Include domainnames in validation against namedPorts for ANP

tssurya · tssurya · commit f79713387c2f · 2025-06-24T11:00:26.000+02:00
Signed-off-by: Surya Seetharaman &lt;suryaseetharaman.9@gmail.com&gt;
diff --git a/apis/v1alpha1/adminnetworkpolicy_types.go b/apis/v1alpha1/adminnetworkpolicy_types.go
@@ -150,7 +150,7 @@ type AdminNetworkPolicyIngressRule struct {
 // set of traffic originating from pods selected by a AdminNetworkPolicy's
 // Subject field.
 // <network-policy-api:experimental:validation>
-// +kubebuilder:validation:XValidation:rule="!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) && has(self.ports) && self.ports.exists(port, has(port.namedPort)))",message="networks/nodes peer cannot be set with namedPorts since there are no namedPorts for networks/nodes"
+// +kubebuilder:validation:XValidation:rule="!(self.to.exists(peer, has(peer.networks) || has(peer.nodes) || has(peer.domainNames)) && has(self.ports) && self.ports.exists(port, has(port.namedPort)))",message="networks/nodes/domainNames peer cannot be set with namedPorts since there are no namedPorts for networks/nodes/domainNames"
 type AdminNetworkPolicyEgressRule struct {
 	// Name is an identifier for this rule, that may be no more than 100 characters
 	// in length. This field should be used by the implementation to help
diff --git a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
@@ -468,10 +468,11 @@ spec:
                   - to
                   type: object
                   x-kubernetes-validations:
-                  - message: networks/nodes peer cannot be set with namedPorts since
-                      there are no namedPorts for networks/nodes
-                    rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes))
-                      && has(self.ports) && self.ports.exists(port, has(port.namedPort)))'
+                  - message: networks/nodes/domainNames peer cannot be set with namedPorts
+                      since there are no namedPorts for networks/nodes/domainNames
+                    rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)
+                      || has(peer.domainNames)) && has(self.ports) && self.ports.exists(port,
+                      has(port.namedPort)))'
                 maxItems: 100
                 type: array
               ingress:
