Skip to main content


A tier resource (Tier) represents an ordered collection of NetworkPolicies and/or GlobalNetworkPolicies. Tiers are used to divide these policies into groups of different priorities. These policies are ordered within a Tier: the additional hierarchy of Tiers provides more flexibility because the Pass action in a Rule jumps to the next Tier. Some example use cases for this are.

  • Allowing privileged users to define security policy that takes precedence over other users.
  • Translating hierarchies of physical firewalls directly into Calico Cloud policy.

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI:, and abbreviations such as tier.p and tiers.p.

How Policy Is Evaluated

When a new connection is processed by Calico Cloud, each tier that contains a policy that applies to the endpoint processes the packet. Tiers are sorted by their order - smallest number first.

Policies in each Tier are then processed in order.

If the Tier applies to the endpoint, but takes no action on the packet the packet is dropped.

Sample YAML

kind: Tier
name: internal-access
order: 100



FieldDescriptionAccepted ValuesSchema
nameThe name of the tier.string


FieldDescriptionAccepted ValuesSchemaDefault
order(Optional) Indicates priority of this Tier, with lower order taking precedence. No value indicates highest order (lowest precedence)floatnil (highest order)

All Policies created by Calico Cloud orchestrator integrations are created in the default (last) Tier.