Selector-based policies

We recommend using selector-based security policy with host endpoints. This allows ordered policy to be applied to endpoints that match particular label selectors.

For example, you could add a second policy for webserver access:

  1. cat <<EOF | dist/calicoctl create -f -
  2. - apiVersion: projectcalico.org/v3
  3.   kind: GlobalNetworkPolicy
  4.   metadata:
  5.     name: webserver
  6.   spec:
  7.     selector: "role==\"webserver\""
  8.     order: 100
  9.     ingress:
  10.     - action: Allow
  11.       protocol: TCP
  12.       destination:
  13.         ports: [80]
  14.     egress:
  15.     - action: Allow
  16. EOF