Policy Tiers



Security can mean different things to different teams in your organization. You may have compliance requirements like PCI-DSS and HIPAA and need to apply security policies to adhere to those regulations. Or you may be a cluster operator who wants to limit access to the management plane and Kubernetes APIs. As the owner of a microservice, you probably care more about which services can connect to your service and what APIs and web methods they can access.

Your compliance requirements are likely of highest-importance, followed by cluster access and API access. But with Kubernetes network policy you cannot define importance, and a developer could easily override your PCI-DSS rule with their own policy.


Calico Enterprise and Calico Cloud use Policy Tiers to prioritize one set of policies above another.

  • Policies are evaluated from top-to-bottom and from left-to-right
  • Policies are RBAC-controlled. Developers may only have access to the lowest policy tier
  • Policies and their tiers can be federated across multiple clusters


Policy Tiers enable you to meet security and compliance requirements while enforcing tamper-proof governance across all teams.

Watch a Demo


📣 Read our new O'Reilly eBook on Kubernetes Security and ObservabilityLearn more >>>