kubernetes-sigs / kube-network-policies

Kubernetes network policies
Apache License 2.0

Implement DomainNames Egress Peer in ANP API #32

Open tssurya opened 1 month ago

tssurya commented 1 month ago
  1. We would love kube-network-policies to implement https://network-policy-api.sigs.k8s.io/npeps/npep-133-fqdn-egress-selector/
  2. This API NPEP merged last week AND we will soon have the API merged and we don't yet have any implementations
  3. So it's also hard to write conformance tests without a testing driver backend

API Details:

So implementing it here will help us make it part of our upstream CI tests.

tssurya commented 1 month ago

@rahulkjoshi : The API PR will follow soon right?

vaskozl commented 2 weeks ago

Got a few questions about the NPEP:

If a policy is applied after a lookup is already performed and cached by the client, is the implementor required to allow the traffic based on the past query?

Cilium's implementation forces you to specify matchPattern: "*", which explicitly caches all DNS on port 53, or otherwise blocks DNS queries if matched with toFQDN (unlike the NPEP requirement), which ensures that an old lookup is not used.

The other thing that's not super clear is what DNS traffic is expected to be detected:
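The caching question raised in the comment above (whether a lookup cached before the policy was applied may be used to allow traffic) can be made concrete with a small model. This is an added example, not code from the issue, the NPEP, or kube-network-policies: a toy enforcer records name-to-IP mappings by observing DNS answers, then decides egress by matching the cached name against a domain pattern. The `require_lookup_after_policy` switch, the use of shell-style wildcards (`fnmatch`) as the pattern syntax, and the sample names, addresses and TTLs are all assumptions made for illustration.

```python
"""Toy model of FQDN-based egress enforcement under two cache semantics.

Semantic A (require_lookup_after_policy=False): any unexpired cached answer
for a matching name allows the flow, even if the lookup predates the policy.
Semantic B (require_lookup_after_policy=True): only answers observed after
the policy was applied count, so a stale pre-policy lookup cannot be reused.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """One observed A/AAAA answer: name -> ip, seen at observed_at, valid for ttl seconds."""
    name: str
    ip: str
    observed_at: float
    ttl: int

    def expired(self, now: float) -> bool:
        return now > self.observed_at + self.ttl


class FqdnEgressEnforcer:
    def __init__(self, require_lookup_after_policy: bool) -> None:
        self.require_lookup_after_policy = require_lookup_after_policy
        # name -> answers seen for that name (a real implementation would snoop DNS replies)
        self.cache: dict[str, list[DnsAnswer]] = {}
        # (applied_at, domain pattern) for each active egress rule
        self.policies: list[tuple[float, str]] = []

    def observe_dns_answer(self, name: str, ip: str, ttl: int, now: float) -> None:
        self.cache.setdefault(name, []).append(DnsAnswer(name, ip, now, ttl))

    def apply_policy(self, pattern: str, now: float) -> None:
        self.policies.append((now, pattern))

    def allows(self, dst_ip: str, now: float) -> bool:
        """True if some active rule's pattern matches a cached, unexpired name resolving to dst_ip."""
        for applied_at, pattern in self.policies:
            for name, answers in self.cache.items():
                if not fnmatch.fnmatchcase(name, pattern):
                    continue
                for ans in answers:
                    if ans.expired(now):
                        continue
                    if self.require_lookup_after_policy and ans.observed_at < applied_at:
                        continue  # stale pre-policy lookup: not trusted under semantic B
                    if ans.ip == dst_ip:
                        return True
        return False


def scenario(require_lookup_after_policy: bool) -> tuple[bool, bool, bool]:
    """Constructed timeline: lookup at t=0, policy at t=10, fresh lookup at t=30.

    Returns (allowed_before_fresh_lookup, allowed_after_fresh_lookup, allowed_after_ttl_expiry).
    Names and addresses are constructed sample values.
    """
    e = FqdnEgressEnforcer(require_lookup_after_policy)
    e.observe_dns_answer("api.example.test", "192.0.2.10", ttl=300, now=0.0)  # before policy
    e.apply_policy("*.example.test", now=10.0)
    before = e.allows("192.0.2.10", now=20.0)
    e.observe_dns_answer("api.example.test", "192.0.2.10", ttl=300, now=30.0)  # after policy
    after = e.allows("192.0.2.10", now=40.0)
    expired = e.allows("192.0.2.10", now=400.0)  # both answers past TTL
    return before, after, expired


if __name__ == "__main__":
    print("semantic A (reuse old lookup):   ", scenario(False))
    print("semantic B (require new lookup): ", scenario(True))
```

Running it shows that under semantic A the pre-policy lookup is enough to allow the flow immediately, while under semantic B the same flow is denied until the workload performs a lookup the enforcer can observe after the rule exists; in both cases the mapping stops being usable once the answer's TTL has elapsed. The model also deliberately denies any destination for which no matching name was ever observed, which is the behaviour an FQDN selector needs to be meaningful.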