Policy Tiers

Security can mean different things to different people. You may have compliance requirements like PCI-DSS and HIPAA and need to apply network security policies to adhere to those regulations. Or you may be a cluster operator that wants to limit access to the management plane and Kubernetes APIs. As the owner of a microservice, you care more about which services can connect to your service and what APIs and web methods they can access.

Your compliance requirements are likely the highest-importance, followed by cluster access and then API access. But with Kubernetes network policy you cannot define importance, and a developer could easily override your PCI-DSS rule with their own policy.

Calico Enterprise uses Policy Tiers to prioritize one set of policies ahead of another.

• Policies are evaluated from top-to-bottom and from left-to-right
• Policies are RBAC controlled. Developers may only have access to the lowest policy tier
• Policies and their tiers can be federated across multiple clusters

Policy tiers enablement you to meeting compliance requirements while enforcing tamper-proof governance across all teams.