Change wording on toServices limitations (see #20067)

PR #21052 updated Cilium documentation to say that, in network policy rules, `toServices` statements cannot be combined with `toPorts` statements. I believe it would be more informative for Cilium users to say (following RFC 2119) that `toServices` _must not_ be combined with `toPorts`, as technically Cilium accepts such a network policy as valid but handles it in the unexpected and potentially dangerous (e.g. if a setup relies on Cilium network policy to implement egress filtering) manner described in #20067. Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
cilium · Jun 26, 2023 · a279f80 · a279f80
1 parent 049e77a
commit a279f80
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/Documentation/security/policy/language.rst b/Documentation/security/policy/language.rst
@@ -304,8 +304,9 @@ have ``external:yes`` set as the label.
 Limitations
 ~~~~~~~~~~~
 
-``toServices`` statements cannot be combined with ``toPorts`` statements in the
-same rule.
+``toServices`` statements must not be combined with ``toPorts`` statements in the
+same rule. In the presence of a ``toPorts`` statement, ``toServices`` does nothing
+and as a result all egress traffic to port(s) specified by ``toPorts`` is allowed.
 
 .. _Entities based: