Skip to main content
Version: 3.28 (latest)

Workload endpoint

A workload endpoint resource (WorkloadEndpoint) represents an interface connecting a Calico networked container or VM to its host.

Each endpoint may specify a set of labels and list of profiles that Calico will use to apply policy to the interface.

A workload endpoint is a namespaced resource, that means a NetworkPolicy in a specific namespace only applies to the WorkloadEndpoint in that namespace. Two resources are in the same namespace if the namespace value is set the same on both.

note

While calicoctl allows the user to fully manage Workload Endpoint resources, the lifecycle of these resources is generally handled by an orchestrator-specific plugin such as the Calico CNI plugin, the Calico Docker network plugin, or the Calico OpenStack Neutron Driver. In general, we recommend that you only use calicoctl to view this resource type.

Sample YAML

apiVersion: projectcalico.org/v3
kind: WorkloadEndpoint
metadata:
name: node1-k8s-my--nginx--b1337a-eth0
namespace: default
labels:
app: frontend
projectcalico.org/namespace: default
projectcalico.org/orchestrator: k8s
spec:
node: node1
orchestrator: k8s
endpoint: eth0
containerID: 1337495556942031415926535
pod: my-nginx-b1337a
endpoint: eth0
interfaceName: cali0ef24ba
mac: ca:fe:1d:52:bb:e9
ipNetworks:
- 192.168.0.0/32
profiles:
- profile1
ports:
- name: some-port
port: 1234
protocol: TCP
- name: another-port
port: 5432
protocol: UDP

Definitions

Metadata

FieldDescriptionAccepted ValuesSchemaDefault
nameThe name of this workload endpoint resource. Required.Alphanumeric string with optional ., _, or -string
namespaceNamespace provides an additional qualification to a resource name.string"default"
labelsA set of labels to apply to this endpoint.map

Spec

FieldDescriptionAccepted ValuesSchemaDefault
workloadThe name of the workload to which this endpoint belongs.string
orchestratorThe orchestrator that created this endpoint.string
nodeThe node where this endpoint resides.string
containerIDThe CNI CONTAINER_ID of the workload endpoint.string
podKubernetes pod name for this workload endpoint.string
endpointContainer network interface name.string
ipNetworksThe CIDRs assigned to the interface.List of strings
ipNATsList of 1:1 NAT mappings to apply to the endpoint.List of IPNATs
ipv4GatewayThe gateway IPv4 address for traffic from the workload.string
ipv6GatewayThe gateway IPv6 address for traffic from the workload.string
profilesList of profiles assigned to this endpoint.List of strings
interfaceNameThe name of the host-side interface attached to the workload.string
macThe source MAC address of traffic generated by the workload.IEEE 802 MAC-48, EUI-48, or EUI-64
portsList on named ports that this workload exposes.List of WorkloadEndpointPorts

IPNAT

IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.

FieldDescriptionAccepted ValuesSchemaDefault
internalIPThe internal IP address of the NAT mapping.A valid IP addressstring
externalIPThe external IP address.A valid IP addressstring

EndpointPort

A WorkloadEndpointPort associates a name with a particular TCP/UDP/SCTP port of the endpoint, allowing it to be referenced as a named port in policy rules.

FieldDescriptionAccepted ValuesSchemaDefault
nameThe name to attach to this port, allowing it to be referred to in policy rules. Names must be unique within an endpoint.string
protocolThe protocol of this named port.TCP, UDP, SCTPstring
portThe workload port number.1-65535int
hostPortPort on the host that is forwarded to this port.1-65535int
hostIPIP address on the host on which the hostPort is accessible.1-65535int
note

On their own, WorkloadEndpointPort entries don't result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.

note

The hostPort and hostIP fields are read-only and determined from Kubernetes hostPort configuration. These fields are used only when host ports are enabled in Calico.

Supported operations

Datastore typeCreate/DeleteUpdateGet/ListNotes
etcdv3YesYesYes
Kubernetes API serverNoYesYesWorkloadEndpoints are directly tied to a Kubernetes pod.