
docs: add egressDeny example to CiliumNetworkPolicy language guide #40272

Merged
qmonnet merged 1 commit into cilium:main from syedazeez337:egressdeny-changes
Jul 2, 2025

Conversation

@syedazeez337 Contributor commented Jun 30, 2025

Summary

This PR adds a new section to the network policy language documentation introducing the egressDeny field in CiliumNetworkPolicy. It includes a real-world use case, explanation, and YAML/JSON examples.

What This PR Adds

  • A new section: Simple Egress Deny, following the structure of existing examples like Simple Egress Allow
  • A single YAML usage example: egress-deny.yaml
  • Documentation updated to use the latest literalinclude format (introduced in Deprecate local REST policy api #40212)
  • Clarification on precedence behavior: egressDeny rules override matching egress rules
  • All content has been tested against a local kind + Cilium v1.17.4 cluster and confirmed to function as expected

Testing

Manually verified using:

  • kubectl apply -f egress-deny.yaml
  • Busybox pods with appropriate labels (role=frontend, role=backend)
  • Confirmed enforcement using ping, nslookup, and Hubble (DROP EGRESS PolicyDeny)

Related

This PR provides the missing documentation for egressDeny discussed in #39697.


Release Note

Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy
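The following policy is an added illustration of the precedence behaviour the PR description mentions (egressDeny overriding a matching egress allow). It is not the egress-deny.yaml file added by this PR; the policy name, the namespace, the TCP/22 port choice and the kube-dns allow rule are assumptions made here. It reuses the pod labels from the PR's test setup (role=frontend, role=backend).

```yaml
# Added illustrative policy, not the egress-deny.yaml from this PR.
# Assumed: namespace "default", pods labelled role=frontend / role=backend,
# and a policy name chosen here ("frontend-egress-deny-example").
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress-deny-example
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      role: frontend
  # Because this policy selects role=frontend pods and carries an egress
  # section, those pods enter default-deny for egress: only traffic listed
  # under "egress" below is allowed.
  egress:
  # Allow frontend -> backend on every port and protocol.
  - toEndpoints:
    - matchLabels:
        role: backend
  # Allow DNS to kube-dns so name resolution keeps working under default-deny.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
  # Deny frontend -> backend on TCP/22. The allow rule above also matches this
  # traffic, but the deny wins: deny rules take precedence over allow rules
  # regardless of their order. Deny rules are L3/L4 only (no L7 fields).
  egressDeny:
  - toEndpoints:
    - matchLabels:
        role: backend
    toPorts:
    - ports:
      - port: "22"
        protocol: TCP
```

With this applied, a role=frontend pod can still reach role=backend on any port other than TCP/22, and attempts to TCP/22 are dropped even though the broader allow rule matches them. To confirm the drop, watch the frontend pod's flows with `hubble observe --from-pod default/<frontend-pod> --verdict DROPPED`; the PR's own testing reports the verdict as DROP EGRESS PolicyDeny. The kube-dns rule matters in practice: without it, the same policy silently breaks name resolution for the frontend pods, which is easy to misread as the deny rule doing more than it does.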

@maintainer-s-little-helper maintainer-s-little-helper Bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 30, 2025
@github-actions github-actions Bot added the kind/community-contribution This was a contribution made by a community member. label Jun 30, 2025
@syedazeez337 syedazeez337 marked this pull request as ready for review June 30, 2025 09:54
@syedazeez337 syedazeez337 requested review from a team as code owners June 30, 2025 09:54
@syedazeez337 syedazeez337 requested review from bimmlerd and qmonnet June 30, 2025 09:54
@syedazeez337 Contributor Author

I have updated the documentation and related examples, and I will also include the tests I have done locally on my machine.
[screenshots: egress_1, egress_deny_apply, egress_deny_deleted]

@qmonnet Member left a comment

Thanks! Looks good to me, but please rebase your changes on top of #40212.

Comment thread Documentation/security/policy/language.rst Outdated
Comment thread examples/policies/l3/egress-deny/egress-deny.json Outdated
@qmonnet qmonnet added sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. release-note/misc This PR makes changes that have no direct user impact. labels Jun 30, 2025
@maintainer-s-little-helper maintainer-s-little-helper Bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 30, 2025
Signed-off-by: Syed Azeez <syedazeez337@gmail.com>
@syedazeez337 Contributor Author

Hi @qmonnet, I have updated my commit with the changes you have mentioned. Let me know if this is good.

@qmonnet Member left a comment

Yes, it looks good from my side, thank you!

@qmonnet Member

qmonnet commented Jul 1, 2025

/test

@syedazeez337 Contributor Author

Thank you for your approvals.
I need some clarification: there are two failing tests. So far I don't think they are related to my changes, but let me know what I can do.

@bimmlerd Member commented Jul 2, 2025

> there are two failing tests

Definitely unrelated to your docs changes. Even worse, I think it's a bug in the testing infra that these are even run for docs-only changes; will follow up. Reran in the meantime.

@maintainer-s-little-helper maintainer-s-little-helper Bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jul 2, 2025
@qmonnet qmonnet added this pull request to the merge queue Jul 2, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 2, 2025
@qmonnet qmonnet added this pull request to the merge queue Jul 2, 2025
Merged via the queue into cilium:main with commit 3f9bf57 Jul 2, 2025
69 of 70 checks passed
@syedazeez337 Contributor Author

Please let me know once an issue is raised and I will fix those tests as well.

@alagoutte Contributor

Can this be backported to stable? EgressDeny is part of the CKS (Killer.sh) material and cannot be found when searching the stable docs.

@qmonnet qmonnet added needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Dec 16, 2025
@Artyop Artyop mentioned this pull request Dec 18, 2025
4 tasks
@Artyop Artyop added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Dec 18, 2025
@Artyop Artyop mentioned this pull request Dec 18, 2025
1 task
@Artyop Artyop added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Dec 18, 2025
@Artyop Artyop mentioned this pull request Dec 18, 2025
1 task
@github-actions github-actions Bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. backport-pending/1.16 backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels Dec 19, 2025
@cilium-release-bot cilium-release-bot Bot moved this to Released in cilium v1.19.0 Feb 3, 2026

Labels

backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
