Add service account selector support in ACNP

[GraysonWu]

Fixes #2927.

This PR added serviceAccount field support to ACNP. It uses
Namespace and Name to specify a ServiceAccount and all Pods with this
ServiceAccount will be selected as workloads. It could be used in
egress to, ingress from and appliedTo of both policy and single
rule.
To implement this feature, this PR also added a custom label to
all Pods internally, which looks like:
internal.antrea.io/service-account:[ServiceAccountName]. And when
process ACNP, serviceAccount will be translate to a GroupSelector
with Namespace and PodSelector to select Pods we need.

Signed-off-by: wgrayson wgrayson@vmware.com

[codecov-commenter]

Codecov Report

Merging #3044 (42088ae) into main (15de4cf) will decrease coverage by 5.98%.
The diff coverage is 78.20%.

@@            Coverage Diff             @@
##             main    #3044      +/-   ##
==========================================
- Coverage   60.95%   54.97%   -5.99%     
==========================================
  Files         266      371     +105     
  Lines       26508    50828   +24320     
==========================================
+ Hits        16159    27943   +11784     
- Misses       8597    20480   +11883     
- Partials     1752     2405     +653     

Flag	Coverage Δ
e2e-tests	53.74% <62.82%> (?)
integration-tests	36.28% <ø> (?)
kind-e2e-tests	49.56% <21.81%> (+1.73%)	⬆️
unit-tests	41.67% <76.36%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/controller/networkpolicy/validate.go	73.77% <53.57%> (+32.98%)	⬆️
...g/controller/networkpolicy/clusternetworkpolicy.go	81.03% <87.09%> (+7.64%)	⬆️
pkg/controller/grouping/group_entity_index.go	90.57% <100.00%> (-3.45%)	⬇️
pkg/controller/networkpolicy/crd_utils.go	90.20% <100.00%> (+2.97%)	⬆️
pkg/agent/cniserver/pod_configuration_linux.go	26.31% <0.00%> (-40.36%)	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	48.71% <0.00%> (-31.57%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	61.46% <0.00%> (-29.97%)	⬇️
pkg/controller/egress/controller.go	61.11% <0.00%> (-27.34%)	⬇️
.../registry/networkpolicy/clustergroupmember/rest.go	64.28% <0.00%> (-23.95%)	⬇️
pkg/agent/cniserver/ipam/antrea_ipam.go	55.55% <0.00%> (-23.62%)	⬇️
... and 337 more

[antoninbas]

@tnqn is there any issue with defining an index like this which simply partitions all the objects into 2 different groups?

[jianjuns]

Good to see the API is really simple now!

[tnqn]

In #2755, the reference struct is named ServiceReference:

// ServiceReference represents a reference to a v1.Service.
type ServiceReference struct {
	// Name of the Service
	Name string `json:"name"`
	// Namespace of the Service
	Namespace string `json:"namespace,omitempty"`
}

I feel we should either unify them to NamespacedName or create ServiceAccountReference for this one. Is there any plan?

[GraysonWu]

Good catch. I slightly prefer to unify them to NamespacedName which could be used to refer to other resources. And if we will use verbose API in the future then I guess this generic struct will still be needed.

[GraysonWu]

If unifying them sounds good, do you suggest unifying them in this PR or another one?

[tnqn]

I would suggest another PR.

[tnqn]

LGTM overall

[tnqn]

In #2755, the reference struct is named ServiceReference:

// ServiceReference represents a reference to a v1.Service.
type ServiceReference struct {
	// Name of the Service
	Name string `json:"name"`
	// Namespace of the Service
	Namespace string `json:"namespace,omitempty"`
}

I feel we should either unify them to NamespacedName or create ServiceAccountReference for this one. Is there any plan?

[tnqn]

LGTM. Could you squash the commits and add commit message?

[tnqn]

I would suggest another PR.

[GraysonWu]

LGTM. Could you squash the commits and add commit message?

Thanks. Done.

[GraysonWu]

/test-all

[GraysonWu]

/test-integration

[tnqn]

LGTM