
Kubernetes network policy support #48

Closed
wants to merge 6 commits into from

Commits on Dec 30, 2016

  1. Kubernetes client function for namespaces and policies

    Add functions to watch and retrieve kubernetes namespaces and
    network policies.
    
    The patch also includes unit tests to cover the newly added functions.
    
    Signed-off-by: Salvatore Orlando <salv.orlando@gmail.com>
    salv-orlando committed Dec 30, 2016
    ba3672c

Commits on Jan 10, 2017

  1. Overlay mode: routines for translating policies into ACLs

    Add methods to ovn_k8s.modes.overlay.OvnNB for implementing
    kubernetes network policies as ovn ACLs. These methods include:
    
    - whitelisting pod traffic for non-isolated namespaces
    - creating ACL match rules from policies' ingress spec
    - applying ACL rules for policies to a given pod in isolated
      namespace (including a default drop-all rule)
    - removing ACL rules for a given pod
    - managing OVN address sets for K8S policies ingress rules
    - adding/removing pods' IP addresses from address sets
    
    Unit test coverage is provided for methods added as a part of
    this patch.
    
    Signed-off-by: Salvatore Orlando <salv.orlando@gmail.com>
    salv-orlando committed Jan 10, 2017
    7b541ca
  2. Add namespace and policy watchers, update pod watcher

    In order to handle kubernetes network policies, both namespaces
    and network policies must be monitored. As policies are always
    namespaced, a distinct policy watcher thread is spawned for each
    namespace.
    
    This is achieved using a "policy processor". The namespace event
    is sent to the policy processor, which starts the policy watcher
    thread. The same policy processor will also handle (not in this
    patch) translation of k8s network policies into OVN ACLs.
    
    Also, the pod watcher now checks for changes in pod labels:
    updates, additions, and deletions.
    When a change is detected, generate a policy event so that:
    1 - network policies' from clauses can be recalculated
    2 - the appropriate network policies can be applied to the pod
        according to pod selectors
    
    Signed-off-by: Salvatore Orlando <salv.orlando@gmail.com>
    salv-orlando committed Jan 10, 2017
    b37e743
  3. Create types for Service and Endpoint events

    In this way event processors will not have to look into event metadata
    to gain more insights into what originated the events, but can just
    look at the event class.
    
    This enables watchers to set whatever makes sense into event metadata
    without having to worry about assumptions about what data event processors
    will find in metadata.
    
    Signed-off-by: Salvatore Orlando <salv.orlando@gmail.com>
    salv-orlando committed Jan 10, 2017
    d0cc701
  4. Process network policies for pods

    Add logic for processing network policy objects.
    This includes:
    - ensuring traffic is whitelisted for pods in non-isolated namespaces
    - ensuring a default 'drop' ACL is added for each pod in an isolated
      namespace
    - translating kubernetes network policies into a pseudo-ACL
      representation of OVN match rules
    - determining which policies apply to a pod and translating pseudo-ACLs
      into actual ACLs upon pod creation
    - Removing all ACLs for a pod upon pod deletion
    - Creating and maintaining OVN address sets for the IP addresses of pods
      that match the from clause of network policies rules
    - monitoring transitions in the namespace isolation property and reacting
      accordingly
    
    Also, the pod watcher will keep track of pod-IP mappings. As the pod IP
    address is removed before the pod DELETED event, when this event occurs
    neither pod data nor their cached version will contain a pod IP. The pod
    IP is required to update the address set for the network policy upon pod
    deletion.
    
    As a part of this patch, the signature for the create_logical_port and
    delete_logical_port methods in the ovn_k8s.modes.overlay.OvnNB class
    has been changed to accept pod data (and pod ip for the delete method)
    rather than an event.
    
    Signed-off-by: Salvatore Orlando <salv.orlando@gmail.com>
    salv-orlando committed Jan 10, 2017
    463fb98
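The translation described in the two commit messages above (the "policy event" that recalculates from clauses in commit 2, and the pseudo-ACL, default-drop, address-set and pod-IP-cache logic in commit 4) can be illustrated end to end with a small Python model. The code below is an added example written for this page; it is not the ovn-kubernetes code in the PR. The sample namespaces, pods and policy are constructed, the address-set naming convention, the 1000/1001 priorities and the `outport`/`ip4.src == $set` match text are assumptions chosen to resemble OVN ACL syntax, and nothing here talks to an OVN northbound database.

```python
from typing import Dict, List, Tuple

# Constructed sample state (not real cluster data): two namespaces, three pods.
NAMESPACES = {
    "web": {"isolated": True},     # isolated: pods get a default drop ACL
    "tools": {"isolated": False},  # non-isolated: traffic is whitelisted
}
PODS = {
    "web/frontend-1": {"ns": "web", "labels": {"role": "frontend"}, "ip": "10.1.0.10"},
    "web/db-1": {"ns": "web", "labels": {"role": "db"}, "ip": "10.1.0.11"},
    "tools/client-1": {"ns": "tools", "labels": {"role": "client"}, "ip": "10.2.0.5"},
}
# Constructed policy in the 2016-era NetworkPolicy shape (podSelector, ingress/from/ports).
POLICY = {
    "metadata": {"name": "allow-frontend-to-db", "namespace": "web"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }],
    },
}


def selector_matches(selector: dict, labels: dict) -> bool:
    """True when every matchLabels pair of the selector is present on the pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def address_set_name(policy: dict, rule_idx: int, from_idx: int) -> str:
    """Hypothetical naming convention: one address set per (policy, rule, from entry)."""
    md = policy["metadata"]
    return f"as_{md['namespace']}_{md['name']}_{rule_idx}_{from_idx}"


def build_address_sets(policy: dict, pods: dict) -> Dict[str, List[str]]:
    """Collect the IPs of pods matching each 'from' podSelector (same namespace only).
    Re-running this after a pod label change is the 'recalculate from clauses' step."""
    ns = policy["metadata"]["namespace"]
    sets: Dict[str, List[str]] = {}
    for r, rule in enumerate(policy["spec"].get("ingress", [])):
        for f, frm in enumerate(rule.get("from", [])):
            sel = frm.get("podSelector")
            sets[address_set_name(policy, r, f)] = sorted(
                p["ip"] for p in pods.values()
                if sel is not None and p["ns"] == ns and p["ip"]
                and selector_matches(sel, p["labels"])
            )
    return sets


def policy_to_pseudo_acls(policy: dict) -> List[str]:
    """Translate each ingress rule into a pod-independent OVN match fragment.
    Sources are referenced through address sets ($name), so pod churn only
    updates the set contents, never the ACL text."""
    pseudo = []
    for r, rule in enumerate(policy["spec"].get("ingress", [])):
        srcs = [f"ip4.src == ${address_set_name(policy, r, f)}"
                for f in range(len(rule.get("from", [])))]
        ports = [f"{p.get('protocol', 'TCP').lower()}.dst == {p['port']}"
                 for p in rule.get("ports", [])]
        # An empty 'from' or 'ports' list means "any"; 1 is an always-true match.
        pseudo.append(f"({' || '.join(srcs) or '1'}) && ({' || '.join(ports) or '1'})")
    return pseudo


def acls_for_pod(pod_key: str, pods: dict, namespaces: dict,
                 policies: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (priority, match, action) ACLs for one pod's logical port."""
    pod = pods[pod_key]
    port_match = f'outport == "{pod_key}" && ip'
    if not namespaces[pod["ns"]]["isolated"]:
        return [(1000, port_match, "allow-related")]  # whitelist everything
    acls = [(1000, port_match, "drop")]  # default deny in an isolated namespace
    for policy in policies:
        if policy["metadata"]["namespace"] != pod["ns"]:
            continue
        if not selector_matches(policy["spec"]["podSelector"], pod["labels"]):
            continue
        for match in policy_to_pseudo_acls(policy):
            acls.append((1001, f"{port_match} && {match}", "allow-related"))
    return acls


def on_pod_deleted(pod_key: str, pod_ip_cache: Dict[str, str],
                   address_sets: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """The DELETED event no longer carries the pod IP, so use the watcher's
    pod->IP cache (filled on ADDED/MODIFIED) to remove it from every set."""
    ip = pod_ip_cache.pop(pod_key, None)
    return {name: [a for a in ips if a != ip] for name, ips in address_sets.items()}


if __name__ == "__main__":
    print(build_address_sets(POLICY, PODS))
    for key in PODS:
        print(key, acls_for_pod(key, PODS, NAMESPACES, [POLICY]))
```

The higher-priority allow rules sit above a single default drop per isolated pod, so a pod in an isolated namespace with no matching policy receives only the drop, while a pod in a non-isolated namespace receives only the whitelist rule; address sets carry the source IPs so that a label change or pod deletion updates set membership without rewriting any ACL.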
  5. Network policy integration documentation

    Add a markdown document discussing the kubernetes network policy
    integration with OVN ACLs which also includes some implementation
    details, and some example policies which can be used to test
    the feature.
    
    Signed-off-by: Salvatore Orlando <salv.orlando@gmail.com>
    salv-orlando committed Jan 10, 2017
    e85a11f