diff --git a/calico-cloud/network-policy/hosts/kubernetes-nodes.mdx b/calico-cloud/network-policy/hosts/kubernetes-nodes.mdx index 0f9717c97c..b309935403 100644 --- a/calico-cloud/network-policy/hosts/kubernetes-nodes.mdx +++ b/calico-cloud/network-policy/hosts/kubernetes-nodes.mdx @@ -28,6 +28,10 @@ $[prodname] creates a wildcard host endpoint for each node, with the host endpoi $[prodname] will ensure these managed host endpoints maintain the same labels and IP addresses as its node by periodic syncs. This means that policy targeting these automatic host endpoints will function correctly with the policy put in place to select those nodes, even if over time the node's IPs or labels change. +$[prodname] is also able to create and manage custom host endpoints for nodes, based on user specified templates. +This allows you to fine-tune which interfaces should be included in the host endpoint and for which nodes these host endpoints should be created. +The host endpoint templates can be enabled by updating [KubeControllersConfig](../../reference/resources/kubecontrollersconfig.mdx). + Automatic host endpoints are differentiated from other host endpoints by the label `projectcalico.org/created-by: calico-kube-controllers`. Enable or disable automatic host endpoints by configuring the default KubeControllersConfiguration resource. diff --git a/calico-cloud/reference/resources/kubecontrollersconfig.mdx b/calico-cloud/reference/resources/kubecontrollersconfig.mdx index 47e1a96784..e495c66bc1 100644 --- a/calico-cloud/reference/resources/kubecontrollersconfig.mdx +++ b/calico-cloud/reference/resources/kubecontrollersconfig.mdx 
@@ -2,6 +2,8 @@ description: API for KubeControllersConfiguration resource. --- +import Selectors from '@site/calico-cloud/_includes/content/_selectors.mdx'; + # Kubernetes controllers configuration A $[prodname] [Kubernetes controllers](../component-resources/kube-controllers/configuration.mdx) configuration resource (`KubeControllersConfiguration`) represents configuration options for the $[prodname] Kubernetes controllers. @@ -24,6 +26,14 @@ spec: syncLabels: Enabled hostEndpoint: autoCreate: Disabled + createDefaultHostEndpoint: Enabled + templates: + - name: custom-host-endpoint + interfaceSelectorCIDR: + - 1.2.3.0/24 + nodeSelector: "has(my-label)" + labels: + key: value loadbalancer: assignIPs: AllServices ``` 
@@ -59,18 +69,33 @@ spec: The node controller automatically cleans up configuration for nodes that no longer exist. Optionally, it can create host endpoints for all Kubernetes nodes. -| Field | Description | Accepted Values | Schema | Default | -| ---------------- | --------------------------------------------------------------------------------- | ----------------- | --------------------------------- | ------- | +| Field | Description | Accepted Values | Schema | Default | +| ---------------- | -------------------------------------------------------------------------------- | ----------------- | --------------------------------- | ------- | | reconcilerPeriod | Period to perform reconciliation with the $[prodname] datastore | | [Duration string][parse-duration] | 5m | | syncLabels | When enabled, Kubernetes node labels will be copied to $[prodname] node objects. | Enabled, Disabled | string | Enabled | -| hostEndpoint | Controls allocation of host endpoints | | [HostEndpoint](#hostendpoint) | | -| leakGracePeriod | Grace period to use when garbage collecting suspected leaked IP addresses. | | [Duration string][parse-duration] | 15m | +| hostEndpoint | Configures the host endpoint controller | | [HostEndpoint](#hostendpoint) | | +| leakGracePeriod | Grace period to use when garbage collecting suspected leaked IP addresses. 
| | [Duration string][parse-duration] | 15m | ### HostEndpoint -| Field | Description | Accepted Values | Schema | Default | -| ---------- | ---------------------------------------------------------------- | ----------------- | ------ | -------- | -| autoCreate | When enabled, automatically create a host endpoint for each node | Enabled, Disabled | string | Disabled | +| Field | Description | Accepted Values | Schema | Default | +| ------------------------- | ---------------------------------------------------------------- | ----------------- | --------------------- | -------- | +| autoCreate | When enabled, automatically create host endpoints | Enabled, Disabled | string | Disabled | +| createDefaultHostEndpoint | When enabled, default host endpoint will be created | Enabled, Disabled | string | Enabled | +| templates | Controls creation of custom host endpoints | | [Template](#template) | | + +### Template + +| Field | Description | Accepted Values | Schema | Default | +| ------------------------- | ----------------------------------------------------------------------------------- | ------------------- | ----------------------------------- | -------- | +| name | Unique name used as suffix for host endpoints created based on this template | Alphanumeric string | string | | +| nodeSelector | Selects the nodes for which this template should create host endpoints | | [Selector](#selectors) | all() | +| interfaceSelectorCIDR | List of networks specified in CIDR notation | List of valid CIDRs | List string | | +| labels | Labels to be added to generated host endpoints matching this template | | map of string key to string values | | + +### Selectors + + ### FederatedServicesController diff --git a/calico-enterprise/network-policy/hosts/kubernetes-nodes.mdx b/calico-enterprise/network-policy/hosts/kubernetes-nodes.mdx index c150726e5a..8fb50e17e3 100644 --- a/calico-enterprise/network-policy/hosts/kubernetes-nodes.mdx 
+++ b/calico-enterprise/network-policy/hosts/kubernetes-nodes.mdx @@ -28,6 +28,10 @@ $[prodname] creates a wildcard host endpoint for each node, with the host endpoi $[prodname] will ensure these managed host endpoints maintain the same labels and IP addresses as its node by periodic syncs. This means that policy targeting these automatic host endpoints will function correctly with the policy put in place to select those nodes, even if over time the node's IPs or labels change. +$[prodname] is also able to create and manage custom host endpoints for nodes, based on user specified templates. +This allows you to fine-tune which interfaces should be included in the host endpoint and for which nodes these host endpoints should be created. +The host endpoint templates can be enabled by updating [KubeControllersConfig](../../reference/resources/kubecontrollersconfig.mdx). + Automatic host endpoints are differentiated from other host endpoints by the label `projectcalico.org/created-by: calico-kube-controllers`. Enable or disable automatic host endpoints by configuring the default KubeControllersConfiguration resource. diff --git a/calico-enterprise/reference/resources/kubecontrollersconfig.mdx b/calico-enterprise/reference/resources/kubecontrollersconfig.mdx index f528c9cdca..a50e9be1fc 100644 --- a/calico-enterprise/reference/resources/kubecontrollersconfig.mdx +++ b/calico-enterprise/reference/resources/kubecontrollersconfig.mdx @@ -2,6 +2,8 @@ description: API for KubeControllersConfiguration resource. --- +import Selectors from '@site/calico-enterprise/_includes/content/_selectors.mdx'; + # Kubernetes controllers configuration A $[prodname] [Kubernetes controllers](../component-resources/kube-controllers/configuration.mdx) configuration resource (`KubeControllersConfiguration`) represents configuration options for the $[prodname] Kubernetes controllers. 
@@ -24,6 +26,14 @@ spec: syncLabels: Enabled hostEndpoint: autoCreate: Disabled + createDefaultHostEndpoint: Enabled + templates: + - name: custom-host-endpoint + interfaceSelectorCIDR: + - 1.2.3.0/24 + nodeSelector: "has(my-label)" + labels: + key: value loadbalancer: assignIPs: AllServices ``` 
@@ -58,18 +68,33 @@ spec: The node controller automatically cleans up configuration for nodes that no longer exist. Optionally, it can create host endpoints for all Kubernetes nodes. -| Field | Description | Accepted Values | Schema | Default | -| ---------------- | --------------------------------------------------------------------------------- | ----------------- | --------------------------------- | ------- | +| Field | Description | Accepted Values | Schema | Default | +| ---------------- | -------------------------------------------------------------------------------- | ----------------- | --------------------------------- | ------- | | reconcilerPeriod | Period to perform reconciliation with the $[prodname] datastore | | [Duration string][parse-duration] | 5m | | syncLabels | When enabled, Kubernetes node labels will be copied to $[prodname] node objects. | Enabled, Disabled | string | Enabled | -| hostEndpoint | Controls allocation of host endpoints | | [HostEndpoint](#hostendpoint) | | -| leakGracePeriod | Grace period to use when garbage collecting suspected leaked IP addresses. | | [Duration string][parse-duration] | 15m | +| hostEndpoint | Configures the host endpoint controlle | | [HostEndpoint](#hostendpoint) | | +| leakGracePeriod | Grace period to use when garbage collecting suspected leaked IP addresses. 
| | [Duration string][parse-duration] | 15m | ### HostEndpoint -| Field | Description | Accepted Values | Schema | Default | -| ---------- | ---------------------------------------------------------------- | ----------------- | ------ | -------- | -| autoCreate | When enabled, automatically create a host endpoint for each node | Enabled, Disabled | string | Disabled | +| Field | Description | Accepted Values | Schema | Default | +| ------------------------- | ---------------------------------------------------------------- | ----------------- | --------------------- | -------- | +| autoCreate | When enabled, automatically create host endpoints | Enabled, Disabled | string | Disabled | +| createDefaultHostEndpoint | When enabled, default host endpoint will be created | Enabled, Disabled | string | Enabled | +| templates | Controls creation of custom host endpoints | | [Template](#template) | | + +### Template + +| Field | Description | Accepted Values | Schema | Default | +| ------------------------- | ----------------------------------------------------------------------------------- | ------------------- | ----------------------------------- | -------- | +| name | Unique name used as suffix for host endpoints created based on this template | Alphanumeric string | string | | +| nodeSelector | Selects the nodes for which this template should create host endpoints | | [Selector](#selectors) | all() | +| interfaceSelectorCIDR | List of networks specified in CIDR notation | List of valid CIDRs | List string | | +| labels | Labels to be added to generated host endpoints matching this template | | map of string key to string values | | + +### Selectors + + ### FederatedServicesController diff --git a/calico/network-policy/hosts/kubernetes-nodes.mdx b/calico/network-policy/hosts/kubernetes-nodes.mdx index a5f98de4e7..46c673c13b 100644 --- a/calico/network-policy/hosts/kubernetes-nodes.mdx +++ b/calico/network-policy/hosts/kubernetes-nodes.mdx 
@@ -28,6 +28,10 @@ $[prodname] creates a wildcard host endpoint for each node, with the host endpoi $[prodname] will ensure these managed host endpoints maintain the same labels and IP addresses as its node by periodic syncs. This means that policy targeting these automatic host endpoints will function correctly with the policy put in place to select those nodes, even if over time the node's IPs or labels change. +$[prodname] is also able to create and manage custom host endpoints for nodes, based on user specified templates. +This allows you to fine-tune which interfaces should be included in the host endpoint and for which nodes these host endpoints should be created. +The host endpoint templates can be enabled by updating [KubeControllersConfig](../../reference/resources/kubecontrollersconfig.mdx). + Automatic host endpoints are differentiated from other host endpoints by the label `projectcalico.org/created-by: calico-kube-controllers`. Enable or disable automatic host endpoints by configuring the default KubeControllersConfiguration resource. diff --git a/calico/reference/resources/kubecontrollersconfig.mdx b/calico/reference/resources/kubecontrollersconfig.mdx index 686a66bde8..32edc2db2c 100644 --- a/calico/reference/resources/kubecontrollersconfig.mdx +++ b/calico/reference/resources/kubecontrollersconfig.mdx @@ -2,6 +2,8 @@ description: API for KubeControllersConfiguration resource. --- +import Selectors from '@site/calico/_includes/content/_selectors.mdx'; + # Kubernetes controllers configuration A $[prodname] [Kubernetes controllers](../kube-controllers/configuration.mdx) configuration resource (`KubeControllersConfiguration`) represents configuration options for the $[prodname] Kubernetes controllers. 
@@ -25,6 +27,14 @@ spec: syncLabels: Enabled hostEndpoint: autoCreate: Disabled + createDefaultHostEndpoint: Enabled + templates: + - name: custom-host-endpoint + interfaceSelectorCIDR: + - 1.2.3.0/24 + nodeSelector: "has(my-label)" + labels: + key: value policy: reconcilerPeriod: 5m workloadEndpoint: 
@@ -73,16 +83,31 @@ The node controller automatically cleans up configuration for nodes that no long | Field | Description | Accepted Values | Schema | Default | | ---------------- | --------------------------------------------------------------------------------- | ----------------- | --------------------------------- | ------- | -| reconcilerPeriod | Period to perform reconciliation with the $[prodname] datastore | | [Duration string][parse-duration] | 5m | -| syncLabels | When enabled, Kubernetes node labels will be copied to $[prodname] node objects. | Enabled, Disabled | string | Enabled | -| hostEndpoint | Controls allocation of host endpoints | | [HostEndpoint](#hostendpoint) | | +| reconcilerPeriod | Period to perform reconciliation with the $[prodname] datastore | | [Duration string][parse-duration] | 5m | +| syncLabels | When enabled, Kubernetes node labels will be copied to $[prodname] node objects. | Enabled, Disabled | string | Enabled | +| hostEndpoint | Configures the host endpoint controller | | [HostEndpoint](#hostendpoint) | | | leakGracePeriod | Grace period to use when garbage collecting suspected leaked IP addresses. 
| | [Duration string][parse-duration] | 15m | ### HostEndpoint -| Field | Description | Accepted Values | Schema | Default | -| ---------- | ---------------------------------------------------------------- | ----------------- | ------ | -------- | -| autoCreate | When enabled, automatically create a host endpoint for each node | Enabled, Disabled | string | Disabled | +| Field | Description | Accepted Values | Schema | Default | +| ------------------------- | ---------------------------------------------------------------- | ----------------- | --------------------- | -------- | +| autoCreate | When enabled, automatically create host endpoints | Enabled, Disabled | string | Disabled | +| createDefaultHostEndpoint | When enabled, default host endpoint will be created | Enabled, Disabled | string | Enabled | +| templates | Controls creation of custom host endpoints | | [Template](#template) | | + +### Template + +| Field | Description | Accepted Values | Schema | Default | +| ------------------------- | ----------------------------------------------------------------------------------- | ------------------- | ----------------------------------- | -------- | +| name | Unique name used as suffix for host endpoints created based on this template | Alphanumeric string | string | | +| nodeSelector | Selects the nodes for which this template should create host endpoints | | [Selector](#selectors) | all() | +| interfaceSelectorCIDR | List of networks specified in CIDR notation | List of valid CIDRs | List string | | +| labels | Labels to be added to generated host endpoints matching this template | | map of string key to string values | | + +### Selectors + + ### PolicyController
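Review bot: typo in the calico-enterprise kubecontrollersconfig.mdx NodeController table hunk: the new `hostEndpoint` row reads "Configures the host endpoint controlle" (missing the final "r"); the matching rows in the calico-cloud and calico hunks say "Configures the host endpoint controller", so the enterprise copy should be aligned with them.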
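Review bot: in each of the three kubecontrollersconfig.mdx hunks, the `Selectors` import is added at the top of the file and a `### Selectors` heading is added at the bottom, but in the lines visible here the section body under that heading is empty (two blank lines before `### FederatedServicesController` / `### PolicyController`). Please confirm the `<Selectors />` component is actually rendered there; otherwise the `[Selector](#selectors)` link in the Template table points at an empty section and the import is unused.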
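Review bot: the Template table's `name` row lists the accepted values as "Alphanumeric string", yet the example above it uses `name: custom-host-endpoint`, which contains hyphens. Either the accepted-values cell should describe the real constraint (for example, a valid Kubernetes-style name including hyphens) or the example should use a name the stated rule permits. The same row says the name is used "as suffix for host endpoints"; stating the resulting naming scheme (node name plus suffix, or whatever the controller produces) would let operators write policy selectors and audit queries against the generated objects.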
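Review bot: the HostEndpoint table does not say how the three new knobs interact. `autoCreate` is documented as "When enabled, automatically create host endpoints" and defaults to Disabled, while `createDefaultHostEndpoint` defaults to Enabled; it is unclear whether `createDefaultHostEndpoint` and `templates` have any effect when `autoCreate` is Disabled, and whether a node matched by a template also gets the wildcard default endpoint when `createDefaultHostEndpoint` is Enabled. Since host endpoints change which node traffic is subject to policy, please spell out the precedence in the descriptions (for instance, "Only applies when autoCreate is Enabled").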
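Review bot: the `interfaceSelectorCIDR` row describes the field only as "List of networks specified in CIDR notation", but the kubernetes-nodes.mdx hunk says templates let you "fine-tune which interfaces should be included in the host endpoint". The table should state the selection rule (for example, that an interface is included when one of its addresses falls inside a listed CIDR) and what an empty list means, so readers know exactly which interfaces end up covered by policy. Two smaller points in the same table: the Schema cells use "List string" and "map of string key to string values", which would read more consistently as "list of strings" and "map of string to string", matching the existing tables' style.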
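Review bot: the example `KubeControllersConfiguration` in all three resource hunks uses `1.2.3.0/24`, which is publicly routed address space. Documentation examples should use a reserved documentation range such as `192.0.2.0/24` (RFC 5737) so that copy-pasted configuration cannot accidentally match real interfaces.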
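Review bot: in the kubernetes-nodes.mdx hunks, the added paragraph links to "[KubeControllersConfig](...)" while the unchanged line immediately below it refers to the resource as `KubeControllersConfiguration`; using the real resource name in the link text avoids suggesting a different object exists. Also "user specified templates" should be hyphenated as "user-specified templates", and the paragraph could say whether templated host endpoints carry the same `projectcalico.org/created-by: calico-kube-controllers` label mentioned in the following line, since that label is what distinguishes controller-managed endpoints from hand-made ones.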