aws / aws-network-policy-agent

Apache License 2.0

Extend functionality of NETWORK_POLICY_ENFORCING_MODE strict mode to support default policies #272

Closed TechnoTaff closed 1 month ago

TechnoTaff commented 1 month ago

What would you like to be added: We are a large enterprise customer with 200+ EKS clusters. We are currently using Calico Policy Engine to enforce Network Policy, alongside VPC-CNI. We rely on the Calico API's GlobalNetworkPolicy in order to:

  1. Block all traffic in new Namespaces
  2. Allow least-privilege access for DNS resolution

Currently we do this with GlobalNetworkPolicy:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: default-allow-dns
spec:
  # No spec.selector, so this cluster-scoped policy applies to every endpoint
  egress:
  # Allow UDP/53 out to pods in kube-system (cluster DNS)
  - action: Allow
    destination:
      namespaceSelector: projectcalico.org/name in {"kube-system"}
      ports:
      - 53
    protocol: UDP
  ingress:
  # Allow UDP/53 in to pods in kube-system (cluster DNS)
  - action: Allow
    destination:
      namespaceSelector: projectcalico.org/name in {"kube-system"}
      ports:
      - 53
    protocol: UDP
  types:
  - Ingress
  - Egress

Currently there is seemingly no way to provide this functionality in VPC-CNI Network Policy Agent. We would like to see NETWORK_POLICY_ENFORCING_MODE strict mode enforced to allow default policies on all Namespaces or at a cluster-level.

Why is this needed: We, and possibly other EKS customers, cannot adopt VPC-CNI NetPol until this is implemented.
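A per-namespace stand-in for the cluster-wide baseline this post describes, added here as an example (not code from the issue or from the network policy agent): standard Kubernetes NetworkPolicy has no cluster scope, so the script builds the default-deny plus allow-DNS pair for one namespace and audits which of those pieces an existing namespace still lacks. It assumes DNS pods live in kube-system, matched by the well-known kubernetes.io/metadata.name label, and allows TCP 53 alongside the UDP 53 the Calico policy above permits.

```python
from typing import Dict, List

DNS_NAMESPACE = "kube-system"
DNS_PORTS = [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]

def default_deny(namespace: str) -> Dict:
    # Empty podSelector = every pod; both policyTypes with no rules = deny all.
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }

def allow_dns_egress(namespace: str) -> Dict:
    # Least-privilege egress: port 53 only, and only to pods in the DNS namespace.
    dns_ns = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": DNS_NAMESPACE}}}
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-allow-dns", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                 "egress": [{"to": [dns_ns], "ports": DNS_PORTS}]},
    }

def _selects_all_pods(spec: Dict) -> bool:
    sel = spec.get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")

def denied_types(policies: List[Dict]) -> set:
    """Directions that some existing policy already default-denies for all pods."""
    denied = set()
    for pol in policies:
        spec = pol.get("spec", {})
        if not _selects_all_pods(spec):
            continue
        for direction in spec.get("policyTypes", []):
            # A listed direction with no rules of that kind is a deny-all.
            if not spec.get(direction.lower()):
                denied.add(direction)
    return denied

def missing_defaults(namespace: str, existing: List[Dict]) -> List[Dict]:
    """Baseline manifests the namespace still lacks (audit plus remediation)."""
    missing = []
    if not {"Ingress", "Egress"} <= denied_types(existing):
        missing.append(default_deny(namespace))
    if not any(p["metadata"].get("name") == "default-allow-dns" for p in existing):
        missing.append(allow_dns_egress(namespace))
    return missing
```

Run `missing_defaults(ns, existing_policies)` over the NetworkPolicy list of each namespace to find the ones a new-namespace baseline has not reached.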

jayanthvn commented 1 month ago

We are evaluating this support for Admin/Global policies in response to this request - https://github.com/aws/containers-roadmap/issues/2243

Similar req - https://github.com/aws/aws-network-policy-agent/issues/237

jayanthvn commented 1 month ago

Closing this in favor of the existing issue.