Fix ClusterSet scoped policy rule not compatible with namespaces field

[Dyanngg]

Fixes #4563

Antrea-native policies support the use of namespaces field in ingress/egress
rules to create per-namespace policy rules, which is useful for creating Namespace
level isolation. This field did not work with MultiCluster NetworkPolicy. This PR adds
the support so that cross-cluster Namespace isolation can be achieved.

In addition, this PR also adds a commit to assign unique podCIDR for member clusters
of the e2e test MCS deployment, which is the pre-req for Pod-to-Pod connectivity.
This enables the new testcase for cross-cluster Namespace isolation to be run correctly.

Signed-off-by: Dyanngg dingyang@vmware.com

[Dyanngg]

/test-multicluster-e2e

[codecov]

Codecov Report

Merging #4571 (cde4090) into main (aafea18) will increase coverage by 1.18%.
The diff coverage is 68.63%.

❗ Current head cde4090 differs from pull request most recent head 50e9f21. Consider uploading reports for the commit 50e9f21 to get more accurate results

@@            Coverage Diff             @@
##             main    #4571      +/-   ##
==========================================
+ Coverage   68.65%   69.84%   +1.18%     
==========================================
  Files         402      415      +13     
  Lines       59570    58692     -878     
==========================================
+ Hits        40900    40995      +95     
+ Misses      15847    14912     -935     
+ Partials     2823     2785      -38     

Flag	Coverage Δ		*Carryforward flag
e2e-tests	40.51% <57.88%> (+2.13%)	⬆️
integration-tests	34.48% <66.66%> (+0.07%)	⬆️	Carriedforward from be83891
kind-e2e-tests	47.69% <68.68%> (+8.13%)	⬆️	Carriedforward from be83891
unit-tests	59.83% <81.27%> (+0.03%)	⬆️	Carriedforward from be83891

*This pull request uses carry forward flags. Click here to find out more.

Impacted Files	Coverage Δ
cmd/antrea-agent/agent.go	0.00% <0.00%> (ø)
pkg/agent/cniserver/ipam/ipam_delegator.go	68.18% <ø> (ø)
pkg/agent/cniserver/ipam/ipam_service.go	83.87% <ø> (ø)
pkg/agent/cniserver/pod_configuration_linux.go	100.00% <ø> (ø)
pkg/agent/cniserver/pod_configuration_windows.go	75.00% <ø> (ø)
pkg/agent/cniserver/server_linux.go	100.00% <ø> (ø)
pkg/agent/cniserver/server_windows.go	85.18% <ø> (ø)
pkg/agent/cniserver/sriov.go	31.37% <ø> (ø)
pkg/agent/secondarynetwork/ipam/ipam_delegator.go	3.70% <ø> (ø)
pkg/agent/secondarynetwork/podwatch/controller.go	75.76% <ø> (+0.34%)	⬆️
... and 102 more

[Dyanngg]

/test-multicluster-e2e

[Dyanngg]

/skip-all /test-multicluster-e2e

[Dyanngg]

/test-all /test-multicluster-e2e

[Dyanngg]

/test-all /test-multicluster-e2e

[Dyanngg]

/test-all /test-multicluster-e2e /test-windows-e2e

[Dyanngg]

/test-multicluster-e2e

[Dyanngg]

/test-multicluster-e2e

[Dyanngg]

/test-all /test-windows-e2e

[Dyanngg]

/test-all /test-multicluster-e2e /test-windows-e2e

[tnqn]

LGTM overall, some minor comments

[Dyanngg]

/test-all /test-multicluster-e2e /test-windows-e2e

[Dyanngg]

/test-all /test-multicluster-e2e /test-windows-e2e

[Dyanngg]

/test-multicluster-e2e

[Dyanngg]

/test-all /test-multicluster-e2e /test-windows-e2e

[tnqn]

Suggested change

	return &matchAllPeer, nil, sets.NewString()
	return &matchAllPeer, nil, nil

no need to allocate a new map

[Dyanngg]

I was doing this to avoid nil checks from the caller side. Changed.

[tnqn]

nil map or nil slice is not writable but readable, so there was no difference from caller's perspective regardless whether it returns empty or nil map but returning nil map can save an allocation. But the additional nil check added in the latest code could avoid another self-copy, which is better from performance's perspective.

[Dyanngg]

/test-all /test-multicluster-e2e

[tnqn]

LGTM

[tnqn]

/test-all /test-multicluster-e2e