Skip to main content
Calico Cloud documentation

Platform application access controls

In this article you will learn some best practices to secure platform tier applications.

Isolate platform applications

You may have several types of platform applications in your environment:

  • Storage platform
  • Secret management
  • Container security
  • Platform monitoring
  • Application performance monitoring

We recommend that you implement all your platform applications controls in a platform tier, implicitly allowing granular ingress and egress controls for platform applications pods and denying everything else. This effectively isolates platform applications from business applications, and extends the multi-tenancy and application microsegmentation controls to platform applications.

Platform order

apiVersion: projectcalico.org/v3
kind: Tier
metadata:
name: platform
spec:
order: 200

Order 200 implies that the platform tier comes before the security tier and that its policies are processed first. Some organizations require that security team controls take precedence over other controls. In that case, the security tier policies need to pass controls to the platform tier for granular control.

Map your application access controls to policy

Next, we recommend that you refer to your platform application documentation and get the communication map of application pods, and reflect the controls in your network policy.

Create a global network policy

Here is our global network policy that allows application (platform-app1) and service (platf-app1-svc2), ingress access to service (svc = platf-app1-svc1) from port 12345.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: platform.platform-app2-svc2
spec:
tier: platform
selector: (app == "platform-app1" && svc == "platf-app1-svc2")
ingress:
- action: Allow
protocol: TCP
source:
selector: svc == "platf-app1-svc1"
destination:
ports:
- '12345'
types:
- Ingress