Workload endpoint

    Each endpoint may specify a set of labels and a list of profiles that Calico will use to apply policy to the interface.

    A workload endpoint is a namespaced resource, which means that a NetworkPolicy in a specific namespace applies only to the WorkloadEndpoints in that namespace. Two resources are in the same namespace if the namespace value is set to the same value on both.

    While calicoctl allows the user to fully manage Workload Endpoint resources, the lifecycle of these resources is generally handled by an orchestrator-specific plugin such as the Calico CNI plugin, the Calico Docker network plugin, or the Calico OpenStack Neutron Driver. In general, we recommend that you only use calicoctl to view this resource type.

    IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.

    Note: On their own, WorkloadEndpointPort entries don’t result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.

    The hostPort and hostIP fields are read-only and determined from Kubernetes hostPort configuration. These fields are used only when host ports are enabled in Calico.
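
The manifests below are an added example, not taken from the Calico documentation, showing how a WorkloadEndpointPort entry only takes effect once a policy in the same namespace refers to it by name. All names, labels, addresses and IDs are constructed sample values; the WorkloadEndpoint is shown for reading only, since the orchestrator plugin normally creates it.

```yaml
# Constructed sample: a workload endpoint as an orchestrator plugin would create it.
apiVersion: projectcalico.org/v3
kind: WorkloadEndpoint
metadata:
  name: node1-k8s-redis--0-eth0      # constructed name
  namespace: production              # policy must live in this namespace to apply
  labels:
    app: redis
spec:
  node: node1
  orchestrator: k8s
  pod: redis-0
  endpoint: eth0
  interfaceName: cali0ef24ba         # constructed interface name
  ipNetworks:
    - 192.168.10.5/32
  ipNATs:                            # one IPNAT entry = one NAT mapping
    - internalIP: 192.168.10.5
      externalIP: 203.0.113.10
  profiles:
    - profile1
  ports:
    - name: redis                    # named port; inert until a policy references it
      port: 6379
      protocol: TCP
---
# Constructed sample: a policy in the SAME namespace that refers to the named port.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-redis
  namespace: production              # same value as the endpoint's namespace
spec:
  selector: app == 'redis'           # selects the endpoint above by label
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP                  # must match the protocol of the named port
      source:
        selector: app == 'frontend'
      destination:
        ports:
          - redis                    # resolves to 6379 on endpoints that declare it
```

If this policy were created in a different namespace, it would not apply to the endpoint even though the selector and port name match.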