Description
Is your enhancement request related to a problem? Please describe.
Use case by @joestringer
As a cluster administrator I want to ensure that pods can reach commonly-used databases under my control but outside Kubernetes. Many but not all applications in my environment rely on these databases. I want to delegate writing network policy for this traffic to namespace owners.
Example: As a cluster administrator I define a CIDR group that defines a set of RDS instances that is used across multiple apps. The owners of namespaceA and namespaceB can then define policies that allow traffic to this group of RDS instances, and they reference the instances by CIDR group. As a cluster administrator I can migrate the database infrastructure and update the CIDR group independently of the namespace owners. The applications in namespaceC do not use this infrastructure, so the cluster administrator and the owners of namespaceC do not need to think about network policy for apps in namespaceC.
@networkop also mentions
Another use case could be a cluster controller that watches external resources (e.g. via cloud API or BGP) and updates the CIDR object with the changes. In this case, the controller only needs enough RBAC rules to update the CIDR object and would not need to touch the ANP itself.
Describe the solution you'd like
Have CIDR peers as an external object (in addition to the default inlined one that #144 is proposing?). That makes it more extensible.
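To make the proposal concrete, here is a sketch of how the three roles from the use cases above (cluster administrator, namespace owner, sync controller) would interact with a referenced CIDR object. This is an added example, not part of the issue and not the network-policy-api project's schema: the API group `example.invalid/v1alpha1`, the kinds `CIDRGroup` and `NamespaceEgressPolicy`, the `cidrGroupRef` field and the resource name `cidrgroups` are all hypothetical placeholders, and the CIDRs are constructed sample values.

```yaml
# Cluster-scoped CIDR object owned by the cluster administrator.
# Hypothetical API group and kind (not the real network-policy-api schema).
apiVersion: example.invalid/v1alpha1
kind: CIDRGroup
metadata:
  name: shared-rds
spec:
  cidrs:
    - 10.20.0.0/24   # constructed sample: RDS subnet in AZ a
    - 10.21.0.0/24   # constructed sample: RDS subnet in AZ b
---
# Namespace-owner policy in namespaceA. Instead of inlining the CIDRs
# (the #144 shape), it refers to the administrator's object by name.
# Hypothetical kind and field names.
apiVersion: example.invalid/v1alpha1
kind: NamespaceEgressPolicy
metadata:
  name: allow-shared-rds
  namespace: namespaceA
spec:
  egress:
    - action: Allow
      to:
        - cidrGroupRef:          # hypothetical: resolved by the policy controller
            name: shared-rds
      ports:
        - protocol: TCP
          port: 5432             # constructed sample: PostgreSQL-style RDS port
---
# RBAC for the sync controller from @networkop's use case: it may only
# read and update CIDRGroups, and has no rights on the policy objects
# themselves, so a compromised controller cannot widen a policy directly.
# rbac.authorization.k8s.io/v1 is the real Kubernetes RBAC API; the
# apiGroups/resources values below are the hypothetical ones from above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cidrgroup-syncer
rules:
  - apiGroups: ["example.invalid"]
    resources: ["cidrgroups"]
    verbs: ["get", "list", "watch", "update", "patch"]
```

namespaceB would carry an identical policy pointing at `shared-rds`, and a database migration then means editing `spec.cidrs` once rather than every referencing policy; namespaceC simply never references the object. The flip side is that whoever can write the `CIDRGroup` effectively widens every policy that references it, so the RBAC on that object needs to be as tight as the RBAC on the policies it feeds.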
Describe alternatives you've considered
Additional context
See #144 (comment) for details