Querying a Cluster Component Protection Policy Template

Function

This API is used to query a cluster protection policy template.

Calling Method

For details, see Calling APIs.

URI

GET /v5/{project_id}/container/clusters/protection-policy-templates/{policy_template_id}

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID. Constraints N/A Range The value can contain 1 to 256 characters. Default Value N/A
policy_template_id	Yes	String	Policy template ID

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Specifies the ID of the enterprise project that the server belongs to. An enterprise project can be configured only after the enterprise project function is enabled. Enterprise project ID. The value 0 indicates the default enterprise project. To query servers in all enterprise projects, set this parameter to all_granted_eps. If you have only the permission on an enterprise project, you need to transfer the enterprise project ID to query the server in the enterprise project. Otherwise, an error is reported due to insufficient permission.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token. Constraints N/A Range The value can contain 1 to 32,768 characters. Default Value N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
id	String	Template ID
template_name	String	Template Name
template_type	String	Template type.
description	String	Description
target_kind	String	Resource type of the policy template application. Multiple resource types are separated by semicolons (;).
tag	String	Label
level	String	Level of Recommendation
constraint_template	String	Policy Template Content

Example Requests

None

Example Responses

Status code: 200

Request succeeded.

{
  "id" : "string",
  "template_name" : "string",
  "template_type" : "string",
  "description" : "string",
  "target_kind" : "Deployment;ReplicaSet;CornJob",
  "tag" : "string",
  "level" : "strin",
  "constraint_template" : {
    "kind" : "ConstraintTemplate",
    "apiVersion" : "templates.gatekeeper.sh/v1",
    "metadata" : {
      "name" : "k8spspprocmount",
      "creationTimestamp" : null,
      "annotations" : {
        "description" : "Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes",
        "description-chinese" : "Restrict the proc types that can be mounted to a pod.",
        "level" : "3",
        "metadata.gatekeeper.sh/title" : "Proc Mount",
        "metadata.gatekeeper.sh/version" : "1.0.0",
        "name-chinese" : "K8sPSPProcMount",
        "tag" : "Container/ApplicationSecurityPolicies",
        "tag-chinese" : "Container/Application security policy",
        "targetKind" : "Pod",
        "type" : "security"
      }
    },
    "spec" : {
      "crd" : {
        "spec" : {
          "names" : {
            "kind" : "K8sPSPProcMount"
          },
          "validation" : {
            "openAPIV3Schema" : {
              "description" : "Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes",
              "type" : "object",
              "properties" : {
                "exemptImages" : {
                  "description" : "Any container that uses an image that matches an entry in this list will be excluded from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.\nIt is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.",
                  "type" : "array",
                  "items" : {
                    "type" : "string"
                  }
                },
                "procMount" : {
                  "description" : "Defines the strategy for the security exposure of certain paths in `/proc` by the container runtime. Setting to `Default` uses the runtime defaults, where `Unmasked` bypasses the default behavior.",
                  "type" : "string",
                  "enum" : [ "Default", "Unmasked" ]
                }
              }
            }
          }
        }
      },
      "targets" : [ {
        "target" : "admission.k8s.gatekeeper.sh",
        "rego" : "package k8spspprocmount\nimport data.lib.exempt_container.is_exempt\nviolation[{\"msg\": msg, \"details\": {}}] {\n    c := input_containers[_]\n    not is_exempt(c)\n    allowedProcMount := get_allowed_proc_mount(input)\n    not input_proc_mount_type_allowed(allowedProcMount, c)\n    msg := sprintf(\"ProcMount type is not allowed, container: %v. Allowed procMount types: %v\", [c.name, allowedProcMount])\n}\ninput_proc_mount_type_allowed(allowedProcMount, c) {\n    allowedProcMount == \"default\"\n    lower(c.securityContext.procMount) == \"default\"\n}\ninput_proc_mount_type_allowed(allowedProcMount, c) {\n    allowedProcMount == \"unmasked\"\n}\ninput_containers[c] {\n    c := input.review.object.spec.containers[_]\n    c.securityContext.procMount\n}\ninput_containers[c] {\n    c := input.review.object.spec.initContainers[_]\n    c.securityContext.procMount\n}\ninput_containers[c] {\n    c := input.review.object.spec.ephemeralContainers[_]\n    c.securityContext.procMount\n}\nget_allowed_proc_mount(arg) = out {\n    not arg.parameters\n    out = \"default\"\n}\nget_allowed_proc_mount(arg) = out {\n    not arg.parameters.procMount\n    out = \"default\"\n}\nget_allowed_proc_mount(arg) = out {\n    not valid_proc_mount(arg.parameters.procMount)\n    out = \"default\"\n}\nget_allowed_proc_mount(arg) = out {\n    out = lower(arg.parameters.procMount)\n}\nvalid_proc_mount(str) {\n    lower(str) == \"default\"\n}\nvalid_proc_mount(str) {\n    lower(str) == \"unmasked\"\n}",
        "libs" : [ "package lib.exempt_container\nis_exempt(container) {\n    exempt_images := object.get(object.get(input, \"parameters\", {}), \"exemptImages\", [])\n    img := container.image\n    exemption := exempt_images[_]\n    _matches_exemption(img, exemption)\n}\n_matches_exemption(img, exemption) {\n    not endswith(exemption, \"*\")\n    exemption == img\n}\n_matches_exemption(img, exemption) {\n    endswith(exemption, \"*\")\n    prefix := trim_suffix(exemption, \"*\")\n    startswith(img, prefix)\n}" ]
      } ]
    },
    "status" : { }
  }
}

SDK Sample Code

The SDK sample code is as follows.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;


public class ShowClusterProtectPolicyTemplateSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        HssClient client = HssClient.newBuilder()
                .withCredential(auth)
                .withRegion(HssRegion.valueOf("<YOUR REGION>"))
                .build();
        ShowClusterProtectPolicyTemplateRequest request = new ShowClusterProtectPolicyTemplateRequest();
        request.withPolicyTemplateId("{policy_template_id}");
        try {
            ShowClusterProtectPolicyTemplateResponse response = client.showClusterProtectPolicyTemplate(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

      
       
         
         
           # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = HssClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(HssRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ShowClusterProtectPolicyTemplateRequest()
        request.policy_template_id = "{policy_template_id}"
        response = client.show_cluster_protect_policy_template(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := hss.NewHssClient(
        hss.HssClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ShowClusterProtectPolicyTemplateRequest{}
	request.PolicyTemplateId = "{policy_template_id}"
	response, err := client.ShowClusterProtectPolicyTemplate(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     