Compliance reports
The Calico Enterprise compliance reporting feature provides the following compliance reports:
Create a GlobalReport
resource to automatically schedule report generation, and specify the report scope (resources to include in the report).
Concepts
In-scope asset
An asset (Pod or HostEndpoint) is flagged as in-scope by endpoint labels, namespace and/or namespace labels, and service account and/or service account labels.
How this applies to the report: The report includes all resources that were in-scope at any point during the report interval. The resource is included when it is first flagged as in-scope according to the configured label selector and name selections. The resource is included even if the resource is deleted or goes out-of-scope before the end of the report interval.
Ingress protected
An endpoint is ingress protected if it has at least one Ingress policy that is applied to it.
A service is ingress protected if all of the inscope endpoints within that service are ingress protected.
A namespace is ingress protected if all of the inscope endpoints within that namespace are ingress protected.
How this applies to the report: An endpoint is ingress protected only if it was ingress protected throughout the entire report interval.
Egress protected
As per ingress, but with egress policy rules. Note that egress statistics are not obtained for services.
Allows ingress traffic from another namespace
An endpoint is flagged as allowing ingress traffic from another namespace if it has one or more policies that apply to it with an ingress allow rule that:
- has an explicit namespace selector configured, or
- has no source selector or source CIDR configured, or
- (for GlobalNetworkPolicy) has no source CIDR.
A service is flagged as allowing ingress traffic from another namespace if any of the inscope endpoints within that service are flagged.
A namespace is flagged as allowing ingress traffic from another namespace if all of the inscope endpoints within that namespace are flagged.
How this applies to the report: An endpoint is flagged as allowing ingress traffic from another namespace if it was flagged at any time during the report interval.
Allows egress traffic to another namespace
As per ingress, but with egress policy rules and destination selector/CIDR. Note that egress statistics are not obtained for services.
Allows ingress traffic from the internet
An endpoint is flagged as allowing ingress traffic from the internet if it has one or more policies that apply to it with an ingress allow rule that:
- has no source selector or source CIDR configured, or
- has a source CIDR in the non-private IP ranges and has no source selector, or
- has a source selector that matches one or more NetworkSets that contain at least one non-private IP.
A service is flagged as allowing ingress traffic from the internet if any of the inscope endpoints within that service are flagged.
A namespace is flagged as allowing ingress traffic from the internet if all of the inscope endpoints within that namespace are flagged.
How this applies to the report: An endpoint is flagged as allowing ingress traffic from the internet if it was flagged as such at any time during the report interval.
Allows egress traffic to the internet
As per ingress, but with egress policy rules and destination selector/CIDR. Note that egress statistics are not obtained for services.
Envoy enabled
An endpoint is flagged as Envoy Enabled if the associated Pod Spec and Annotations indicate that an Istio init and main container are deployed in the Pod. Provided Istio is appropriately configured on the cluster, this can be extrapolated to be indication of whether mTLS is enabled for the endpoint.
A service is flagged as Envoy enabled if all of the inscope endpoints within that service are flagged.
A namespace is flagged as Envoy enabled if all of the inscope endpoints within that namespace are flagged.
How this applies to the report: An endpoint is flagged as Envoy enabled if it was flagged as such throughout the entire report interval.