Policy Tiers

Challenges:
Security can mean different things to different teams in your organization. You may have compliance requirements like PCI-DSS and HIPAA and need to apply security policies to adhere to those regulations. Or you may be a cluster operator who wants to limit access to the management plane and Kubernetes APIs. As the owner of a microservice, you probably care more about which services can connect to your service and what APIs and web methods they can access.
Your compliance requirements are likely of highest importance, followed by cluster access and API access. But with Kubernetes network policy you cannot define precedence between policies, so a developer could easily override your PCI-DSS rule with their own policy.
Solution:
Calico Enterprise and Calico Cloud use Policy Tiers to prioritize one set of policies above another.
- Policies are evaluated from top-to-bottom and from left-to-right
- Policies are RBAC-controlled. Developers may only have access to the lowest policy tier
- Policies and their tiers can be federated across multiple clusters
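The following manifest, added here as an illustration and not taken from the Calico documentation, shows how these points fit together: a compliance tier evaluated before the default tier, a policy inside it, and a ClusterRole that confines developers to the default tier. The tier name `pci`, the policy name `pci.cardholder-isolation`, the role name `developer-default-tier` and the `environment` label are assumptions.

```yaml
# Added example, not from the original page. Assumed names: tier "pci",
# policy "pci.cardholder-isolation", ClusterRole "developer-default-tier".
# Tiers are evaluated in ascending spec.order (top-to-bottom); policies
# inside a tier in their own spec.order (left-to-right).
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: pci
spec:
  order: 100          # evaluated before the default tier
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: pci.cardholder-isolation   # policy names carry the tier prefix
spec:
  tier: pci
  order: 10
  selector: environment == "cardholder"
  types:
    - Ingress
  ingress:
    # Only other cardholder-environment workloads may reach these pods.
    - action: Allow
      source:
        selector: environment == "cardholder"
    # Everything else is denied here. Because the decision is made in this
    # tier, a policy a developer writes in the default tier never gets a
    # chance to allow the traffic. (Only an explicit Pass action would
    # hand evaluation down to the next tier.)
    - action: Deny
---
# RBAC: developers may manage policies only in the lowest ("default") tier.
# Per-tier policy access is expressed with the "tier.networkpolicies"
# resource and "<tier>.*" resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-default-tier
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["tiers"]
    resourceNames: ["default"]      # can see the default tier only
    verbs: ["get"]
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.networkpolicies"]
    resourceNames: ["default.*"]    # can edit policies in default tier only
    verbs: ["*"]
```

Bind the ClusterRole to the developer group with a ClusterRoleBinding; users without access to the `pci` tier cannot create, edit or even read policies whose names begin with `pci.`.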
Benefits:
Policy Tiers enable you to meet security and compliance requirements while enforcing tamper-proof governance across all teams.