ToServices support

[GraysonWu]

This PR adds ToServices feature, which allows users to apply an ACNP/ANP on a Service.
Use this PR to replace PR #2538 with the new approach brought up in PR #2538.
The new approach will use groupID assigned to the Service by AntreaProxy to match traffic, which means that ToServices can only be used when AntreaProxy is enabled and this Service must have at least one clusterIP.
Also, this implementation use groupID to match traffic, thus the policies will not be enforced when appliedTo workloads connect to Service Endpoints directly. In order to enforce policies on directly Endpoints traffic, one fallback is using ClusterGroup with ServiceReference added in PR #1797.

1. Add ToServices field in ACNP and ANP.
2. In ServiceLBTable, load OVS groupID to reg7.
3. Use OVS groupID of Service to do the conj match in the egress table.
4. Add a channel between proxier and networkpolicy controller for Service groupID update events.

Signed-off-by: wgrayson wgrayson@vmware.com

[codecov-commenter]

Codecov Report

Merging #2755 (59205cf) into main (8336f7a) will increase coverage by 0.05%.
The diff coverage is 80.58%.

@@            Coverage Diff             @@
##             main    #2755      +/-   ##
==========================================
+ Coverage   61.59%   61.64%   +0.05%     
==========================================
  Files         283      283              
  Lines       23644    23729      +85     
==========================================
+ Hits        14563    14628      +65     
- Misses       7512     7524      +12     
- Partials     1569     1577       +8     

Flag	Coverage Δ
kind-e2e-tests	49.29% <62.13%> (+0.03%)	⬆️
unit-tests	40.88% <50.63%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/types/networkpolicy.go	83.33% <ø> (ø)
pkg/apis/controlplane/types.go	0.00% <ø> (ø)
pkg/controller/networkpolicy/validate.go	21.19% <0.00%> (-0.33%)	⬇️
pkg/agent/proxy/proxier.go	60.20% <40.00%> (ø)
pkg/agent/controller/networkpolicy/cache.go	86.54% <76.92%> (-0.44%)	⬇️
pkg/agent/controller/networkpolicy/reconciler.go	76.98% <76.92%> (-0.31%)	⬇️
pkg/agent/openflow/network_policy.go	83.19% <80.00%> (-0.03%)	⬇️
pkg/agent/proxy/types/groupcounter.go	94.33% <91.66%> (+4.33%)	⬆️
...ntroller/networkpolicy/networkpolicy_controller.go	71.25% <100.00%> (ø)
pkg/agent/openflow/pipeline.go	78.33% <100.00%> (+0.06%)	⬆️
... and 13 more

[antoninbas]

The commit message / PR description should mention the "caveat" of this approach: the policies will not be enforced when appliedTo workloads connect to Service Endpoints directly.

[GraysonWu]

Updated the commit message and the PR description.

[abhiraut]

maybe add the requirements of these? Name is required. Namespace is required for ACNP usage

[GraysonWu]

ACNP and ANP both use this struct. I'm not sure how to do "Namespace is required for ACNP usage". But I have this requirement set in crds.yml.

[tnqn]

The commit message format wouldn't look nice in many git tools. Could you follow the above link to improve it? More specifically, please wrap the body at 72 characters.

[tnqn]

Code LGTM. I suggest to remove the part that talks about the old approach from the commit message as it's never merged to main branch and could confuse people to think the PR is updating the implementation of a feature that was implemented in another way. The commit message could just focus on what this PR does.

[GraysonWu]

@tnqn Good suggestion. Commit message changed.

[tnqn]

LGTM

[tnqn]

/test-all

[tnqn]

e2e failed:

E1020 14:14:40.818524 16403 antreapolicy_test.go:101] ClusterNetworkPolicy.crd.antrea.io "test-log-acnp-deny" is invalid: spec.egress.toServices: Invalid value: "null": spec.egress.toServices in body must be of type array: "null"

[GraysonWu]

@tnqn The reason for those failures is that before k8s v1.20 null values for fields that don't specify the nullable flag won't be pruned. So if we use ToServices with a null value that is not of type array, it will be a problem. Starting from k8s v1.20, those fields will be pruned. Details: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#defaulting-and-nullable

So I pushed a commit making ToServices field omitempty. In this case, we can prune ToServices with a null value during struct->json process.

We didn't meet this issue on to/from field before while to/from is not omitempty, because in our e2e test framework we set 'to/from' to an empty array instead of a null value. Maybe we should also consider making to/from omitempty in the future.

Thanks for @antoninbas 's help during the investigation.

[GraysonWu]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[GraysonWu]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[GraysonWu]

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

[tnqn]

LGTM

[GraysonWu]

/test-ipv6-e2e
/test-ipv6-only-e2e