UPSTREAM: 130450: Fix implementation of ContainsCIDR to allow non-equal addresses

Author: JoelSpeed

staging/src/k8s.io/apiserver/pkg/cel/library/cidr.go

@@ -223,8 +223,7 @@ func cidrContainsCIDR(arg ref.Val, other ref.Val) ref.Val {
 		return types.MaybeNoSuchOverloadErr(other)
 	}
 
-	equalMasked := cidr.Prefix.Masked() == netip.PrefixFrom(containsCIDR.Prefix.Addr(), cidr.Prefix.Bits())
-	return types.Bool(equalMasked && cidr.Prefix.Bits() <= containsCIDR.Prefix.Bits())
+	return types.Bool(cidr.Overlaps(containsCIDR.Prefix) && cidr.Prefix.Bits() <= containsCIDR.Prefix.Bits())
 }
 
 func prefixLength(arg ref.Val) ref.Val {

staging/src/k8s.io/apiserver/pkg/cel/library/cidr_test.go

@@ -151,11 +151,21 @@ func TestCIDR(t *testing.T) {
 			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.168.0.0/25"))`,
 			expectResult: trueVal,
 		},
+		{
+			name:         "contains CIDR ipv4 (CIDR) (/32)",
+			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.168.0.1/32"))`,
+			expectResult: trueVal,
+		},
 		{
 			name:         "does not contain IP ipv4 (CIDR)",
 			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.168.0.0/23"))`,
 			expectResult: falseVal,
 		},
+		{
+			name:         "does not contain IP ipv4 (CIDR) (/32)",
+			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.169.0.1/32"))`,
+			expectResult: falseVal,
+		},
 		{
 			name:         "contains CIDR ipv4 (string)",
 			expr:         `cidr("192.168.0.0/24").containsCIDR("192.168.0.0/25")`,