ingress: Correct FromGroups rule Parsing

Currently fromGroups, which was added in #30708,
is correctly represented in the YAML but not being converted to a rule.
This commit fixes that by:
- Reporting that a rule requires derivation when an ingress component
  does, and making sure to clear ingress rules when creating that
  derivative.
- Adding FromGroups to parseToCiliumIngressCommonRule logic
- During validation make sure that fromGroups is not combined with other
  L3 rules.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>

pkg/k8s/apis/cilium.io/utils/utils.go

@@ -140,6 +140,11 @@ func parseToCiliumIngressCommonRule(namespace string, es api.EndpointSelector, i
 		copy(retRule.FromEntities, ing.FromEntities)
 	}
 
+	if ing.FromGroups != nil {
+		retRule.FromGroups = make([]api.Groups, len(ing.FromGroups))
+		copy(retRule.FromGroups, ing.FromGroups)
+	}
+
 	return retRule
 }
 

pkg/policy/api/rule.go

@@ -252,6 +252,16 @@ func (r *Rule) RequiresDerivative() bool {
 			return true
 		}
 	}
+	for _, rule := range r.Ingress {
+		if rule.RequiresDerivative() {
+			return true
+		}
+	}
+	for _, rule := range r.IngressDeny {
+		if rule.RequiresDerivative() {
+			return true
+		}
+	}
 	return false
 }
 
@@ -261,6 +271,8 @@ func (r *Rule) CreateDerivative(ctx context.Context) (*Rule, error) {
 	newRule := r.DeepCopy()
 	newRule.Egress = []EgressRule{}
 	newRule.EgressDeny = []EgressDenyRule{}
+	newRule.Ingress = []IngressRule{}
+	newRule.IngressDeny = []IngressDenyRule{}
 
 	for _, egressRule := range r.Egress {
 		derivativeEgressRule, err := egressRule.CreateDerivative(ctx)

pkg/policy/api/rule_validation.go

@@ -101,6 +101,7 @@ func (i *IngressRule) sanitize() error {
 		"FromCIDRSet":   len(i.FromCIDRSet),
 		"FromEntities":  len(i.FromEntities),
 		"FromNodes":     len(i.FromNodes),
+		"FromGroups":    len(i.FromGroups),
 	}
 	l7Members := countL7Rules(i.ToPorts)
 	l7IngressSupport := map[string]bool{