Improve Antrea-native Policy CRD schema verification

[wenqiq]

Add namespaceSelector/podSelector validations in all CRD schema.

The incorrect input of labelSelector fields that have known schema should be rejected;

In the following example, we want to create ClusterNetworkPolicy resource:

spec.appliedTo.namespaceSelector must be matchLabels or matchExpressions,
actually in the existing version the spelling mistake ‘matchLables’ can not be checked out.
Save the CustomResourceDefinition to resourcedefinition.yaml:

cat acnp_demo.yaml

apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: blacklist
spec:
    priority: 5
    tier: securityops
    appliedTo:
      - namespaceSelector:
          matchLables:
            env: dummy
    ingress:
      - action: Drop

We created it succeeded without any error.

After fixed the issue, we will get the following error message as expected:

kubectl create -f acnp_demo.yaml
error: error validating "acnp_demo.yaml": error validating data: ValidationError(ClusterNetworkPolicy.spec.appliedTo[0].namespaceSelector): unknown field "matchLables" in io.antrea.crd.v1alpha1.ClusterNetworkPolicy.spec.appliedTo.namespaceSelector; if you choose to ignore these errors, turn validation off with --validate=false

In addition, all of namespaceSelector/podSelector parameters verification in CRD schema will be improved.

Fix #2090

[codecov-commenter]

Codecov Report

Merging #2125 (2a50612) into main (d258bbc) will increase coverage by 19.83%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main    #2125       +/-   ##
===========================================
+ Coverage   41.41%   61.25%   +19.83%     
===========================================
  Files         131      269      +138     
  Lines       16502    20453     +3951     
===========================================
+ Hits         6834    12528     +5694     
+ Misses       9084     6631     -2453     
- Partials      584     1294      +710     

Flag	Coverage Δ
kind-e2e-tests	52.09% <ø> (?)
unit-tests	41.40% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/apiserver/handlers/webhook/mutation_labels.go	24.71% <0.00%> (ø)
...ntroller/crdmirroring/crdhandler/externalentity.go	16.27% <0.00%> (ø)
...lientset/versioned/typed/ops/v1alpha1/traceflow.go	24.09% <0.00%> (ø)
...tset/versioned/typed/core/v1alpha2/clustergroup.go	24.09% <0.00%> (ø)
pkg/agent/apiserver/handlers/errors.go	0.00% <0.00%> (ø)
pkg/ovs/ovsctl/interface.go	0.00% <0.00%> (ø)
pkg/agent/interfacestore/interface_cache.go	81.37% <0.00%> (ø)
pkg/signals/signals.go	100.00% <0.00%> (ø)
...gacyclient/listers/core/v1alpha2/externalentity.go	6.25% <0.00%> (ø)
pkg/ipfix/ipfix_process.go	100.00% <0.00%> (ø)
... and 225 more

[tnqn]

Could you remove the ending ";" and issue ID from the commit title?

[tnqn]

Is the PR ready for review? I see commented code

[wenqiq]

Is the PR ready for review? I see commented code

yes, wait for code review

[tnqn]

LGTM overall, maybe @Dyanngg can take a look too.

[tnqn]

Could you add it to TestGroupValidateAntreaNativePolicies? it seems not different from cases in that group.
And maybe remove testInvalidCGPPodSelectorNsSelectorMatchExpressions as it uses same verification as policies (normally it's fine to have a separate test for ClusterGroup but we are working on reducing e2e runtime #2014 so let's avoid adding it unless it can cover something new)

[wenqiq]

Done in a new commit

[tnqn]

LGTM

[tnqn]

/test-all

[tnqn]

All e2e tests failed on antrea networkpolicy case, which seems related to this change. @wenqiq could you take a look at the failures?

[wenqiq]

All e2e tests failed on antrea networkpolicy case, which seems related to this change. @wenqiq could you take a look at the failures?

well, I will check, It sames the e2e tests fails even with the upstream/main branch as I test yesterday.

[tnqn]

We run e2e tests on VMs and Kind clusters, all tests related to Antrea policy failed on all platforms, and only they failed. This indicated it's related to the PR.

[tnqn]

I guess you need to set "x-kubernetes-preserve-unknown-fields: true" for matchLabels, otherwise all keys are pruned so the e2e tests failed. Glad to see it's caught by the tests.
https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#controlling-pruning

[wenqiq]

Thanks for advice，obviously，some resource can not created as expected in e2e test cases cause the fails, but I have verified those crds in my local kind cluster; I tried reviewing the e2e test cases to find sth, however I did not find an efficient method to implement the e2e test in my local dev env.

https://github.com/vmware-tanzu/antrea/runs/2463089906?check_suite_focus=true
It sames work, thks so much.

[wenqiq]

e2e test back to normal, pls review the latest changes, thanks a lot @tnqn
https://github.com/vmware-tanzu/antrea/actions/runs/794762925

[tnqn]

Thanks, LGTM

[tnqn]

/test-all

[tnqn]

/test-windows-e2e

[Dyanngg]

nit: this should be a local ignore?

[wenqiq]

github/gitignore/Go.gitignore doesn't add vendor/ to its .gitignore file.

# Dependency directories (remove the comment below to include it)
# vendor/

gitignore.io/api/go does add vendor/ to its .gitignore.

# Dependency directories (remove the comment below to include it)
# vendor/

### Go Patch ###
/vendor/
/Godeps/

[tnqn]

@wenqiq Normally it would be better to add this via a separate PR if it is controversial so this PR can proceed faster.

Anyway Antrea doesn't include vendor directory in the repo so at least it's harmless to add it here for the convenience of vendor mode developers. @Dyanngg Do you have strong opinion to remove it from this PR? If not, I'm going to merge it as is.

[Dyanngg]

I don't have a strong opinion for this. Merged.

[Dyanngg]

/test-networkpolicy