Creating host endpoint objects

There are two ways to specify the interface that a host endpoint refers to: by the interface's name or by its expected IP address. In either case you also need the name of the Calico node running on the host that owns the interface; in most cases this is the same as the host's hostname.

For example, to secure the interface named eth0 with IP 10.0.0.1 on host my-host, run the command below. The endpoint name is an arbitrary string used only to identify the endpoint. When running the command, replace the placeholders in angle brackets with values appropriate for your deployment.

Note: <list of profile IDs> is an optional list of security profiles to apply to the endpoint, and labels contains a set of arbitrary key/value pairs that can be used in selector expressions.

Note: When rendering security rules on other hosts, Calico uses the expectedIPs field to resolve label selectors to IP addresses. If the field is omitted, security rules that use labels will fail to match this endpoint.

Or, if you know that the IP address should be 10.0.0.1 but not the name of the interface:

After you create host endpoint objects, Felix will start policing traffic to/from that interface. If you have no policy or profiles in place, you should see traffic being dropped on the interface.

By default, Calico has a failsafe in place that allows certain traffic, such as SSH. See below for details on disabling or configuring the failsafe rules.

If you don't see traffic being dropped, check the hostname, IP address and (if used) the interface name in the configuration. If there is something wrong with the endpoint data, Felix logs a validation error at WARNING level and ignores the endpoint.

A grep through the Felix logs for the string "Validation failed" should locate the error.

An example error follows.
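The two manifest shapes described above (interface name, or expected IP only), a check for the expectedIPs caveat, and the "Validation failed" grep from the troubleshooting steps, as an added shell example that is not part of the Calico docs or the Calico project's code. The field names (apiVersion projectcalico.org/v3, kind HostEndpoint, spec.node, spec.interfaceName, spec.expectedIPs, spec.profiles, metadata.labels) are those of the Calico v3 HostEndpoint API; the endpoint names, the profile name my-profile, the label env=prod and the sample log lines are constructed for this example, and the log line format is illustrative rather than copied from a real Felix log.

```shell
#!/bin/sh
# Added example, not part of the Calico docs or project. Renders a
# HostEndpoint manifest from shell variables, warns when expectedIPs is
# missing, and scans Felix log lines for "Validation failed".

# render_hostendpoint NAME NODE IFACE IPS PROFILES LABELS
#   IFACE and IPS may be "" to leave that field out. IPS, PROFILES and
#   LABELS are space-separated lists, e.g. "10.0.0.1 10.0.0.2",
#   "prof1 prof2", "env=prod role=db".
render_hostendpoint() {
    name=$1; node=$2; iface=$3; ips=$4; profiles=$5; labels=$6
    printf 'apiVersion: projectcalico.org/v3\nkind: HostEndpoint\n'
    printf 'metadata:\n  name: %s\n' "$name"
    if [ -n "$labels" ]; then
        printf '  labels:\n'
        for kv in $labels; do
            printf '    %s: "%s"\n' "${kv%%=*}" "${kv#*=}"
        done
    fi
    printf 'spec:\n  node: %s\n' "$node"
    if [ -n "$iface" ]; then
        printf '  interfaceName: %s\n' "$iface"
    fi
    if [ -n "$ips" ]; then
        printf '  expectedIPs:\n'
        for ip in $ips; do printf '  - %s\n' "$ip"; done
    fi
    if [ -n "$profiles" ]; then
        printf '  profiles:\n'
        for p in $profiles; do printf '  - %s\n' "$p"; done
    fi
}

# check_expected_ips: read a manifest on stdin; succeed if it sets
# expectedIPs, otherwise warn and fail. Without expectedIPs, label
# selectors rendered on other hosts cannot resolve this endpoint to an IP.
check_expected_ips() {
    if grep -q '^  expectedIPs:'; then
        return 0
    fi
    echo "warning: expectedIPs not set; label selectors on other hosts will not match this endpoint" >&2
    return 1
}

# find_validation_errors: print the Felix log lines on stdin that report a
# rejected endpoint (Felix logs these at WARNING and ignores the endpoint).
find_validation_errors() {
    grep 'Validation failed'
}

# Constructed sample log lines; the format is illustrative only.
FELIX_LOG_SAMPLE='2024-05-01 10:00:00.000 [INFO][101] calc_graph.go 120: Processing HostEndpoint update name=my-host-eth0
2024-05-01 10:00:00.100 [WARNING][101] validation_filter.go 70: Validation failed; ignoring endpoint name=my-host-eth0 error="expectedIPs: invalid IP address 10.0.0"
2024-05-01 10:00:00.200 [INFO][101] int_dataplane.go 300: Applying dataplane updates'

# The eth0 endpoint from the text above. On a real cluster, pipe the
# manifest to "calicoctl create -f -" instead of printing it.
MANIFEST=$(render_hostendpoint my-host-eth0 my-host eth0 "10.0.0.1" "my-profile" "env=prod")
printf '%s\n' "$MANIFEST"
printf '%s\n' "$MANIFEST" | check_expected_ips

# The same host specified by IP only, when the interface name is unknown.
render_hostendpoint my-host-10-0-0-1 my-host "" "10.0.0.1" "" "env=prod"

# A manifest without expectedIPs triggers the warning (exit status 1).
if ! render_hostendpoint my-host-eth0 my-host eth0 "" "" "" | check_expected_ips; then
    echo "fix: add expectedIPs before applying this endpoint" >&2
fi

# Locate the validation error in the (constructed) Felix log.
printf '%s\n' "$FELIX_LOG_SAMPLE" | find_validation_errors
```

On a real host, replace the constructed log sample with the Felix log file (or `journalctl -u calico-node` output, depending on how calico-node is run) piped into find_validation_errors, and feed the rendered manifest to calicoctl rather than printing it.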