Tier
A tier resource (`Tier`) represents an ordered collection of NetworkPolicies and/or GlobalNetworkPolicies.
Tiers are used to divide these policies into groups of different priorities. Policies are ordered within a Tier, and the additional hierarchy of Tiers provides more flexibility because the `Pass` action in a Rule jumps to the next Tier. Some example use cases for this are:
- Allowing privileged users to define security policy that takes precedence over other users.
- Translating hierarchies of physical firewalls directly into Calico Cloud policy.
For `kubectl` commands, the following case-insensitive aliases may be used to specify the resource type on the CLI: `tier.projectcalico.org`, `tiers.projectcalico.org` and abbreviations such as `tier.p` and `tiers.p`.
How Policy Is Evaluated
When a new connection is processed by Calico Cloud, each Tier that contains a policy that applies to the endpoint processes the packet. Tiers are sorted by their `order`, smallest number first. Policies in each Tier are then processed in order.
- If a NetworkPolicy or GlobalNetworkPolicy in the Tier `Allow`s or `Deny`s the packet, then evaluation is done: the packet is handled accordingly.
- If a NetworkPolicy or GlobalNetworkPolicy in the Tier `Pass`es the packet, the next Tier containing a policy that applies to the endpoint processes the packet.
If the Tier applies to the endpoint, but takes no action on the packet, the packet is dropped.
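The evaluation order above, modelled as an added Python example (not Calico's own code): Tiers sort by `order` with a missing order sorting last, a Tier that has no policy selecting the endpoint is skipped, `Allow`/`Deny` end evaluation, `Pass` jumps to the next applicable Tier, and a Tier that applies but takes no action drops the packet. The Tier, policy and label names and the packet fields are constructed for the example; how Calico handles a packet for which no Tier applies at all is not stated on this page, so the model reports that case rather than guessing.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of Calico Cloud tier evaluation (added example, not Calico code).
Packet = dict  # e.g. {"dst_port": 443}
Labels = dict  # endpoint labels, e.g. {"app": "web"}


@dataclass
class Rule:
    action: str                                   # "Allow", "Deny" or "Pass"
    match: Callable[[Packet], bool] = lambda p: True


@dataclass
class Policy:
    name: str
    order: Optional[float]
    selector: Callable[[Labels], bool]            # does this policy apply to the endpoint?
    rules: list


@dataclass
class Tier:
    name: str
    order: Optional[float]                        # None = no value = highest order
    policies: list = field(default_factory=list)


def _sort_key(order: Optional[float]):
    # "No value indicates highest order": None sorts after every numeric order.
    return (order is None, order if order is not None else 0.0)


def evaluate(tiers, labels: Labels, packet: Packet):
    """Return (verdict, reason) following the page's evaluation order."""
    for tier in sorted(tiers, key=lambda t: _sort_key(t.order)):
        applicable = [p for p in tier.policies if p.selector(labels)]
        if not applicable:
            continue                              # no policy for this endpoint: tier skipped
        passed = False
        for policy in sorted(applicable, key=lambda p: _sort_key(p.order)):
            for rule in policy.rules:             # first matching rule in a policy decides
                if rule.match(packet):
                    if rule.action in ("Allow", "Deny"):
                        return rule.action, f"{tier.name}/{policy.name}"
                    if rule.action == "Pass":
                        passed = True             # jump to the next applicable tier
                    break
            if passed:
                break
        if not passed:
            # Tier applies to the endpoint but took no action: implicit drop.
            return "Deny", f"{tier.name} (end-of-tier implicit drop)"
    # Not described on this page: no tier selected the endpoint at all.
    return "NoTierApplies", ""


def sample_tiers():
    """Constructed three-tier layout: security (100) -> app (200) -> default (no order)."""
    everyone = lambda labels: True
    web_only = lambda labels: labels.get("app") == "web"
    return [
        Tier("default", None, [Policy("allow-all", None, everyone, [Rule("Allow")])]),
        Tier("app", 200, [Policy("web-allow-https", None, web_only,
                                 [Rule("Allow", lambda p: p["dst_port"] == 443)])]),
        Tier("security", 100, [Policy("block-ssh", 10, everyone,
                                      [Rule("Deny", lambda p: p["dst_port"] == 22),
                                       Rule("Pass")])]),
    ]


def run_samples():
    """Evaluate a few constructed packets; keys are '<app label>:<dst port>'."""
    tiers = sample_tiers()
    cases = [("web", 22), ("web", 443), ("web", 8080), ("db", 443)]
    return {f"{app}:{port}": evaluate(tiers, {"app": app}, {"dst_port": port})
            for app, port in cases}


if __name__ == "__main__":
    for case, verdict in run_samples().items():
        print(case, "->", verdict)
```

Note that the `security` Tier is listed last in `sample_tiers()` but is evaluated first because of its lower `order`, and that the `web:8080` packet is dropped by the `app` Tier even though the `default` Tier would have allowed it: a later Tier is only consulted when an earlier applicable Tier explicitly passes.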
Sample YAML
```yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: internal-access
spec:
  order: 100
```
Definition
Metadata
Field | Description | Accepted Values | Schema |
---|---|---|---|
name | The name of the tier. | | string |
Spec
Field | Description | Accepted Values | Schema | Default |
---|---|---|---|---|
order | (Optional) Indicates priority of this Tier, with lower order taking precedence. No value indicates highest order (lowest precedence). | | float | nil (highest order) |
All Policies created by Calico Cloud orchestrator integrations are created in the default (last) Tier.