diff --git a/calico/reference/configure-cni-plugins.mdx b/calico/reference/configure-cni-plugins.mdx index 271fe062a2..f11cb2cb3c 100644 --- a/calico/reference/configure-cni-plugins.mdx +++ b/calico/reference/configure-cni-plugins.mdx @@ -248,6 +248,52 @@ you must also run calico/kube-controllers with the policy, profile, and workload When using `type: k8s`, the {{prodname}} CNI plugin requires read-only Kubernetes API access to the `Pods` resource in all namespaces. + +### Enabling policy setup timeout + +The `policy_setup_timeout_seconds` option makes the {{prodname}} CNI plugin wait to start a new pod until one of the following conditions occurs: + +- The pod's policy has finished being programmed. +- A specified amount of time has elapsed. + +By setting this option, you can avoid errors that can occur when a pod tries to start before the pod's policy is programmed. + +Example CNI config: + +```json +{ + "name": "any_name", + "cniVersion": "0.1.0", + "type": "calico", + "ipam": { + "type": "calico-ipam", + "policy_setup_timeout_seconds": 10 + } +} +``` + +The {{prodname}} CNI plugin uses {{prodname}}'s `endpoint-status` directory to determine when the dataplane has been programmed for a pod. +By default, the {{prodname}} CNI plugin will look for the directory at: `/var/run/calico/endpoint-status`. +To enable and adjust where {{prodname}} writes `endpoint-status`, the `endpointStatusPathPrefix` option must be configured for [Felix](./felix/configuration.mdx). + +To adjust where the {{prodname}} CNI plugin looks for {{prodname}}'s `endpoint-status` directory, you must set the `endpoint_status_dir` option. + +Example CNI config: + +```json +{ + "name": "any_name", + "cniVersion": "0.1.0", + "type": "calico", + "ipam": { + "type": "calico-ipam", + "policy_setup_timeout_seconds": 10, + "endpoint_status_dir": "/path/to/endpoint-status" + } +} +``` + + ## IPAM ### Using host-local IPAM 
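Review bot: both example configs in this hunk nest `policy_setup_timeout_seconds` (and, in the second, `endpoint_status_dir`) inside the `ipam` block, yet the surrounding prose describes them as options of the Calico CNI plugin itself, not of `calico-ipam`; if they are top-level fields of the plugin config they should move out of `ipam` to sit beside `"type": "calico"`, and if the nesting is intentional the text should say so, because a reader who copies the snippet as-is has no way to tell whether the option took effect. Two documentation gaps as well: the section never states the behaviour when `policy_setup_timeout_seconds` is omitted (is the wait disabled?), and it should state explicitly that the wait is fail-open, i.e. once the timeout elapses the pod starts whether or not its policy has been programmed, so with Felix's `endpointStatusPathPrefix` left unset every pod start simply waits the full timeout and then proceeds without the guarantee this option is meant to provide. Suggest adding, after the bullet list: "If the timeout elapses before the endpoint status is reported, the pod is started anyway; the timeout bounds the delay, it does not guarantee the policy is in place."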
diff --git a/calico/reference/felix/configuration.mdx b/calico/reference/felix/configuration.mdx index 5aab17dd19..7c96d3c5d4 100644 --- a/calico/reference/felix/configuration.mdx +++ b/calico/reference/felix/configuration.mdx 
@@ -52,6 +52,7 @@ The full list of parameters which can be set is as follows. | `DisableConntrackInvalidCheck` | `FELIX_DISABLECONNTRACKINVALIDCHECK` | Disable the dropping of packets that aren't either a valid handshake or part of an established connection. [Default: `false`] | boolean | | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | +| `EndpointStatusPathPrefix` | `FELIX_ENDPOINTSTATUSPATHPREFIX` | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. [Default: ""] | string | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | | `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. 
[Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | | `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | diff --git a/calico/reference/resources/felixconfig.mdx b/calico/reference/resources/felixconfig.mdx index 09ce964a49..6dd7c0edde 100644 --- a/calico/reference/resources/felixconfig.mdx +++ b/calico/reference/resources/felixconfig.mdx 
@@ -44,6 +44,7 @@ spec: | deviceRouteSourceAddress | IPv4 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv4 | string | `""` | | deviceRouteSourceAddressIPv6 | IPv6 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv6 | string | `""` | | deviceRouteProtocol | This defines the route protocol added to programmed device routes. | Protocol | int | RTPROT_BOOT | +| endpointStatusPathPrefix | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. | Any existing path in the calico-node container | string | `""`| | string | | externalNodesCIDRList | A comma-delimited list of CIDRs of external non-calico nodes, which can source tunnel traffic for acceptance by calico-nodes. | IPv4 | string | `""` | | failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- protocol: tcp
  port: 22
- protocol: udp
  port: 68
- protocol: tcp
  port: 179
- protocol: tcp
  port: 2379
- protocol: tcp
  port: 2380
- protocol: tcp
  port: 5473
- protocol: tcp
  port: 6443
- protocol: tcp
  port: 6666
- protocol: tcp
  port: 6667

| | failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- protocol: udp
  port: 53
- protocol: udp
  port: 67
- protocol: tcp
  port: 179
- protocol: tcp
  port: 2379
- protocol: tcp
  port: 2380
- protocol: tcp
  port: 5473
- protocol: tcp
  port: 6443
- protocol: tcp
  port: 6666
- protocol: tcp
  port: 6667

|
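Review bot: the new `EndpointStatusPathPrefix` row in `felix/configuration.mdx` should tie its recommended value to the consumer side: the CNI plugin looks under `/var/run/calico/endpoint-status` by default, so the row should say that `/var/run/calico` is the prefix that makes the two defaults line up and that any other prefix must be mirrored in the CNI plugin's `endpoint_status_dir`, otherwise the status directory is written where nothing reads it and every pod start silently falls back to the timeout. The row also says the directory "can then be monitored by host processes such as the Calico CNI", so it should name the actual requirement behind that sentence: the path must be a volume mounted into calico-node and readable from the host, not merely a path that exists inside the container.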
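Review bot: the new `endpointStatusPathPrefix` row in `felixconfig.mdx` has two extra cells: after the default it continues `| `""`| | string |`, giving seven cells where the neighbouring rows (`deviceRouteProtocol`, `externalNodesCIDRList`) have five (name, description, accepted values, schema, default), which will break or misalign the rendered table. Drop the trailing `| | string` and add the missing space before the closing pipe so the row ends `| Any existing path in the calico-node container | string | `""` |`.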