Kubernetes allows all traffic by default, so pods can communicate without restriction with each other and with external endpoints. To change this, security policies for Kubernetes and containers are implemented to isolate workloads and control traffic flow between pods, namespaces, and external endpoints. Admission controller policies are also deployed to control which container images CI/CD pipelines may deploy. However, creating and deploying security policies requires knowledge of traffic flows and of the upstream and downstream dependencies of application workloads, and users need to be able to test and preview policies to prevent misconfigurations. Since responsibility for platform and workload security is often shared between platform operators and application teams, a policy management framework is required to author, test, and deploy policies that address each team’s requirements.
Calico’s policy lifecycle management is built to address these issues with policy recommendation, policy tiers, and policy board to enable cross-team collaboration and bolster your organization’s security while reducing unnecessary processes and overhead.
Self-service policy creation
Provides platform, security, and application teams the autonomy to create and deploy cluster, namespace, and workload-specific policies
Automatic policy recommendations
Recommends security policies based on observed traffic patterns. Deploy recommended policies with one click.
Security policy workflow
Simplified security policy administration with automated end-to-end workflow to create, stage, update, and delete security policies
- Enforce and evaluate security policies based on a hierarchy.
- Implement RBAC in each tier.
- Delegate trust across the organization.
- Set top-priority policies as guard rails to avoid interference with the microsegmentation of specific applications and namespaces.
- Specify security and observability as code (SOaC).
- SOaC employs Kubernetes primitives and declarative models, using the same versioning that teams use for source code.
- Since the same source code generates the same binary, SOaC ensures that any Kubernetes component generated from the code has exactly the same security and observability configuration, regardless of the deployment model, type of distribution, or container type.
- Quickly implement security policies—no coding necessary.
- The policy engine recommends policies based on the traffic flow of your microservices.
- All recommended policies can be modified before enforcement.
Policy Dashboard and Audit Reports
- Get real-time metrics on how policies are being evaluated within and across policy tiers.
- View all active and inactive security policies for your Kubernetes cluster with a hierarchy based on roles and permissions in one interface.
- Get detailed policy change log reports for audit and compliance purposes.
Staged Policies and Impact Preview
- Staged Policies – Preview and stage policies prior to policy enforcement.
- Impact Preview – Obtain immediate feedback on policy rule changes.
How It Works
Watch the video to see Calico’s policy lifecycle management in action.