Skip to content

allowing CIDRs, wildcards and Plural in IP and DNS#846

Closed
matthyx wants to merge 1 commit into
mainfrom
network-wildcards-806
Closed

allowing CIDRs, wildcards and Plural in IP and DNS#846
matthyx wants to merge 1 commit into
mainfrom
network-wildcards-806

Conversation

@matthyx

@matthyx matthyx commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Same-repo mirror of #806 (which is from the k8sstormcenter fork) so the gated Node Agent Component Tests and build-and-push-image (pull_request) workflows run with repo secrets.

Single squashed commit, rebased on main, conflicts resolved.

Overview

network-wildcards: DNS leading/trailing/mid + CIDR + IPAddresses + * sentinel.

CEL networkneighborhood helpers now query projected fields with wildcard/CIDR/DNS-wildcard support and the v0.0.2 spec semantics (port/protocol checks degrade to address-only in v1 when only a CIDR is declared):

  • DNS leading-* (RFC 4592 single-label wildcard)
  • DNS trailing-* (subdomain-prefix wildcard)
  • DNS mid- (interior dynamic segment)
  • IPv4/IPv6 literals and CIDR ranges
  • * any-IP sentinel
  • IPAddresses list (deprecated single-IP field) preserved on the decode path

Enables the "Unexpected Egress Network Traffic" (R0011) rule by default.

Storage dependency

Backed by kubescape/storage #324. go.mod pins the official kubescape/storage v0.0.290 release (drops the temporary fork replace).

Tests

  • 20 declarative fixture YAMLs under tests/resources/network-wildcards/
  • wildcard + fixtures unit tests in pkg/rulemanager/cel/libraries/networkneighborhood/
  • Test_28_UserDefinedNetworkNeighborhood component test
  • Feature documented in docs/features/network-wildcards.md

Supersedes/mirrors #806.

🤖 Generated with Claude Code

network-wildcards: DNS leading/trailing/mid + CIDR + IPAddresses + "*" sentinel.

CEL networkneighborhood helpers now query projected fields with
wildcard/CIDR/DNS-wildcard support and the v0.0.2 spec semantics
(port/protocol checks degrade to address-only in v1 when only a CIDR is
declared):
  - DNS leading-* (RFC 4592 single-label wildcard)
  - DNS trailing-* (subdomain-prefix wildcard)
  - DNS mid-(interior dynamic segment)
  - IPv4/IPv6 literals and CIDR ranges
  - "*" any-IP sentinel
  - IPAddresses list (deprecated single-IP field) preserved on the decode path

Enables the "Unexpected Egress Network Traffic" (R0011) rule by default.

Backed by kubescape/storage #324; go.mod now pins the official
kubescape/storage v0.0.290 release (drops the temporary fork replace).

Tests: 20 declarative fixture YAMLs under tests/resources/network-wildcards/
plus wildcard/fixtures unit tests and Test_28_UserDefinedNetworkNeighborhood
component test. Feature documented in docs/features/network-wildcards.md.

Squashed from PR #806 (kubescape/node-agent).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Duck <70207455+entlein@users.noreply.github.com>
@matthyx matthyx added the ai-assisted Created through Armosec AI tooling (armosec-shared-rules plugin) label Jun 26, 2026
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@matthyx, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 16 minutes and 16 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d0d2069e-62b9-4721-ae21-e3ef76f4039b

📥 Commits

Reviewing files that changed from the base of the PR and between 1e079ee and 7ca0541.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (33)
  • docs/features/network-wildcards.md
  • go.mod
  • pkg/objectcache/containerprofilecache/projection.go
  • pkg/objectcache/containerprofilecache/projection_apply.go
  • pkg/objectcache/v1/mock.go
  • pkg/rulemanager/cel/libraries/networkneighborhood/fixtures_test.go
  • pkg/rulemanager/cel/libraries/networkneighborhood/network.go
  • pkg/rulemanager/cel/libraries/networkneighborhood/wildcard_test.go
  • tests/chart/templates/node-agent/default-rules.yaml
  • tests/component_test.go
  • tests/resources/known-network-neighborhood.yaml
  • tests/resources/network-wildcards/01-literal-ipv4.yaml
  • tests/resources/network-wildcards/02-literal-ipv6.yaml
  • tests/resources/network-wildcards/03-cidr-ipv4.yaml
  • tests/resources/network-wildcards/04-cidr-ipv6.yaml
  • tests/resources/network-wildcards/05-any-ip-sentinel.yaml
  • tests/resources/network-wildcards/06-any-as-cidr.yaml
  • tests/resources/network-wildcards/07-mixed-ip-list.yaml
  • tests/resources/network-wildcards/08-deprecated-ipaddress.yaml
  • tests/resources/network-wildcards/09-dns-literal.yaml
  • tests/resources/network-wildcards/10-dns-leading-wildcard.yaml
  • tests/resources/network-wildcards/11-dns-mid-ellipsis.yaml
  • tests/resources/network-wildcards/12-dns-trailing-star.yaml
  • tests/resources/network-wildcards/13-dns-trailing-dot-normalisation.yaml
  • tests/resources/network-wildcards/14-recursive-star-rejected.yaml
  • tests/resources/network-wildcards/15-egress-and-ingress.yaml
  • tests/resources/network-wildcards/16-egress-none.yaml
  • tests/resources/network-wildcards/17-realistic-stripe-api.yaml
  • tests/resources/network-wildcards/18-cluster-dns-via-mid-ellipsis.yaml
  • tests/resources/network-wildcards/19-port-protocol-with-cidr.yaml
  • tests/resources/network-wildcards/20-multi-container-mixed-wildcards.yaml
  • tests/resources/network-wildcards/README.md
  • tests/resources/nginx-user-defined-deployment.yaml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch network-wildcards-806

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown

Performance Benchmark Results

Node-Agent Resource Usage
Metric BEFORE AFTER Delta
Avg CPU (cores) 0.203 0.198 -2.7%
Peak CPU (cores) 0.214 0.210 -1.9%
Avg Memory (MiB) 327.649 272.736 -16.8%
Peak Memory (MiB) 330.297 277.816 -15.9%
Dedup Effectiveness

No data available.

@matthyx

matthyx commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

we merged #806

@matthyx matthyx closed this Jun 26, 2026
@matthyx matthyx deleted the network-wildcards-806 branch June 26, 2026 15:01
@matthyx matthyx moved this to To Archive in KS PRs tracking Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ai-assisted Created through Armosec AI tooling (armosec-shared-rules plugin)

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

2 participants