Self Service Security Changes

When adding a new microservice to a secure cluster, it must be deployed along with a security policy to enable the service to communicate with other services and APIs. Often this means having a central control that reviews or creates policies for every microservice deployment. Otherwise, a deployment may inadvertently override an important security policy that’s been implemented to protect sensitive workloads that handle payment information, customer data, etc. This process doesn’t scale when hundreds or thousands of microservices are being deployed every day and are being delayed.

Calico Enterprise and Calico Cloud enable SREs and Dev teams to make “self-service” changes to a secure cluster without the risk of an important policy being overridden. No central manager or team is required to create or review policies. Deployments along with the security policies required to allow access to resources are completely automated.

Tiered Policies

Self Service


Watch Details Video

Tiered Policies

Calico Enterprise and Calico Cloud introduce the concept of Policy Tiers. Policy Tiers define the order in which security policies are evaluated. Higher tiers evaluate traffic first. This is where security controls are defined and implemented. Self-service deployments cannot override these controls.

Self Service

When deploying a new microservice, you must define what other microservices it can and should connect to. Changes to microservices may also require additional connections to additional services.

This action requires a security policy change, and when hundreds of deployments happen every day, it’s impossible to have a single individual govern and administer those changes without impacting velocity.

With Calico Enterprise and Calico Cloud, microservices can be deployed along with security policies without the risk of overriding the critical security policies that are required for compliance.


Security policies are represented as code that is deployed alongside your microservices. With policy-as-code, you’re able to fully automate the end-to-end deployment process including any necessary security changes. This dramatically improves the speed of deployment into protected clusters.

You can also automate a validation step that ensures your security policy works properly before being committed. Calico Enterprise and Calico Cloud can deploy your policies in a “staged” mode that will display which traffic is being allowed or denied before the policy rule is enforced. The policy can then be committed if it is operating properly. This step avoids any potential problems caused by incorrect, incomplete, or conflicting security policy definitions.

Watch Product Details Video


📣 Read our new O'Reilly eBook on Kubernetes Security and ObservabilityLearn more >>>