From db2d3518d855dbfb6655c6f1a654dd990942f30e Mon Sep 17 00:00:00 2001
From: clarkjohnd <clark.john.d@outlook.com>
Date: Thu, 24 Oct 2024 08:59:41 +0100
Subject: [PATCH] Update clusterLocal docs for exclusions

Signed-off-by: clarkjohnd <clark.john.d@outlook.com>
---
 .../traffic-management/multicluster/index.md       | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/content/en/docs/ops/configuration/traffic-management/multicluster/index.md b/content/en/docs/ops/configuration/traffic-management/multicluster/index.md
index 65c0948a1a080..e5abc7bdf73f8 100644
--- a/content/en/docs/ops/configuration/traffic-management/multicluster/index.md
+++ b/content/en/docs/ops/configuration/traffic-management/multicluster/index.md
@@ -61,6 +61,20 @@ serviceSettings:
 
 {{< /tabset >}}
 
+You can also refine service access down by setting a global cluster-local rule and adding explicit exceptions, which can be specific or wildcard. In the following example, all services in the cluster will be kept cluster-local, except any service in the `myns` namespace.
+
+{{< text yaml >}}
+serviceSettings:
+- settings:
+    clusterLocal: true
+  hosts:
+  - "*"
+- settings:
+    clusterLocal: false
+  hosts:
+  - "*.myns.svc.cluster.local"
+{{< /text >}}
+
 ## Partitioning Services {#partitioning-services}
 
 [`DestinationRule.subsets`](/docs/reference/config/networking/destination-rule/#Subset) allows partitioning a service