exception CIDR can be bigger than the main CIDR and still pass validation

[tsotne95]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.19.1 and lower than v1.20.0

What happened?

I assume validation should reject it.

How can we reproduce the issue?

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: broken-except
spec:
  endpointSelector:
    matchLabels:
      app: test
  egress:
    - toCIDRSet:
        - cidr: "10.0.0.0/24"
          except:
            - "10.0.0.0/16"

I was checking different policies and somehow this policy passes the validation.

Cilium Version

I was testing it on 1.19

Kernel Version

6.16.12-1rodete2-amd64

Kubernetes Version

v1.32.2

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[tsotne95]

ok I found the validation code:

// Note: this also checks that the allow CIDR prefix and the exception
		// CIDR prefixes are part of the same address family.
		if !prefix.Contains(except.Addr()) {
			return fmt.Errorf("allow CIDR prefix %s does not contain "+
				"exclude CIDR prefix %s", c.Cidr, p)
		}

The prefix length is not considered.

[tsotne95]

As it's quick to fix, I'll make PR soon