Empty to/fromEndpoints in CCNP matches world #12844

@pchaigno

Issue

When included in a CNP, an empty fromEndpoints is interpreted as "from any Cilium-managed endpoint in the namespace". When included in a CCNP, however, an empty fromEndpoints is interpreted as "any source" (instead of "all Cilium-managed endpoints").

$ cat test.yaml
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "test-all-endpoints"
spec:
  endpointSelector:
    matchLabels:
      name: pod-to-external-fqdn-allow-google-cnp 
  ingress:
  - fromEndpoints:
    - {}
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
$
$ sudo cilium bpf policy get 2506
DIRECTION   LABELS (source:key[=value])                        PORT/PROTO   PROXY PORT   BYTES    PACKETS   
Ingress     reserved:unknown                                   80/TCP       NONE         0        0
[...]

Why?

When converted to EndpointSelector, to/fromEndpoints rules are automatically completed with a namespace match if unspecified. However, CCNPs are not namespace scoped so the namespace match isn't added and we end up with a truly empty EndpointSelector.

Proposed Fix

The proposed fix would be to complete empty to/fromEndpoints in CCNPs with the following:

matchExpressions: {key: io.cilium.kubernetes.namespace, op: exists}

This would implement the expected behavior in that empty to/fromEndpoints in CCNPs would match all endpoints that have a namespace label, i.e., all Cilium-managed endpoints in the cluster. The fix should be simple (cf. getEndpointSelector()) and probably just needs a couple of unit tests + a documentation update.
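The explicit form of the same CCNP, as an added example that is not from the issue or from the Cilium project: it spells out the namespace-exists requirement that the proposed fix would add automatically, so the rule admits all Cilium-managed endpoints in the cluster rather than any source. The label key is written as `k8s:io.kubernetes.pod.namespace`, which is how the namespace label appears on Cilium endpoints (the issue text names the key as `io.cilium.kubernetes.namespace`); check it against the policy documentation of your Cilium version. The endpoint name label and the port are taken from the issue's test.yaml.

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "test-all-endpoints-explicit"
spec:
  endpointSelector:
    matchLabels:
      name: pod-to-external-fqdn-allow-google-cnp
  ingress:
  # Instead of "- {}", which a CCNP currently turns into an empty selector
  # (listed as reserved:unknown, i.e. any source, by "cilium bpf policy get"),
  # require that the source carries a namespace label at all. Only
  # Cilium-managed pod endpoints have one; reserved identities such as
  # world do not, so they are excluded.
  - fromEndpoints:
    - matchExpressions:
      - key: k8s:io.kubernetes.pod.namespace
        operator: Exists
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
```

After applying this policy, re-run `cilium bpf policy get <endpoint id>` on the selected endpoint: the ingress row for 80/TCP should no longer show `reserved:unknown`. Until the fix lands, writing the selector out this way is the safe choice in any CCNP where `- {}` was meant to mean "all endpoints in the cluster", since the empty form silently allows world traffic.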

Labels

- good-first-issue: Good starting point for new developers, which requires minimal understanding of Cilium.
- kind/bug: This is a bug in the Cilium logic.
- sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.
- upgrade-impact: This PR has potential upgrade or downgrade impact.