I have a patch that will fix the problem of sdn pods failing to start back up due to the invalid egressCIDR value. In OCP4.x, since we use watchers and informers plus kubebuilder validation in the API, unlike in OCP3.11, unfortunately we will not outright invalidate the incorrect value. Instead it gets silently ignored by emitting a warning in the logs. But the patch I've posted will ensure that the incorrect egressCIDR field is wiped clean if it's invalid. This way the user can know if an incorrect value was specified because doing oc get hostsubnet will still not have the egressCIDR values set.
I have an update on the logic. Based on the reviews I received on the patch: because of the way the sdn interacts with the API (that is the source of truth), sdn cannot modify fields in the API. In general sdn does not undo the user's changes in the API, even when they're wrong. So I won't be able to clear the fields; they would get logged as invalid values in the pod logs, so the user should be able to pick this up from the logs if something goes wrong.
However, the sdn pods failing to start because of the invalid values is just wrong. This will be fixed in the patch since it shouldn't fail to come up due to invalid user-maintained values. Will try to get this backported to 4.5 and 4.4 as well, since we don't want to bring down the cluster.