Skip to content

k8s: Validate empty (C)CNPs at admission#45145

Open
HadrienPatte wants to merge 1 commit intomainfrom
pr/HadrienPatte/empty-cnp-validation
Open

k8s: Validate empty (C)CNPs at admission#45145
HadrienPatte wants to merge 1 commit intomainfrom
pr/HadrienPatte/empty-cnp-validation

Conversation

@HadrienPatte
Copy link
Copy Markdown
Member

@HadrienPatte HadrienPatte commented Apr 2, 2026
edited
Loading

Update the CCNP/CNP CRD to add admission time validation preventing CCNP/CNP with neither specs nor spec. These resources could previously be created and would only lead agents to emit an Invalid CiliumNetworkPolicy spec(s): empty policy warning log on parse. Now the API server will reject the creation or update of such resources.

This relies on CRD Validation Rules which have been GA since kubernetes 1.29.

Existing empty policies already present in the cluster are not affected, but any create or update that results in an empty policy will be rejected.

@HadrienPatte
k8s: Validate empty (C)CNPs at admission
ebc830e 
Update the CCNP/CNP CRD to add admision time validation preventing
CCNP/CNP with neither `specs` nor `spec`. These resources could
previously be created and would only lead agents to emit an `Invalid CiliumNetworkPolicy spec(s): empty policy`
warning log on parse. Now the API server will reject the creation or
update of such resources.

This relies on [CRD Validation Rules](https://kubernetes.io/blog/2022/09/23/crd-validation-rules-beta/) which have been GA since kubernetes 1.29.

Existing empty policies already present in the cluster are not affected,
but any create or update that results in an empty policy will be rejected.

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 2, 2026
@HadrienPatte HadrienPatte added area/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Apr 2, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 2, 2026
@HadrienPatte
Copy link
Copy Markdown
Member Author

HadrienPatte commented Apr 2, 2026

/test

@HadrienPatte HadrienPatte marked this pull request as ready for review April 2, 2026 21:00
@HadrienPatte HadrienPatte requested review from a team as code owners April 2, 2026 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@squeed squeed Awaiting requested review from squeed squeed is a code owner automatically assigned from cilium/api

@hemanthmalla hemanthmalla Awaiting requested review from hemanthmalla hemanthmalla is a code owner automatically assigned from cilium/docs-structure

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

area/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HadrienPatte