When deploying a new microservice, security policies must be created to define which other microservices it can and should connect to. But before deployment, each new policy and service must be reviewed to ensure it will not override or interfere with an existing policy. Review and approval typically occur at a central point of control, creating a choke point when microservice deployments scale.
Using policy tiers, Calico enables site reliability engineers (SREs) and developer teams to easily make self-service security policy changes to a cluster without the risk of overriding an existing policy. No central manager or control point is required to create, review, or approve new policies. Deployment of new microservices, along with the creation of the necessary security policies, is fully automated, adding speed and predictability to the process.
Microservices can be deployed along with security policies, without the risk of overriding other critical security policies required for compliance.
Automatically identify and eliminate any potential problems caused by incorrect, incomplete, or conflicting security policy deployments.
Fully automate and accelerate the end-to-end microservices deployment process, including any necessary security changes, using policy as code.
When deploying a new microservice, you must define which other microservices it can and should connect to. Changes to a microservice may also require connections to additional services.
Each such change requires a security policy change, and when hundreds of deployments happen every day, it’s impossible to have a single individual govern and administer those changes without impacting velocity.
With Calico Enterprise and Calico Cloud, microservices can be deployed along with security policies without the risk of overriding the critical security policies that are required for compliance.
Security policies are represented as code that is deployed alongside your microservices. With policy as code, you’re able to fully automate the end-to-end deployment process including any necessary security changes. This dramatically improves the speed of deployment into protected clusters.
You can also automate a validation step that ensures your security policy works properly before being committed. Calico can deploy your policies in a “staged” mode that will display which traffic is being allowed or denied before the policy rule is enforced. The policy can then be committed if it is operating properly. This step avoids any potential problems caused by incorrect, incomplete, or conflicting security policy definitions.
Calico introduces the concept of policy tiers. Policy tiers define the order in which security policies are evaluated. Higher tiers evaluate traffic first, so they are where security controls are defined and implemented. Self-service deployments cannot override these controls.
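The tier ordering and the "staged" validation step described above, as an added example that is not taken from the original page or from Calico's documentation. The tier, policy, namespace, and label names, the port, and the address range are all assumptions chosen for illustration.

```yaml
# Added example: tier, policy, namespace and label names are assumptions.
# A lower `order` value is evaluated earlier, so "security" is the higher tier.
apiVersion: projectcalico.org/v3
kind: Tier
metadata: {name: security}
spec: {order: 100}
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata: {name: app-team}
spec: {order: 500}
---
# Control in the higher tier: evaluated before anything in "app-team".
# Pass hands all other traffic on to the next tier for a decision.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata: {name: security.block-restricted-range}
spec:
  tier: security
  order: 10
  selector: all()
  types: [Egress]
  egress:
    - action: Deny
      destination:
        nets: ["203.0.113.0/24"]   # constructed documentation range
    - action: Pass
---
# Self-service policy shipped with the microservice, in staged mode:
# its allow/deny verdicts are reported but not yet enforced.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: app-team.frontend-to-payments
  namespace: shop
spec:
  tier: app-team
  order: 100
  selector: app == 'payments'
  types: [Ingress]
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports: [8443]
```

Because the `app-team` tier is evaluated after `security`, nothing in the staged policy can re-allow traffic the higher tier has already denied. Once the staged results match expectations, the same spec is committed as an enforced `NetworkPolicy`.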