[ANP] ExternalEntity support for agent

[Dyanngg]

This PR is rebased from and replaces #782.
It moves ToAddresses/FromAddresses in CompletedRule and AddressSetByGroup in ruleCache to use GroupMemberSet instead of GroupMmeberPodSet. Thus both Pods and ExternalEntities are expressed as GroupMember when in these fields.
Pods in appliedTo field continue be expressed by existing GroupMemberPod, and migration to GroupMember shall
be done in a subsequent PR.

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

These commands can only be run by members of the vmware-tanzu organization.

[antoninbas]

LGTM, but someone else should review

[suwang48404]

@abhiraut @tnqn @jianjuns can u guys please help review

Thx

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

[suwang48404]

Hi @abhiraut @tnqn @jianjuns,

ping ?

[jianjuns]

Question - we still keep AddedPods/RemovedPods, after add AddedGroupMembers/RemovedGroupMembers?

[Dyanngg]

The plan is to deprecate GroupMemberPod and GroupMemberPodSet in the future, so those funcs will be unified.

[jianjuns]

But as of now when controller will send AddedPods/RemovedPod, when AddedGroupMembers/RemovedGroupMembers?

[jianjuns]

Why target cannot be external endpoints?

[Dyanngg]

I believe the reason is that for the externalEntities in the appliedTo, there's nothing to be enforced from the Antrea agent side. The antrea-cloud controller will enforce firewall rules on the cloud provider instead.

[jianjuns]

Ok. I thought we will support agented model together.

[Dyanngg]

would let @suwang48404 comment on that

[jianjuns]

If we do not support agented model for external Nodes, then we need not any code in agent to handle ExternalEndpoints/Nodes (I think you still have such code?)?

[suwang48404]

yes.
use case is that use ANP to control Pods' access to services on cloud (VMs or cloud Native Services). This was part of antrea+ demo.

[jianjuns]

Ok. Then for Antrea perspective, it is more about supporting externalEntity in from/to. Still do not feel it is very useful alone. If am ok to make it the first step, but we should either have a way to validate externalEntity cannot be in appliedTo, or have a featureGate to disable the whole externalEntity support?
Let us talk offline.

[suwang48404]

Hi @jianjuns

@Dyanngg has kindly taking over antrea externalEntity support. If u have any concrete suggestions, he will help out.

Regarding to ur suggestion about " ... either have a way to validate externalEntity cannot be in appliedTo, or ...", if I recall correctly, if user specifies ExternalEntity in appliedTo field of an ANP

1. controller will not forward the AppliedToGroup (contain externalEntity) to agent
2. even if controller (via bug) forward AppliedToGroup( contain externalEntity) to agent, agent ignores externalEntity in AppliedToGroup.

I hope this satisfies ur requirements.

[jianjuns]

I would say it is very confusing to users. We should document we do not support appliedTo and validate it, or disable the externalEntity feature until we really support agent on external Nodes.

[jianjuns]

I was chatting with @abhiraut on this. We also feel namespaced externalEntity does not make much sense from Antrea perspective. But anyway we might start from what we have now, but at least we should add some validation no externalEntity in appliedTo.

[Dyanngg]

Superseded by #1084