Please allow to enable auto heps

[cbarbian-sap]

With recent calico versions you can make calico automatically create HostEndpoint resources for all K8s nodes.
See e.g. https://www.tigera.io/blog/securing-kubernetes-nodes-with-calico-automatic-host-endpoints/ ...
Conveniently, the automatically created host endpoint objects directly come along with a decent default calico Profile, and have the same labels as the node.

This is more or less a prerequisite to harden K8s nodes, because you need HostEndpoints to match hosts with selectors in GlobalNetworkPolicy and NetworkPolicy objects.

Of course, one could maintain the HostEndpoint objects manually or with an own control loop, but that's tedious, resp. nonsense because now calico itself can do it for you through this auto-host-endpoints feature.