Enable compliance reports
This feature was deprecated in Calico Cloud version 21.1.0 and will be removed in a future release. Availability depends on when you started using Calico Cloud.
- For users who started using Calico Cloud in April 2025 or later, this feature is not available.
- Legacy users, who started using Calico Cloud before April 2025, can continue to use this feature until it is removed in a future release.
Big picture​
Enabling compliance reports improves the cluster's compliance posture. It involves generating compliance reports for Kubernetes clusters based on archived flow and audit logs for Calico Enterprise and Kubernetes resources. The process includes components for snapshotting configurations, generating reports, managing jobs, providing APIs with RBAC, and benchmarking security.
Value​
The compliance system consists of several key components that work together to ensure comprehensive compliance monitoring and reporting:
compliance-snapshotter: Lists required configurations and pushes snapshots to Elasticsearch, providing visibility into configuration changes.compliance-reporter: Generates reports by analyzing configuration history, determining configuration evolution and identifying "worst-case outliers."compliance-controller: Manages the creation, deletion, and monitoring of report generation jobs.compliance-server: Offers API for report management and enforces RBAC.compliance-benchmarker: Runs CIS Kubernetes Benchmark checks on each node to ensure secure deployment.
Enable compliance reports using kubectl​
-
Create a compliance custom resource, named
tigera-secure, in the cluster.kubectl apply -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: Compliance
metadata:
name: tigera-secure
EOF
Enable compliance reports using the web console​
On the web console, click Compliance Reports, Enable Compliance Reports.
