E2E test for MC ACNP copy-span

[Dyanngg]

PR is based on #3424 and #3363. Only the last commit is relevant to this PR.

[Dyanngg]

/test-multicluster-e2e

[codecov-commenter]

Codecov Report

Merging #3435 (33af3b3) into main (2dcc257) will decrease coverage by 11.42%.
The diff coverage is n/a.

❗ Current head 33af3b3 differs from pull request most recent head 0011cb8. Consider uploading reports for the commit 0011cb8 to get more accurate results

@@             Coverage Diff             @@
##             main    #3435       +/-   ##
===========================================
- Coverage   65.51%   54.08%   -11.43%     
===========================================
  Files         277      247       -30     
  Lines       27500    35027     +7527     
===========================================
+ Hits        18016    18945      +929     
- Misses       7567    14295     +6728     
+ Partials     1917     1787      -130     

Flag	Coverage Δ
e2e-tests	54.08% <ø> (?)
kind-e2e-tests	?
unit-tests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/controller/egress/controller.go	0.00% <0.00%> (-88.45%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	4.58% <0.00%> (-86.85%)	⬇️
pkg/controller/ipam/validate.go	0.00% <0.00%> (-82.26%)	⬇️
pkg/agent/util/iptables/lock.go	0.00% <0.00%> (-81.82%)	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	0.00% <0.00%> (-80.29%)	⬇️
pkg/agent/cniserver/ipam/antrea_ipam_controller.go	0.00% <0.00%> (-80.00%)	⬇️
pkg/controller/externalippool/validate.go	0.00% <0.00%> (-76.20%)	⬇️
pkg/agent/cniserver/ipam/antrea_ipam.go	3.62% <0.00%> (-76.17%)	⬇️
pkg/cni/client.go	0.00% <0.00%> (-75.52%)	⬇️
.../registry/networkpolicy/clustergroupmember/rest.go	11.11% <0.00%> (-73.21%)	⬇️
... and 267 more

[Dyanngg]

/test-multicluster-e2e

[Dyanngg]

/test-multicluster-e2e

[Dyanngg]

/test-multicluster-e2e

[Dyanngg]

Multi-cluster e2e already passing for the copy-span feature.

[Dyanngg]

/test-all

[luolanzone]

LGTM overall, two nits:

[Dyanngg]

Rebased and resolved merge conflicts /test-all /test-multicluster-e2e

[Dyanngg]

Rebased and resolved merge conflicts /test-all /test-multicluster-e2e

[Dyanngg]

/test-multicluster-e2e

[luolanzone]

not introduced in this PR, but I see all callers of reachability.PrintSummary() are using (true, true, true), maybe we can remove all three parameters. do you think if this can be enhanced in #3286 by enhao?

[Dyanngg]

Sure. /cc @enhaocui for awareness.

[tnqn]

LGTM, one question

[tnqn]

Why it must allow kube-dns to access the test Pods?

[Dyanngg]

It does not need to allow kube-dns for the test to pass. I am merely trying to align the yaml with https://github.com/antrea-io/antrea/blob/main/docs/antrea-network-policy.md#acnp-for-strict-namespace-isolation

[tnqn]

But I didn't see this in that doc. And the rule should only make sense if it's egress rule, no reason to allow kube-dns accessing all Pods.

[Dyanngg]

But I didn't see this in that doc.

Sorry I was meant to say in here #3512. I've created a PR to update the sample yamls of Antrea-native policies.

And the rule should only make sense if it's egress rule, no reason to allow kube-dns accessing all Pods.

I was thinking in the lines of the DNS return packets need to be allowed. But I guess your point is that does not warrant an ingress rule since there's going to be some bypass flow. In that case let me just remove this section from ingress then.

[tnqn]

Yes, the policy is stateful, DNS return packets will be allowed if the requests are allowed regardless of the existence of this rule. The rule will only apply to packets in request direction.

[Dyanngg]

/test-all /test-multicluster-e2e

[tnqn]

@Dyanngg could you rebase the PR and check if #3435 (comment) makes sense?

[luolanzone]

/test-all /test-multicluster-e2e

[Dyanngg]

/test-all /test-multicluster-e2e