@syedazeez337 syedazeez337 commented Jun 30, 2025

Summary

This PR adds a new section to the network policy language documentation introducing the egressDeny field in CiliumNetworkPolicy. It includes a real-world use case, explanation, and YAML/JSON examples.

What This PR Adds

  • A new section: Simple Egress Deny, following the structure of existing examples like Simple Egress Allow
  • A single YAML usage example: egress-deny.yaml
  • Documentation updated to use the latest literalinclude format (introduced in Deprecate local REST policy api #40212)
  • Clarification on precedence behavior: egressDeny rules override matching egress rules
  • All content has been tested against a local kind + Cilium v1.17.4 cluster and confirmed to function as expected

Testing

Manually verified using:

  • kubectl apply -f egress-deny.yaml
  • Busybox pods with appropriate labels (role=frontend, role=backend)
  • Confirmed enforcement using ping, nslookup, and Hubble (DROP EGRESS PolicyDeny)

Related

This PR provides the missing documentation for egressDeny discussed in #39697.


Release Note

Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy
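
The precedence rule described in the PR summary, as an added example that is not the `egress-deny.yaml` file from this PR. The policy name is hypothetical; the `role=frontend` and `role=backend` labels are the ones listed under Testing.

```yaml
# Added example (constructed): not the egress-deny.yaml file from this PR.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "frontend-egress-deny-backend"   # hypothetical policy name
spec:
  # The policy applies to pods labelled role=frontend.
  endpointSelector:
    matchLabels:
      role: frontend
  # Allow rule: a broad egress allow using an empty endpoint selector.
  egress:
  - toEndpoints:
    - {}
  # Deny rule: traffic to role=backend also matches the allow rule above,
  # but the deny takes precedence, so these flows are dropped.
  egressDeny:
  - toEndpoints:
    - matchLabels:
        role: backend
```

Applying this with `kubectl apply -f` and watching Hubble for dropped frontend-to-backend flows mirrors the manual check listed under Testing.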

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 30, 2025
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jun 30, 2025
@syedazeez337 syedazeez337 marked this pull request as ready for review June 30, 2025 09:54
@syedazeez337 syedazeez337 requested review from a team as code owners June 30, 2025 09:54
@syedazeez337 syedazeez337 requested review from qmonnet and bimmlerd June 30, 2025 09:54
@syedazeez337 (Contributor Author)

I have updated the documentation and related examples and I will also include the tests I have done locally on my machine.

@qmonnet (Member) left a comment

Thanks! Looks good to me, but please rebase your changes on top of #40212.

@qmonnet qmonnet added sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. release-note/misc This PR makes changes that have no direct user impact. labels Jun 30, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 30, 2025
Signed-off-by: Syed Azeez <syedazeez337@gmail.com>
@syedazeez337 (Contributor Author)

Hi @qmonnet, I have updated my commit with the changes you have mentioned. Let me know if this is good.

@qmonnet (Member) left a comment

Yes, it looks good from my side, thank you!

@qmonnet (Member) commented Jul 1, 2025

/test

@syedazeez337 (Contributor Author)

Thank you for your approvals.
Need some clarification, there are two failing tests, so far I don't think they are related to my changes but let me know what I can do?

@bimmlerd (Member) commented Jul 2, 2025

> there are two failing tests

Definitely unrelated to your docs changes. Even worse; I think a bug in the testing infra that these are even run for docs-only changes, will follow up. Reran in the meantime.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jul 2, 2025
@qmonnet qmonnet added this pull request to the merge queue Jul 2, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 2, 2025
@qmonnet qmonnet added this pull request to the merge queue Jul 2, 2025
Merged via the queue into cilium:main with commit 3f9bf57 Jul 2, 2025
69 of 70 checks passed
@syedazeez337 (Contributor Author)

Please let me know once an issue is raised and I will fix those tests as well.
