Fix validation of CIDR fields by danwinship · Pull Request #324 · kubernetes-sigs/network-policy-api

danwinship · 2025-09-24T15:36:55Z

re kubernetes/kubernetes#134224; isCIDR() allows both "mask-like" CIDRs ("192.168.0.0/24") and "address-like" CIDRs ("192.168.0.5/24"). We only want the former.

(If isCIDR() gets changed, then the extra clause here will just be a no-op, but we'll have better backward-compatibility this way.)

k8s-ci-robot · 2025-09-24T15:37:02Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

netlify · 2025-09-24T15:38:10Z

✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name	Link
🔨 Latest commit	`f4c54cc`
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-sigs-network-policy-api/deploys/6977f0021991690008298360
😎 Deploy Preview	https://deploy-preview-324--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

danwinship · 2025-09-24T16:08:34Z

uh...

The CustomResourceDefinition "adminnetworkpolicies.policy.networking.k8s.io" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[egress].items.properties[to].items.properties[networks].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of 1.475000x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)

danwinship · 2025-09-29T13:22:51Z

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

Copilot

Pull Request Overview

This PR enhances CIDR validation in Kubernetes Custom Resource Definitions to ensure only "mask-like" CIDRs (e.g., "192.168.0.0/24") are accepted, rejecting "address-like" CIDRs (e.g., "192.168.0.5/24").

Updated validation rules from isCIDR(self) to isCIDR(self) && cidr(self) == cidr(self).masked()
Applied changes consistently across both standard and experimental CRD files
Modified Go type definitions to reflect the stricter validation requirements

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
config/crd/standard/policy.networking.k8s.io_clusternetworkpolicies.yaml	Updated CIDR validation rule to enforce mask-like format
config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml	Updated CIDR validation rule to enforce mask-like format
config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml	Updated CIDR validation rule to enforce mask-like format
config/crd/experimental/policy.networking.k8s.io_clusternetworkpolicies.yaml	Updated CIDR validation rule to enforce mask-like format
config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml	Updated CIDR validation rule to enforce mask-like format
config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml	Updated CIDR validation rule to enforce mask-like format
apis/v1alpha2/clusternetworkpolicy_types.go	Updated CIDR type validation annotation to enforce mask-like format
apis/v1alpha1/shared_types.go	Updated CIDR type validation annotation to enforce mask-like format

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

tssurya · 2025-09-29T16:15:53Z

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

this suggests something is unbounded OR if everything is bounded then yea I remember hitting this error before and I had to play around with the maximum numbers to make it reasonable.
IIRC the problem is that we can have 100 egress rules and each rule can have 100 peers and then each peer could be 25 network cidrs.. that's too much? 100x100x25?
the only way to fix this is to reduce this number somewhere..

so see if 20 cidr's or 15 fixes this?

I remember I chose 25 cidrs cause back then as well cost exceeded for higher numbers.. :)

aojea · 2025-09-29T21:06:59Z

uh...

The CustomResourceDefinition "adminnetworkpolicies.policy.networking.k8s.io" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[egress].items.properties[to].items.properties[networks].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of 1.475000x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

this suggests something is unbounded OR if everything is bounded then yea I remember hitting this error before and I had to play around with the maximum numbers to make it reasonable. IIRC the problem is that we can have 100 egress rules and each rule can have 100 peers and then each peer could be 25 network cidrs.. that's too much? 100x100x25? the only way to fix this is to reduce this number somewhere..

so see if 20 cidr's or 15 fixes this?

I remember I chose 25 cidrs cause back then as well cost exceeded for higher numbers.. :)

@jpbetz @cici37 any best practices or guidelines we can follow here?

bowei · 2025-10-03T21:15:34Z

/lgtm

danwinship · 2025-10-08T12:23:07Z

kubernetes/kubernetes#120973 (comment)

k8s-ci-robot · 2025-10-09T13:01:33Z

New changes are detected. LGTM label has been removed.

npinaeva · 2025-10-16T15:43:40Z

will rebasing help since #329 merged?

k8s-triage-robot · 2026-01-19T16:29:19Z

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

Mark this PR as fresh with /remove-lifecycle stale
Close this PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

isCIDR() accepts both "mask-like" CIDRs and "address-like" CIDRs

danwinship · 2026-01-26T22:06:30Z

/retest

Something apparently changed in CRD CEL cost validation in the last few releases; the test fails with kind 0.25 / k8s 1.31, but passes with kind 0.31 / k8s 1.35.

danwinship · 2026-01-26T22:54:59Z

will rebasing help since #329 merged?

not sure if that helped at all or not, but it seems that something about CEL cost computation changed in the last few releases, and updating the e2e test to test against a newer apiserver fixes things. (Just #329 without the new apiserver does not fix it.)

Oh, although that doesn't actually help, because that would mean the new CRDs won't work with older k8s releases.

danwinship · 2026-01-26T22:55:14Z

/hold

removing this from the v1alpha2 milestone. we'll have to figure this out later.

k8s-triage-robot · 2026-04-27T03:25:41Z

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

Mark this PR as fresh with /remove-lifecycle stale
Close this PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-ci-robot · 2026-04-27T03:25:50Z

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-triage-robot · 2026-05-27T03:35:45Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

Mark this PR as fresh with /remove-lifecycle rotten
Close this PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

danwinship requested a review from tssurya September 24, 2025 15:36

k8s-ci-robot requested review from Dyanngg and astoycos September 24, 2025 15:37

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 24, 2025

aojea requested a review from Copilot September 29, 2025 13:44

Copilot AI reviewed Sep 29, 2025

View reviewed changes

danwinship mentioned this pull request Sep 30, 2025

CEL CIDR parser does not behave as documented kubernetes/kubernetes#134224

Open

k8s-ci-robot assigned bowei Oct 3, 2025

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 3, 2025

tssurya added this to the v1alpha2 milestone Oct 7, 2025

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 9, 2025

danwinship force-pushed the cidr-validation branch from 56fa774 to 785ec40 Compare October 9, 2025 13:01

k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 9, 2025

k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 9, 2025

danwinship force-pushed the cidr-validation branch from 785ec40 to e6300dc Compare October 21, 2025 16:15

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 19, 2026

Fix validation of CIDR fields

08624fc

isCIDR() accepts both "mask-like" CIDRs and "address-like" CIDRs

danwinship force-pushed the cidr-validation branch from e6300dc to 08624fc Compare January 26, 2026 22:39

k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 26, 2026

Update to current kind version for crd-e2e test

f4c54cc

Something apparently changed in CRD CEL cost validation in the last few releases; the test fails with kind 0.25 / k8s 1.31, but passes with kind 0.31 / k8s 1.35.

danwinship force-pushed the cidr-validation branch from 32c4e75 to f4c54cc Compare January 26, 2026 22:51

k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 26, 2026

danwinship removed this from the v1alpha2 milestone Jan 26, 2026

danwinship removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 27, 2026

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 27, 2026

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 27, 2026

k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 27, 2026

Uh oh!

Conversation

danwinship commented Sep 24, 2025

Uh oh!

k8s-ci-robot commented Sep 24, 2025

Uh oh!

netlify Bot commented Sep 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!

Uh oh!

danwinship commented Sep 24, 2025

Uh oh!

danwinship commented Sep 29, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

tssurya commented Sep 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

aojea commented Sep 29, 2025

Uh oh!

bowei commented Oct 3, 2025

Uh oh!

danwinship commented Oct 8, 2025

Uh oh!

k8s-ci-robot commented Oct 9, 2025

Uh oh!

npinaeva commented Oct 16, 2025

Uh oh!

k8s-triage-robot commented Jan 19, 2026

Uh oh!

danwinship commented Jan 26, 2026

Uh oh!

danwinship commented Jan 26, 2026

Uh oh!

danwinship commented Jan 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-triage-robot commented Apr 27, 2026

Uh oh!

k8s-ci-robot commented Apr 27, 2026

Uh oh!

k8s-triage-robot commented May 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

netlify Bot commented Sep 24, 2025 •

edited

Loading

tssurya commented Sep 29, 2025 •

edited

Loading

danwinship commented Jan 26, 2026 •

edited

Loading