Policy tiers tutorial

Seamless network policy integration

Network policy is the primary tool for securing a Kubernetes network. It lets you restrict network traffic in your cluster so only the traffic that you want to flow is allowed. Calico Cloud provides more robust policy than Kubernetes, but you can use them together -- seamlessly. Calico Cloud supports:

Calico Cloud network policy, (namespaced)
Calico Cloud global network policy (non-namespaced, global)
Kubernetes network policy

Tiers: what and why?

Tiers are a hierarchical construct used to group policies and enforce higher precedence policies that cannot be circumvented by other teams. As you will learn in this tutorial, tiers have built-in features that support workload microsegmentation.

All Calico Cloud and Kubernetes network policies reside in tiers. You can start "thinking in tiers" by grouping your teams and types of policies within each group. For example, we recommend these three tiers (platform, security, and application).

policy types

Next, you can determine the priority of policies in tiers (from top to bottom). In the following example, that platform and security tiers use Calico Cloud global network policies that apply to all pods, while developer teams can safely manage pods within namespaces using Kubernetes network policy for their applications and microservices.

policy tiers

Create a tier and policy

To create a tier and policy in Manager UI:

In the left navbar, click Policies.
On the Policies Board, click Add Tier.
Name the tier, select Order, Add after tigera-security, and save.
To create a policy in the tier, click + Add policy.

You can export all policies or a single policy to a YAML file.

Here is a sample YAML that creates a security tier and uses kubectl to apply it.

apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 300

kubectl apply -f security.yaml

The default tier: always last

The default tier is created during installation and is always the last tier.

default tier

The default tier is where:

You manage all Kubernetes network policies
Network and global network policies are placed when you upgrade from Project Calico to Calico Cloud
Recommended policies are placed when you use the Recommend a policy feature

System tiers

System tiers are added during installation and are hidden by default. Always add your tiers after allow-tigera and tigera-security (in terms of order).

allow-tigera tier contains policies to secure Calico Cloud components and are controlled by the Tigera Operator. These policies should not be edited, and the tier should not be moved. Inadvertent changes are automatically reverted by the Operator to ensure your cluster is always protected.

danger

Although it is possible to change the behavior of the allow-tigera using adjacent tiers, it is not a trivial task. You can break critical cluster traffic and impact the operation of Calico Cloud. To prevent loss of cluster services, see Change allow-tigera tier behavior, and contact Support for help.

tigera-security - contains threat protection policies

Moving tiers

You can move tiers by dragging and moving them in the graphical sequence, but all tiers must be visible first before you reorder tiers.

To show all tiers, click View and select all of the tiers in the Show tiers list.

hidden tiers

Now you can reorder tiers by dragging and moving them.

Tier order

Tiers are ordered from left to right, starting with the highest priority (also called highest precedence) tiers.

tier order

In the example above, tier priorities are as follows:

security tier - is higher priority than platform tier
platform tier - is higher priority than default tier
default tier - is always the last tier, and cannot be reordered

The tier you put as the highest priority (after system tiers), depends on your environment. In compliance-driven environments, the security tier may be the highest priority (as shown above). There is no one-size-fits-all order.

Policy processing

Policies are processed in sequential order from top to bottom.

policy processing

Two mechanisms drive how traffic is processed across tiered policies:

Labels and selectors
Policy action rules

It is important to understand the roles they play.

Labels and selectors

Instead of IP addresses and IP ranges, network policies in Kubernetes depend on labels and selectors to determine which workloads can talk to each other. Workload identity is the same for Kubernetes and Calico Cloud network policies: as pods dynamically come and go, network policy is enforced based on the labels and selectors that you define.

The following diagrams show the relationship between all of the elements that affect traffic flow:

Tiers group and order policies
Policy action rules define how to process traffic in and across tiers, and policy labels and selectors specify how groups of pods are allowed to communicate with each other and other network endpoints
The CNI, Calico Cloud components, and underlying dataplane (iptables/eBPF) all make use of labels and selectors as part of routing traffic.

tier funnel

Policy action rules

Calico Cloud network policy uses action rules to specify how to process traffic/packets:

Allow or Deny - traffic is allowed or denied and the packet is handled accordingly. No further rules are processed.
Pass - skips to the next tier that contains a policy that applies to the endpoint, and processes the packet. If the tier applies to the endpoint but no action is taken on the packet, the packet is dropped.
Log - creates a log, and evaluation continues processing to the next rule

Implicit default deny

As shown in the following diagram, at the end of each tier is an implicit default deny. This is a safeguard that helps mitigate against unsecured policy. Because of this safeguard, you must explicitly apply the Pass action rule when you want traffic evaluation to continue. In the following example, the Pass action in a policy ensures that traffic evaluation continues, and overrides the implicit default deny.

implicit deny

Let’s look at a Dev/Ops global network policy in a high precedence tier (Platform). The policy denies ingress and egress traffic to workloads that match selector, env != "stage". To ensure that policies continue to evaluate traffic after this policy, the policy adds a Pass action for both ingress and egress.

Pass action rule example

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: devops.stage-env
spec:
  tier: devops
  order: 255
  selector: env == "stage"
  ingress:
    - action: Deny
      source:
        selector: env != "stage"
    - action: Pass
  egress:
    - action: Deny
      destination:
        selector: env != "stage"
    - action: Pass
  types:
    - Ingress
    - Egress

Policy endpoint matching across tiers

Whoever is responsible for tier creation, also needs to understand how policy selects matching endpoints across tiers. For normal policy processing (without apply-on-forward, pre-DNAT, and do-not-track), if no policies within a tier apply to endpoints, the tier is skipped, and the tier's implicit deny behavior is not executed.

In the following example, policy D in the Security tier includes a Pass action rule because we want traffic evaluation to continue to the next tier in sequence. In the Platform tier, there are no selectors in policies that match endpoints so the tier is skipped, including the end of tier deny. Evaluation continues to the Application tier. Policy J is the first policy with a matching endpoint.

endpoint match

Default endpoint behavior

Also, tier managers need to understand the default behavior for endpoints based on whether the endpoint is known or unknown, and the endpoint type. As shown in the following table:

Known endpoints - Calico Cloud resources that are managed by Felix
Unknown endpoints - interfaces/resources not recognizable as part of our data model

Endpoint type	Default behavior for known endpoints	Default behavior for unknown endpoints (outside of our data model)
Workload, Calico Cloud	Deny	Deny
Workload, Kubernetes	Allow ingress from same Kubernetes namespace; allow all egress	Deny
Host	Deny. With exception of auto host endpoints, which get `default-allow`.	Fall through and use iptables rules

Best practices for tiered policy

To control and authorize access to Calico Cloud tiers, policies, and Kubernetes network policies, you use Kubernetes RBAC. Security teams can prevent unauthorized viewing or modification of higher precedence (lower order) tiers, while still allowing developers or service owners to manage the detailed policies related to their workloads.

We recommend:

Limit tier creation permissions to Admin users only; creating and reordering tiers affects your policy processing workflow
Limit full CRUD operations on tiers and policy management to select Admin users
Review your policy processing whenever you add/reorder tiers
For example, you may need to update Pass action rules to policies before or after the new tier. Intervening tiers may require changes to policies before and after, depending on the endpoints.
Use the policy preview feature to see effects of policy in action before enforcing it, and use the staged network policy feature to test the entire tier workflow before pushing it to production

Policy tiers tutorial

Seamless network policy integration​

Tiers: what and why?​

Create a tier and policy​

The default tier: always last​

System tiers​

Moving tiers​

Tier order​

Policy processing​

Labels and selectors​

Policy action rules​

Implicit default deny​

Policy endpoint matching across tiers​

Default endpoint behavior​

Best practices for tiered policy​