Workload Endpoint Resource (WorkloadEndpoint)

A workload endpoint resource (WorkloadEndpoint) represents an interface connecting a Calico networked container or VM to its host.

Each endpoint may specify a set of labels and list of profiles that Calico will use to apply policy to the interface.

A workload endpoint is a namespaced resource, that means a NetworkPolicy in a specific namespace only applies to the WorkloadEndpoint in that namespace. Two resources are in the same namespace if the namespace value is set the same on both.

For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case insensitive): workloadendpoint, workloadendpoints, wep, weps.

Note: While calicoctl allows the user to fully manage Workload Endpoint resources, the lifecycle of these resources is generally handled by an orchestrator-specific plugin such as the Calico CNI plugin. In general, we recommend that you only use calicoctl to view this resource type.

Sample YAML

apiVersion: projectcalico.org/v3
kind: WorkloadEndpoint
metadata:
  name: node1-k8s-my--nginx--b1337a-eth0
  namespace: default
  labels:
    app: frontend
    projectcalico.org/namespace: default
    projectcalico.org/orchestrator: k8s
spec:
  node: node1
  orchestrator: k8s
  endpoint: eth0
  containerID: 1337495556942031415926535
  pod: my-nginx-b1337a
  endpoint: eth0
  interfaceName: cali0ef24ba
  mac: ca:fe:1d:52:bb:e9
  ipNetworks:
  - 192.168.0.0/32
  profiles:
  - profile1
  ports:
  - name: some-port
    port: 1234
    protocol: TCP
  - name: another-port
    port: 5432
    protocol: UDP

Definitions

Metadata

Field Description Accepted Values Schema Default
name The name of this workload endpoint resource. Required. Alphanumeric string with optional ., _, or - string  
namespace Namespace provides an additional qualification to a resource name.   string “default”
labels A set of labels to apply to this endpoint.   map  

Spec

Field Description Accepted Values Schema Default
workload The name of the workload to which this endpoint belongs.   string  
orchestrator The orchestrator that created this endpoint.   string  
node The node where this endpoint resides.   string  
containerID The CNI CONTAINER_ID of the workload endpoint.   string  
pod Kubernetes pod name for this woekload endpoint.   string  
endpoint Container network interface name.   string  
ipNetworks The CIDRs assigned to the interface.   List of strings  
ipNATs List of 1:1 NAT mappings to apply to the endpoint.   List of IPNATs  
ipv4Gateway The gateway IPv4 address for traffic from the workload.   string  
ipv6Gateway The gateway IPv6 address for traffic from the workload.   string  
profiles List of profiles assigned to this endpoint.   List of strings  
interfaceName The name of the host-side interface attached to the workload.   string  
mac The source MAC address of traffic generated by the workload.   IEEE 802 MAC-48, EUI-48, or EUI-64  
ports List on named ports that this workload exposes.   List of EndpointPorts  

IPNAT

IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.

Field Description Accepted Values Schema Default
internalIP The internal IP address of the NAT mapping. A valid IP address string  
externalIP The external IP address. A valid IP address string  

EndpointPort

An EndpointPort associates a name with a particular TCP/UDP port of the endpoint, allowing it to be referenced as a named port in policy rules.

Field Description Accepted Values Schema Default
name The name to attach to this port, allowing it to be referred to in policy rules. Names must be unique within an endpoint.   string  
protocol The protocol of this named port. TCP, UDP string  
port The workload port number. 1-65535 int  

Note: On their own, EndpointPort entries don’t result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.

Supported operations

Datastore type Create/Delete Update Get/List Notes
etcdv3 Yes Yes Yes  
Kubernetes API server No Yes Yes WorkloadEndpoints are directly tied to a Kubernetes pod.