fix(ipset): reset ipset handler before use

At the very end of a NPC full sync we call ipset.Save() during the ipset
cleanup stage. This causes all of the current IPv4 and IPv6 sets that
are defined on the system (ours or not) to enter into the handler's
state.

Since `ipset restore` is not implicitly destructive (e.g. it doesn't
remove sets that aren't defined like iptables-restore does) we don't
really need this previous state, and in some ways it may come back to
cause bugs if the state isn't purged.

So this is a fail safe to clean them out to ensure that they don't end
up building up cruft. It also makes the restores go faster as
kube-router is only defining it's own rules rather than defining all
rules.

pkg/controllers/netpol/network_policy_controller.go

@@ -226,6 +226,22 @@ func (npc *NetworkPolicyController) fullPolicySync() {
 	npc.mu.Lock()
 	defer npc.mu.Unlock()
 
+	for ipFamily := range npc.ipSetHandlers {
+		// Ensure that we start with clean handlers that don't contain previous save data
+		var err error
+		//nolint:exhaustive // we don't need a default condition here because we control this ourselves
+		switch ipFamily {
+		case v1core.IPv4Protocol:
+			npc.ipSetHandlers[ipFamily], err = utils.NewIPSet(false)
+		case v1core.IPv6Protocol:
+			npc.ipSetHandlers[ipFamily], err = utils.NewIPSet(true)
+		}
+		if err != nil {
+			klog.Errorf("failed to create ipset handler: %v", err)
+			return
+		}
+	}
+
 	healthcheck.SendHeartBeat(npc.healthChan, "NPC")
 	start := time.Now()
 	syncVersion := strconv.FormatInt(start.UnixNano(), syncVersionBase)