projectsyn · simu · Nov 12, 2025 · Nov 11, 2025
diff --git a/component/espejote-templates/egress-gateway.libsonnet b/component/espejote-templates/egress-gateway.libsonnet
@@ -113,6 +113,7 @@ local NamespaceEgressPolicy =
               egress_range,
               namespace,
             ],
+          [if bgp_egress_ip then 'cilium.syn.tools/experimental-policy']: 'true',
           'cilium.syn.tools/egress-ip': egress_ip,
           'cilium.syn.tools/interface-prefix': interface_prefix,
           'cilium.syn.tools/egress-range': egress_range,

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -408,12 +408,22 @@ When this field is omitted or empty, the component generates egress policies wit
 Such policies assign the egress IP to all traffic originating in the namespace.
 ====
 
+[IMPORTANT]
+====
+Support for configuring BGP egress IPs through `egress_ip_ranges` is currently experimental.
+
+Policies which configure BGP egress IPs have an additional annotation `cilium.syn.tools/experimental-policy=true`.
+====
+
 [NOTE]
 ====
 Field `bgp_policy_labels` is optional.
+The component's support for configuring BGP egress IPs through `egress_ip_ranges` is currently experimental.
 
 When the field is provided, and not an empty object, the component adds the contents as entries in `metadata.labels` of the resulting policies.
-In this case, the component also configures the egress policies directly with the egress IP and `maxGatewayNodes: 1` in the `spec.egressGroups` entry.
+In this case, the component configures the egress policies with https://docs.isovalent.com/v1.16/configuration-guide/networking/egress-gateway/introduction.html#requirements-for-egress-ip-and-ipam-feature[Cilium's Egress Gateawy IPAM] and `maxGatewayNodes: 1` in the `spec.egressGroups` entry.
+
+Please note that policies which use EGW IPAM will ignore static routes on the active gateway node (as of Cilium 1.16.16 and Cilium 1.17.9).
 
 If the field is omitted or empty, the component configures the egress group with the interface name and doesn't set `maxGatewayNodes`.
 ====

diff --git a/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml b/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml
@@ -94,6 +94,7 @@ metadata:
       in egress range "egress_f" (192.0.2.160 - 192.0.2.190) to namespace qux.
     cilium.syn.tools/egress-ip: 192.0.2.160
     cilium.syn.tools/egress-range: 192.0.2.160 - 192.0.2.190
+    cilium.syn.tools/experimental-policy: 'true'
     cilium.syn.tools/interface-prefix: egress_f
     cilium.syn.tools/source-namespace: qux
   labels:

diff --git a/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml b/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml
@@ -264,6 +264,7 @@ spec:
                     egress_range,
                     namespace,
                   ],
+                [if bgp_egress_ip then 'cilium.syn.tools/experimental-policy']: 'true',
                 'cilium.syn.tools/egress-ip': egress_ip,
                 'cilium.syn.tools/interface-prefix': interface_prefix,
                 'cilium.syn.tools/egress-range': egress_range,