Skip to main content
Calico Cloud documentation

Global report

A global report resource is a configuration for generating compliance reports. A global report configuration in Calico Cloud lets you:

  • Specify report contents, frequency, and data filtering
  • Specify the node(s) on which to run the report generation jobs
  • Enable/disable creation of new jobs for generating the report

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI: globalreport.projectcalico.org, globalreports.projectcalico.org and abbreviations such as globalreport.p and globalreports.p.

Sample YAML

apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
name: weekly-full-inventory
spec:
reportType: inventory
schedule: 0 0 * * 0
jobNodeSelector:
nodetype: infrastructure

---
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
name: hourly-accounts-networkaccess
spec:
reportType: network-access
endpoints:
namespaces:
names: ['payable', 'collections', 'payroll']
schedule: 0 * * * *

---
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
name: monthly-widgets-controller-tigera-policy-audit
spec:
reportType: policy-audit
schedule: 0 0 1 * *
endpoints:
serviceAccounts:
names: ['controller']
namespaces:
names: ['widgets']

---
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
name: daily-cis-benchmark
spec:
reportType: cis-benchmark
schedule: 0 0 * * *
cis:
resultsFilters:
- benchmarkSelection: { kubernetesVersion: '1.13' }
exclude: ['1.1.4', '1.2.5']

GlobalReport Definition

Metadata

FieldDescriptionAccepted ValuesSchema
nameThe name of this report.Lower-case alphanumeric with optional - or .string
labelsA set of labels to apply to this report.map

Spec

FieldDescriptionRequiredAccepted ValuesSchema
reportTypeThe type of report to produce. This field controls the content of the report - see the links for each type for more details.Yescis‑benchmark, inventory, network‑access, policy‑auditstring
endpointsSpecify which endpoints are in scope. If omitted, selects everything.EndpointsSelection
scheduleConfigure report frequency by specifying start and end time in cron-format. Reports are started 30 minutes (configurable) after the scheduled value to allow enough time for data archival. A maximum limit of 12 schedules per hour is enforced (an average of one report every 5 minutes).Yesstring
jobNodeSelectorSpecify the node(s) for scheduling the report jobs using selectors.map
suspendDisable future scheduled report jobs. In-flight reports are not affected.bool
cisParameters related to generating a CIS benchmark report.CISBenchmarkParams

EndpointsSelection

FieldDescriptionSchema
selectorEndpoint label selector to restrict endpoint selection.string
namespacesNamespace name and label selector to restrict endpoints by selected namespaces.NamesAndLabelsMatch
serviceAccountsService account name and label selector to restrict endpoints by selected service accounts.NamesAndLabelsMatch

CISBenchmarkParams

FieldsDescriptionRequiredSchema
highThresholdInteger percentage value that determines the lower limit of passing tests to consider a node as healthy. Default: 100Noint
medThresholdInteger percentage value that determines the lower limit of passing tests to consider a node as unhealthy. Default: 50Noint
includeUnscoredTestsBoolean value that when false, applies a filter to exclude tests that are marked as “Unscored” by the CIS benchmark standard. If true, the tests will be included in the report. Default: falseNobool
numFailedTestsInteger value that sets the number of tests to display in the Top-failed Tests section of the CIS benchmark report. Default: 5Noint
resultsFiltersSpecifies an include or exclude filter to apply on the test results that will appear on the report.NoCISBenchmarkFilter

CISBenchmarkFilter

FieldsDescriptionRequiredSchema
benchmarkSelectionSpecify which set of benchmarks that this filter should apply to. Selects all benchmark types.NoCISBenchmarkSelection
excludeSpecify which benchmark tests to excludeNoarray of strings
includeSpecify which benchmark tests to include only (higher precedence than exclude)Noarray of strings

CISBenchmarkSelection

FieldsDescriptionRequiredSchema
kubernetesVersionSpecifies a version of the benchmarks.Yesstring

NamesAndLabelsMatch

FieldDescriptionSchema
namesSet of resource names.list
selectorSelects a set of resources by label.string

Use the NamesAndLabelsMatchto limit the scope of endpoints. If both names and selector are specified, the resource is identified using label AND name match.

note

To use the Calico Cloud compliance reporting feature, you must ensure all required resource types are being audited and the logs archived in Elasticsearch. You must explicitly configure the Kubernetes API Server to send audit logs for Kubernetes-owned resources to Elasticsearch.

Supported operations

Datastore typeCreate/DeleteUpdateGet/ListNotes
Kubernetes API serverYesYesYes