Skip to main content
Calico Cloud documentation

Enable compliance reports

deprecation notice

The compliance features described on this page are deprecated and will be removed in a future release. We're building a new compliance reporting system that will eventually replace the current one.

Big picture

Enabling compliance reports improves the cluster's compliance posture. It involves generating compliance reports for Kubernetes clusters based on archived flow and audit logs for Calico Enterprise and Kubernetes resources. The process includes components for snapshotting configurations, generating reports, managing jobs, providing APIs with RBAC, and benchmarking security.

Value

The compliance system consists of several key components that work together to ensure comprehensive compliance monitoring and reporting:

  • compliance-snapshotter : Lists required configurations and pushes snapshots to Elasticsearch, providing visibility into configuration changes.
  • compliance-reporter : Generates reports by analyzing configuration history, determining configuration evolution and identifying "worst-case outliers."
  • compliance-controller : Manages the creation, deletion, and monitoring of report generation jobs.
  • compliance-server : Offers API for report management and enforces RBAC.
  • compliance-benchmarker : Runs CIS Kubernetes Benchmark checks on each node to ensure secure deployment.

Enable compliance reports using kubectl

  • Create a compliance custom resource, named tigera-secure, in the cluster.

    kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: Compliance
    metadata:
    name: tigera-secure
    EOF

Enable compliance reports using Manager UI

On the Manager UI, click Compliance Reports, Enable Compliance Reports.

Compliance services