Network policy misbehaving with "egressDeny" field #2392

Open
giaku opened this issue Mar 12, 2024 · 0 comments
Labels
kind/bug Something isn't working


giaku commented Mar 12, 2024

I came to realize that some connectivity tests were consistently failing due to a policy misbehaving. I tested the same policy inside a Cilium lab and it seems that it misbehaves there as well. I checked the policy out with the Visualizer and the whole egressDeny field doesn't get loaded.

Bug report

General Information

  • Cilium CLI version (run cilium version)

```
cilium version
cilium-cli: enterprise/cilium-cli/v0.15.8-cee.1 compiled with go1.21.0 on linux/amd64
cilium image (default): v1.14.1
cilium image (stable): v1.15.1
cilium image (running): 1.14.1
```

  • Orchestration system version in use (e.g. kubectl version, ...)

```
kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3", GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"clean", BuildDate:"2023-06-14T09:53:42Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3", GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"clean", BuildDate:"2023-06-15T00:36:28Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"}
```
  • Platform / infrastructure information (e.g. AWS / Azure / GCP, image / kernel versions)

The "cilium-getting-started" lab would suffice to see the problem

  • Link to relevant artifacts (policies, deployments scripts, ...)

https://github.com/cilium/cilium-cli/blob/70bd400f14714dadbbc2d57dba3030ab090e349b/connectivity/builder/manifests/client-egress-to-cidr-external-deny.yaml

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: client-egress-to-cidr-deny
spec:
  endpointSelector:
    matchLabels:
      kind: client
  egressDeny:
  - toCIDRSet:
    - cidr: {{.ExternalCIDR}}
      except:
        - {{.ExternalIP}}/32
```

How to reproduce the issue

  1. kubectl create ns test; kubectl run pod-to-cidr-deny -n test --image=alpine -l="kind=client" -- /bin/sh -c "apk --update add curl; while true; do sleep 1; curl -m 3 -I https://1.1.1.1; done"
  2. kubectl run pod-to-cidr-deny -n test --image=alpine -l="kind=client" -- /bin/sh -c "apk --update add curl; while true; do sleep 1; curl -m 3 -I https://1.1.1.1; done"
  3. Inspect the logs; both are reaching out to their destination.
  4. Apply the following network policy:

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: client-egress-to-cidr-deny
  namespace: test
spec:
  endpointSelector:
    matchLabels:
      kind: client
  egressDeny:
  - toCIDRSet:
    - cidr: 1.1.1.1/8
      except:
      - 1.0.0.1/32
```

  5. Check the logs again; both pods' connections are being blocked.
  6. Try to load the policy in the Visualizer; the egressDeny field is dropped.
  7. Check the documentation: there is no reference to such a field, while there is one in kubectl explain cnp.spec.
  8. Try out a reverse policy to see if that actually blocks one of the two test pods; apply:

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: client-egress-to-cidr-deny
  namespace: test
spec:
  endpointSelector:
    matchLabels:
      kind: client
  egress:
    - toCIDRSet:
        - cidr: 1.0.0.1/32
```

  9. Check the logs and see that now only one pod's outgoing connections are being blocked.
@giaku giaku added the kind/bug Something isn't working label Mar 12, 2024
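The following is an added example, not Cilium's code and not part of the reporter's issue: a small Python model of how a toCIDRSet entry with an `except` list selects destinations, and of egressDeny taking precedence over egress, run against the two policies posted above. Everything beyond the issue's YAML is an assumption of the model: that an entry matches when the destination lies inside `cidr` and outside every `except` range, that a matching deny rule wins over a matching allow rule, and that a destination matched by neither rule type is reported as "no-match" because what happens to it is decided by the endpoint's policy enforcement mode, which the model does not try to guess. It also flags CIDRs written with host bits set (`1.1.1.1/8` actually covers `1.0.0.0/8`), a check worth running on a policy before applying it; the destination `203.0.113.10` is a constructed unrelated address from the documentation range.

```python
"""Model of CiliumNetworkPolicy toCIDRSet/except matching (added example, not Cilium code).

Modelling assumptions, not stated in the issue:
  * an entry matches when the destination is inside `cidr` and inside none of its
    `except` ranges;
  * a matching egressDeny rule wins over a matching egress (allow) rule;
  * when nothing matches the result is "no-match": whether such traffic passes is
    decided by the endpoint's enforcement mode, which is not modelled here.
"""
import ipaddress


def canonical_cidr(text: str) -> str:
    """Return the network form of a CIDR string.

    '1.1.1.1/8' has host bits set; the prefix it actually covers is 1.0.0.0/8,
    which is what this returns. Cilium's own parsing is not modelled.
    """
    return str(ipaddress.ip_network(text, strict=False))


def noncanonical_cidrs(spec: dict) -> list:
    """List (as written, canonical) pairs for every cidr in the spec whose written
    form is not its network address. Useful as a lint before applying a policy."""
    found = []
    for section in ("egress", "egressDeny"):
        for rule in spec.get(section, []):
            for entry in rule.get("toCIDRSet", []):
                written = entry["cidr"]
                canon = canonical_cidr(written)
                if canon != written:
                    found.append((written, canon))
    return found


def cidr_set_matches(cidr_set: list, dst: str) -> bool:
    """True if dst lies inside some entry's cidr and outside all of that entry's
    except ranges."""
    ip = ipaddress.ip_address(dst)
    for entry in cidr_set:
        if ip not in ipaddress.ip_network(entry["cidr"], strict=False):
            continue
        excepted = any(
            ip in ipaddress.ip_network(e, strict=False)
            for e in entry.get("except", [])
        )
        if not excepted:
            return True
    return False


def egress_verdict(spec: dict, dst: str) -> str:
    """'deny' if an egressDeny rule matches, else 'allow' if an egress rule
    matches, else 'no-match'."""
    for rule in spec.get("egressDeny", []):
        if cidr_set_matches(rule.get("toCIDRSet", []), dst):
            return "deny"
    for rule in spec.get("egress", []):
        if cidr_set_matches(rule.get("toCIDRSet", []), dst):
            return "allow"
    return "no-match"


# The two policy specs from the issue, transcribed from the reporter's YAML.
DENY_POLICY = {
    "endpointSelector": {"matchLabels": {"kind": "client"}},
    "egressDeny": [
        {"toCIDRSet": [{"cidr": "1.1.1.1/8", "except": ["1.0.0.1/32"]}]}
    ],
}
ALLOW_POLICY = {
    "endpointSelector": {"matchLabels": {"kind": "client"}},
    "egress": [{"toCIDRSet": [{"cidr": "1.0.0.1/32"}]}],
}

# The destination curl'd in the reproduction, the excepted address, and a
# constructed unrelated address (documentation range, assumption of this example).
DESTINATIONS = ["1.1.1.1", "1.0.0.1", "203.0.113.10"]


def verdict_table(spec: dict) -> dict:
    """Map each destination in DESTINATIONS to its verdict under spec."""
    return {dst: egress_verdict(spec, dst) for dst in DESTINATIONS}


if __name__ == "__main__":
    print("non-canonical CIDRs in deny policy:", noncanonical_cidrs(DENY_POLICY))
    print("deny policy :", verdict_table(DENY_POLICY))
    print("allow policy:", verdict_table(ALLOW_POLICY))
```

Under this model the deny policy explicitly denies 1.1.1.1 but gives 1.0.0.1 no verdict at all (it is carved out of the deny range, not allowed by anything), while the reverse allow policy explicitly allows only 1.0.0.1; comparing those tables with what the pods actually observe is the quickest way to separate "the field was not loaded" from "the field was loaded but the enforcement mode dropped the excepted traffic".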