diff --git a/kuryr_kubernetes/controller/drivers/network_policy.py b/kuryr_kubernetes/controller/drivers/network_policy.py
index d7f12858a..af77dd0c8 100644
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import netaddr
 from oslo_log import log as logging
 from neutronclient.common import exceptions as n_exc
 
@@ -352,6 +353,23 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
 allow_all, selectors, allowed_cidrs = self._parse_selectors(
 rule_block, rule_direction, policy_namespace)
 
+ ipblock_list = []
+
+ if rule_direction in rule_block:
+ ipblock_list = [ipblock.get('ipBlock') for ipblock in
+ rule_block[rule_direction] if 'ipBlock'
+ in ipblock]
+
+ for ipblock in ipblock_list:
+ if ipblock.get('except'):
+ for cidr_except in ipblock.get('except'):
+ cidr_list = netaddr.cidr_exclude(
+ ipblock.get('cidr'), cidr_except)
+ cidr_list = [{'cidr': str(cidr)} for cidr in cidr_list]
+ allowed_cidrs.extend(cidr_list)
+ else:
+ allowed_cidrs.append(ipblock)
+
 if 'ports' in rule_block:
 for port in rule_block['ports']:
 if allowed_cidrs or allow_all or selectors:
diff --git a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
index 9a3078c9f..03a9fdcfe 100644
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
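Review bot: In the `except` loop of the new ipBlock handling, every `netaddr.cidr_exclude` call starts again from the full `ipblock.get('cidr')`, so with two or more `except` entries each call's result still contains the other excepted ranges, and extending `allowed_cidrs` with their union re-admits every excepted range — the security-group rules end up allowing traffic the NetworkPolicy explicitly excludes (fail-open). The exclusions have to be applied cumulatively to one set; `netaddr.IPSet` does this directly by subtracting an IPSet of all `except` entries from the block's CIDR and emitting `iter_cidrs()`. The rewritten loop is below; the enclosing method (presumably `parse_network_policy_rules`, judging by the caller in the test file) starts and ends outside this hunk. A smaller point: the `except` branch appends `{'cidr': ...}` dicts while the `else` branch appends the raw ipBlock dict (which may still carry an empty `except` key), so consumers of `allowed_cidrs` see two shapes — the rewrite normalizes both to `{'cidr': ...}`.
```python
            for ipblock in ipblock_list:
                cidr = ipblock.get('cidr')
                excepts = ipblock.get('except')
                if excepts:
                    # Apply every exclusion to the same set so that no
                    # excepted range survives in the remaining subnets.
                    remaining = netaddr.IPSet([cidr]) - netaddr.IPSet(excepts)
                    allowed_cidrs.extend({'cidr': str(subnet)}
                                         for subnet in remaining.iter_cidrs())
                else:
                    allowed_cidrs.append({'cidr': cidr})
            # … unchanged: 'ports' handling …
```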
@@ -381,6 +381,27 @@ class TestNetworkPolicyDriver(test_base.TestCase):
 m_create.assert_called()
 m_get_ns_cidr.assert_not_called()
 
+ @mock.patch.object(network_policy.NetworkPolicyDriver,
+ '_get_namespaces_cidr')
+ @mock.patch('kuryr_kubernetes.controller.drivers.utils.'
+ 'create_security_group_rule_body')
+ def test_parse_network_policy_rules_with_ipblock(self, m_create,
+ m_get_ns_cidr):
+ policy = self._policy.copy()
+ policy['spec']['ingress'] = [{'from':
+ [{'ipBlock':
+ {'cidr': '172.17.0.0/16',
+ 'except': ['172.17.1.0/24']}}],
+ 'ports': [{'port': 6379,
+ 'protocol': 'TCP'}]}]
+ policy['spec']['egress'] = [{'ports': [{'port': 5978, 'protocol':
+ 'TCP'}],
+ 'to': [{'ipBlock':
+ {'cidr': '10.0.0.0/24'}}]}]
+ self._driver.parse_network_policy_rules(policy, self._sg_id)
+ m_create.assert_called()
+ m_get_ns_cidr.assert_not_called()
+
 @mock.patch.object(network_policy.NetworkPolicyDriver,
 '_get_namespaces_cidr')
 @mock.patch('kuryr_kubernetes.controller.drivers.utils.'
diff --git a/requirements.txt b/requirements.txt
index 070e827a5..8107f4544 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,6 +8,7 @@ kuryr-lib>=0.5.0 # Apache-2.0
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 requests>=2.14.2 # Apache-2.0
 eventlet!=0.18.3,!=0.20.1,!=0.21.0,>=0.18.2 # MIT
+netaddr>=0.7.19 # BSD
 openstacksdk>=0.13.0 # Apache-2.0
 oslo.cache>=1.26.0 # Apache-2.0
 oslo.config>=5.2.0 # Apache-2.0
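Review bot: `test_parse_network_policy_rules_with_ipblock` only checks `m_create.assert_called()`, so it never verifies which CIDRs the ipBlock handling produced — it would still pass if the excepted range 172.17.1.0/24 were handed to the rule builder, which is exactly the regression worth pinning. Inspect `m_create.call_args_list` and assert that the remote prefixes passed include 172.17.0.0/24 and 172.17.128.0/17 (two of the subnets left after excluding 172.17.1.0/24 from 172.17.0.0/16) and that none equals 172.17.1.0/24; the exact keyword name depends on `create_security_group_rule_body`'s signature, which is outside this diff. Also, `self._policy.copy()` is a shallow copy, so `policy['spec']['ingress'] = ...` writes into the shared fixture's `spec` dict; `policy = copy.deepcopy(self._policy)` would keep the test isolated, provided `copy` is already imported in this module — that cannot be seen from here.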