Support Kubernetes NetworkPolicy

[tnqn]

Describe what you are trying to solve Make Antrea support Kubernetes NetworkPolicy.

Describe the solution you have in mind Refer to https://github.com/vmware-tanzu-private/antrea/blob/master/docs/architecture.md#networkpolicy

Describe how your solution impacts user flows User can create Kubernetes NetworkPolicy and expect they are enforced by Antrea.

Describe the main design/architecture of your solution Refer to https://github.com/vmware-tanzu-private/antrea/blob/master/docs/architecture.md#networkpolicy

• [x] Add a common ram-based storage interface (https://github.com/vmware-tanzu-private/antrea/commit/f8d63067372facfa3faecd971a0e753c9ace7112)
• [x] Implement Antrea Network Policy store (https://github.com/vmware-tanzu-private/antrea/commit/b9df736b766e77a88a7faded6bc6843911383973)
• [x] Implement Antrea APIServer (https://github.com/vmware-tanzu-private/antrea/commit/1e6d6b03f88c22e177e0ca57bc470c3ac1d4f0f1)
• [x] Implement antrea-agent side Network Policy controller which watches computed internal Network Policy resources from Antrea Controller API endpoint and conducts Openflow interfaces (#53, #55)
• [x] Implement antrea-controller side Network Policy controller which watches K8s NetworkPolicy, Pod and Namespace resources and compute the internal resources consumed by antrea-agent(#54, #82)
• [x] Implement Openflow interfaces that program OVS to enforce NetworkPolicy(#57 )

Test plan

• [x] Test the implementation with Kubernetes e2e Network Policy tests https://github.com/kubernetes/kubernetes/blob/master/test/e2e/network/network_policy.go
• [x] Improve NetworkPolicy controller unit test coverage

Additional context

[tnqn]

Antrea now supports Kubernetes NetworkPolicy except "named port" which we have #122 to track. The implementation has been validated with Kubernetes NetworkPolicy e2e tests, except the following 4 failures:

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow egress access on one named port [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow ingress access on one named port [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow ingress access from namespace on one named port [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow ingress access from updated pod [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

3 of them need "named port" support so it's expected, the other one is an invalid test and no CNI can pass (reported this one to K8s community kubernetes/kubernetes#85908 and proposed a fix kubernetes/kubernetes#85909)