allowing CIDRs, wildcards and Plural in IP and DNS

[entlein]

Overview

network-wildcards: DNS leading/trailing/mid + CIDR + IPAddresses + "*" sentinel

Additional Information

CEL networkneighborhood helpers now query
projected fields with wildcard/CIDR/DNS-wildcard support and the v0.0.2
spec semantics (port/protocol checks degrade to address-only in v1
when only a CIDR is declared).

• DNS leading-* (RFC 4592 single-label wildcard)
• DNS trailing-* (subdomain-prefix wildcard)
• DNS mid-⋯ (interior dynamic segment)
• IPv4/IPv6 literals and CIDR ranges
• * any-IP sentinel
• IPAddresses list (deprecated single-IP field) preserved on the
  decode path

How to Test

20 declarative fixture YAMLs under tests/resources/network-wildcards/
pin the wildcard contract end-to-end:

• Literal IPv4/IPv6
• CIDR IPv4/IPv6
• * any-IP and * as CIDR
• Mixed IP list
• Deprecated IPAddresses field path
• DNS literal, leading wildcard, mid-⋯, trailing-*
• Trailing-dot normalisation
• Recursive * rejection
• Egress-and-ingress, egress-none
• Realistic Stripe API scenario
• Cluster DNS via mid-⋯
• Port+protocol with CIDR
• Multi-container mixed wildcards

Has sister PR in storage

[coderabbitai]

Warning

Rate limit exceeded

@entlein has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 45 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 80c873ee-6d5f-4fe7-ab0b-e1a45e09b01c

📥 Commits

Reviewing files that changed from the base of the PR and between cc59fa0 and b6ade83.

📒 Files selected for processing (24)

• pkg/rulemanager/cel/libraries/networkneighborhood/fixtures_test.go
• pkg/rulemanager/cel/libraries/networkneighborhood/network.go
• pkg/rulemanager/cel/libraries/networkneighborhood/wildcard_test.go
• tests/resources/network-wildcards/01-literal-ipv4.yaml
• tests/resources/network-wildcards/02-literal-ipv6.yaml
• tests/resources/network-wildcards/03-cidr-ipv4.yaml
• tests/resources/network-wildcards/04-cidr-ipv6.yaml
• tests/resources/network-wildcards/05-any-ip-sentinel.yaml
• tests/resources/network-wildcards/06-any-as-cidr.yaml
• tests/resources/network-wildcards/07-mixed-ip-list.yaml
• tests/resources/network-wildcards/08-deprecated-ipaddress.yaml
• tests/resources/network-wildcards/09-dns-literal.yaml
• tests/resources/network-wildcards/10-dns-leading-wildcard.yaml
• tests/resources/network-wildcards/11-dns-mid-ellipsis.yaml
• tests/resources/network-wildcards/12-dns-trailing-star.yaml
• tests/resources/network-wildcards/13-dns-trailing-dot-normalisation.yaml
• tests/resources/network-wildcards/14-recursive-star-rejected.yaml
• tests/resources/network-wildcards/15-egress-and-ingress.yaml
• tests/resources/network-wildcards/16-egress-none.yaml
• tests/resources/network-wildcards/17-realistic-stripe-api.yaml
• tests/resources/network-wildcards/18-cluster-dns-via-mid-ellipsis.yaml
• tests/resources/network-wildcards/19-port-protocol-with-cidr.yaml
• tests/resources/network-wildcards/20-multi-container-mixed-wildcards.yaml
• tests/resources/network-wildcards/README.md

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[entlein]

@coderabbitai review

Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map:

Tier 0 (opens):

• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args storage#323 (path-wildcards core: anchored trailing-*, per-port key, WildcardIdentifier + CollapseConfig API — squash per your "merge first / or squash together" note)
• feat(cel): was_path_opened* CEL helpers in applicationprofile library #811 (was_path_opened* CEL helpers — NEW)

Tier 2 (execs):

• allowing wildcards in exec args storage#322 (CompareExecArgs)
• profile-compaction: CollapseConfig CRD + projection overlay + user-maged lifecycle storage#325 (CollapseConfig CRD + processors)
• allowing wildcards in exec args #805 (resolveExecPath + 3-arg parse)
• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args #807 (R0040 args consumer)
• feat(projection): add ExecsByPath composite-key surface to ProjectedContainerProfile #812 (ExecsByPath composite-key surface — NEW)

Tier 3 (network):

• allowing CIDRs, wildcards and Plural in IP and DNS storage#324 (networkmatch package)
• allowing CIDRs, wildcards and Plural in IP and DNS #806 (network wildcards CEL)

Tier 4 (tamper/sign):

• profile-compaction: CollapseConfig CRD + projection overlay + user-ma… #808 (projection overlay + tamper + non-blocking fanout + NN resource)
• sign and detect tampering #809 (cosign sign/verify + tamper detection)

Umbrellas:

• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  storage#326
• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  #810

Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed.

[coderabbitai]

@entlein, triggering a fresh review of PR #806 (Tier 3 – network wildcards CEL) now.

On your atomicity question for the full SBOB set: the tier structure you've described looks well-scoped. A few cross-PR coupling observations specific to this PR's position:

Tier 3 coupling checks (PR #806 + storage#324)

• PR #806 (CEL helpers) has a direct dependency on storage#324 (networkmatch package). If storage#324 is not yet merged when #806 lands, the CEL helpers that call into networkmatch will be broken at runtime. Make sure storage#324 is merged (or at minimum vendored/updated in node-agent's go.mod) before #806 is merged.
• No observable upward coupling into Tier 4 from the network layer is expected unless the projection overlay in #808 references network-match results — worth double-checking in #808.

Tier 4 coupling risk

• PR #808 (projection overlay + tamper + NN resource) sits above Tier 3. If its projection overlay reads from fields produced by the Tier 3 CEL helpers, #808 must not merge before #806 + storage#324 are in.

General atomicity verdict
The split looks correct per your dependency map. The merge order constraint is:

storage#323 → storage#324 → node-agent#806
storage#322, `#325` → node-agent#805, `#807`, `#812`
(above) → node-agent#808, `#809`
umbrellas last: storage#326, node-agent#810

No cross-tier coupling jumps are apparent from the tier descriptions alone. The re-review will surface any remaining intra-PR issues in #806.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[matthyx]

Blocking: this introduces github.com/kubescape/storage/pkg/registry/file/networkmatch, but this branch still pins github.com/kubescape/storage v0.0.258, and that version does not ship this package. go test ./pkg/rulemanager/cel/libraries/networkneighborhood/... currently fails immediately with no required module provides package github.com/kubescape/storage/pkg/registry/file/networkmatch.

Can we either bump github.com/kubescape/storage in this PR or add a temporary replace to the sister storage branch so the PR builds in this repo as-is?

[matthyx]

Requesting changes for one blocking issue: this PR imports github.com/kubescape/storage/pkg/registry/file/networkmatch, but the repo still pins github.com/kubescape/storage v0.0.258, which does not contain that package. As a result, go test ./pkg/rulemanager/cel/libraries/networkneighborhood/... fails before the new tests can run.

I left the inline comment on the import; once the storage dependency is wired to a version/replace that includes networkmatch, I’m happy to re-review.