CiliumCIDRGroup

Note

Beta Feature: CiliumCIDRGroup is currently in beta. We welcome your feedback and encourage you to report any issues by filing a GitHub issue.

For the list of outstanding tasks and known issues, please refer to GitHub issue 24801.

CiliumCIDRGroup (CCG) is a feature that allows administrators to reference a group of CIDR blocks in a CiliumNetworkPolicy. Unlike Endpoint CRD resources, which are managed by the Cilium agent, CiliumCIDRGroup resources are intended to be managed directly by administrators. It is particularly useful for enforcing policies on groups of external CIDR blocks.

The following is an example of a CiliumCIDRGroup object:

apiVersion: cilium.io/v2alpha1
kind: CiliumCIDRGroup
metadata:
  name: vpn
spec:
  externalCIDRs:
    - "10.48.0.0/24"
    - "10.16.0.0/24"

The vpn CCG can be referenced in a CiliumNetworkPolicy by using the fromCIDRSet directive:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: from-vpn-example
spec:
  endpointSelector: {}
  ingress:
  - fromCIDRSet:
    - cidrGroupRef: vpn

In this example, the fromCIDRSet directive in the CNP references the vpn group defined in the CiliumCIDRGroup. This allows the CNP to apply ingress rules based on the CIDRs grouped under the vpn name.