compliance-reports.md

File metadata and controls

105 lines (69 loc) · 4.53 KB

Compliance reports

Goal: Use global reports to satisfy compliance requirements.

Steps

  1. Use the Compliance Reports view to see all generated reports.

    A few compliance reports were deployed in one of the first labs, so by now some reports should already have been generated. If you don't see any, you can kick off a report generation task manually; the steps for doing so are below.

    Calico provides the GlobalReport resource to deliver compliance reporting. There are several report types you can configure:

    • CIS benchmarks
    • Inventory
    • Network access
    • Policy audit

    On an EKS cluster you must enable and configure audit log collection on the AWS side; otherwise no data is captured for the policy-audit reports.

    A compliance report can be limited to specific endpoints using endpoint labels and selectors. Each report has a schedule field (a cron expression) that determines how often the report is generated; the interval between runs also defines the timeframe of the data included in each report.

    Compliance reports organize their data as CSV, which can be downloaded and moved to long-term storage to meet compliance retention requirements.

    [Screenshot: compliance report]

  2. Deploy the hipstershop policies and observe that the score in the next report differs from the previous ones. You may need to change the cronjob schedule of those reports if you want to see the results sooner.

    kubectl apply -f demo/app-control/tiers-devops.yaml
    kubectl apply -f demo/app-control/hipstershop-policies.yaml
  3. Generate a report at any time for a specific start/end time.

    a. Review and apply the YAML file for the managed cluster.

    The instructions below apply to a Managed cluster only. Follow the configuration documentation to configure compliance jobs for management and standalone clusters. The START/END times will need to be changed accordingly.

    vi demo/compliance-reports/compliance-reporter-pod.yaml

    b. Substitute the cluster name into the YAML file via the CALICOCLUSTERNAME variable. This makes the compliance job target the correct index in Elasticsearch.

    • Obtain the Elasticsearch index suffix (the cluster name) and store it in a variable
    CALICOCLUSTERNAME=$(kubectl get deployment -n tigera-intrusion-detection intrusion-detection-controller -ojson | \
    jq -r '.spec.template.spec.containers[0].env[] | select(.name == "CLUSTER_NAME").value')
    • Replace the variable in the YAML file
    sed -i "s/\$CALICOCLUSTERNAME/${CALICOCLUSTERNAME}/g" ./demo/compliance-reports/compliance-reporter-pod.yaml

    On macOS (BSD sed) the -i flag requires an explicit, possibly empty, backup suffix:

    sed -i "" "s/\$CALICOCLUSTERNAME/${CALICOCLUSTERNAME}/g" ./demo/compliance-reports/compliance-reporter-pod.yaml

    c. Validate the substitution by grepping the file for the cluster name

    grep -B 2 "$CALICOCLUSTERNAME" ./demo/compliance-reports/compliance-reporter-pod.yaml

    Output will be like:

      value: "warning"
    - name: ELASTIC_INDEX_SUFFIX
      value: "ky48uazv.aks-cc-repo"
    

    d. Set the start/end time to specify the report's time range (RFC 3339 timestamps in UTC). For example:

     - name: TIGERA_COMPLIANCE_REPORT_START_TIME
       value: 2021-12-31T23:00:00Z
     - name: TIGERA_COMPLIANCE_REPORT_END_TIME
       value: 2021-12-31T23:59:00Z
       # Modify these values with the start and end time frame that should be reported on.
    

    e. Now apply the compliance job YAML

    kubectl apply -f demo/compliance-reports/compliance-reporter-pod.yaml

    Once the run-reporter job has finished, the report appears in the Manager UI, where you can download the CSV file.

  4. Scheduled reports are generated 30 minutes after the end of the reporting period, as documented. You can also deploy a cronjob report scoped to the sensitive workloads that need compliance reporting. The YAML file below uses storefront and hipstershop as examples.

    kubectl apply -f demo/compliance-reports/workload-report.yaml
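The two report paths above, the workload-scoped scheduled GlobalReport of step 4 and the one-off reporter run of step 3, as an added shell example. This is not code from the workshop repo; it takes the GlobalReport field names (reportType, endpoints.namespaces.names, schedule) from the GlobalReport API, the namespace names, report names and file contents are hypothetical, and the env block it operates on is a constructed stand-in for compliance-reporter-pod.yaml. kubectl is only invoked from the apply_* helpers, so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the workshop repo) for the two report paths above:
#   render_global_report     scheduled GlobalReport limited to named namespaces (step 4)
#   check_report_window      validate the one-off START/END pair before applying (step 3d)
#   substitute_cluster_name  replace $CALICOCLUSTERNAME without sed -i, then verify it (steps 3b/3c)
#   read_env_value           pull a value: line out of the reporter env block
# Assumptions: GlobalReport field names follow the GlobalReport API; namespace
# names, report names and the sample env block are hypothetical/constructed.
set -u

# Emit a GlobalReport manifest. reportType must be one of the four types listed
# above; schedule is a cron expression, and each run covers the interval since the
# previous run. Restricting endpoints.namespaces keeps the report to the workloads
# that actually need evidence instead of the whole cluster.
render_global_report() {            # render_global_report NAME TYPE SCHEDULE NAMESPACE...
  local name="$1" rtype="$2" schedule="$3" ns_list; shift 3
  [ "$#" -gt 0 ] || { echo "need at least one namespace" >&2; return 1; }
  case "$rtype" in
    inventory|network-access|policy-audit|cis-benchmark) ;;
    *) echo "unknown reportType: $rtype" >&2; return 1 ;;
  esac
  ns_list=$(printf '"%s", ' "$@"); ns_list="[${ns_list%, }]"
  cat <<EOF
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
  name: ${name}
spec:
  reportType: ${rtype}
  endpoints:
    namespaces:
      names: ${ns_list}
  schedule: "${schedule}"
EOF
}

# The one-off reporter reads TIGERA_COMPLIANCE_REPORT_START_TIME / _END_TIME. Accept
# only the RFC 3339 UTC form used in the lab (no offsets, no fractions) and require
# the end to be after the start; the format is fixed-width, so string order is time order.
check_report_window() {             # check_report_window START END
  local re='^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$' t
  for t in "$1" "$2"; do
    printf '%s\n' "$t" | grep -Eq "$re" || { echo "not RFC 3339 UTC: $t" >&2; return 1; }
  done
  expr "$1" \< "$2" >/dev/null || { echo "end must be after start" >&2; return 1; }
}

# Replace the $CALICOCLUSTERNAME placeholder without sed -i (GNU and BSD sed disagree on
# its syntax), then refuse to continue if any placeholder survived, so the job is never
# submitted against a non-existent Elasticsearch index.
substitute_cluster_name() {         # substitute_cluster_name FILE CLUSTER_NAME
  local file="$1" cluster="$2" tmp
  [ -n "$cluster" ] || { echo "empty cluster name" >&2; return 1; }
  case "$cluster" in *'|'*|*'&'*) echo "cluster name would break the sed expression" >&2; return 1 ;; esac
  tmp=$(mktemp) || return 1
  sed -e 's|\$CALICOCLUSTERNAME|'"$cluster"'|g' "$file" > "$tmp" && mv "$tmp" "$file" || return 1
  ! grep -q 'CALICOCLUSTERNAME' "$file" || { echo "placeholder still present in $file" >&2; return 1; }
}

# Return the value: line that follows "- name: VAR" in a container env block, unquoted.
read_env_value() {                  # read_env_value FILE VAR
  awk -v var="$2" '$0 ~ ("- name: " var "$") { if (getline <= 0) exit 1
      sub(/^[ \t]*value:[ \t]*/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# Live helpers: these call kubectl/jq and are not exercised by the offline checks.
get_cluster_name() {
  kubectl get deployment -n tigera-intrusion-detection intrusion-detection-controller -o json |
    jq -r '.spec.template.spec.containers[0].env[] | select(.name == "CLUSTER_NAME").value'
}
apply_one_off_report() {            # apply_one_off_report FILE  (START/END already set in FILE, step 3d)
  check_report_window "$(read_env_value "$1" TIGERA_COMPLIANCE_REPORT_START_TIME)" \
                      "$(read_env_value "$1" TIGERA_COMPLIANCE_REPORT_END_TIME)" &&
    substitute_cluster_name "$1" "$(get_cluster_name)" && kubectl apply -f "$1"
}
apply_workload_report() {           # same arguments as render_global_report
  render_global_report "$@" | kubectl apply -f -
}

# Constructed stand-in for the env block of compliance-reporter-pod.yaml (not the real file).
sample_reporter_env() {
  cat <<'EOF'
        - name: ELASTIC_INDEX_SUFFIX
          value: "$CALICOCLUSTERNAME"
        - name: TIGERA_COMPLIANCE_REPORT_START_TIME
          value: 2021-12-31T23:00:00Z
        - name: TIGERA_COMPLIANCE_REPORT_END_TIME
          value: 2021-12-31T23:59:00Z
EOF
}
```

Usage: `apply_workload_report hourly-shop-inventory inventory "0 * * * *" hipstershop storefront` creates a scheduled report for just those two namespaces, and `apply_one_off_report demo/compliance-reports/compliance-reporter-pod.yaml` validates the time window you set in step 3d before the cluster name is substituted and the job applied. The placeholder check after the substitution is the part the lab's bare `sed -i` lacks: if the variable was empty or the pattern did not match, the job would otherwise be submitted with a bogus ELASTIC_INDEX_SUFFIX and silently report on nothing.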

➡️ Wireguard Encryption

↩️ Back to README.md