Skip to main content
Version: 3.27 (latest)

Selector-based policies

We recommend using selector-based security policy with host endpoints. This allows ordered policy to be applied to endpoints that match particular label selectors.

For example, you could add a second policy for webserver access:

cat <<EOF | dist/calicoctl create -f -
- apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: webserver
spec:
selector: "role==\"webserver\""
order: 100
ingress:
- action: Allow
protocol: TCP
destination:
ports: [80]
egress:
- action: Allow
EOF