Enable compliance reports
The compliance features described on this page are deprecated and will be removed in a future release. We're building a new compliance reporting system that will eventually replace the current one.
Big picture
Enabling compliance reports improves the cluster's compliance posture. It involves generating compliance reports for Kubernetes clusters based on archived flow and audit logs for Calico Enterprise and Kubernetes resources. The process includes components for snapshotting configurations, generating reports, managing jobs, providing APIs with RBAC, and benchmarking security.
Value
The compliance system consists of several key components that work together to ensure comprehensive compliance monitoring and reporting:
compliance-snapshotter
: Lists required configurations and pushes snapshots to Elasticsearch, providing visibility into configuration changes.compliance-reporter
: Generates reports by analyzing configuration history, determining configuration evolution and identifying "worst-case outliers."compliance-controller
: Manages the creation, deletion, and monitoring of report generation jobs.compliance-server
: Offers API for report management and enforces RBAC.compliance-benchmarker
: Runs CIS Kubernetes Benchmark checks on each node to ensure secure deployment.
Enable compliance reports using kubectl
-
Create a compliance custom resource, named
tigera-secure
, in the cluster.kubectl apply -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: Compliance
metadata:
name: tigera-secure
EOF
Enable compliance reports using Manager UI
On the Manager UI, click Compliance Reports, Enable Compliance Reports.