Support Kubernetes NetworkPolicy

[tnqn]

Describe what you are trying to solve
Make Antrea support Kubernetes NetworkPolicy.

Describe the solution you have in mind
Refer to https://github.com/vmware-tanzu-private/antrea/blob/master/docs/architecture.md#networkpolicy

Describe how your solution impacts user flows
User can create Kubernetes NetworkPolicy and expect they are enforced by Antrea.

Describe the main design/architecture of your solution
Refer to https://github.com/vmware-tanzu-private/antrea/blob/master/docs/architecture.md#networkpolicy

• Add a common ram-based storage interface (f8d6306)
• Implement Antrea Network Policy store (b9df736)
• Implement Antrea APIServer (1e6d6b0)
• Implement antrea-agent side Network Policy controller which watches computed internal Network Policy resources from Antrea Controller API endpoint and conducts Openflow interfaces (Implement agent side Network Policy controller #53, Implement Network Policy rule reconciler #55)
• Implement antrea-controller side Network Policy controller which watches K8s NetworkPolicy, Pod and Namespace resources and compute the internal resources consumed by antrea-agent(Add NetworkPolicy support in Antrea Controller #54, Network Policy Controller sync #82)
• Implement Openflow interfaces that program OVS to enforce NetworkPolicy(Implement network policy using Openflow on agent side #57 )

Test plan

• Test the implementation with Kubernetes e2e Network Policy tests https://github.com/kubernetes/kubernetes/blob/master/test/e2e/network/network_policy.go
• Improve NetworkPolicy controller unit test coverage

Additional context

[tnqn]

Antrea now supports Kubernetes NetworkPolicy except "named port" which we have #122 to track.
The implementation has been validated with Kubernetes NetworkPolicy e2e tests, except the following 4 failures:

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow egress access on one named port [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow ingress access on one named port [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow ingress access from namespace on one named port [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow ingress access from updated pod [Feature:NetworkPolicy]
/workspace/anago-v1.16.3-beta.0.56+b3cbbae08ec52a/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1421

3 of them need "named port" support so it's expected, the other one is an invalid test and no CNI can pass (reported this one to K8s community kubernetes/kubernetes#85908 and proposed a fix kubernetes/kubernetes#85909)