Workload endpoint


A workload endpoint resource (WorkloadEndpoint) represents an interface connecting a Calico networked container or VM to its host.

Each endpoint may specify a set of labels and list of profiles that Calico will use to apply policy to the interface.

A workload endpoint is a namespaced resource, that means a NetworkPolicy in a specific namespace only applies to the WorkloadEndpoint in that namespace. Two resources are in the same namespace if the namespace value is set the same on both.

Note: While calicoctl allows the user to fully manage Workload Endpoint resources, the lifecycle of these resources is generally handled by an orchestrator-specific plugin such as the Calico CNI plugin, the Calico Docker network plugin, or the Calico OpenStack Neutron Driver. In general, we recommend that you only use calicoctl to view this resource type.

Sample YAML

kind: WorkloadEndpoint
  name: node1-k8s-my--nginx--b1337a-eth0
  namespace: default
    app: frontend default k8s
  node: node1
  orchestrator: k8s
  endpoint: eth0
  containerID: 1337495556942031415926535
  pod: my-nginx-b1337a
  endpoint: eth0
  interfaceName: cali0ef24ba
  mac: ca:fe:1d:52:bb:e9
  - profile1
  - name: some-port
    port: 1234
    protocol: TCP
  - name: another-port
    port: 5432
    protocol: UDP



Field Description Accepted Values Schema Default
name The name of this workload endpoint resource. Required. Alphanumeric string with optional ., _, or - string  
namespace Namespace provides an additional qualification to a resource name.   string “default”
labels A set of labels to apply to this endpoint.   map  


Field Description Accepted Values Schema Default
workload The name of the workload to which this endpoint belongs.   string  
orchestrator The orchestrator that created this endpoint.   string  
node The node where this endpoint resides.   string  
containerID The CNI CONTAINER_ID of the workload endpoint.   string  
pod Kubernetes pod name for this workload endpoint.   string  
endpoint Container network interface name.   string  
ipNetworks The CIDRs assigned to the interface.   List of strings  
ipNATs List of 1:1 NAT mappings to apply to the endpoint.   List of IPNATs  
ipv4Gateway The gateway IPv4 address for traffic from the workload.   string  
ipv6Gateway The gateway IPv6 address for traffic from the workload.   string  
profiles List of profiles assigned to this endpoint.   List of strings  
interfaceName The name of the host-side interface attached to the workload.   string  
mac The source MAC address of traffic generated by the workload.   IEEE 802 MAC-48, EUI-48, or EUI-64  
ports List on named ports that this workload exposes.   List of WorkloadEndpointPorts  


IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.

Field Description Accepted Values Schema Default
internalIP The internal IP address of the NAT mapping. A valid IP address string  
externalIP The external IP address. A valid IP address string  


A WorkloadEndpointPort associates a name with a particular TCP/UDP/SCTP port of the endpoint, allowing it to be referenced as a named port in policy rules.

Field Description Accepted Values Schema Default
name The name to attach to this port, allowing it to be referred to in policy rules. Names must be unique within an endpoint.   string  
protocol The protocol of this named port. TCP, UDP, SCTP string  
port The workload port number. 1-65535 int  
hostPort Port on the host that is forwarded to this port. 1-65535 int  
hostIP IP address on the host on which the hostPort is accessible. 1-65535 int  

Note: On their own, WorkloadEndpointPort entries don’t result in any change to the connectivity of the port. They only have an effect if they are referred to in policy.

Note: The hostPort and hostIP fields are read-only and determined from Kubernetes hostPort configuration. These fields are used only when host ports are enabled in Calico.

Supported operations

Datastore type Create/Delete Update Get/List Notes
etcdv3 Yes Yes Yes  
Kubernetes API server No Yes Yes WorkloadEndpoints are directly tied to a Kubernetes pod.