Skip to content

Fix validation of CIDR fields #324

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix validation of CIDR fields #324

wants to merge 1 commit into from
+4 −4

Conversation

danwinship
Copy link
Contributor

re kubernetes/kubernetes#134224; isCIDR() allows both "mask-like" CIDRs ("192.168.0.0/24") and "address-like" CIDRs ("192.168.0.5/24"). We only want the former.

(If isCIDR() gets changed, then the extra clause here will just be a no-op, but we'll have better backward-compatibility this way.)

@danwinship danwinship requested a review from tssurya September 24, 2025 15:36
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 24, 2025
@netlify Netlify
Copy link

netlify bot commented Sep 24, 2025
edited
Loading

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name Link
🔨 Latest commit 785ec40
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-network-policy-api/deploys/68e7b22cd071700008538321
😎 Deploy Preview https://deploy-preview-324--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@danwinship
Copy link
Contributor Author

uh...

The CustomResourceDefinition "adminnetworkpolicies.policy.networking.k8s.io" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[egress].items.properties[to].items.properties[networks].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of 1.475000x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)

@danwinship
Copy link
Contributor Author

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

@aojea aojea requested a review from Copilot September 29, 2025 13:44
Copilot
Copilot AI reviewed Sep 29, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances CIDR validation in Kubernetes Custom Resource Definitions to ensure only "mask-like" CIDRs (e.g., "192.168.0.0/24") are accepted, rejecting "address-like" CIDRs (e.g., "192.168.0.5/24").

  • Updated validation rules from isCIDR(self) to isCIDR(self) && cidr(self) == cidr(self).masked()
  • Applied changes consistently across both standard and experimental CRD files
  • Modified Go type definitions to reflect the stricter validation requirements

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
config/crd/standard/policy.networking.k8s.io_clusternetworkpolicies.yaml Updated CIDR validation rule to enforce mask-like format
config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml Updated CIDR validation rule to enforce mask-like format
config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml Updated CIDR validation rule to enforce mask-like format
config/crd/experimental/policy.networking.k8s.io_clusternetworkpolicies.yaml Updated CIDR validation rule to enforce mask-like format
config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml Updated CIDR validation rule to enforce mask-like format
config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml Updated CIDR validation rule to enforce mask-like format
apis/v1alpha2/clusternetworkpolicy_types.go Updated CIDR type validation annotation to enforce mask-like format
apis/v1alpha1/shared_types.go Updated CIDR type validation annotation to enforce mask-like format

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@tssurya
Copy link
Contributor

tssurya commented Sep 29, 2025
edited
Loading

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

this suggests something is unbounded OR if everything is bounded then yea I remember hitting this error before and I had to play around with the maximum numbers to make it reasonable.
IIRC the problem is that we can have 100 egress rules and each rule can have 100 peers and then each peer could be 25 network cidrs.. that's too much? 100x100x25?
the only way to fix this is to reduce this number somewhere..

so see if 20 cidr's or 15 fixes this?

I remember I chose 25 cidrs cause back then as well cost exceeded for higher numbers.. :)

@aojea
Copy link
Contributor

aojea commented Sep 29, 2025

uh...

The CustomResourceDefinition "adminnetworkpolicies.policy.networking.k8s.io" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[egress].items.properties[to].items.properties[networks].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of 1.475000x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

this suggests something is unbounded OR if everything is bounded then yea I remember hitting this error before and I had to play around with the maximum numbers to make it reasonable. IIRC the problem is that we can have 100 egress rules and each rule can have 100 peers and then each peer could be 25 network cidrs.. that's too much? 100x100x25? the only way to fix this is to reduce this number somewhere..

so see if 20 cidr's or 15 fixes this?

I remember I chose 25 cidrs cause back then as well cost exceeded for higher numbers.. :)

@jpbetz @cici37 any best practices or guidelines we can follow here?

@danwinship danwinship mentioned this pull request Sep 30, 2025
Open
@bowei
Copy link
Contributor

bowei commented Oct 3, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 3, 2025
@tssurya tssurya added this to the v1alpha2 milestone Oct 7, 2025
@danwinship
Copy link
Contributor Author

kubernetes/kubernetes#120973 (comment)

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 9, 2025
@danwinship
Fix validation of CIDR fields
785ec40 
isCIDR() accepts both "mask-like" CIDRs and "address-like" CIDRs
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 9, 2025
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 9, 2025
@k8s-ci-robot
Copy link
Contributor

@danwinship: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-network-policy-api-crd-e2e 785ec40 link true /test pull-network-policy-api-crd-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@npinaeva
Copy link
Member

will rebasing help since #329 merged?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@tssurya tssurya Awaiting requested review from tssurya

@astoycos astoycos Awaiting requested review from astoycos

@Dyanngg Dyanngg Awaiting requested review from Dyanngg

Assignees

@bowei bowei

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

v1alpha2

Development

Successfully merging this pull request may close these issues.

6 participants

@danwinship @k8s-ci-robot @tssurya @aojea @bowei @npinaeva