This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

Update Calico to v2.4.1 #832

Merged
merged 1 commit into from Aug 21, 2017
Merged

Conversation

tmjd
Contributor

@tmjd tmjd commented Aug 8, 2017

network plugin: Update Calico to v2.4.1

One thing that needs to be mentioned is that this update includes a change in the default deny behavior for network policy; Calico has switched this behavior to match the move of Kubernetes NetworkPolicy to v1. You can see the release notes for Calico at https://github.com/projectcalico/calico/releases/tag/v2.4.0 (see the changes under k8s-policy).
I am looking for guidance on how the kube-aws project would like to handle this behavior change or at least know that it is expected that users should understand the changes of the components they are using.

Just to point out how this new behavior works:

  • DefaultDeny is enabled for a pod if there is any policy that selects the pod
    • That means the new way to enable DefaultDeny is to create a policy that selects all pods (in a namespace)
    • This also means that if DefaultDeny is not desired, then all policy that targets a pod needs to be removed.
  • The old default deny annotation has no effect with the new Calico version

Release note:

  • To maintain existing behavior when upgrading your existing cluster, follow these steps:
    • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
    • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic.
    • See Move NetworkPolicy to v1 kubernetes/kubernetes#39164 (comment) for more details
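The migration the release note describes, as an added example that is not part of the original PR or of Calico's documentation: a networking/v1 NetworkPolicy that selects every pod in a namespace and whitelists no ingress, which is the replacement for the old per-namespace DefaultDeny annotation. The namespace name `example-ns` is a placeholder.

```yaml
# Added example, not from the kube-aws PR. Under Calico v2.4.x with
# Kubernetes NetworkPolicy v1, a pod is isolated only if some policy
# selects it, so an empty podSelector with no ingress rules isolates
# every pod in the namespace and admits nothing.
#
# Apply one of these to each namespace that previously carried the
# DefaultDeny annotation (namespace name is a placeholder):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: example-ns
spec:
  # Empty selector matches all pods in the namespace.
  podSelector: {}
  # No "ingress" list: nothing is whitelisted, so all inbound traffic to
  # the selected pods is denied. Allow policies added alongside this one
  # are additive and open only what they explicitly select.
#
# The opposite case from the release note: in namespaces that did NOT have
# the annotation, any existing NetworkPolicy now switches on isolation for
# the pods it selects. To keep those namespaces open as before, remove
# those objects, e.g.:
#   kubectl -n <namespace> delete networkpolicy --all
```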

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 8, 2017
@codecov-io

codecov-io commented Aug 8, 2017

Codecov Report

Merging #832 into master will not change coverage.
The diff coverage is 100%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #832   +/-   ##
=======================================
  Coverage   34.38%   34.38%           
=======================================
  Files          57       57           
  Lines        3743     3743           
=======================================
  Hits         1287     1287           
  Misses       2311     2311           
  Partials      145      145
Impacted Files Coverage Δ
core/controlplane/config/config.go 59.97% <100%> (ø) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5780b59...5cdd6bd. Read the comment docs.

@@ -869,6 +869,8 @@ write_files:
key: etcd_endpoints
- name: CALICO_NETWORKING_BACKEND
value: "none"
- name: CLUSTER_TYPE
value: "kubeaws,canal"
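Review bot: the new `CLUSTER_TYPE` entry carries no comment saying what the tokens in `"kubeaws,canal"` denote or which component reads them; a one-line comment above `- name: CLUSTER_TYPE` stating that the comma-separated list names the installer (`kubeaws`) and the networking mode (`canal`, consistent with `CALICO_NETWORKING_BACKEND` being `"none"` in the same block) would answer the convention question raised in the review below and make the value easier to maintain.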
Contributor


Just for my education, are there any conventions for deciding what the value should be?
For instance, kops seems to have kops,canal for the value, which looks consistent with this one for kube-aws.

@mumoshu
Contributor

mumoshu commented Aug 20, 2017

@redbaron @camilb @danielfm @c-knowles Are you using calico on your clusters? Anyways, FYI, there are some manual steps required to keep your network policy behaving the same as before while upgrading k8s to v1.7.
The new calico v2.4.1 introduced by this PR seems to correctly implement the semantics of networking/v1 api and therefore the change in k8s v1.7 becomes effective after merging this PR.

@mumoshu
Contributor

mumoshu commented Aug 21, 2017

@tmjd Thank you very much for the contribution with the detailed description 👍

it is expected that users should understand the changes of the components they are using.

Yes, they should. I'm going to add a note about the changes in the release note for the next kube-aws release 👍

@mumoshu mumoshu merged commit 776a140 into kubernetes-retired:master Aug 21, 2017
@mumoshu mumoshu added this to the v0.9.8-rc.1 milestone Aug 21, 2017
@cknowles
Contributor

@mumoshu, thanks. Not using it here.

@mumoshu mumoshu added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Aug 21, 2017
@danielfm
Contributor

+1, I enabled it, but I'm not using network policies so far.

@camilb
Contributor

camilb commented Aug 21, 2017

Same for me, enabled but with no policy configured yet.

kylehodgetts pushed a commit to HotelsDotCom/kube-aws that referenced this pull request Mar 27, 2018