Workload endpoint

A workload endpoint resource (WorkloadEndpoint) represents an interface connecting a Calico networked container or VM to its host.

Each endpoint may specify a set of labels and list of profiles that Calico will use to apply policy to the interface.

A workload endpoint is a namespaced resource, which means that a NetworkPolicy in a given namespace applies only to the WorkloadEndpoints in that same namespace. Two resources are in the same namespace when the namespace value is set to the same string on both.

Note

While calicoctl allows the user to fully manage Workload Endpoint resources, the lifecycle of these resources is generally handled by an orchestrator-specific plugin such as the Calico CNI plugin, the Calico Docker network plugin, or the Calico OpenStack Neutron Driver. In general, we recommend that you only use calicoctl to view this resource type.

Sample YAML

apiVersion: projectcalico.org/v3
kind: WorkloadEndpoint
metadata:
  name: node1-k8s-my--nginx--b1337a-eth0
  namespace: default
  labels:
    app: frontend
    projectcalico.org/namespace: default
    projectcalico.org/orchestrator: k8s
spec:
  node: node1
  orchestrator: k8s
  containerID: 1337495556942031415926535
  pod: my-nginx-b1337a
  endpoint: eth0
  interfaceName: cali0ef24ba
  mac: ca:fe:1d:52:bb:e9
  ipNetworks:
  - 192.168.0.0/32
  profiles:
  - profile1
  ports:
  - name: some-port
    port: 1234
    protocol: TCP
  - name: another-port
    port: 5432
    protocol: UDP

Definitions

Metadata

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name of this workload endpoint resource. Required. | Alphanumeric string with optional `.`, `_`, or `-` | string | |
| namespace | Namespace provides an additional qualification to a resource name. | | string | "default" |
| labels | A set of labels to apply to this endpoint. | | map | |

Spec

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| workload | The name of the workload to which this endpoint belongs. | | string | |
| orchestrator | The orchestrator that created this endpoint. | | string | |
| node | The node where this endpoint resides. | | string | |
| containerID | The CNI CONTAINER_ID of the workload endpoint. | | string | |
| pod | Kubernetes pod name for this workload endpoint. | | string | |
| endpoint | Container network interface name. | | string | |
| ipNetworks | The CIDRs assigned to the interface. | | List of strings | |
| ipNATs | List of 1:1 NAT mappings to apply to the endpoint. | | List of IPNATs | |
| ipv4Gateway | The gateway IPv4 address for traffic from the workload. | | string | |
| ipv6Gateway | The gateway IPv6 address for traffic from the workload. | | string | |
| profiles | List of profiles assigned to this endpoint. | | List of strings | |
| interfaceName | The name of the host-side interface attached to the workload. | | string | |
| mac | The source MAC address of traffic generated by the workload. | IEEE 802 MAC-48, EUI-48, or EUI-64 | string | |
| ports | List of named ports that this workload exposes. | | List of WorkloadEndpointPorts | |

IPNAT

IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| internalIP | The internal IP address of the NAT mapping. | A valid IP address | string | |
| externalIP | The external IP address. | A valid IP address | string | |

EndpointPort

A WorkloadEndpointPort associates a name with a particular TCP/UDP/SCTP port of the endpoint, allowing it to be referenced as a named port in policy rules.

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name to attach to this port, allowing it to be referred to in policy rules. Names must be unique within an endpoint. | | string | |
| protocol | The protocol of this named port. | TCP, UDP, SCTP | string | |
| port | The workload port number. | 1-65535 | int | |
| hostPort | Port on the host that is forwarded to this port. | 1-65535 | int | |
| hostIP | IP address on the host on which the hostPort is accessible. | A valid IP address | string | |

Note

On their own, WorkloadEndpointPort entries don’t result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.

Note

The hostPort and hostIP fields are read-only and determined from Kubernetes hostPort configuration. These fields are used only when host ports are enabled in Calico.
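The following is an added example, not from the Calico documentation or the Calico project, showing the two notes above end to end: a pod whose container port is named and bound to a host port, and a Calico NetworkPolicy in the same namespace that selects the endpoint by label and refers to the port by name. Calico's Kubernetes integration populates the WorkloadEndpoint's ports list (including the read-only hostPort) from the container ports declared in the pod; the pod name, label values, image, port numbers and the `role == 'client'` source selector are assumptions chosen for illustration.

```yaml
# Added example (assumed names and values, not from the Calico docs).
# A pod with a named container port; Calico derives the WorkloadEndpoint's
# ports entry (name, protocol, port, hostPort) from this declaration.
apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-b1337a
  namespace: default
  labels:
    app: frontend
spec:
  containers:
  - name: nginx
    image: nginx:1.25
    ports:
    - name: some-port
      containerPort: 1234
      protocol: TCP
      hostPort: 31234   # surfaces as hostPort on the WorkloadEndpoint (read-only)
---
# The named port has no effect on connectivity until a policy refers to it.
# This policy lives in the same namespace as the endpoint, so it applies.
# A named port only matches when the rule's protocol equals the port's protocol.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-clients-to-some-port
  namespace: default
spec:
  selector: app == 'frontend'
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: role == 'client'   # assumed label on the permitted clients
    destination:
      ports:
      - some-port                  # resolved per endpoint to port 1234/TCP
```

Because the port is resolved by name on each selected endpoint, the policy keeps working if the container port number changes, as long as the name and protocol stay the same; a rule with `protocol: UDP` would not match `some-port`, since the named port is TCP.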

Supported operations

| Datastore type | Create/Delete | Update | Get/List | Notes |
|---|---|---|---|---|
| etcdv3 | Yes | Yes | Yes | |
| Kubernetes API server | No | Yes | Yes | WorkloadEndpoints are directly tied to a Kubernetes pod. |