Calico Enterprise 3.19 (latest) documentation

Tier

A tier resource (Tier) represents an ordered collection of NetworkPolicies and/or GlobalNetworkPolicies. Tiers are used to divide these policies into groups of different priorities. Policies are ordered within a Tier, and the additional hierarchy of Tiers provides more flexibility because the Pass action in a Rule jumps to the next Tier. Some example use cases for this are:

  • Allowing privileged users to define security policy that takes precedence over other users.
  • Translating hierarchies of physical firewalls directly into Calico Enterprise policy.

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI: tier.projectcalico.org, tiers.projectcalico.org and abbreviations such as tier.p and tiers.p.

How Policy Is Evaluated

When a new connection is processed by Calico Enterprise, each tier that contains a policy applying to the endpoint processes the packet. Tiers are sorted by their order field, smallest number first.

Policies in each Tier are then processed in order.

If a Tier applies to the endpoint but takes no action on the packet (no Allow, Deny, or Pass), the packet is dropped.

If the last Tier applying to the endpoint Passes the packet, that endpoint's Profiles are evaluated.
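The evaluation order above is easiest to see with two tiers. The following manifest is an added example, not from the Calico Enterprise documentation: the tier names, policy names, namespace, selectors, and ports are all constructed for illustration, and the `<tier>.<name>` policy naming is assumed. The higher-precedence tier denies one thing and then explicitly Passes everything else down, which is the step most often forgotten; without that trailing Pass, traffic that reaches the security tier but matches no rule would be dropped there rather than reaching the application tier.

```yaml
# Added example (not Calico Enterprise's own manifests). Names, selectors
# and ports are constructed for illustration.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security          # lower order = evaluated first, higher precedence
spec:
  order: 100
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: application       # evaluated after the "security" tier
spec:
  order: 200
---
# Security-team policy in the first tier: deny a legacy plaintext service
# everywhere, then Pass all remaining traffic to the next tier. Without the
# final Pass rule, any endpoint this policy selects whose traffic did not
# match the Deny rule would have no action taken in this tier and would be
# dropped before the application tier is ever consulted.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.deny-telnet   # assumed <tier>.<name> naming convention
spec:
  tier: security
  order: 10
  selector: all()
  types:
    - Ingress
  ingress:
    - action: Deny
      protocol: TCP
      destination:
        ports:
          - 23
    - action: Pass
---
# Application-team policy in the second tier: only the frontend may reach
# the backend on 8080. Packets that reach this tier and match no rule are
# dropped here, because this is the last tier that applies to the endpoint.
# A trailing Pass rule here would instead hand the packet to the endpoint's
# Profiles.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: application.backend-ingress
  namespace: shop
spec:
  tier: application
  order: 10
  selector: app == 'backend'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports:
          - 8080
```

Apply the manifest with `kubectl apply -f` and confirm the tier ordering with `kubectl get tiers.p`, using the alias described earlier. When reviewing a policy set, check that every non-final tier ends in a Pass (or an intentional Deny) for the endpoints it selects; a tier that matches an endpoint without acting on its traffic silently drops that traffic.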

Sample YAML

```yaml
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: internal-access
spec:
  order: 100
```

Definition

Metadata

| Field | Description | Accepted Values | Schema |
|-------|-------------|-----------------|--------|
| name | The name of the tier. | | string |

Spec

| Field | Description | Accepted Values | Schema | Default |
|-------|-------------|-----------------|--------|---------|
| order | (Optional) Indicates priority of this Tier, with lower order taking precedence. No value indicates highest order (lowest precedence). | | float | nil (highest order) |

All Policies created by Calico Enterprise orchestrator integrations are created in the default (last) Tier.