Policy tiers tutorial
Seamless network policy integration
Network policy is the primary tool for securing a Kubernetes network. It lets you restrict network traffic in your cluster so only the traffic that you want to flow is allowed. Calico Cloud provides more robust policy than Kubernetes, but you can use them together -- seamlessly. Calico Cloud supports:
- Calico Cloud network policy, (namespaced)
- Calico Cloud global network policy (non-namespaced, global)
- Kubernetes network policy
Tiers: what and why?
Tiers are a hierarchical construct used to group policies and enforce higher precedence policies that cannot be circumvented by other teams. As you will learn in this tutorial, tiers have built-in features that support workload microsegmentation.
All Calico Cloud and Kubernetes network policies reside in tiers. You can start "thinking in tiers" by grouping your teams and types of policies within each group. For example, we recommend these three tiers (platform, security, and application).
Next, you can determine the priority of policies in tiers (from top to bottom). In the following example, that platform and security tiers use Calico Cloud global network policies that apply to all pods, while developer teams can safely manage pods within namespaces using Kubernetes network policy for their applications and microservices.
Create a tier and policy
To create a tier and policy in Manager UI:
- In the left navbar, click Policies.
- On the Policies Board, click Add Tier.
- Name the tier, select Order, Add after
tigera-security, and save.
- To create a policy in the tier, click + Add policy.
You can export all policies or a single policy to a YAML file.
Here is a sample YAML that creates a security tier and uses
kubectl to apply it.
kubectl apply -f security.yaml
The default tier: always last
The default tier is created during installation and is always the last tier.
The default tier is where:
- You manage all Kubernetes network policies
- Network and global network policies are placed when you upgrade from Project Calico to Calico Cloud
- Recommended policies are placed when you use the Recommend a policy feature
System tiers are added during installation and are hidden by default. Always add your tiers after
tigera-security (in terms of order).
- allow-tigera tier contains policies to secure Calico Cloud components and are controlled by the Tigera Operator. These policies should not be edited, and the tier should not be moved. Inadvertent changes are automatically reverted by the Operator to ensure your cluster is always protected.
Although it is possible to change the behavior of the
allow-tigera using adjacent tiers, it is not a trivial task. You can break critical cluster traffic and impact the operation of Calico Cloud. To prevent loss of cluster services, see Change allow-tigera tier behavior, and contact Support for help.
- tigera-security - contains threat protection policies
You can move tiers by dragging and moving them in the graphical sequence, but all tiers must be visible first before you reorder tiers.
To show all tiers, click View and select all of the tiers in the Show tiers list.
Now you can reorder tiers by dragging and moving them.
Tiers are ordered from left to right, starting with the highest priority (also called highest precedence) tiers.
In the example above, tier priorities are as follows:
- security tier - is higher priority than platform tier
- platform tier - is higher priority than default tier
- default tier - is always the last tier, and cannot be reordered
The tier you put as the highest priority (after system tiers), depends on your environment. In compliance-driven environments, the security tier may be the highest priority (as shown above). There is no one-size-fits-all order.
Policies are processed in sequential order from top to bottom.
Two mechanisms drive how traffic is processed across tiered policies:
- Labels and selectors
- Policy action rules
It is important to understand the roles they play.
Labels and selectors
Instead of IP addresses and IP ranges, network policies in Kubernetes depend on labels and selectors to determine which workloads can talk to each other. Workload identity is the same for Kubernetes and Calico Cloud network policies: as pods dynamically come and go, network policy is enforced based on the labels and selectors that you define.
The following diagrams show the relationship between all of the elements that affect traffic flow:
- Tiers group and order policies
- Policy action rules define how to process traffic in and across tiers, and policy labels and selectors specify how groups of pods are allowed to communicate with each other and other network endpoints
- The CNI, Calico Cloud components, and underlying dataplane (iptables/eBPF) all make use of labels and selectors as part of routing traffic.
Policy action rules
Calico Cloud network policy uses action rules to specify how to process traffic/packets:
- Allow or Deny - traffic is allowed or denied and the packet is handled accordingly. No further rules are processed.
- Pass - skips to the next tier that contains a policy that applies to the endpoint, and processes the packet. If the tier applies to the endpoint but no action is taken on the packet, the packet is dropped.
- Log - creates a log, and evaluation continues processing to the next rule
Implicit default deny
As shown in the following diagram, at the end of each tier is an implicit default deny. This is a safeguard that helps mitigate against unsecured policy. Because of this safeguard, you must explicitly apply the Pass action rule when you want traffic evaluation to continue. In the following example, the Pass action in a policy ensures that traffic evaluation continues, and overrides the implicit default deny.
Let’s look at a Dev/Ops global network policy in a high precedence tier (Platform). The policy denies ingress and egress traffic to workloads that match selector,
env != "stage". To ensure that policies continue to evaluate traffic after this policy, the policy adds a Pass action for both ingress and egress.
Pass action rule example
selector: env == "stage"
- action: Deny
selector: env != "stage"
- action: Pass
- action: Deny
selector: env != "stage"
- action: Pass
Policy endpoint matching across tiers
Whoever is responsible for tier creation, also needs to understand how policy selects matching endpoints across tiers. For normal policy processing (without apply-on-forward, pre-DNAT, and do-not-track), if no policies within a tier apply to endpoints, the tier is skipped, and the tier's implicit deny behavior is not executed.
In the following example, policy D in the Security tier includes a Pass action rule because we want traffic evaulation to continue to the next tier in sequence. In the Platform tier, there are no selectors in policies that match endpoints so the tier is skipped, including the end of tier deny. Evaluation continues to the Application tier. Policy J is the first policy with a matching endpoint.
Default endpoint behavior
Also, tier managers need to understand the default behavior for endpoints based on whether the endpoint is known or unknown, and the endpoint type. As shown in the following table:
- Known endpoints - Calico Cloud resources that are managed by Felix
- Unknown endpoints - interfaces/resources not recognizable as part of our data model
|Endpoint type||Default behavior for known endpoints||Default behavior for unknown endpoints (outside of our data model)|
|Workload, Calico Cloud||Deny||Deny|
|Workload, Kubernetes||Allow ingress from same Kubernetes namespace; allow all egress||Deny|
|Host||Deny. With exception of auto host endpoints, which get ||Fall through and use iptable rules|
Best practices for tiered policy
To control and authorize access to Calico Cloud tiers, policies, and Kubernetes network policies, you use Kubernetes RBAC. Security teams can prevent unauthorized viewing or modification of higher precedence (lower order) tiers, while still allowing developers or service owners to manage the detailed policies related to their workloads.
Limit tier creation permissions to Admin users only; creating and reordering tiers affects your policy processing workflow
Limit full CRUD operations on tiers and policy management to select Admin users
Review your policy processing whenever you add/reorder tiers
For example, you may need to update Pass action rules to policies before or after the new tier. Intervening tiers may require changes to policies before and after, depending on the endpoints.
Use the policy preview feature to see effects of policy in action before enforcing it, and use the staged network policy feature to test the entire tier workflow before pushing it to production