Skip to main content

Host endpoint

A host endpoint resource (HostEndpoint) represents one or more real or virtual interfaces attached to a host that is running Calico Cloud. It enforces Calico Cloud policy on the traffic that is entering or leaving the host's default network namespace through those interfaces.

  • A host endpoint with interfaceName: * represents all of a host's real or virtual interfaces.

  • A host endpoint for one specific real interface is configured by interfaceName: <name-of-that-interface>, for example interfaceName: eth0, or by leaving interfaceName empty and including one of the interface's IPs in expectedIPs.

Each host endpoint may include a set of labels and list of profiles that Calico Cloud will use to apply policy to the interface. If no profiles or labels are applied, Calico Cloud will not apply any policy.

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI:, and abbreviations such as hostendpoint.p and hostendpoints.p.

Default behavior of external traffic to/from host

If a host endpoint is created and network policy is not in place, the Calico Cloud default is to deny traffic to/from that endpoint (except for traffic allowed by failsafe rules). For a named host endpoint (i.e. a host endpoint representing a specific interface), Calico Cloud blocks traffic only to/from the interface specified in the host endpoint. Traffic to/from other interfaces is ignored.


Host endpoints with interfaceName: * do not support untracked policy.

For a wildcard host endpoint (i.e. a host endpoint representing all of a host's interfaces), Calico Cloud blocks traffic to/from all interfaces on the host (except for traffic allowed by failsafe rules).

However, profiles can be used in conjunction with host endpoints to modify default behavior of external traffic to/from the host in the absence of network policy. Calico Cloud provides a default profile resource named projectcalico-default-allow that consists of allow-all ingress and egress rules. Host endpoints with the projectcalico-default-allow profile attached will have "allow-all" semantics instead of "deny-all" in the absence of policy.

Note: If you have custom iptables rules, using host endpoints with allow-all rules (with no policies) will accept all traffic and therefore bypass those custom rules.


Auto host endpoints specify the projectcalico-default-allow profile so they behave similarly to pod workload endpoints.


When rendering security rules on other hosts, Calico Cloud uses the expectedIPs field to resolve label selectors to IP addresses. If the expectedIPs field is omitted then security rules that use labels will fail to match this endpoint.

Host to local workload traffic: Traffic from a host to its workload endpoints (e.g. Kubernetes pods) is always allowed, despite any policy in place. This ensures that kubelet liveness and readiness probes always work.

Sample YAML

kind: HostEndpoint
type: production
interfaceName: eth0
node: myhost
- profile1
- profile2
- name: some-port
port: 1234
protocol: TCP
- name: another-port
port: 5432
protocol: UDP

Host endpoint definition


FieldDescriptionAccepted ValuesSchema
nameThe name of this hostEndpoint. Required.Alphanumeric string with optional ., _, or -.string
labelsA set of labels to apply to this


FieldDescriptionAccepted ValuesSchemaDefault
nodeThe name of the node where this HostEndpoint resides.string
interfaceNameEither * or the name of the specific interface on which to apply policy.string
expectedIPsThe expected IP addresses associated with the interface.Valid IPv4 or IPv6 addresslist
profilesThe list of profiles to apply to the endpoint.list
portsList of named ports that this workload exposes.List of EndpointPorts


An EndpointPort associates a name with a particular TCP/UDP/SCTP port of the endpoint, allowing it to be referenced as a named port in policy rules.

FieldDescriptionAccepted ValuesSchemaDefault
nameThe name to attach to this port, allowing it to be referred to in policy rules. Names must be unique within an endpoint.string
protocolThe protocol of this named port.TCP, UDP, SCTPstring
portThe workload port number.1-65535int

On their own, EndpointPort entries don't result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.

Supported operations

Datastore typeCreate/DeleteUpdateGet/ListNotes
Kubernetes API serverYesYesYes