
Workload endpoint

A workload endpoint resource (WorkloadEndpoint) represents an interface connecting a Calico Cloud networked container or VM to its host.

Each endpoint may specify a set of labels and list of profiles that Calico Cloud will use to apply policy to the interface.

A workload endpoint is a namespaced resource, which means that a NetworkPolicy in a specific namespace applies only to the WorkloadEndpoints in that namespace. Two resources are in the same namespace if the namespace value is set the same on both.

This resource is not supported in kubectl.


While calicoctl allows the user to fully manage Workload Endpoint resources, the lifecycle of these resources is generally handled by an orchestrator-specific plugin such as the Calico Cloud CNI plugin. In general, we recommend that you only use calicoctl to view this resource type.

Multiple networks

If multiple networks are enabled, workload endpoints will have additional labels which can be used in network policy selectors:

  • The name of the network specified in the NetworkAttachmentDefinition.
  • The namespace the network is in.
  • The network interface for the workload endpoint.

For more information, see the multiple-networks how-to guide.

Sample YAML

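apiVersion: projectcalico.org/v3
kind: WorkloadEndpoint
metadata:
  name: node1-k8s-my--nginx--b1337a-eth0
  namespace: default
  labels:
    app: frontend
    projectcalico.org/namespace: default
    projectcalico.org/orchestrator: k8s
spec:
  node: node1
  orchestrator: k8s
  endpoint: eth0
  # Quoted so the all-digit ID is read as a string, matching the schema
  containerID: "1337495556942031415926535"
  pod: my-nginx-b1337a
  interfaceName: cali0ef24ba
  mac: ca:fe:1d:52:bb:e9
  profiles:
    - profile1
  # Named ports; they only take effect when a policy rule refers to them
  ports:
    - name: some-port
      port: 1234
      protocol: TCP
    - name: another-port
      port: 5432
      protocol: UDP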



| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name of this workload endpoint resource. Required. | Alphanumeric string with optional ., _, or - | string | |
| namespace | Namespace provides an additional qualification to a resource name. | | string | "default" |
| labels | A set of labels to apply to this | | | |


| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| workload | The name of the workload to which this endpoint belongs. | | string | |
| orchestrator | The orchestrator that created this endpoint. | | string | |
| node | The node where this endpoint resides. | | string | |
| containerID | The CNI CONTAINER_ID of the workload endpoint. | | string | |
| pod | Kubernetes pod name for this workload endpoint. | | string | |
| endpoint | Container network interface name. | | string | |
| ipNetworks | The CIDRs assigned to the interface. | | List of strings | |
| ipNATs | List of 1:1 NAT mappings to apply to the endpoint. | | List of IPNATs | |
| awsElasticIPs | List of AWS Elastic IP addresses that should be considered for this workload; only used for workloads in an AWS-backed IP pool. This should be set via the Pod annotation. | | List of valid IP addresses | |
| ipv4Gateway | The gateway IPv4 address for traffic from the workload. | | string | |
| ipv6Gateway | The gateway IPv6 address for traffic from the workload. | | string | |
| profiles | List of profiles assigned to this endpoint. | | List of strings | |
| interfaceName | The name of the host-side interface attached to the workload. | | string | |
| mac | The source MAC address of traffic generated by the workload. | IEEE 802 MAC-48, EUI-48, or EUI-64 | | |
| ports | List of named ports that this workload exposes. | | List of WorkloadEndpointPorts | |


IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| internalIP | The internal IP address of the NAT mapping. | A valid IP address | string | |
| externalIP | The external IP address. | A valid IP address | string | |


A WorkloadEndpointPort associates a name with a particular TCP/UDP/SCTP port of the endpoint, allowing it to be referenced as a named port in policy rules.

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name to attach to this port, allowing it to be referred to in policy rules. Names must be unique within an endpoint. | | string | |
| protocol | The protocol of this named port. | TCP, UDP, SCTP | string | |
| port | The workload port number. | 1-65535 | int | |
| hostPort | Port on the host that is forwarded to this port. | 1-65535 | int | |
| hostIP | IP address on the host on which the hostPort is accessible. | 1-65535 | int | |

On their own, WorkloadEndpointPort entries don't result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.
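
As an added illustration (not part of the original page or of the product's own samples), the following NetworkPolicy shows how the sample endpoint's named ports take effect once a policy refers to them. The policy name and the `role == 'client'` source label are assumptions; the namespace, the `app: frontend` label and the port names come from the sample YAML.

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-named-ports        # hypothetical policy name
  namespace: default                # must match the endpoint's namespace to apply to it
spec:
  # Selects workload endpoints by label; matches the sample endpoint (app: frontend)
  selector: app == 'frontend'
  types:
    - Ingress
  ingress:
    # Named ports are matched by name and protocol together, so the TCP and
    # UDP ports need separate rules.
    - action: Allow
      protocol: TCP
      source:
        selector: role == 'client'  # hypothetical label on permitted callers
      destination:
        ports:
          - some-port               # resolves to 1234/TCP on the sample endpoint
    - action: Allow
      protocol: UDP
      source:
        selector: role == 'client'  # hypothetical label on permitted callers
      destination:
        ports:
          - another-port            # resolves to 5432/UDP on the sample endpoint
```

Because the policy selects an endpoint in its own namespace, all other ingress to that endpoint is no longer allowed by this policy; an endpoint that does not define a port with the referenced name simply has no port matched by that rule.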


The hostPort and hostIP fields are read-only and determined from Kubernetes hostPort configuration. These fields are used only when host ports are enabled in Calico.

Supported operations

| Datastore type | Create/Delete | Update | Get/List | Notes |
|---|---|---|---|---|
| Kubernetes API server | No | Yes | Yes | WorkloadEndpoints are directly tied to a Kubernetes pod. |