kubernetes-sigs
diff --git a/‎apis/v1alpha1/adminnetworkpolicy_types.go
+94 b/‎apis/v1alpha1/adminnetworkpolicy_types.go
+94
diff --git a/‎apis/v1alpha1/baselineadminnetworkpolicy_types.go
+56-2 b/‎apis/v1alpha1/baselineadminnetworkpolicy_types.go
+56-2
diff --git a/‎apis/v1alpha1/shared_types.go
-54 b/‎apis/v1alpha1/shared_types.go
-54
diff --git a/‎apis/v1alpha1/zz_generated.deepcopy.go
+41-1 b/‎apis/v1alpha1/zz_generated.deepcopy.go
+41-1
diff --git a/‎config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
+47 b/‎config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
+47
diff --git a/‎config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+2-2 b/‎config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+2-2
diff --git a/‎config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+2-2 b/‎config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+2-2
@@ -219,6 +219,100 @@ type AdminNetworkPolicyEgressRule struct {
 // +kubebuilder:validation:Enum={"Allow", "Deny", "Pass"}
 type AdminNetworkPolicyRuleAction string
 
+// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type AdminNetworkPolicyEgressPeer struct {
+	// Namespaces defines a way to select all pods within a set of Namespaces.
+	// Note that host-networked pods are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+	// Pods defines a way to select a set of pods in
+	// a set of namespaces. Note that host-networked pods
+	// are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Pods *NamespacedPod `json:"pods,omitempty"`
+	// Nodes defines a way to select a set of nodes in
+	// the cluster. This field follows standard label selector
+	// semantics; if present but empty, it selects all Nodes.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// Networks defines a way to select peers via CIDR blocks.
+	// This is intended for representing entities that live outside the cluster,
+	// which can't be selected by pods, namespaces and nodes peers, but note
+	// that cluster-internal traffic will be checked against the rule as
+	// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+	// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+	// add a rule that Passes all pod traffic before the Networks rule.
+	//
+	// Each item in Networks should be provided in the CIDR format and should be
+	// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+	//
+	// Networks can have upto 25 CIDRs specified.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=25
+	Networks []CIDR `json:"networks,omitempty"`
+
+	// DomainNames provides a way to specify domain names as peers.
+	//
+	// DomainNames is only supported for ALLOW rules. In order to control
+	// access, DomainNames ALLOW rules should be used with a lower priority
+	// egress deny -- this allows the admin to maintain an explicit "allowlist"
+	// of reachable domains.
+	//
+	// DomainNames can have up to 25 domain names specified in one rule.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=25
+	DomainNames []DomainName `json:"domainNames,omitempty"`
+}
+
+// DomainName describes one or more domain names to be used as a peer.
+//
+// DomainName can be an exact match, or use the wildcard specifier '*' to match
+// one or more labels.
+//
+// '*', the wildcard specifier, matches one or more entire labels. It does not
+// support partial matches. '*' may only be specified as a prefix.
+//
+// Examples:
+//   - `kubernetes.io` matches only `kubernetes.io`.
+//     It does not match "www.kubernetes.io", "blog.kubernetes.io",
+//     "my-kubernetes.io", or "wikipedia.org".
+//   - `blog.kubernetes.io` matches only "blog.kubernetes.io".
+//     It does not match "www.kubernetes.io" or "kubernetes.io".
+//   - `*.kubernetes.io` matches subdomains of kubernetes.io.
+//     "www.kubernetes.io", "blog.kubernetes.io", and
+//     "latest.blog.kubernetes.io" match, however "kubernetes.io", and
+//     "wikipedia.org" do not.
+//
+// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$`
+type DomainName string
+
 const (
 	// AdminNetworkPolicyRuleActionAllow indicates that matching traffic will be
 	// allowed regardless of NetworkPolicy and BaselineAdminNetworkPolicy
 
@@ -167,15 +167,15 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 	Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
 
 	// To is the list of destinations whose traffic this rule applies to.
-	// If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+	// If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	//
 	// Support: Core
 	//
-	To []AdminNetworkPolicyEgressPeer `json:"to"`
+	To []BaselineAdminNetworkPolicyEgressPeer `json:"to"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of destination ports for the outgoing egress traffic.
@@ -194,6 +194,60 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 // +kubebuilder:validation:Enum={"Allow", "Deny"}
 type BaselineAdminNetworkPolicyRuleAction string
 
+// BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type BaselineAdminNetworkPolicyEgressPeer struct {
+	// Namespaces defines a way to select all pods within a set of Namespaces.
+	// Note that host-networked pods are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
+	// Pods defines a way to select a set of pods in
+	// a set of namespaces. Note that host-networked pods
+	// are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Pods *NamespacedPod `json:"pods,omitempty"`
+	// Nodes defines a way to select a set of nodes in
+	// the cluster. This field follows standard label selector
+	// semantics; if present but empty, it selects all Nodes.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// Networks defines a way to select peers via CIDR blocks.
+	// This is intended for representing entities that live outside the cluster,
+	// which can't be selected by pods, namespaces and nodes peers, but note
+	// that cluster-internal traffic will be checked against the rule as
+	// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+	// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+	// add a rule that Passes all pod traffic before the Networks rule.
+	//
+	// Each item in Networks should be provided in the CIDR format and should be
+	// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+	//
+	// Networks can have upto 25 CIDRs specified.
+	//
+	// Support: Extended
+	//
+	// <network-policy-api:experimental>
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=25
+	Networks []CIDR `json:"networks,omitempty"`
+}
+
 const (
 	// BaselineAdminNetworkPolicyRuleActionDeny enables admins to deny traffic.
 	BaselineAdminNetworkPolicyRuleActionDeny BaselineAdminNetworkPolicyRuleAction = "Deny"
 
@@ -144,60 +144,6 @@ type AdminNetworkPolicyIngressPeer struct {
 	Pods *NamespacedPod `json:"pods,omitempty"`
 }
 
-// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
-// Exactly one of the selector pointers must be set for a given peer. If a
-// consumer observes none of its fields are set, they must assume an unknown
-// option has been specified and fail closed.
-// +kubebuilder:validation:MaxProperties=1
-// +kubebuilder:validation:MinProperties=1
-type AdminNetworkPolicyEgressPeer struct {
-	// Namespaces defines a way to select all pods within a set of Namespaces.
-	// Note that host-networked pods are not included in this type of peer.
-	//
-	// Support: Core
-	//
-	// +optional
-	Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
-	// Pods defines a way to select a set of pods in
-	// a set of namespaces. Note that host-networked pods
-	// are not included in this type of peer.
-	//
-	// Support: Core
-	//
-	// +optional
-	Pods *NamespacedPod `json:"pods,omitempty"`
-	// Nodes defines a way to select a set of nodes in
-	// the cluster. This field follows standard label selector
-	// semantics; if present but empty, it selects all Nodes.
-	//
-	// Support: Extended
-	//
-	// <network-policy-api:experimental>
-	// +optional
-	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
-	// Networks defines a way to select peers via CIDR blocks.
-	// This is intended for representing entities that live outside the cluster,
-	// which can't be selected by pods, namespaces and nodes peers, but note
-	// that cluster-internal traffic will be checked against the rule as
-	// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
-	// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
-	// add a rule that Passes all pod traffic before the Networks rule.
-	//
-	// Each item in Networks should be provided in the CIDR format and should be
-	// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
-	//
-	// Networks can have upto 25 CIDRs specified.
-	//
-	// Support: Extended
-	//
-	// <network-policy-api:experimental>
-	// +optional
-	// +listType=set
-	// +kubebuilder:validation:MinItems=1
-	// +kubebuilder:validation:MaxItems=25
-	Networks []CIDR `json:"networks,omitempty"`
-}
-
 // CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
 // This string must be validated by implementations using net.ParseCIDR
 // TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
 
@@ -219,6 +219,53 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          domainNames:
+                            description: |-
+                              DomainNames provides a way to specify domain names as peers.
+
+
+                              DomainNames is only supported for ALLOW rules. In order to control
+                              access, DomainNames ALLOW rules should be used with a lower priority
+                              egress deny -- this allows the admin to maintain an explicit "allowlist"
+                              of reachable domains.
+
+
+                              DomainNames can have up to 25 domain names specified in one rule.
+
+
+                              Support: Extended
+
+
+                              <network-policy-api:experimental>
+                            items:
+                              description: |-
+                                DomainName describes one or more domain names to be used as a peer.
+
+
+                                DomainName can be an exact match, or use the wildcard specifier '*' to match
+                                one or more labels.
+
+
+                                '*', the wildcard specifier, matches one or more entire labels. It does not
+                                support partial matches. '*' may only be specified as a prefix.
+
+
+                                Examples:
+                                  - `kubernetes.io` matches only `kubernetes.io`.
+                                    It does not match "www.kubernetes.io", "blog.kubernetes.io",
+                                    "my-kubernetes.io", or "wikipedia.org".
+                                  - `blog.kubernetes.io` matches only "blog.kubernetes.io".
+                                    It does not match "www.kubernetes.io" or "kubernetes.io".
+                                  - `*.kubernetes.io` matches subdomains of kubernetes.io.
+                                    "www.kubernetes.io", "blog.kubernetes.io", and
+                                    "latest.blog.kubernetes.io" match, however "kubernetes.io", and
+                                    "wikipedia.org" do not.
+                              pattern: ^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$
+                              type: string
+                            maxItems: 25
+                            minItems: 1
+                            type: array
+                            x-kubernetes-list-type: set
                           namespaces:
                             description: |-
                               Namespaces defines a way to select all pods within a set of Namespaces.
 
@@ -194,15 +194,15 @@ spec:
                     to:
                       description: |-
                         To is the list of destinations whose traffic this rule applies to.
-                        If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+                        If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing
                         traffic then the specified action is applied.
                         This field must be defined and contain at least one item.
 
 
                         Support: Core
                       items:
                         description: |-
-                          AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+                          BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
                           Exactly one of the selector pointers must be set for a given peer. If a
                           consumer observes none of its fields are set, they must assume an unknown
                           option has been specified and fail closed.
 
@@ -184,15 +184,15 @@ spec:
                     to:
                       description: |-
                         To is the list of destinations whose traffic this rule applies to.
-                        If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+                        If any BaselineAdminNetworkPolicyEgressPeer matches the destination of outgoing
                         traffic then the specified action is applied.
                         This field must be defined and contain at least one item.
 
 
                         Support: Core
                       items:
                         description: |-
-                          AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+                          BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
                           Exactly one of the selector pointers must be set for a given peer. If a
                           consumer observes none of its fields are set, they must assume an unknown
                           option has been specified and fail closed.