Skip to main content
Calico Enterprise 3.20 (latest) documentation

Enable compliance reports

deprecation notice

The compliance features described on this page are deprecated and will be removed in a future release. We're building a new compliance reporting system that will eventually replace the current one.

Big picture​

Enabling compliance reports improves the cluster's compliance posture. It involves generating compliance reports for Kubernetes clusters based on archived flow and audit logs for Calico Enterprise and Kubernetes resources. The process includes components for snapshotting configurations, generating reports, managing jobs, providing APIs with RBAC, and benchmarking security.


The compliance system consists of several key components that work together to ensure comprehensive compliance monitoring and reporting:

  • compliance-snapshotter : Lists required configurations and pushes snapshots to Elasticsearch, providing visibility into configuration changes.
  • compliance-reporter : Generates reports by analyzing configuration history, determining configuration evolution and identifying "worst-case outliers."
  • compliance-controller : Manages the creation, deletion, and monitoring of report generation jobs.
  • compliance-server : Offers API for report management and enforces RBAC.
  • compliance-benchmarker : Runs CIS Kubernetes Benchmark checks on each node to ensure secure deployment.


  • For managed clusters, ensure that compliance reporting is enabled in the management cluster.

Enable compliance reports using kubectl​

  • Create a compliance custom resource, named tigera-secure, in the cluster.
kubectl apply -f - <<EOF
kind: Compliance
name: tigera-secure

Enable compliance reports using the web console​

On the web console, click Compliance Reports, Enable Compliance Reports.

Compliance services