Add comments about ratcheting for IPs

Author: thockin

pkg/apis/core/validation/validation.go

@@ -9187,6 +9187,9 @@ func isRestartableInitContainer(initContainer *core.Container) bool {
 // handles setting strictValidation correctly. This is only for fields that use legacy IP
 // address validation; use validation.IsValidIP for new fields.
 func IsValidIPForLegacyField(fldPath *field.Path, value string, validOldIPs []string) field.ErrorList {
+	// TODO: once the StrictIPCIDRValidation gate is locked to on, this
+	// function can go away and callers can do their own ratchet check, then
+	// call validate.IP().
 	return validation.IsValidIPForLegacyField(fldPath, value, utilfeature.DefaultFeatureGate.Enabled(features.StrictIPCIDRValidation), validOldIPs)
 }
 

staging/src/k8s.io/apimachinery/pkg/util/validation/ip.go

@@ -82,6 +82,9 @@ func parseIP(fldPath *field.Path, value string, strictValidation bool) (net.IP,
 // historically validated in this way, and strictValidation should be true unless the
 // StrictIPCIDRValidation feature gate is disabled. Use IsValidIP for parsing new fields.
 func IsValidIPForLegacyField(fldPath *field.Path, value string, strictValidation bool, validOldIPs []string) field.ErrorList {
+	// TODO: once the StrictIPCIDRValidation gate is locked to on, this can
+	// simply check the old value (or make callers do it) and call
+	// validate.IP().
 	if slices.Contains(validOldIPs, value) {
 		return nil
 	}