Design Multi-Tenant Network Policies with Calico Tier Enforcement
Overview
What this challenge is about.
Receive the cluster topology (120 customer namespaces + 4 platform namespaces), the application traffic patterns (frontend talks to backend, backend talks to its tenant's database), and the current (empty) NetworkPolicy state. Design 3 Calico tiers: 'baseline' (cluster-wide rules: allow DNS, allow metrics-server, default-deny), 'tenant' (per-namespace deny of cross-tenant traffic), 'application' (per-app allow of only the intended traffic). Implement the policies as Helm templates parameterized by tenant. Build a test harness that runs from a debug pod in each tenant and tries to reach every other tenant plus each platform namespace, with expected results captured in a 120x124 matrix. Roll out using Calico's staged policies feature to log violations for 7 days before flipping to enforce. Deliver the policy templates, the test harness, the 7-day staging report, the rollout runbook, and a 6-page security-engineering memo.
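The tier layout described above, as an added example that is not part of the challenge brief or any project's own code. It assumes a Calico variant that provides the Tier and StagedNetworkPolicy resources, platform namespaces named kube-system and monitoring, tenant namespaces labelled tenant=<name> (tenant-acme with tenant=acme here), CoreDNS pods labelled k8s-app=kube-dns, and app=frontend|backend|db pod labels; all of these names are assumptions. The one Calico detail that shapes the layout: a tier ends with an implicit Deny for every endpoint one of its policies selects, so the baseline and tenant tiers must finish with Pass, and the cluster-wide default-deny belongs in the last-evaluated (default) tier rather than in baseline.

```yaml
# Added example, not the challenge's own code: three Calico tiers plus a
# default-deny backstop. Namespace names, the namespace label tenant=<name>
# and the pod labels in the selectors are assumptions.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: baseline
spec:
  order: 100          # lower order is evaluated first
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: tenant
spec:
  order: 200
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: application
spec:
  order: 300
---
# baseline: DNS and metrics for every pod, then Pass. A tier ends in an
# implicit Deny for each endpoint its policies select, so Pass is required.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: baseline.platform-essentials
spec:
  tier: baseline
  selector: all()
  types: [Ingress, Egress]
  egress:
    - action: Allow          # DNS only to CoreDNS pods (add a TCP/53 twin if needed)
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    - action: Pass
  ingress:
    - action: Allow          # scraping from the platform monitoring namespace
      protocol: TCP
      source:
        namespaceSelector: kubernetes.io/metadata.name == "monitoring"
        selector: app == "metrics-server"
    - action: Pass
---
# Backstop in the default tier (evaluated last). Platform namespaces are
# excluded so the cluster's control plane keeps working.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  tier: default
  order: 10000
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system"}
  types: [Ingress, Egress]
---
# tenant tier, rendered per tenant by Helm (tenant=acme here). Staged first: it
# is evaluated and logged but not enforced; re-apply as kind: NetworkPolicy to enforce.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: tenant.isolate
  namespace: tenant-acme
spec:
  stagedAction: Set
  tier: tenant
  selector: all()
  types: [Ingress]
  ingress:
    - action: Deny           # pods in any namespace labelled as another tenant
      source:
        namespaceSelector: has(tenant) && tenant != "acme"
    - action: Pass
---
# application tier: frontend -> backend only. No trailing Pass, so the tier's
# implicit deny drops every other flow into the backend.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: application.backend
  namespace: tenant-acme
spec:
  tier: application
  selector: app == "backend"
  types: [Ingress]
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == "frontend"   # same namespace: no namespaceSelector
      destination:
        ports: [8080]
```

Only the backend side of the application tier is shown. Because the default-deny backstop catches any pod that no application policy selects, each component needs its own policy (frontend egress to backend on 8080, db ingress from backend), or the 120x124 harness will report the intra-tenant path as blocked. The tenant policy is the natural one to stage for the 7-day window: its Deny rule is exactly the cross-tenant traffic whose logged hits reveal undocumented dependencies before enforcement.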
The Brief
What you'll do, and what you'll demonstrate.
Design and roll out tiered Calico network policies enforcing default-deny with per-tenant allowlists across 120 customer namespaces and validate isolation with a 120x124 test matrix.
Earning criteria — what you'll demonstrate
- Design tiered network policies that scale across many tenants
- Use Calico stage policies to avoid breaking-change rollouts
- Validate isolation with an end-to-end test matrix
- Document policies cleanly enough that tenant onboarding stays cheap
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.