" : 2
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPCapabilities",
    "policy_description" : "Controls Linux capabilities.",
    "policy_severity" : "high",
    "policy_instances_count" : 5
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPForbiddenSysctls",
    "policy_description" : "Controls the `sysctl` profile used by containers.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPSeccomp",
    "policy_description" : "Controls the seccomp profile used by containers.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockLoadBalancer",
    "policy_description" : "Disallows all Services with type LoadBalancer.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPAppArmor",
    "policy_description" : "Controls the AppArmor profile used by containers.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPPrivilegedContainer",
    "policy_description" : "Controls running of privileged containers.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPProcMount",
    "policy_description" : "Controls the allowed `procMount` types for the container.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPSELinuxV2",
    "policy_description" : "Controls the SELinux context of the container.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKEmptyDirHasSizeLimit",
    "policy_description" : "Requires that emptydir volume must have a `sizelimit` defined.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPAllowPrivilegeEscalationContainer",
    "policy_description" : "Controls restricting escalation to root privileges.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPFSGroup",
    "policy_description" : "Controls allocating an FSGroup that owns the Pod's volumes.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKPodsRequireSecurityContext",
    "policy_description" : "Requires that Pods must have a `securityContext` defined.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKRestrictNamespaces",
    "policy_description" : "Restricts resources from using the `default` namespace.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKContainerLimits",
    "policy_description" : "Requires containers to have memory and CPU limits set and within a specified maximum amount.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPHostNetworkingPorts",
    "policy_description" : "Controls usage of host networking and ports.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKBlockAutomountToken",
    "policy_description" : "Disable automounting API credentials.",
    "policy_severity" : "high"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKRequiredLabels",
    "policy_description" : "Requires all resources to contain a specified label with a value matching a provided regular expression.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "psp",
    "policy_name" : "ACKPSPFlexVolumes",
    "policy_description" : "Controls the allowlist of Flexvolume drivers.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKAllowedRepos",
    "policy_description" : "Requires container images to begin with a repo string from a specified list.",
    "policy_severity" : "high",
    "policy_instances_count" : 4
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKNoEnvVarSecrets",
    "policy_description" : "Restricts secrets used in pod envs.",
    "policy_severity" : "medium",
    "policy_instances_count" : 1
  }, {
    "policy_category" : "cis-k8s",
    "policy_name" : "ACKRestrictRoleBindings",
    "policy_description" : "Restricts use of the cluster-admin role.",
    "policy_severity" : "medium"
  }, {
    "policy_category" : "infra",
    "policy_name" : "ACKLocalStorageRequireSafeToEvict",
    "policy_description" : "Restricts safe to evict annotation existing in pod with local storage.",
    "policy_severity" : "low"
  }, {
    "policy_category" : "k8s-general",
    "policy_name" : "ACKRequiredProbes",
    "policy_description" : "Requires Pods to have readiness and/or liveness probes.",
    "policy_severity" : "medium"
  } ],
  "instances_severity_count" : {
    "high" : 11,
    "medium" : 1
  }
}

Error codes

For more error codes, visit the Error Center.