diff --git a/go.mod b/go.mod index b683c8bdb..942e86631 100644 --- a/go.mod +++ b/go.mod @@ -55,7 +55,7 @@ require ( github.com/patrickmn/go-cache v2.1.0+incompatible // indirect github.com/pkg/errors v0.9.1 github.com/projectcalico/kube-controllers v3.8.8+incompatible - github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce + github.com/projectcalico/libcalico-go v1.7.2-0.20191014160346-2382c6cdd056 github.com/prometheus-community/prom-label-proxy v0.2.0 github.com/prometheus-operator/prometheus-operator v0.42.2-0.20200928114327-fbd01683839a github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.42.1 @@ -98,12 +98,12 @@ require ( k8s.io/kubectl v0.18.6 k8s.io/metrics v0.18.6 k8s.io/utils v0.0.0-20200603063816-c1c6865ac451 + kubesphere.io/client-go v0.0.0 openpitrix.io/openpitrix v0.4.9-0.20200611125425-ae07f141e797 sigs.k8s.io/application v0.8.4-0.20201016185654-c8e2959e57a0 sigs.k8s.io/controller-runtime v0.6.4 sigs.k8s.io/controller-tools v0.4.0 sigs.k8s.io/kubefed v0.4.0 - kubesphere.io/client-go v0.0.0 ) replace ( 
@@ -559,7 +559,7 @@ replace (
 github.com/projectcalico/go-yaml => github.com/projectcalico/go-yaml v0.0.0-20161201183616-955bc3e451ef
 github.com/projectcalico/go-yaml-wrapper => github.com/projectcalico/go-yaml-wrapper v0.0.0-20161127220527-598e54215bee
 github.com/projectcalico/kube-controllers => github.com/projectcalico/kube-controllers v3.8.8+incompatible
- github.com/projectcalico/libcalico-go => github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce
+ github.com/projectcalico/libcalico-go => github.com/projectcalico/libcalico-go v1.7.2-0.20191014160346-2382c6cdd056
 github.com/prometheus-community/prom-label-proxy => github.com/prometheus-community/prom-label-proxy v0.2.0
 github.com/prometheus-operator/prometheus-operator => github.com/prometheus-operator/prometheus-operator v0.42.2-0.20200928114327-fbd01683839a
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring => github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.42.1
@@ -735,6 +735,7 @@ replace (
 k8s.io/kubectl => k8s.io/kubectl v0.18.6
 k8s.io/metrics => k8s.io/metrics v0.18.6
 k8s.io/utils => k8s.io/utils v0.0.0-20200603063816-c1c6865ac451
+ kubesphere.io/client-go => ./staging/src/kubesphere.io/client-go
 kubesphere.io/im => kubesphere.io/im v0.1.0
 openpitrix.io/iam => openpitrix.io/iam v0.1.0
 openpitrix.io/libqueue => openpitrix.io/libqueue v0.4.1
@@ -758,6 +759,4 @@ replace (
 sigs.k8s.io/yaml => sigs.k8s.io/yaml v1.2.0
 sourcegraph.com/sourcegraph/appdash => sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0
 vbom.ml/util => vbom.ml/util v0.0.0-20160121211510-db5cfe13f5cc
-
- kubesphere.io/client-go => ./staging/src/kubesphere.io/client-go
 )
diff --git a/go.sum b/go.sum
index ba15f7f70..1cd294de9 100644
--- a/go.sum
+++ b/go.sum
@@ -596,8 +596,8 @@ github.com/projectcalico/go-yaml-wrapper v0.0.0-20161127220527-598e54215bee h1:y
 github.com/projectcalico/go-yaml-wrapper v0.0.0-20161127220527-598e54215bee/go.mod h1:UgC0aTQ2KMDxlX3lU/stndk7DMUBJqzN40yFiILHgxc=
 github.com/projectcalico/kube-controllers v3.8.8+incompatible h1:ZbCg0wJ+gd7i81CB6vOASiUN//oR4ZBl+wEdy0Vk1uI=
 github.com/projectcalico/kube-controllers v3.8.8+incompatible/go.mod h1:ZEafKeKN5wiNARRw1LZP8l10uEfp04C7redU848MMZw=
-github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce h1:O/R67iwUe8TvZwgKbDB2cvF2/8L8PR4zVOcBtYEHD5Y=
-github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce/go.mod h1:z4tuFqrAg/423AMSaDamY5LgqeOZ5ETui6iOxDwJ/ag=
+github.com/projectcalico/libcalico-go v1.7.2-0.20191014160346-2382c6cdd056 h1:qs29Hus4cY8XlsmMLUsSAHT0metSTyqu2Tnpuwy5dkM=
+github.com/projectcalico/libcalico-go v1.7.2-0.20191014160346-2382c6cdd056/go.mod h1:tUt8rirmysRy7TR1S80XDriwBK1z2igwwX79lnUrSf4=
 github.com/prometheus-community/prom-label-proxy v0.2.0 h1:2cNKhNjbTmmEDvBTW/6WUsE2x7bh76rBMZVBn4ey6To=
 github.com/prometheus-community/prom-label-proxy v0.2.0/go.mod h1:XdjyZg7LCbCC5FADHtpgNp6kQ0W9beXVGfmcvndMj5Y=
 github.com/prometheus-operator/prometheus-operator v0.42.2-0.20200928114327-fbd01683839a h1:21yBrtc90hdEhJaL815CHNV0GW0DEdgxDOiL5OYoSHo=
@@ -812,7 +812,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
-gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
diff --git a/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/globalnetworkpolicy.go b/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/globalnetworkpolicy.go
index 7cfd10abf..131a30e9e 100644
--- a/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/globalnetworkpolicy.go
+++ b/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/globalnetworkpolicy.go
@@ -90,7 +90,7 @@ type GlobalNetworkPolicySpec struct {
 // type in {"frontend", "backend"}
 // deployment != "dev"
 // ! has(label_name)
- Selector string `json:"selector,omitempty" validate:"selector"`
+ Selector string `json:"selector" validate:"selector"`
 // Types indicates whether this policy applies to ingress, or to egress, or to both. When
 // not explicitly specified (and so the value on creation is empty or nil), Calico defaults
 // Types according to what Ingress and Egress rules are present in the policy. The
diff --git a/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/ipam_block.go b/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/ipam_block.go
index 745fd4ac8..e0a6dbc1e 100644
--- a/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/ipam_block.go
+++ b/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/ipam_block.go
@@ -43,7 +43,7 @@ type IPAMBlockSpec struct { Allocations []*int `json:"allocations"` Unallocated []int `json:"unallocated"` Attributes []AllocationAttribute `json:"attributes"` - Deleted bool `json:"deleted` + Deleted bool `json:"deleted"` } type AllocationAttribute struct { diff --git a/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/networkpolicy.go b/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/networkpolicy.go index f204acbbe..6e5dcec14 100644 --- a/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/networkpolicy.go +++ b/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/networkpolicy.go @@ -71,7 +71,7 @@ type NetworkPolicySpec struct { // type in {"frontend", "backend"} // deployment != "dev" // ! has(label_name) - Selector string `json:"selector,omitempty" validate:"selector"` + Selector string `json:"selector" validate:"selector"` // Types indicates whether this policy applies to ingress, or to egress, or to both. When // not explicitly specified (and so the value on creation is empty or nil), Calico defaults // Types according to what Ingress and Egress are present in the policy. The diff --git a/vendor/github.com/projectcalico/libcalico-go/lib/backend/k8s/conversion/conversion.go b/vendor/github.com/projectcalico/libcalico-go/lib/backend/k8s/conversion/conversion.go index bf71aee19..8b0c9dec2 100644 --- a/vendor/github.com/projectcalico/libcalico-go/lib/backend/k8s/conversion/conversion.go +++ b/vendor/github.com/projectcalico/libcalico-go/lib/backend/k8s/conversion/conversion.go 
@@ -535,15 +535,45 @@ func (c Converter) k8sRuleToCalico(rPeers []networkingv1.NetworkPolicyPeer, rPor ports = []*networkingv1.NetworkPolicyPort{nil} } - // Combine destinations with sources to generate rules. - // TODO: This currently creates a lot of rules by making every combination of from / ports - // into a rule. We can combine these so that we don't need as many rules! + protocolPorts := map[string][]numorstring.Port{} + for _, port := range ports { protocol, calicoPorts, err := c.k8sPortToCalicoFields(port) if err != nil { return nil, fmt.Errorf("failed to parse k8s port: %s", err) } + // These are either both present or both nil + if protocol == nil && calicoPorts == nil { + // If nil, no ports were specified, or an empty port struct was provided, which we translate to allowing all. + // We want to use a nil protocol and a nil list of ports, which will allow any destination (for ingress). + // Given we're gonna allow all, we may as well break here and keep only this rule + protocolPorts = map[string][]numorstring.Port{"": nil} + break + } + + pStr := protocol.String() + protocolPorts[pStr] = append(protocolPorts[pStr], calicoPorts...) + } + + protocols := make([]string, 0, len(protocolPorts)) + for k := range protocolPorts { + protocols = append(protocols, k) + } + // Ensure deterministic output + sort.Strings(protocols) + + // Combine destinations with sources to generate rules. We generate one rule per protocol, + // with each rule containing all the allowed ports. + for _, protocolStr := range protocols { + calicoPorts := protocolPorts[protocolStr] + + var protocol *numorstring.Protocol + if protocolStr != "" { + p := numorstring.ProtocolFromString(protocolStr) + protocol = &p + } + for _, peer := range peers { selector, nsSelector, nets, notNets := c.k8sPeerToCalicoFields(peer, ns) if ingress { 
diff --git a/vendor/github.com/projectcalico/libcalico-go/lib/backend/model/block.go b/vendor/github.com/projectcalico/libcalico-go/lib/backend/model/block.go index a9de73326..10f55a603 100644 --- a/vendor/github.com/projectcalico/libcalico-go/lib/backend/model/block.go +++ b/vendor/github.com/projectcalico/libcalico-go/lib/backend/model/block.go @@ -120,7 +120,7 @@ func (b *AllocationBlock) IsDeleted() bool { func (b *AllocationBlock) Host() string { if b.Affinity != nil && strings.HasPrefix(*b.Affinity, "host:") { - return strings.TrimPrefix(*b.Affinity, "host:") + return strings.TrimLeft(*b.Affinity, "host:") } return "" } diff --git a/vendor/modules.txt b/vendor/modules.txt index d2a284a80..e6993045b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -471,7 +471,7 @@ github.com/pquerna/cachecontrol/cacheobject # github.com/projectcalico/kube-controllers v3.8.8+incompatible => github.com/projectcalico/kube-controllers v3.8.8+incompatible github.com/projectcalico/kube-controllers/pkg/cache github.com/projectcalico/kube-controllers/pkg/converter -# github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce => github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce +# github.com/projectcalico/libcalico-go v1.7.2-0.20191014160346-2382c6cdd056 => github.com/projectcalico/libcalico-go v1.7.2-0.20191014160346-2382c6cdd056 github.com/projectcalico/libcalico-go/lib/apis/v1 github.com/projectcalico/libcalico-go/lib/apis/v1/unversioned github.com/projectcalico/libcalico-go/lib/apis/v3
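Review bot: `strings.TrimLeft(*b.Affinity, "host:")` in `Host()` treats `"host:"` as a set of characters rather than a prefix, so once the prefix is gone it keeps stripping any leading `h`, `o`, `s`, `t` or `:` from the node name (constructed example: `host:storage-1` yields `rage-1`). Any caller that compares `Host()` with a real hostname would then see a mismatch for such nodes; the callers are not visible in this diff. The removed line, `return strings.TrimPrefix(*b.Affinity, "host:")`, is the correct form. Because this file is vendored, the fix belongs in the `go.mod` pin rather than here: the new `libcalico-go` pseudo-version carries an earlier timestamp (20191014160346) than the one it replaces (20191104213956), so it is worth confirming the downgrade is intended and picking a revision whose `Host()` uses `TrimPrefix`.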