Add ACNP copy span for multi-cluster

[Dyanngg]

With this change, Antrea Multi-cluster admins can specify certain ClusterNetworkPolicies to be replicated
across the entire ClusterSet. This is especially useful for ClusterSet admins who want all clusters in the
ClusterSet to be applied with a consistent security posture (for example, all namespaces in all clusters can
only communicate with Pods in their own namespaces).

To achieve such ACNP copy-span, admins can, in the acting leader cluster of a Multi-cluster deployment,
create a ResourceExport of kind AntreaClusterNetworkPolicy which contains the ClusterNetworkPolicy spec
they wish to be replicated. The ResourceExport should be created in the Namespace which implements the
Common Area of the ClusterSet. In future releases, some additional tooling may become available to
automate the creation of such ResourceExport and make ACNP replication across clusters easier.

apiVersion: multicluster.crd.antrea.io/v1alpha1
kind: ResourceExport
metadata:
  name: strict-namespace-isolation-for-test-clusterset
  namespace: antrea-mcs-ns          # Namespace that implements Common Area of test-clusterset
spec:
  kind: AntreaClusterNetworkPolicy  
  name: strict-namespace-isolation  # In each importing cluster, an ACNP of name antrea-mc-strict-namespace-isolation will be created with the spec below
  clusternetworkpolicy:
    priority: 1
    tier: securityops
    appliedTo:
      - namespaceSelector: {}       # Selects all Namespaces in the member cluster
    ingress:
      - action: Pass
        from:
        - namespaces:
            match: Self            # Skip drop rule for traffic from Pods in the same Namespace
        - podSelector:
            matchLabels:
              k8s-app: kube-dns    # Skip drop rule for traffic from the core-dns components
      - action: Drop
        from:
        - namespaceSelector: {}    # Drop from Pods from all other Namespaces

The above sample spec will create an ACNP in each member cluster which implements strict namespace
isolation for that cluster.

[codecov-commenter]

Codecov Report

Merging #3363 (2982920) into main (f7e980e) will decrease coverage by 10.57%.
The diff coverage is 64.24%.

@@             Coverage Diff             @@
##             main    #3363       +/-   ##
===========================================
- Coverage   65.56%   54.99%   -10.58%     
===========================================
  Files         268      375      +107     
  Lines       26909    51719    +24810     
===========================================
+ Hits        17643    28443    +10800     
- Misses       7354    20793    +13439     
- Partials     1912     2483      +571     

Flag	Coverage Δ
e2e-tests	53.48% <ø> (?)
integration-tests	35.83% <ø> (?)
kind-e2e-tests	55.55% <ø> (-0.22%)	⬇️
unit-tests	42.84% <64.24%> (+0.15%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...ticluster/commonarea/remote_common_area_manager.go	56.16% <ø> (ø)
...trollers/multicluster/resourceexport_controller.go	69.39% <61.36%> (-0.53%)	⬇️
...uster/controllers/multicluster/stale_controller.go	51.69% <62.06%> (+2.21%)	⬆️
...uster/commonarea/acnp_resourceimport_controller.go	65.26% <65.26%> (ø)
...lticluster/commonarea/resourceimport_controller.go	70.24% <66.66%> (+1.76%)	⬆️
...icluster/cmd/multicluster-controller/controller.go	6.15% <100.00%> (+1.46%)	⬆️
multicluster/controllers/multicluster/test_data.go	100.00% <100.00%> (ø)
pkg/agent/cniserver/pod_configuration_linux.go	26.31% <0.00%> (-40.36%)	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	48.71% <0.00%> (-31.57%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	61.46% <0.00%> (-29.97%)	⬇️
... and 344 more

[luolanzone]

@Dyanngg the unit test and DCO check are failed, you may take a look at them first.

[Dyanngg]

@Dyanngg the unit test and DCO check are failed, you may take a look at them first.

Fixed

[luolanzone]

/test-multicluster-e2e

[luolanzone]

@Dyanngg you probably need to rebase the codes,there is a github build error from build-ubi, I noticed there was a change revert for ubi related change.

[luolanzone]

/test-multicluster-e2e

[luolanzone]

LGTM overall, two minor comments.

[jianjuns]

LGTM

[Dyanngg]

/test-all E2E test for this feature is passing according to #3435

[luolanzone]

LGTM overall, one nit

[luolanzone]

I noticed there are a few duplicate code in test framework, can we share them somewhere? maybe address it in a separate PR.

[Dyanngg]

Sure

[luolanzone]

@jianjuns do you have any new comment? @tnqn Could you help to take a look at this PR? it's a core feature from MC in v1.6.0. a few other e2e PRs are based on this, thanks!

[jianjuns]

No further comment from me.

[tnqn]

Not starting from this PR, the json field name is not following the convention, which should be "clusterNetworkPolicy".

[Dyanngg]

Let's address json field names in a separate PR then.

[tnqn]

this could be the podName?

[Dyanngg]

Yes, see my TODO on L41

[tnqn]

does leader need any cnp permission?

[Dyanngg]

No it does not. However this rbac manifest is generated and the only place I've added cnp permissions is in resourceimport_controller.go:
//+kubebuilder:rbac:groups=crd.antrea.io,resources=clusternetworkpolicies,verbs=get;list;watch;create;update;patch;delete
Not sure how to strip this permission from leader cluster specifically. @luolanzone any ideas?

[luolanzone]

When we split them into member and leader manifests, we didn't separate these accesses setting in fine-grained way, I think we may need a follow up PR to fix these access right. I will create an issue for this first.
@tnqn do you think it's OK to fix this kind of issue in a new PR?

[tnqn]

Yes, but please address it in release 1.6. We had such issues before and should ensure all components only get permissions they require.

[tnqn]

LGTM

[tnqn]

Yes, but please address it in release 1.6. We had such issues before and should ensure all components only get permissions they require.

[luolanzone]

sure, @tnqn I have made the PR #3491, I think we need to merge this first, then I will rebase my PR and update the role added by ACNP copy-span. thanks.

[tnqn]

/test-all
/test-multicluster-e2e

[tnqn]

/skip-conformance

[tnqn]

/skip-conformance

[tnqn]

/skip-conformance

[tnqn]

/skip-conformance

[tnqn]

/test-conformance

[tnqn]

Conformance succeeded but failed on cleanup