调用DescribePolicyGovernanceInCluster获取集群策略治理详情。

调试

您可以在OpenAPI Explorer中直接运行该接口,免去您计算签名的困扰。运行成功后,OpenAPI Explorer可以自动生成SDK代码示例。

请求语法

GET /clusters/cluster_id/policygovernance HTTP/1.1
Content-Type:application/json

请求参数

表 1. 请求Path参数
参数名称 类型 是否必选 示例 说明
cluster_id String c8155823d057948c69a****

目标集群ID

响应体语法

HTTP/1.1 200 OK
Content-Type:application/json

{
  "on_state" : [ {
    "enabled_count" : Integer,
    "total" : Integer,
    "severity" : "String"
  } ],
  "admit_log" : {
    "progress" : "String",
    "count" : Long,
    "log" : {
      "msg" : "String",
      "cluster_id" : "String",
      "constraint_kind" : "String",
      "resource_name" : "String",
      "resource_kind" : "String",
      "resource_namespace" : "String"
    }
  },
  "totalViolations" : {
    "deny" : {
      "severity" : "String",
      "violations" : Long
    },
    "warn" : {
      "severity" : "String",
      "violations" : Long
    }
  },
  "violations" : {
    "deny" : {
      "policyName" : "String",
      "policyDescription" : "String",
      "violations" : Long,
      "severity" : "String"
    },
    "warn" : {
      "policyName" : "String",
      "policyDescription" : "String",
      "violations" : Long,
      "severity" : "String"
    }
  }
}

响应参数

表 2. 响应Body参数
参数名称 类型 示例 说明
on_state Array of on_state

当前集群中开启的不同等级策略计数统计

enabled_count Integer 3

当前开启的策略种类计数

total Integer 8

该等级下策略种类总数

severity String high

策略治理等级

admit_log Object

集群当前策略治理审计日志

progress String Complete

查询结果的状态

count Long 100

当前查询到的日志总数

log Object

策略治理审计日志内容

msg String d4hdhs*****

策略治理审计日志信息

cluster_id String c8155823d057948c69a****

目标集群ID

constraint_kind String ACKAllowedRepos

策略类型名称

resource_name String nginx-deployment-basic2-84ccb74bfc-df22p

目标资源名称

resource_kind String Pod

目标资源类型

resource_namespace String default

目标资源命名空间

totalViolations Object

集群中当前被拦截和告警两种处理类型下不同治理等级的违规计数。

deny Object

被拦截的不同治理等级的违规计数统计

severity String high

策略治理等级

violations Long 0

被拦截的事件计数

warn Object

告警模式下不同治理等级的违规计数统计

severity String low

策略治理等级

violations Long 5

告警的事件计数

violations Object

集群中针对不同策略类型的拦截和告警的审计计数统计列表

deny Object

被拦截的不同策略类型的审计计数

policyName String policy-gatekeeper-ackallowedrepos

策略名称

policyDescription String Requires container images to begin with a repo string from a specified list.

策略描述

violations Long 11

集群中对应规则类型下被拦截的违规计数统计

severity String high

策略治理等级

warn Object

告警模式下不同治理等级的违规计数统计

policyName String policy-gatekeeper-ackpspcapabilities

策略名称

policyDescription String Controls Linux capabilities.

策略描述

violations Long 81

集群中对应规则类型下被告警的违规计数统计

severity String high

策略治理等级

请求示例

根据以下示例获取集群策略治理详情:

GET /clusters/c8155823d057948c69a****/policygovernance HTTP/1.1
Host:cs.aliyuncs.com
Content-Type:application/json

正常返回示例

XML格式

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribePolicyGovernanceInClusterResponse>
    <on_state>
        <enabled_count>0</enabled_count>
        <total>14</total>
        <severity>low</severity>
    </on_state>
    <on_state>
        <enabled_count>2</enabled_count>
        <total>13</total>
        <severity>high</severity>
    </on_state>
    <on_state>
        <enabled_count>1</enabled_count>
        <total>8</total>
        <severity>medium</severity>
    </on_state>
    <admit_log>
        <progress>Complete</progress>
        <count>75</count>
        <log>
            <__source__>192.168.0.188</__source__>
            <__tag__:__hostname__>iZwz98e621h0kvki3ja****</__tag__:__hostname__>
            <__tag__:__pack_id__>63DE8FD17599E86****</__tag__:__pack_id__>
            <__tag__:__path__>/policy_admit_logs/gatekeeper_admit.log</__tag__:__path__>
            <__tag__:__receive_time__>1631168040</__tag__:__receive_time__>
            <__tag__:__user_defined_id__>k8s-group-cb36d98a701ef4742b50603866809****</__tag__:__user_defined_id__>
            <__tag__:_container_ip_>10.102.0.89</__tag__:_container_ip_>
            <__tag__:_container_name_>manager</__tag__:_container_name_>
            <__tag__:_image_name_>registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun</__tag__:_image_name_>
            <__tag__:_namespace_>kube-system</__tag__:_namespace_>
            <__tag__:_node_ip_>192.168.0.188</__tag__:_node_ip_>
            <__tag__:_node_name_>cn-shenzhen.192.168.XX.XX</__tag__:_node_name_>
            <__tag__:_pod_name_>gatekeeper-7648f64cc8-27nd4</__tag__:_pod_name_>
            <__tag__:_pod_uid_>11083b05-eecd-454c-8d22-81c83ce1****</__tag__:_pod_uid_>
            <__time__>1631168037</__time__>
            <__topic__/>
            <cluster_id>cb36d98a701ef4742b50603866809****</cluster_id>
            <constraint_action>deny</constraint_action>
            <constraint_api_version>v1beta1</constraint_api_version>
            <constraint_group>constraints.gatekeeper.sh</constraint_group>
            <constraint_kind>ACKAllowedRepos</constraint_kind>
            <constraint_name>allowed-repos-80970511-c93d-4c40-b692-be18c077****</constraint_name>
            <event_msg>Admission webhook "validation.gatekeeper.sh" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container &lt;nginx&gt; has an invalid image repo &lt;nginx:1.7.9&gt;, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</event_msg>
            <event_reason>GatekeeperFailedAdmission</event_reason>
            <event_type>violation</event_type>
            <level>info</level>
            <logger>ack_policy_admit_log_for_sls</logger>
            <msg>container &lt;nginx&gt; has an invalid image repo &lt;nginx:1.7.9&gt;, allowed repos are ["registry.cn-shanghai.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]</msg>
            <process>admission</process>
            <request_uid>9db8f008-c2e8-4723-a380-18ef358c2827</request_uid>
            <request_username>system:serviceaccount:kube-system:replicaset-controller</request_username>
            <resource_api_version>v1</resource_api_version>
            <resource_group/>
            <resource_kind>Pod</resource_kind>
            <resource_name>nginx-deployment-basic2-84ccb74bfc-df22p</resource_name>
            <resource_namespace>default</resource_namespace>
            <time>2021-09-09T06:13:57Z</time>
            <ts>1631168037.444757</ts>
        </log>
        <log>
            <__source__>192.168.XX.XX</__source__>
        </log>
    </admit_log>
    <Violation>
        <totalViolations>
            <deny>
                <severity>high</severity>
                <violations>75</violations>
            </deny>
            <deny>
                <severity>medium</severity>
                <violations>0</violations>
            </deny>
            <warn>
                <severity>high</severity>
                <violations>0</violations>
            </warn>
            <warn>
                <severity>medium</severity>
                <violations>0</violations>
            </warn>
        </totalViolations>
        <violations>
            <deny>
                <policyName>policy-gatekeeper-ackallowedrepos</policyName>
                <policyDescription>Requires container images to begin with a repo string from a specified list.</policyDescription>
                <severity>high</severity>
                <violations>11</violations>
            </deny>
            <deny>
                <policyName>policy-gatekeeper-ackpspcapabilities</policyName>
                <policyDescription>Controls Linux capabilities.</policyDescription>
                <severity>high</severity>
                <violations>81</violations>
            </deny>
        </violations>
    </Violation>
</DescribePolicyGovernanceInClusterResponse>

JSON格式

HTTP/1.1 200 OK
Content-Type:application/json

{
  "on_state" : [ {
    "enabled_count" : 0,
    "total" : 14,
    "severity" : "low"
  }, {
    "enabled_count" : 2,
    "total" : 13,
    "severity" : "high"
  }, {
    "enabled_count" : 1,
    "total" : 8,
    "severity" : "medium"
  } ],
  "admit_log" : {
    "progress" : "Complete",
    "count" : 75,
    "log" : [ {
      "__source__" : "192.168.0.188",
      "__tag__:__hostname__" : "iZwz98e621h0kvki3ja****",
      "__tag__:__pack_id__" : "63DE8FD17599E86****",
      "__tag__:__path__" : "/policy_admit_logs/gatekeeper_admit.log",
      "__tag__:__receive_time__" : "1631168040",
      "__tag__:__user_defined_id__" : "k8s-group-cb36d98a701ef4742b50603866809****",
      "__tag__:_container_ip_" : "10.102.0.89",
      "__tag__:_container_name_" : "manager",
      "__tag__:_image_name_" : "registry-vpc.cn-shenzhen.aliyuncs.com/acs/gatekeeper:v3.6.0.60-g72c4896-aliyun",
      "__tag__:_namespace_" : "kube-system",
      "__tag__:_node_ip_" : "192.168.0.188",
      "__tag__:_node_name_" : "cn-shenzhen.192.168.XX.XX",
      "__tag__:_pod_name_" : "gatekeeper-7648f64cc8-27nd4",
      "__tag__:_pod_uid_" : "11083b05-eecd-454c-8d22-81c83ce1****",
      "__time__" : "1631168037",
      "__topic__" : "",
      "cluster_id" : "cb36d98a701ef4742b50603866809****",
      "constraint_action" : "deny",
      "constraint_api_version" : "v1beta1",
      "constraint_group" : "constraints.gatekeeper.sh",
      "constraint_kind" : "ACKAllowedRepos",
      "constraint_name" : "allowed-repos-80970511-c93d-4c40-b692-be18c077****",
      "event_msg" : "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: allowed-repos-80970511-c93d-4c40-b692-be18c0770382, Message: container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
      "event_reason" : "GatekeeperFailedAdmission",
      "event_type" : "violation",
      "level" : "info",
      "logger" : "ack_policy_admit_log_for_sls",
      "msg" : "container <nginx> has an invalid image repo <nginx:1.7.9>, allowed repos are [\"registry.cn-shanghai.aliyuncs.com/acs/\", \"registry.cn-hangzhou.aliyuncs.com/acs/\"]",
      "process" : "admission",
      "request_uid" : "9db8f008-c2e8-4723-a380-18ef358c2827",
      "request_username" : "system:serviceaccount:kube-system:replicaset-controller",
      "resource_api_version" : "v1",
      "resource_group" : "",
      "resource_kind" : "Pod",
      "resource_name" : "nginx-deployment-basic2-84ccb74bfc-df22p",
      "resource_namespace" : "default",
      "time" : "2021-09-09T06:13:57Z",
      "ts" : "1631168037.444757"
    }, {
      "__source__" : "192.168.XX.XX"
    } ]
  },
  "Violation" : {
    "totalViolations" : {
      "deny" : [ {
        "severity" : "high",
        "violations" : 75
      }, {
        "severity" : "medium",
        "violations" : 0
      } ],
      "warn" : [ {
        "severity" : "high",
        "violations" : 0
      }, {
        "severity" : "medium",
        "violations" : 0
      } ]
    },
    "violations" : {
      "deny" : [ {
        "policyName" : "policy-gatekeeper-ackallowedrepos",
        "policyDescription" : "Requires container images to begin with a repo string from a specified list.",
        "severity" : "high",
        "violations" : 11
      }, {
        "policyName" : "policy-gatekeeper-ackpspcapabilities",
        "policyDescription" : "Controls Linux capabilities.",
        "severity" : "high",
        "violations" : 81
      } ]
    }
  }
}

错误码

访问错误中心查看更多错误码。

开发者资源

  • SDK

    阿里云为您提供多种语言的SDK,帮助您快速通过API集成阿里云的产品和服务,推荐您使用SDK调用API,已免除您手动签名验证。

  • OpenAPI Explorer

    快速检索,可视化调试API,在线命令行工具,同步动态生成可执行的SDK代码示例。

  • 阿里云CLI

    阿里云资产管理和配置工具,可通过命令方式同时管理多个阿里云产品和服务,简单快捷,是您上云好帮手。