allowing CIDRs, wildcards and Plural in IP and DNS

[entlein]

Overview

network-wildcards: DNS leading/trailing/mid + CIDR + IPAddresses + "*" sentinel

Additional Information

CEL networkneighborhood helpers now query
projected fields with wildcard/CIDR/DNS-wildcard support and the v0.0.2
spec semantics (port/protocol checks degrade to address-only in v1
when only a CIDR is declared).

• DNS leading-* (RFC 4592 single-label wildcard)
• DNS trailing-* (subdomain-prefix wildcard)
• DNS mid-⋯ (interior dynamic segment)
• IPv4/IPv6 literals and CIDR ranges
• * any-IP sentinel
• IPAddresses list (deprecated single-IP field) preserved on the
  decode path

How to Test

20 declarative fixture YAMLs under tests/resources/network-wildcards/
pin the wildcard contract end-to-end:

• Literal IPv4/IPv6
• CIDR IPv4/IPv6
• * any-IP and * as CIDR
• Mixed IP list
• Deprecated IPAddresses field path
• DNS literal, leading wildcard, mid-⋯, trailing-*
• Trailing-dot normalisation
• Recursive * rejection
• Egress-and-ingress, egress-none
• Realistic Stripe API scenario
• Cluster DNS via mid-⋯
• Port+protocol with CIDR
• Multi-container mixed wildcards

Has sister PR in storage

[coderabbitai]

Warning

Review limit reached

@entlein, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 56 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4cef01a7-9e25-4276-b422-aa2f755134d7

📥 Commits

Reviewing files that changed from the base of the PR and between cc59fa0 and 7529d82.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (28)

• go.mod
• pkg/rulemanager/cel/libraries/networkneighborhood/fixtures_test.go
• pkg/rulemanager/cel/libraries/networkneighborhood/network.go
• pkg/rulemanager/cel/libraries/networkneighborhood/wildcard_test.go
• tests/component_test.go
• tests/resources/known-network-neighborhood.yaml
• tests/resources/network-wildcards/01-literal-ipv4.yaml
• tests/resources/network-wildcards/02-literal-ipv6.yaml
• tests/resources/network-wildcards/03-cidr-ipv4.yaml
• tests/resources/network-wildcards/04-cidr-ipv6.yaml
• tests/resources/network-wildcards/05-any-ip-sentinel.yaml
• tests/resources/network-wildcards/06-any-as-cidr.yaml
• tests/resources/network-wildcards/07-mixed-ip-list.yaml
• tests/resources/network-wildcards/08-deprecated-ipaddress.yaml
• tests/resources/network-wildcards/09-dns-literal.yaml
• tests/resources/network-wildcards/10-dns-leading-wildcard.yaml
• tests/resources/network-wildcards/11-dns-mid-ellipsis.yaml
• tests/resources/network-wildcards/12-dns-trailing-star.yaml
• tests/resources/network-wildcards/13-dns-trailing-dot-normalisation.yaml
• tests/resources/network-wildcards/14-recursive-star-rejected.yaml
• tests/resources/network-wildcards/15-egress-and-ingress.yaml
• tests/resources/network-wildcards/16-egress-none.yaml
• tests/resources/network-wildcards/17-realistic-stripe-api.yaml
• tests/resources/network-wildcards/18-cluster-dns-via-mid-ellipsis.yaml
• tests/resources/network-wildcards/19-port-protocol-with-cidr.yaml
• tests/resources/network-wildcards/20-multi-container-mixed-wildcards.yaml
• tests/resources/network-wildcards/README.md
• tests/resources/nginx-user-defined-deployment.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[entlein]

@coderabbitai review

Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map:

Tier 0 (opens):

• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args storage#323 (path-wildcards core: anchored trailing-*, per-port key, WildcardIdentifier + CollapseConfig API — squash per your "merge first / or squash together" note)
• feat(cel): was_path_opened* CEL helpers in applicationprofile library #811 (was_path_opened* CEL helpers — NEW)

Tier 2 (execs):

• allowing wildcards in exec args storage#322 (CompareExecArgs)
• profile-compaction: CollapseConfig CRD + projection overlay + user-maged lifecycle storage#325 (CollapseConfig CRD + processors)
• allowing wildcards in exec args #805 (resolveExecPath + 3-arg parse)
• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args #807 (R0040 args consumer)
• feat(projection): add ExecsByPath composite-key surface to ProjectedContainerProfile #812 (ExecsByPath composite-key surface — NEW)

Tier 3 (network):

• allowing CIDRs, wildcards and Plural in IP and DNS storage#324 (networkmatch package)
• allowing CIDRs, wildcards and Plural in IP and DNS #806 (network wildcards CEL)

Tier 4 (tamper/sign):

• profile-compaction: CollapseConfig CRD + projection overlay + user-ma… #808 (projection overlay + tamper + non-blocking fanout + NN resource)
• sign and detect tampering #809 (cosign sign/verify + tamper detection)

Umbrellas:

• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  storage#326
• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  #810

Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed.

[coderabbitai]

@entlein, triggering a fresh review of PR #806 (Tier 3 – network wildcards CEL) now.

On your atomicity question for the full SBOB set: the tier structure you've described looks well-scoped. A few cross-PR coupling observations specific to this PR's position:

Tier 3 coupling checks (PR #806 + storage#324)

• PR #806 (CEL helpers) has a direct dependency on storage#324 (networkmatch package). If storage#324 is not yet merged when #806 lands, the CEL helpers that call into networkmatch will be broken at runtime. Make sure storage#324 is merged (or at minimum vendored/updated in node-agent's go.mod) before #806 is merged.
• No observable upward coupling into Tier 4 from the network layer is expected unless the projection overlay in #808 references network-match results — worth double-checking in #808.

Tier 4 coupling risk

• PR #808 (projection overlay + tamper + NN resource) sits above Tier 3. If its projection overlay reads from fields produced by the Tier 3 CEL helpers, #808 must not merge before #806 + storage#324 are in.

General atomicity verdict
The split looks correct per your dependency map. The merge order constraint is:

storage#323 → storage#324 → node-agent#806
storage#322, `#325` → node-agent#805, `#807`, `#812`
(above) → node-agent#808, `#809`
umbrellas last: storage#326, node-agent#810

No cross-tier coupling jumps are apparent from the tier descriptions alone. The re-review will surface any remaining intra-PR issues in #806.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[matthyx]

Blocking: this introduces github.com/kubescape/storage/pkg/registry/file/networkmatch, but this branch still pins github.com/kubescape/storage v0.0.258, and that version does not ship this package. go test ./pkg/rulemanager/cel/libraries/networkneighborhood/... currently fails immediately with no required module provides package github.com/kubescape/storage/pkg/registry/file/networkmatch.

Can we either bump github.com/kubescape/storage in this PR or add a temporary replace to the sister storage branch so the PR builds in this repo as-is?

[entlein]

replace github.com/kubescape/storage => github.com/k8sstormcenter/storage v0.0.240-0.20260527173728-46f37d32b969 , please remove before merge :)

[matthyx]

Requesting changes for one blocking issue: this PR imports github.com/kubescape/storage/pkg/registry/file/networkmatch, but the repo still pins github.com/kubescape/storage v0.0.258, which does not contain that package. As a result, go test ./pkg/rulemanager/cel/libraries/networkneighborhood/... fails before the new tests can run.

I left the inline comment on the import; once the storage dependency is wired to a version/replace that includes networkmatch, I’m happy to re-review.

[matthyx]

Rechecked the updated branch: the original missing-package blocker is fixed, but the new github.com/kubescape/storage replace still leaves this PR unbuildable.

On a fresh checkout, go test ./pkg/rulemanager/cel/libraries/networkneighborhood/... now stops with go: updates to go.mod needed; to update it: go mod tidy, so go.mod/go.sum are not in a buildable state as committed.

If I let Go resolve modules (GOFLAGS=-mod=mod go build ./pkg/rulemanager/cel/libraries/networkneighborhood/...), the dependency graph shifts and the build then fails in github.com/containerd/containerd/oci with cannot use limit (variable of type int64) as *int64 value in assignment.

So the branch still needs a storage version / dependency set that builds cleanly in node-agent as committed, without requiring local module rewrites.

[entlein]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.