policy: Create derivative policy for EgressDeny rules

[rockc2020]

This PR is to create derivative policy when egressDeny including toGroups rules.

With issue #23829, there is no derivative policy created when egressDeny including toGroups rules.

This fix includes following changes:

• Add check for EgressDeny in method RequiresDerivative()
• Add derivative policy creation for EgressDenyRule in method CreateDerivative()
• Add unit tests for both methods

I also built an image with this change from my local and deployed in my EKS cluster. Then, I created a ccnp:

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: egress-global
spec:
  egressDeny:
    - toGroups:
        - aws:
            securityGroupsIds:
              - sg-07283569446d92723
  endpointSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - network-multitool

Then, a derivative policy was created successfully:

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  labels:
    io.cilium.network.policy.kind: derivative
    io.cilium.network.policy.parent.uuid: 6b2c336b-1608-4611-b63d-21acd36fa75f
  managedFields:
    - apiVersion: cilium.io/v2
      fieldsType: FieldsV1
      fieldsV1:
        f:specs: {}
      manager: Go-http-client
      operation: Update
      time: '2023-02-22T02:07:18Z'
  name: egress-global-togroups-6b2c336b-1608-4611-b63d-21acd36fa75f
  ownerReferences:
    - apiVersion: cilium.io/v2
      kind: CiliumClusterwideNetworkPolicy
      name: egress-global
      uid: 6b2c336b-1608-4611-b63d-21acd36fa75f
  resourceVersion: '6154562'
  uid: 1e102dec-f882-4c08-817f-34b013c78b37
  selfLink: >-
    /apis/cilium.io/v2/ciliumclusterwidenetworkpolicies/egress-global-togroups-6b2c336b-1608-4611-b63d-21acd36fa75f
specs:
  - egressDeny:
      - toCIDRSet:
          - cidr: 10.103.25.222/32
          - cidr: 10.103.71.146/32
          - cidr: 10.103.217.142/32
    endpointSelector:
      matchExpressions:
        - key: any:app
          operator: In
          values:
            - network-multitool
    labels:
      - key: io.cilium.k8s.policy.derived-from
        source: k8s
        value: CiliumClusterwideNetworkPolicy
      - key: io.cilium.k8s.policy.name
        source: k8s
        value: egress-global
      - key: io.cilium.k8s.policy.uid
        source: k8s
        value: 6b2c336b-1608-4611-b63d-21acd36fa75f

Fixes: #23829

policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated, this has now been fixed. 

[maintainer-s-little-helper]

Commit 72c34e85f2c66a6e269662eade4851c00b67acad does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[nathanjsweet]

Thanks for the PR @rockc2020, I'm off tomorrow, but I'll take a thorough look at this on Monday.

[nathanjsweet]

/test

[rockc2020]

hi @nathanjsweet as 1 check failed with my PR https://github.com/cilium/cilium/actions/runs/4238946330/jobs/7379640730. after I had a run on my local, it seems some errors of ERROR:NO_AUTHOR_SIGN_OFF that some commits missing Signed-off-by. I guess that might be because I merged master by clicking the update branch button before. so do I need to just revert that merging commit and using rebase again? or just wait for reviewing and then update?

[nathanjsweet]

checkpatch is complaining about unrelated commits (checking them because the rebase is behind) to this PR.