Version selector rules filter which deployment versions are allowed to deploy to matching environments. Use them to restrict production to stable releases, enforce naming conventions, or block specific versions.

Overview

Why Use Version Selectors?

Version selector rules help you:
  • Enforce release channels - Only stable versions in production
  • Block bad versions - Prevent known-bad releases from deploying
  • Naming conventions - Require specific version formats
  • Feature flags - Control rollout of experimental features

Configuration

Add a version selector rule to your policy:
policies:
  - name: production-stable-only
    selectors:
      - environment: environment.name == "production"
    rules:
      - versionSelector:
          selector:
            matchExpression:
              - key: tag
                operator: DoesNotContain
                value: "-rc"
          description: "Only stable versions (no release candidates)"

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| selector | Selector | Yes | CEL expression to match allowed versions |
| description | string | No | Human-readable explanation of the rule |

Selector Expressions

Version selectors use CEL expressions to evaluate version metadata:

Available Fields

| Field | Type | Description |
| --- | --- | --- |
| version.tag | string | Version tag (e.g., “v1.2.3”) |
| version.metadata | object | Custom metadata on the version |
| version.createdAt | string | When the version was created |

Common Patterns

Stable Versions Only

Block pre-release versions from production:
policies:
  - name: production-stable
    selectors:
      - environment: environment.name == "production"
    rules:
      - versionSelector:
          selector:
            matchExpression:
              - key: tag
                operator: DoesNotContain
                value: "-"
          description: "No pre-release versions (no hyphens in tag)"

Semantic Version Pattern

Require semantic versioning format:
policies:
  - name: require-semver
    selectors:
      - environment: environment.name == "production"
    rules:
      - versionSelector:
          selector:
            matchExpression:
              - key: tag
                operator: Matches
                value: "^v[0-9]+\\.[0-9]+\\.[0-9]+$"
          description: "Must be semantic version (vX.Y.Z)"

Block Specific Versions

Prevent known-bad versions from deploying:
policies:
  - name: block-bad-versions
    rules:
      - versionSelector:
          selector:
            matchExpression:
              - key: tag
                operator: NotIn
                values:
                  - "v2.1.0"
                  - "v2.1.1"
          description: "Blocked versions with critical bugs"

Release Channel by Metadata

Use version metadata for release channels:
policies:
  # Production: Only 'stable' channel
  - name: production-channel
    selectors:
      - environment: environment.name == "production"
    rules:
      - versionSelector:
          selector:
            matchLabels:
              channel: stable
          description: "Only stable channel versions"

  # Staging: Allow 'stable' and 'beta' channels
  - name: staging-channels
    selectors:
      - environment: environment.name == "staging"
    rules:
      - versionSelector:
          selector:
            matchExpression:
              - key: metadata.channel
                operator: In
                values:
                  - stable
                  - beta
          description: "Stable and beta channels allowed"

Major Version Restriction

Restrict major version changes:
policies:
  - name: v2-only
    selectors:
      - environment: environment.name == "production"
    rules:
      - versionSelector:
          selector:
            matchExpression:
              - key: tag
                operator: StartsWith
                value: "v2."
          description: "Only v2.x versions allowed"

Feature Flag Versions

Control feature rollout by version metadata:
policies:
  - name: new-ui-rollout
    selectors:
      - environment: environment.name == "production"
      - resource: resource.metadata.region == "us-east-1"
    rules:
      - versionSelector:
          selector:
            matchLabels:
              feature.newUI: "true"
          description: "New UI enabled for us-east-1"

Selector Operators

| Operator | Description | Example |
| --- | --- | --- |
| Equals | Exact match | tag Equals "v1.0.0" |
| NotEquals | Not equal | tag NotEquals "v1.0.0" |
| In | Value in list | tag In ["v1.0.0", "v1.0.1"] |
| NotIn | Value not in list | tag NotIn ["v1.0.0"] |
| Contains | String contains | tag Contains "beta" |
| DoesNotContain | String does not contain | tag DoesNotContain "rc" |
| StartsWith | String starts with | tag StartsWith "v2." |
| EndsWith | String ends with | tag EndsWith "-stable" |
| Matches | Regex match | tag Matches "^v[0-9]+" |
| Exists | Field exists | metadata.approved Exists |
| DoesNotExist | Field does not exist | metadata.blocked DoesNotExist |
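
The operator table above, modelled in Python to check which tags the page's stable-only, semver and blocklist rules would admit before a policy is applied to production. This is an added example, not the product's evaluator: the AND-combination of conditions, case-sensitive matching, the helper names and the sample tags are assumptions.

```python
import re

# Local model of this page's operator table (case-sensitive); not the product's evaluator.
def _s(op):
    # String operators return False when the field is missing or not a string.
    return lambda f, c: isinstance(f, str) and op(f, c["value"])

OPERATORS = {
    "Equals": lambda f, c: f == c["value"],
    "NotEquals": lambda f, c: f != c["value"],
    "In": lambda f, c: f in c["values"],
    "NotIn": lambda f, c: f not in c["values"],
    "Contains": _s(lambda f, v: v in f),
    "DoesNotContain": lambda f, c: not (isinstance(f, str) and c["value"] in f),
    "StartsWith": _s(str.startswith),
    "EndsWith": _s(str.endswith),
    "Matches": _s(lambda f, v: re.search(v, f) is not None),
    "Exists": lambda f, c: f is not None,
    "DoesNotExist": lambda f, c: f is None,
}

def lookup(version, key):
    """Resolve a dotted key such as 'tag' or 'metadata.channel'; None if absent."""
    node = version
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def allowed(version, match_expression):
    # Assumption: every condition in the list must hold (logical AND).
    return all(OPERATORS[c["operator"]](lookup(version, c["key"]), c) for c in match_expression)

def admitted(match_expression, tags):
    """Return the tags a rule would let through, in input order."""
    return [t for t in tags if allowed({"tag": t}, match_expression)]

# Rules copied from the policies on this page.
NO_RC = [{"key": "tag", "operator": "DoesNotContain", "value": "-rc"}]
NO_HYPHEN = [{"key": "tag", "operator": "DoesNotContain", "value": "-"}]
SEMVER = [{"key": "tag", "operator": "Matches", "value": r"^v[0-9]+\.[0-9]+\.[0-9]+$"}]
BLOCKED = [{"key": "tag", "operator": "NotIn", "values": ["v2.1.0", "v2.1.1"]}]

# Constructed sample tags, including pre-release spellings the rules may miss.
TAGS = ["v1.2.3", "v1.2.3-rc1", "v1.2.3-beta.1", "v1.2.3_rc1", "nightly", "v2.1.0"]

if __name__ == "__main__":
    for rule in (NO_RC, NO_HYPHEN, SEMVER, SEMVER + BLOCKED):
        print([c["operator"] for c in rule], admitted(rule, TAGS))
```

Against the constructed tags, the `-rc` rule still admits `v1.2.3-beta.1` and `v1.2.3_rc1`, and the no-hyphen rule still admits `nightly`; only the anchored regex limits the set to `vX.Y.Z` tags.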

Best Practices

Environment Guidelines

| Environment | Version Policy |
| --- | --- |
| Development | Allow all versions |
| QA | Allow all or beta+ |
| Staging | Stable and beta |
| Production | Stable only |

Recommendations

  • ✅ Use description to explain why versions are restricted
  • ✅ Start permissive and tighten over time
  • ✅ Use metadata for release channels instead of parsing tags
  • ✅ Document blocked versions with links to issues
  • ✅ Test selectors in lower environments first

Anti-Patterns

  • ❌ Overly complex regex patterns
  • ❌ Blocking without documentation
  • ❌ Inconsistent version tagging conventions
  • ❌ Forgetting to update blocked version lists
