Upstream kubernetes CIDR.contains functionality #1237

Open
@tdesrosi

Description

Feature request checklist

  • There are no issues that match the desired change
  • The change is large enough it can't be addressed with a simple Pull Request
  • If this is a bug, please file a Bug Report.

Change

The basic premise is to match upstream functionality in kubernetes for CIDR/IP range built-in functions.

Kubernetes has implemented a robust set of CEL functions for handling IP addresses and CIDR ranges (e.g., isIP, cidr, ip, and containment checks). These are currently locked inside k8s.io/apiserver, but they are generally useful for any policy engine dealing with network logic (firewalls, access lists, etc.).

The implementation would introduce opaque types for IP and CIDR to ensure correctness, rather than treating them as raw strings.

Example

Match kubernetes functionality:

cidr('192.168.0.0/24').containsIP(ip('192.168.0.1'))

Alternatives considered

Using matches() for IP validation is error-prone and difficult to maintain (especially for IPv6). We also are using startsWith() in various places, but this makes CEL policies which check IP inclusion in a CIDR range long and repetitive.

Loading a WASM module for basic network logic is overkill and introduces performance overhead for simple checks.

Process

I (@tdesrosi) will begin this work.
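
The point under "Alternatives considered", as an added example that is not code from this issue or from the Kubernetes implementation: it compares a `startsWith()`-style text check with typed CIDR containment, using Go's standard `net/netip` package as a stand-in for the proposed opaque types. The function names `prefixMatch` and `cidrContainsIP` and all sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// prefixMatch is the string-based check the issue calls error-prone:
// it compares text, not address bits. (Hypothetical helper.)
func prefixMatch(addr, textPrefix string) bool {
	return strings.HasPrefix(addr, textPrefix)
}

// cidrContainsIP parses both operands into typed values first, so malformed
// input is rejected instead of being compared as text. (Hypothetical helper.)
func cidrContainsIP(cidr, addr string) (bool, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return false, fmt.Errorf("invalid CIDR %q: %w", cidr, err)
	}
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return false, fmt.Errorf("invalid IP %q: %w", addr, err)
	}
	return p.Contains(a), nil
}

func main() {
	// Constructed sample inputs: CIDR, the text prefix a policy author
	// might write for it, and the address under test.
	cases := []struct{ cidr, textPrefix, addr string }{
		{"192.168.0.0/24", "192.168.0.", "192.168.0.1"},   // both checks agree
		{"10.1.0.0/16", "10.1", "10.100.3.4"},             // text prefix over-matches
		{"10.0.0.0/22", "10.0.0.", "10.0.3.9"},            // mask not on an octet boundary
		{"2001:db8::/32", "2001:db8:", "2001:0db8::1"},    // same address, different spelling
		{"192.168.0.0/24", "192.168.0.", "192.168.0.999"}, // not an IP address at all
	}
	for _, c := range cases {
		ok, err := cidrContainsIP(c.cidr, c.addr)
		fmt.Printf("%-15s %-14s startsWith=%-5v typed=%-5v err=%v\n",
			c.cidr, c.addr, prefixMatch(c.addr, c.textPrefix), ok, err)
	}
}
```

Only the first case gives the same answer from both checks; the text comparison wrongly allows the second and fifth inputs and wrongly rejects the third and fourth.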
