Selector-based policies

We recommend using selector-based security policies with host endpoints. This lets you apply ordered policy to the endpoints that match particular label selectors.

For example, you could add a second policy for webserver access:

    cat <<EOF | dist/calicoctl create -f -
    - apiVersion: projectcalico.org/v3
      kind: GlobalNetworkPolicy
      metadata:
        name: webserver
      spec:
        selector: "role==\"webserver\""
        order: 100
        ingress:
        - action: Allow
          protocol: TCP
          destination:
            ports: [80]
        egress:
        - action: Allow
    EOF
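The `webserver` policy above only takes effect on host endpoints that carry the label its selector names. The following is an added example, not part of the original page: two host endpoints, one that the selector matches and one that it does not. The endpoint names, node names, interface name, IP addresses and the `database` role are constructed for illustration.

```yaml
# Constructed example: host endpoints for two nodes.
# Only the first carries role=webserver, so only it is selected by the
# GlobalNetworkPolicy named "webserver" (selector: role=="webserver").
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: web-node-1-eth0        # hypothetical endpoint name
    labels:
      role: webserver            # matches the policy selector
  spec:
    node: web-node-1             # hypothetical node name
    interfaceName: eth0
    expectedIPs:
    - 192.0.2.10                 # documentation-range address
# This endpoint has a different role label. The webserver policy does not
# apply to it, so TCP port 80 is not opened here by that policy.
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: db-node-1-eth0         # hypothetical endpoint name
    labels:
      role: database             # does not match role=="webserver"
  spec:
    node: db-node-1              # hypothetical node name
    interfaceName: eth0
    expectedIPs:
    - 192.0.2.20                 # documentation-range address
```

These resources can be created with the same `calicoctl create -f` invocation used for the policy. Note that the policy's `egress` rule has no protocol or destination restriction, so every endpoint labelled `role: webserver` is allowed all outbound traffic.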