Security can mean different things to different people. You may have compliance requirements like PCI-DSS and HIPAA and need to apply network security policies to adhere to those regulations. Or you may be a cluster operator that wants to limit access to the management plane and Kubernetes APIs. As the owner of a microservice, you care more about which services can connect to your service and what APIs and web methods they can access.
Your compliance requirements are likely the highest-importance, followed by cluster access and then API access. But with Kubernetes network policy you cannot define importance, and a developer could easily override your PCI-DSS rule with their own policy.
Calico Enterprise uses Policy Tiers to prioritize one set of policies ahead of another.
- Policies are evaluated from top-to-bottom and from left-to-right
- Policies are RBAC controlled. Developers may only have access to the lowest policy tier
- Policies and their tiers can be federated across multiple clusters
Policy tiers enable you to meet compliance requirements while enforcing tamper-proof governance across all teams.
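As an added illustration (not from the original page or from Tigera's documentation), the manifests below sketch the two-tier layout described above: a high-priority compliance tier whose PCI isolation rule is evaluated first, a lower developer tier, and a ClusterRole that only lets developers edit policies in their own tier. The label `pci: "true"`, the tier names and the role name are assumptions chosen for the example.

```yaml
# Added example, not the page's or Tigera's own manifests. Assumed: in-scope
# workloads carry the label pci: "true"; tier and role names are placeholders.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security            # lower order = evaluated first (top of the stack)
spec:
  order: 100
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.pci-isolation   # policies in a tier carry the tier name prefix
spec:
  tier: security
  order: 10
  selector: pci == "true"
  types:
  - Ingress
  ingress:
  # Only other PCI-scoped workloads may reach PCI endpoints.
  - action: Allow
    source:
      selector: pci == "true"
  # Explicit deny: a match here ends evaluation, so a policy a developer
  # writes in a later tier cannot re-allow this traffic.
  - action: Deny
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: developers          # evaluated only after the security tier
spec:
  order: 1000
---
# Developers get write access to policies in the developers tier only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developers-tier-editor
rules:
- apiGroups: ["projectcalico.org"]
  resources: ["tiers"]
  resourceNames: ["developers"]
  verbs: ["get"]
- apiGroups: ["projectcalico.org"]
  resources: ["tier.networkpolicies"]
  resourceNames: ["developers.*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Bind the ClusterRole to the developer group with a RoleBinding in each namespace they own; because the role omits the `security` tier, their policies can only ever sit below the PCI rule.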
Interested in trying Calico Enterprise Policy Tiers?
Sign up for our free trial – we’ll even provide sample workloads to test with.