Skip to main content
Calico Open Source 3.29 (latest) documentation

Calico automatic labels

As a convenience, Calico provides immutable labels that are used for specific resources when evaluating selectors in policies. The labels make it easier to match resources in common ways (such as matching a namespace by name).

Labels for matching namespaces

The label projectcalico.org/name is set to the name of the namespace. This allows for matching namespaces by name when using a namespaceSelector field.

For example, the following GlobalNetworkPolicy applies to workloads with label, color: red in namespaces named, "foo" and "bar". The policy allows ingress traffic to port 8080 from all workloads in a third namespace named, "baz":

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: foo-and-bar
spec:
namespaceSelector: projectcalico.org/name in {"foo", "bar"}
selector: color == "red"
types:
- Ingress
ingress:
- action: Allow
source:
namespaceSelector: projectcalico.org/name == "baz"
destination:
ports:
- 8080

Be aware that the default values for namespaceSelector for NetworkPolicy and GlobalNetworkPolicy are different. For example:

In a network policy,

namespaceSelector:  <empty>
selector: foo == "bar"

means "resources in the same namespace as the network policy that matches foo == 'bar'".

In a global network policy,

namespaceSelector:  <empty>
selector: foo == "bar"

means "resources in any namespace and non-namespaced resources that match foo == 'bar'".

Further,

namespaceSelector: projectcalico.org/name == "some-namespace"
selector: foo == "bar"

is equivalent to:

namespaceSelector: <empty>
selector: (foo == "bar") && (projectcalico.org/namespace == "some-namespace")

Labels for matching service accounts

Similarly, the projectcalico.org/name label is applied to ServiceAccounts and allows for matching by name in a serviceAccountSelector.

Kubernetes labels for matching namespaces

Kubernetes also has automatic labeling, for example kubernetes.io/metadata.name. The Kubernetes namespace label serves the same purpose and can be used in the same way as the Calico label. The projectcalico.org/name label predates the automatic Kubernetes label.

Labels for matching workload endpoints

WorkloadEndpoints (which represent Pods in Kubernetes, or VM instances in OpenStack), receive several automatic labels:

  • projectcalico.org/orchestrator is applied to all WorkloadEndpoints and allows Kubernetes Pods to be distinguished from OpenStack VM instances, and from HostEndpoints (which do not have the label):

  • has(projectcalico.org/orchestrator) matches only WorkloadEndpoints

  • projectcalico.org/orchestrator == "k8s" matches only Kubernetes Pods

  • For WorkloadEndpoints that represent Kubernetes Pods, projectcalico.org/namespace contains the name of the pod's namespace. projectcalico.org/namespace predates the addition of namespaceSelector fields to GlobalNetworkPolicies; it serves the same purpose as the projectcalico.org/name label in a namespaceSelector field. The following GlobalNetworkPolicy is exactly equivalent to the example shown in the Namespaces section:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: foo-and-bar
spec:
selector: projectcalico.org/namespace in {"foo", "bar"} && color == "red"
types:
- Ingress
ingress:
- action: Allow
source:
selector: projectcalico.org/namespace == "baz"
destination:
ports:
- 8080

Use the correct selector with labels in policies

Calico labels must be used with the correct selector or the policy will not work as designed (and there are no error messages in Manager UI or when applying the YAML).

Calico labelUsage requirementsUse in these resources...
projectcalico.org/nameUse with a namespaceSelector or serviceAccountSelector.- Network policy
- Staged network policy

Namespaced resources that apply only to workload endpoint resources in the namespace.
projectcalico.org/namespaceUse only with selectors.

Use the label as the label name, and a namespace name as the value to compare against (for example projectcalico.org/namespace == "default").
- Global network policy
- Staged global network policy

Cluster-wide (non-namespaced) resources that apply to workload endpoint resources in all namespaces, and to host endpoint resources.