kubernetes-sigs
diff --git a/‎apis/v1alpha1/adminnetworkpolicy_types.go
+1 b/‎apis/v1alpha1/adminnetworkpolicy_types.go
+1
diff --git a/‎apis/v1alpha1/baselineadminnetworkpolicy_types.go
+1 b/‎apis/v1alpha1/baselineadminnetworkpolicy_types.go
+1
diff --git a/‎apis/v1alpha1/externalnetworkset_types.go
+66 b/‎apis/v1alpha1/externalnetworkset_types.go
+66
diff --git a/‎apis/v1alpha1/shared_types.go
+9 b/‎apis/v1alpha1/shared_types.go
+9
diff --git a/‎apis/v1alpha1/zz_generated.deepcopy.go
+83 b/‎apis/v1alpha1/zz_generated.deepcopy.go
+83
diff --git a/‎apis/v1alpha1/zz_generated.register.go
+2 b/‎apis/v1alpha1/zz_generated.register.go
+2
diff --git a/‎config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
+104 b/‎config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
+104
@@ -137,6 +137,7 @@ type AdminNetworkPolicyIngressRule struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.nodes))",message="cluster-ingress traffic controls are unsupported"
+	// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.externalNetworks))",message="cluster-ingress traffic controls are unsupported"
 	From []AdminNetworkPolicyPeer `json:"from"`
 
 	// Ports allows for matching traffic based on port and protocols.
 
@@ -120,6 +120,7 @@ type BaselineAdminNetworkPolicyIngressRule struct {
 	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.nodes))",message="cluster-ingress traffic controls are unsupported"
+	// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.externalNetworks))",message="cluster-ingress traffic controls are unsupported"
 	From []AdminNetworkPolicyPeer `json:"from"`
 
 	// Ports allows for matching traffic based on port and protocols.
 
@@ -0,0 +1,66 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// All fields in this package are required unless Explicitly marked optional
+// +kubebuilder:validation:Required
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=ens,scope=Cluster
+// +kubebuilder:printcolumn:name="Networks",type=string,JSONPath=".spec.networks"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSet is a cluster level resource that is used to define
+// a set of networks outside the cluster which can be referred to from
+// the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external peer
+type ExternalNetworkSet struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	// Specification of the desired behavior of ExternalNetworkSet.
+	Spec ExternalNetworkSetSpec `json:"spec"`
+}
+
+// ExternalNetworkSetSpec defines the desired state of ExternalNetworkSet.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type ExternalNetworkSetSpec struct {
+	// Networks is the list of NetworkCIDR (both v4 & v6) that can be used to define
+	// external destinations.
+	// A total of 100 CIDRs will be allowed in each NetworkSet instance.
+	// ANP & BANP APIs may use the .spec.in(e)gress.from(to).externalNetworks selector
+	// to select a set of external networks
+	//
+	// Support: Core
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSetList contains a list of ExternalNetworkSet
+type ExternalNetworkSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalNetworkSet `json:"items"`
+}
@@ -148,6 +148,15 @@ type AdminNetworkPolicyPeer struct {
 	//
 	// +optional
 	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// ExternalNetworks defines a way to select ExternalNetworkSets
+	// that consist of network CIDRs that live outside the cluster as a peer.
+	// This field follows standard label selector semantics; if present
+	// but empty, it selects all ExternalNetworkSets defined in the cluster.
+	//
+	// Support: Core
+	//
+	// +optional
+	ExternalNetworks *metav1.LabelSelector `json:"externalNetworks,omitempty"`
 }
 
 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.
 
@@ -164,6 +164,57 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. This field follows
+                              standard label selector semantics; if present but empty,
+                              it selects all ExternalNetworkSets defined in the cluster.
+                              \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"
@@ -493,6 +544,57 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. This field follows
+                              standard label selector semantics; if present but empty,
+                              it selects all ExternalNetworkSets defined in the cluster.
+                              \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"
@@ -779,6 +881,8 @@ spec:
                       x-kubernetes-validations:
                       - message: cluster-ingress traffic controls are unsupported
                         rule: self.all(value, !has(value.nodes))
+                      - message: cluster-ingress traffic controls are unsupported
+                        rule: self.all(value, !has(value.externalNetworks))
                     name:
                       description: "Name is an identifier for this rule, that may
                         be no more than 100 characters in length. This field should