Allow empty AllowedHosts in EgressPolicy for deny-all #66

Merged: JAORMX merged 1 commit into main from jaosorior/allow-empty-egress-hosts on Apr 9, 2026

@JAORMX JAORMX commented Apr 9, 2026

Summary

  • Remove validation that rejected EgressPolicy with empty AllowedHosts slice
  • Empty AllowedHosts now means "deny all egress" — firewall default is Deny with no hosts whitelisted
  • Add TestBuildNetConfig_WithEgressPolicy_DenyAll to verify the deny-all config path

Fixes #54

Test plan

  • TestRun_EgressPolicy_EmptyHosts_DenyAll — empty hosts no longer rejected at validation
  • TestBuildNetConfig_WithEgressPolicy_DenyAll — empty hosts produces valid config with firewall.Deny
  • Existing egress tests still pass (wildcard validation, empty name rejection, valid policy)

🤖 Generated with Claude Code

Remove the validation that rejected an EgressPolicy with an empty
AllowedHosts slice. An empty list now means "deny all egress" — the
firewall default is set to Deny and no hosts are whitelisted, so no
outbound connections are permitted.

Fixes #54

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@JAORMX JAORMX merged commit 50b4675 into main Apr 9, 2026
7 checks passed
@JAORMX JAORMX deleted the jaosorior/allow-empty-egress-hosts branch April 9, 2026 12:01
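
The deny-all semantics described in this PR, sketched as an added example that is not the project's own code. Only the names `EgressPolicy` and `AllowedHosts` come from the page; the struct layout, the `Validate` and `Allows` methods, and exact-match host comparison are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// EgressPolicy and AllowedHosts are names from the PR; this struct layout
// and both methods below are assumptions made for illustration.
type EgressPolicy struct {
	AllowedHosts []string
}

// Validate accepts an empty AllowedHosts list (deny-all) and rejects only
// blank entries, which could never match a real host.
func (p EgressPolicy) Validate() error {
	for i, h := range p.AllowedHosts {
		if strings.TrimSpace(h) == "" {
			return fmt.Errorf("AllowedHosts[%d] is empty", i)
		}
	}
	return nil
}

// Allows is a default-deny decision: a host passes only when it is listed.
// With zero entries the loop never matches, so every host is denied.
func (p EgressPolicy) Allows(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, h := range p.AllowedHosts {
		if strings.ToLower(strings.TrimSuffix(h, ".")) == host {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample policies and hosts.
	denyAll := EgressPolicy{AllowedHosts: []string{}}
	scoped := EgressPolicy{AllowedHosts: []string{"api.example.com"}}
	fmt.Println(denyAll.Validate(), denyAll.Allows("api.example.com"))
	fmt.Println(scoped.Allows("API.example.com."), scoped.Allows("example.com"))
}
```

A nil slice behaves the same as an empty one here, so a zero-value policy in this sketch also denies all egress.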

Development

Successfully merging this pull request may close these issues.

Support empty AllowedHosts in EgressPolicy for deny-all egress