From 2099c87c600d22bcffa9b2bd45896fbefcc61b25 Mon Sep 17 00:00:00 2001
From: Art Berger
Date: Wed, 3 Jun 2026 17:16:52 +0000
Subject: [PATCH] pkg_1: replace startsWith() with cidr().containsIP() in network-authz examples
Use canonical CEL cidr().containsIP() pattern for IP range matching instead of string prefix matching (startsWith()) in both 'Allow only private network ranges' and 'Layered L4+L7 controls' examples. Updates latest and main copies.
Signed-off-by: Art Berger
---
 .../standalone/latest/configuration/security/network-authz.md | 4 ++--
 .../standalone/main/configuration/security/network-authz.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/docs/standalone/latest/configuration/security/network-authz.md b/content/docs/standalone/latest/configuration/security/network-authz.md
index 7549bb2bc..48fc630f5 100644
--- a/content/docs/standalone/latest/configuration/security/network-authz.md
+++ b/content/docs/standalone/latest/configuration/security/network-authz.md
@@ -67,7 +67,7 @@ The following CEL variables are available in network authorization rules:
 frontendPolicies:
 networkAuthorization:
 rules:
- - allow: 'source.address.startsWith("10.") || source.address.startsWith("172.16.") || source.address.startsWith("192.168.")'
+ - allow: 'cidr("10.0.0.0/8").containsIP(source.address) || cidr("172.16.0.0/12").containsIP(source.address) || cidr("192.168.0.0/16").containsIP(source.address)'
 ```
 ### Require mTLS client identity
@@ -87,7 +87,7 @@ Combine network authorization with HTTP authorization for defense in depth.
 frontendPolicies:
 networkAuthorization:
 rules:
- - allow: 'source.address.startsWith("10.")'
+ - allow: 'cidr("10.0.0.0/8").containsIP(source.address)'
 binds:
 - port: 3000
diff --git a/content/docs/standalone/main/configuration/security/network-authz.md b/content/docs/standalone/main/configuration/security/network-authz.md
index 7549bb2bc..48fc630f5 100644
--- a/content/docs/standalone/main/configuration/security/network-authz.md
+++ b/content/docs/standalone/main/configuration/security/network-authz.md
@@ -67,7 +67,7 @@ The following CEL variables are available in network authorization rules:
 frontendPolicies:
 networkAuthorization:
 rules:
- - allow: 'source.address.startsWith("10.") || source.address.startsWith("172.16.") || source.address.startsWith("192.168.")'
+ - allow: 'cidr("10.0.0.0/8").containsIP(source.address) || cidr("172.16.0.0/12").containsIP(source.address) || cidr("192.168.0.0/16").containsIP(source.address)'
 ```
 ### Require mTLS client identity
@@ -87,7 +87,7 @@ Combine network authorization with HTTP authorization for defense in depth.
 frontendPolicies:
 networkAuthorization:
 rules:
- - allow: 'source.address.startsWith("10.")'
+ - allow: 'cidr("10.0.0.0/8").containsIP(source.address)'
 binds:
 - port: 3000