docs: Add upgrade note for CNP empty slices new semantic

Following the change in the semantic of an empty non-nil slice in CNPs, an upgrade note is added to the guide for v1.16. The semantic change targeted v1.16 but this release note was inadvertently appended under the "v1.15 Upgrade Notes" section and thus deleted when preparing the documentation for v1.16. Related: e47e295 ("docs: cleanup upgrade docs on 1.16") Related: 966757d ("docs: add upgrade note for dangling cidrGroupRefs") Fixes: 5f77d50 ("docs: Add upgrade note for CNP empty slices new semantic") Signed-off-by: Fabio Falzoi <[email protected]>
DataDog · Jul 25, 2024 · 83a81ce · 83a81ce
1 parent 0b0e716
commit 83a81ce
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/Documentation/operations/upgrade.rst b/Documentation/operations/upgrade.rst
@@ -391,6 +391,14 @@ communicating via the proxy must reconnect to re-establish connections.
 * For IPsec, the use of per-tunnel keys is mandatory, via the use of the ``+``
   sign in the secret. See the :ref:`encryption_ipsec` guide for more
   information.
+* ``CiliumNetworkPolicy`` changed the semantics of the empty non-nil slice.
+  For an Ingress CNP, an empty slice in one of the fields ``fromEndpoints``, ``fromCIDR``,
+  ``fromCIDRSet`` and ``fromEntities`` will not select any identity, thus falling back to
+  default deny for an allow policy. Similarly, for an Egress CNP, an empty slice in one of
+  the fields ``toEndpoints``, ``toCIDR``, ``toCIDRSet`` and ``toEntities`` will not select
+  any identity either. Additionally, the behaviour of a CNP with ``toCIDRSet`` or
+  ``fromCIDRSet`` selectors using ``cidrGroupRef`` targeting only non-existent CIDR groups
+  was changed from allow-all to deny-all to align with the new semantics.
 
 Removed Options
 ~~~~~~~~~~~~~~~