Host Endpoint Resource (HostEndpoint)
A host endpoint resource (
HostEndpoint) represents an interface attached to a host that is running Calico.
Each host endpoint may include a set of labels and list of profiles that Calico will use to apply policy to the interface. If no profiles or labels are applied, Calico will not apply any policy.
calicoctl commands that specify a resource type on the CLI, the following
aliases are supported (all case insensitive):
Default behavior of external traffic to/from host
If a host endpoint is added and network policy is not in place, the Calico default is to deny traffic to/from that endpoint (except for traffic allowed by failsafe rules). For host endpoints, Calico blocks traffic only to/from interfaces that it’s been explicitly told about in network policy. Traffic to/from other interfaces is ignored.
Important: When rendering security rules on other hosts, Calico uses the
expectedIPsfield to resolve label selectors to IP addresses. If the
expectedIPsfield is omitted then security rules that use labels will fail to match this endpoint.
apiVersion: projectcalico.org/v3 kind: HostEndpoint metadata: name: some.name labels: type: production spec: interfaceName: eth0 node: myhost expectedIPs: - 192.168.0.1 - 192.168.0.2 profiles: - profile1 - profile2 ports: - name: some-port port: 1234 protocol: TCP - name: another-port port: 5432 protocol: UDP
|name||The name of this hostEndpoint. Required.||Alphanumeric string with optional
|labels||A set of labels to apply to this endpoint.||map|
|node||The name of the node where this HostEndpoint resides.||string|
|interfaceName||The name of the interface on which to apply policy.||string|
|expectedIPs||The expected IP addresses associated with the interface.||Valid IPv4 or IPv6 address||list|
|profiles||The list of profiles to apply to the endpoint.||list|
|ports||List on named ports that this workload exposes.||List of EndpointPorts|
An EndpointPort associates a name with a particular TCP/UDP port of the endpoint, allowing it to be referenced as a named port in policy rules.
|name||The name to attach to this port, allowing it to be referred to in policy rules. Names must be unique within an endpoint.||string|
|protocol||The protocol of this named port.||
|port||The workload port number.||
Note: On their own, EndpointPort entries don’t result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.
|Kubernetes API server||Yes||Yes||Yes|