Add addressgroup peer for in-cluster stretched NetworkPolicy enforcement

[Dyanngg]

This PR is to fix stretched networkpolicy enforcement on Pod
to MC Service traffic when the MC Service endpoint resides in
the same cluster of the client. Under current datapath design,
the packet will loose tunnel information which contains the
client's label identity, thus bypassing stretched policy
enforcement. For more details on this issue, refer to #4431

As a result, stretched NetworkPolicy enforcement need to be
divided into two parts: for in-cluster access, the Antrea Controller
will create an addressgroup matching the clusterSet-scoped
selector, just like cluster-scoped selectors. For cross-cluster
policy enforcement, label identity will be used to match
selected peers.

Signed-off-by: Dyanngg dingyang@vmware.com

[codecov]

Codecov Report

Merging #4432 (a872430) into main (2f2d4d2) will decrease coverage by 0.97%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #4432      +/-   ##
==========================================
- Coverage   67.70%   66.73%   -0.98%     
==========================================
  Files         402      402              
  Lines       57253    57254       +1     
==========================================
- Hits        38764    38209     -555     
- Misses      15818    16395     +577     
+ Partials     2671     2650      -21     

Flag	Coverage Δ
integration-tests	34.57% <ø> (-0.08%)	⬇️
kind-e2e-tests	45.77% <0.00%> (-1.29%)	⬇️
unit-tests	56.43% <100.00%> (-0.03%)	⬇️

Impacted Files	Coverage Δ
pkg/apis/controlplane/types.go	100.00% <ø> (ø)
pkg/controller/networkpolicy/crd_utils.go	93.57% <100.00%> (+0.02%)	⬆️
pkg/ipfix/ipfix_intermediate.go	0.00% <0.00%> (-90.91%)	⬇️
pkg/ipfix/ipfix_collector.go	0.00% <0.00%> (-83.34%)	⬇️
pkg/flowaggregator/certificate.go	0.00% <0.00%> (-75.53%)	⬇️
pkg/flowaggregator/exporter/utils.go	0.00% <0.00%> (-72.73%)	⬇️
pkg/flowaggregator/apiserver/apiserver.go	4.61% <0.00%> (-58.47%)	⬇️
pkg/ipfix/ipfix_process.go	31.25% <0.00%> (-50.00%)	⬇️
pkg/ipfix/ipfix_registry.go	66.66% <0.00%> (-33.34%)	⬇️
pkg/flowaggregator/flowaggregator.go	36.62% <0.00%> (-31.80%)	⬇️
... and 45 more

[luolanzone]

Does it mean it will create AddressGroup anyway no matter it's ClusterSet scope or not?
I am wondering how we can verify that the stretchedNetworkPolicy being spitted into two parts of NP correctly? Shall we mention this on the document?

[Dyanngg]

Does it mean it will create AddressGroup anyway no matter it's ClusterSet scope or not?

If there are any pod/nsSelectors, yes it will create AddressGroups because an AddressGroup will need to be created no matter the scope of these selectors.

I am wondering how we can verify that the stretchedNetworkPolicy being spitted into two parts of NP correctly?

E2E testcases should verify this.

[luolanzone]

@Dyanngg Does this depend on @GraysonWu 's agent PR 3914? or it can merged independently?
@tnqn @jianjuns could you take a look at this small PR? thanks.

[Dyanngg]

@Dyanngg Does this depend on @GraysonWu 's agent PR 3914? or it can merged independently? @tnqn @jianjuns could you take a look at this small PR? thanks.

I think it can be merged independently.

[tnqn]

LGTM

[tnqn]

/skip-all