From 83a81ce4ed3a967e73d08b65bc956c737f6d8bb4 Mon Sep 17 00:00:00 2001 From: Fabio Falzoi Date: Thu, 25 Jul 2024 10:40:12 +0200 Subject: [PATCH] docs: Add upgrade note for CNP empty slices new semantic Following the change in the semantic of an empty non-nil slice in CNPs, an upgrade note is added to the guide for v1.16. The semantic change targeted v1.16 but this release note was inadvertently appended under the "v1.15 Upgrade Notes" section and thus deleted when preparing the documentation for v1.16. Related: e47e295a04 ("docs: cleanup upgrade docs on 1.16") Related: 966757d822 ("docs: add upgrade note for dangling cidrGroupRefs") Fixes: 5f77d50ee3 ("docs: Add upgrade note for CNP empty slices new semantic") Signed-off-by: Fabio Falzoi --- Documentation/operations/upgrade.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Documentation/operations/upgrade.rst b/Documentation/operations/upgrade.rst index e7a51a79f391d..285ff6de6e72d 100644 --- a/Documentation/operations/upgrade.rst +++ b/Documentation/operations/upgrade.rst 
@@ -391,6 +391,14 @@ communicating via the proxy must reconnect to re-establish connections. * For IPsec, the use of per-tunnel keys is mandatory, via the use of the ``+`` sign in the secret. See the :ref:`encryption_ipsec` guide for more information. +* ``CiliumNetworkPolicy`` changed the semantics of the empty non-nil slice. + For an Ingress CNP, an empty slice in one of the fields ``fromEndpoints``, ``fromCIDR``, + ``fromCIDRSet`` and ``fromEntities`` will not select any identity, thus falling back to + default deny for an allow policy. Similarly, for an Egress CNP, an empty slice in one of + the fields ``toEndpoints``, ``toCIDR``, ``toCIDRSet`` and ``toEntities`` will not select + any identity either. Additionally, the behaviour of a CNP with ``toCIDRSet`` or + ``fromCIDRSet`` selectors using ``cidrGroupRef`` targeting only non-existent CIDR groups + was changed from allow-all to deny-all to align with the new semantics. Removed Options ~~~~~~~~~~~~~~~
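Review bot: the new ``CiliumNetworkPolicy`` bullet gives the new result for an empty non-nil slice ("will not select any identity, thus falling back to default deny") but never says what such a slice selected before the change. Only the closing ``cidrGroupRef`` sentence spells out a before and after ("from allow-all to deny-all"). Because the outcome is traffic being denied after upgrade, I would state the previous behaviour explicitly for the ``from*`` and ``to*`` fields as well, and add one sentence telling operators to check existing policies for explicitly empty lists in those fields before upgrading. The Egress sentence should also name the consequence rather than ending at "will not select any identity either", so that it reads in parallel with the Ingress one. Two wording points in the same bullet: "in one of the fields ... and ..." should use "or" for both field lists, and "CNP" is used without being introduced, so either expand it on first use or keep ``CiliumNetworkPolicy`` throughout.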