Policy Tiers

Security can mean different things to different people. You may have compliance requirements like PCI-DSS and HIPAA and need to apply network security policies to adhere to those regulations. Or you may be a cluster operator that wants to limit access to the management plane and Kubernetes APIs. As the owner of a microservice, you care more about which services can connect to your service and what APIs and web methods they can access.

Your compliance requirements are likely the most important, followed by cluster access and then API access. But Kubernetes network policy gives you no way to define importance, so a developer could easily override your PCI-DSS rule with their own policy.

Calico Enterprise uses Policy Tiers to prioritize one set of policies ahead of another.

  • Policies are evaluated from top to bottom and from left to right
  • Policies are RBAC-controlled. Developers may only have access to the lowest policy tier
  • Policies and their tiers can be federated across multiple clusters

Policy tiers enable you to meet compliance requirements while enforcing tamper-proof governance across all teams.
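
A sketch of how this ordering looks in manifests, added here as an illustration and not taken from Calico's own material: a compliance tier is evaluated ahead of the default tier, so a permissive developer policy cannot reopen traffic the compliance policy denied. The tier name, the `pci` label, the `payments` namespace and the order values are assumptions made up for the example.

```yaml
# Compliance tier: a lower order value is evaluated before higher ones,
# and before the "default" tier where Kubernetes NetworkPolicy lives.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security            # hypothetical tier name
spec:
  order: 100
---
# Compliance policy owned by the security team, placed in that tier.
# Workloads labelled pci=true accept ingress only from other pci=true
# workloads; everything else is denied in this tier.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.pci-isolation   # tiered policy names carry the tier prefix
spec:
  tier: security
  order: 10
  selector: pci == "true"
  types:
    - Ingress
  ingress:
    - action: Allow
      source:
        selector: pci == "true"
    - action: Deny
---
# Developer policy in the default tier that tries to allow all ingress
# to the same pods. Traffic from non-PCI sources has already been denied
# in the security tier, so this rule never gets to decide it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: payments            # hypothetical namespace
spec:
  podSelector:
    matchLabels:
      pci: "true"
  policyTypes:
    - Ingress
  ingress:
    - {}
```

Endpoints that no policy in the `security` tier selects skip that tier and are evaluated by the next one, so the compliance policy constrains only the workloads it names.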
