Tier
A tier resource (Tier
) represents an ordered collection of NetworkPolicies
and/or GlobalNetworkPolicies.
Tiers are used to divide these policies into groups of different priorities. These policies
are ordered within a Tier: the additional hierarchy of Tiers provides more flexibility
because the Pass
action
in a Rule jumps to the next Tier. Some example use cases for this are.
- Allowing privileged users to define security policy that takes precedence over other users.
- Translating hierarchies of physical firewalls directly into Calico Enterprise policy.
For kubectl
commands, the following case-insensitive aliases
may be used to specify the resource type on the CLI:
tier.projectcalico.org
, tiers.projectcalico.org
and abbreviations such as
tier.p
and tiers.p
.
How Policy Is Evaluated​
When a new connection is processed by Calico Enterprise, each tier that contains a policy that applies to the endpoint processes the packet.
Tiers are sorted by their order
- smallest number first.
Policies in each Tier are then processed in order.
- If a NetworkPolicy or GlobalNetworkPolicy in the Tier
Allow
s orDeny
s the packet, then evaluation is done: the packet is handled accordingly. - If a NetworkPolicy or GlobalNetworkPolicy in the Tier
Pass
es the packet, the next Tier containing a Policy that applies to the endpoint processes the packet.
If the Tier applies to the endpoint, but takes no action on the packet the packet is dropped.
If the last Tier applying to the endpoint Pass
es the packet, that endpoint's Profiles are evaluated.
Sample YAML​
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
name: internal-access
spec:
order: 100
Definition​
Metadata​
Field | Description | Accepted Values | Schema |
---|---|---|---|
name | The name of the tier. | string |
Spec​
Field | Description | Accepted Values | Schema | Default |
---|---|---|---|---|
order | (Optional) Indicates priority of this Tier, with lower order taking precedence. No value indicates highest order (lowest precedence) | float | nil (highest order) |
All Policies created by Calico Enterprise orchestrator integrations are created in the default (last) Tier.