Add Egress CRD types

[jianjuns]

Add types for egress policy CRDs, including Egress for the egress
policy definition, and a common AppliedTo struct for defining the scope
to which a policy is applied.

Issue: #667

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

[codecov-io]

Codecov Report

Merging #1433 (082bbef) into main (e93ed12) will increase coverage by 1.20%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1433      +/-   ##
==========================================
+ Coverage   61.92%   63.13%   +1.20%     
==========================================
  Files         262      262              
  Lines       19473    19473              
==========================================
+ Hits        12059    12294     +235     
+ Misses       6167     5915     -252     
- Partials     1247     1264      +17     

Flag	Coverage Δ
e2e-tests	25.40% <ø> (?)
kind-e2e-tests	53.34% <ø> (-0.05%)	⬇️
unit-tests	41.85% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/ipfix/ipfix_process.go	81.81% <0.00%> (-18.19%)	⬇️
pkg/agent/cniserver/pod_configuration.go	53.90% <0.00%> (-3.52%)	⬇️
pkg/controller/traceflow/controller.go	69.48% <0.00%> (-2.60%)	⬇️
pkg/agent/openflow/client.go	64.16% <0.00%> (+0.50%)	⬆️
pkg/agent/flowexporter/exporter/exporter.go	70.83% <0.00%> (+0.69%)	⬆️
...ntroller/networkpolicy/networkpolicy_controller.go	71.10% <0.00%> (+0.97%)	⬆️
pkg/agent/agent.go	48.92% <0.00%> (+1.19%)	⬆️
pkg/ovs/openflow/ofctrl_builder.go	57.89% <0.00%> (+1.31%)	⬆️
pkg/agent/flowexporter/connections/connections.go	81.67% <0.00%> (+1.52%)	⬆️
pkg/ovs/ovsconfig/ovs_client.go	51.73% <0.00%> (+1.62%)	⬆️
... and 13 more

[abhiraut]

is this going to be a Namespaced scope CRD?

[jianjuns]

I plan to start from cluster scoped.

[jianjuns]

@tnqn : please let me know what you think about my new version?

[tnqn]

I guess your command didn't finish successfully, there are 130 files are affected because of the year update.

[tnqn]

Not related to this PR, I'm wondering if we could add a Namespace field to the EntitySelector which means selecting Pods in this namespace, just like how NetworkPolicyPeer in K8s NetworkPolicy works. Is this easier to use compared with "antrea.io/metadata.name" or "kubernetes.io/metadata.name" label?

[jianjuns]

I think Abishek and Yang proposed the label way, because upstream NetworkPolicy decide to go that direction. @Dyanngg: please comment.

[Dyanngg]

Thanks for bringing it up. In the upstream proposal, we're replacing the NamespaceSelector field with a new Namespaces field, which look like the following

type Namespaces struct {
	Self       bool
	Selector   *metav1.LabelSelector
	Except     []*metav1.LabelSelector
}

Namespaces.Selector will essentially replace NamespaceSelector. And user can easily write a Namespace isolation policy by setting Namespaces.Self=true. We are still on the fence about whether the Except field is necessary so I wouldn't put that in to start with (although there are quite some usecases which can be greatly simplified by except, like deny all traffic except from kube-system).
Link to the KEP: kubernetes/enhancements#2522

[tnqn]

should this be non pointer? It doesn't have a proper mean if it's nil, right?

[jianjuns]

In NetworkPolicy AppliedTo can be nil today, which means applied to all I think. Should we keep the behavior?

[jianjuns]

Thought over and now also feel empty AppliedTo probably makes more sense. Do you think so?

[jianjuns]

@Dyanngg, @tnqn, @antoninbas : do you see any reason to make it a slice? Today Antrea NetworkPolicy uses a slice of NetworkPolicyPeer so can be multiple Selectors too.

[jianjuns]

I meant I am thinking about:

type AppliedTo struct {
        PodSelector *metav1.LabelSelector
        NamespaceSelector *metav1.LabelSelector
        Groups []string
}

[jianjuns]

Changed to a single selector (pair) per inputs from Abhishek and Yang.

[jianjuns]

I guess your command didn't finish successfully, there are 130 files are affected because of the year update.

Yes, noticed it, but there is no error returned by "make codegen".

I found out it is due to a previous failed run, which I commited to local. Fixed it.

[tnqn]

@jianjuns I tested this patch with controller code and it basically works. The only thing missing is the CRD manifest, do you plan to add it in this PR? or I could do it with another PR.

[tnqn]

This is not consistent with Antrea NetworkPolicy where only a Group is allowed. It looks like multiple group will be supported by a nested group #1920.

[jianjuns]

Yes. I think we should support multiple groups finally, but if we want to change NetworkPolicy together, I can switch to a single group for now.
@Dyanngg : thoughts?

[Dyanngg]

I think last time we discussed, the cardinality issue is not here in particular: the issue is that currently Antrea-native policies support multiple appliedTos, while @jianjuns suggests we only use a single core/v1alpha2.appliedTo for Antrea-native policies if we decide to share the appliedTo. So in upgrade case, there could be extra namespaceSelector and podSelector in the appliedTo list today that can not fit in the new spec. If we want to do some hacks (i.e. translating 1 old ACNP to multiple new ACNPs once appliedTo is unified), then I don't really have a preference here. If not, then maybe a list for Groups here would help, as we only need to put the groups mentioned in the old list of appliedTos in the slice there?

[tnqn]

do you plan to change to crd group after the renaming is done?

[jianjuns]

Yes.

[jianjuns]

@jianjuns I tested this patch with controller code and it basically works. The only thing missing is the CRD manifest, do you plan to add it in this PR? or I could do it with another PR.

If we generate YAML then the CRDs are visible to users. I think we can publish YAML after the feature is complete. What you think?

[tnqn]

// +genclient:nonNamespaced
@jianjuns the tag is needed to generate proper Lister, otherwise it will require a namespace to get an Egress.

[jianjuns]

Fixed it.

[tnqn]

LGTM

[tnqn]

/test-all

[tnqn]

LGTM

[tnqn]

/test-all

[jianjuns]

/test-e2e