@@ -627,6 +627,24 @@ func TestBuildNetConfig_WithEgressPolicy(t *testing.T) {
627627 assert .Equal (t , uint8 (0 ), netCfg .EgressPolicy .AllowedHosts [1 ].Protocol )
628628}
629629
630+ func TestBuildNetConfig_WithEgressPolicy_DenyAll (t * testing.T ) {
631+ t .Parallel ()
632+
633+ cfg := defaultConfig ()
634+ cfg .egressPolicy = & EgressPolicy {
635+ AllowedHosts : []EgressHost {},
636+ }
637+ // Run() sets this when egressPolicy is non-nil; simulate that here
638+ // since buildNetConfig doesn't do validation.
639+ cfg .firewallDefaultAction = firewall .Deny
640+
641+ netCfg := cfg .buildNetConfig ()
642+
643+ require .NotNil (t , netCfg .EgressPolicy )
644+ assert .Empty (t , netCfg .EgressPolicy .AllowedHosts )
645+ assert .Equal (t , firewall .Deny , netCfg .FirewallDefaultAction )
646+ }
647+
630648func TestBuildNetConfig_Empty (t * testing.T ) {
631649 t .Parallel ()
632650
@@ -642,7 +660,7 @@ func TestBuildNetConfig_Empty(t *testing.T) {
642660
643661// --- Egress validation tests ---
644662
645- func TestRun_EgressPolicy_EmptyHosts (t * testing.T ) {
663+ func TestRun_EgressPolicy_EmptyHosts_DenyAll (t * testing.T ) {
646664 t .Parallel ()
647665
648666 dataDir := t .TempDir ()
@@ -651,8 +669,10 @@ func TestRun_EgressPolicy_EmptyHosts(t *testing.T) {
651669 WithDataDir (dataDir ),
652670 WithEgressPolicy (EgressPolicy {AllowedHosts : nil }),
653671 )
672+ // Should NOT fail on empty AllowedHosts validation — empty means deny-all.
673+ // It will fail later (e.g. image pull), but not at egress policy validation.
654674 require .Error (t , err )
655- assert .Contains (t , err .Error (), "AllowedHosts must not be empty" )
675+ assert .NotContains (t , err .Error (), "AllowedHosts must not be empty" )
656676}
657677
658678func TestRun_EgressPolicy_EmptyName (t * testing.T ) {
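Review bot: `TestRun_EgressPolicy_EmptyHosts_DenyAll` only proves that the old validation message is absent; `require.Error` followed by `assert.NotContains` passes whether Run selected deny-all, skipped egress validation altogether, or failed for any unrelated reason, so a regression that drops the fail-closed default would not be caught. Pin the positive behaviour instead: assert on the specific post-validation failure the comment anticipates, e.g. `require.ErrorContains(t, err, "<expected later error, e.g. image pull>")` (placeholder, taken from the real error), and ideally check that the resulting config carries `firewall.Deny` rather than simulating that assignment by hand as `TestBuildNetConfig_WithEgressPolicy_DenyAll` does in the first hunk. Since that first test uses an empty non-nil slice while the Run test uses `nil`, a second `buildNetConfig` case with `AllowedHosts: nil` would also confirm both spellings of "no hosts" reach the same deny-all result; whether nil and empty are treated identically downstream is not visible here.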