Introduce NetworkPolicy support to osh workload

[LorenzoBianconi]

Introduce NetworkPolicy (NP) entity according to network-policy.md. In particular the traffic is blocked by default adding each Pod to the DefaultDeny PortGroup and each NP will create 2 port groups for ingress and egress traffic specifying which traffic is allowed for the pods belonging to the same NetworkPolicy

[dceara]

@LorenzoBianconi when running with:

    "name_space_size": 2,
    "network_policy_size": 2,
    "create_acls": true

This generates the following NB config:

$ ovn-nbctl list port_group
_uuid               : 2568706c-8499-4d77-8cd2-d3364c92dfe5
acls                : [45b4473e-61da-4634-8843-d0eebf4226d1, 506d08f5-dedc-436f-9116-a5a5000a5721, bc887d16-003e-49ff-9888-5307abab37b3, c5b46790-7bb7-476c-ab97-69bc2eb6727a]
external_ids        : {}
name                : networkPolicy0
ports               : [4a410a5f-2e00-4576-af33-26e3bbcaf233]

_uuid               : 5cef0dfd-a26d-42fa-bed1-673ce79a3024
acls                : [32429399-ae77-4b51-8179-8f09397173f8, 7ada52f8-7fb9-4f92-845a-b68cf6f84a02]
external_ids        : {}
name                : portGroupMultiDefDeny
ports               : [624d4358-c7e8-4f5c-8201-881b39a172fe]

_uuid               : 2b5382e5-06c9-4660-b04d-3f80301a97af
acls                : [0428de8d-f4c5-4378-a57c-ee3941007770, e198bb40-ded8-404c-abb0-00167944d0c1]
external_ids        : {}
name                : mcastPortGroup_nameSpace1
ports               : [624d4358-c7e8-4f5c-8201-881b39a172fe]

_uuid               : 20308185-5499-4c89-9cfc-2399b874c0d1
acls                : [04664f48-2953-4327-aad6-56f0cfda20cf, 36479673-fc77-4af9-836e-816a95e8fc3b, 6980cf7d-b288-496e-80ff-f7f578634dde, 76404bbe-a5e9-44de-ac9b-7b50ce314bda]
external_ids        : {}
name                : networkPolicy1
ports               : [624d4358-c7e8-4f5c-8201-881b39a172fe]

_uuid               : a3698ada-ac01-4bc9-a199-96e5d88ddb59
acls                : [44749e5b-ce84-4f02-9931-ae6f1e897dce, a5553649-55e3-4411-98d4-e8b0fd96ca96, d7a78bda-49e8-40d8-9113-c5d1353574a7, f00eb761-99ae-432f-afaa-ff196bf2ebb2]
external_ids        : {}
name                : portGroupDefDeny
ports               : [624d4358-c7e8-4f5c-8201-881b39a172fe]

_uuid               : b5ce99bb-910a-42b9-b0d6-3b2fdfd3076b
acls                : [e119b314-a62d-4416-8bcd-d80ab14922a4, ed169b0d-b1f5-49cf-a3df-2e242d0c50aa]
external_ids        : {}
name                : mcastPortGroup_nameSpace0
ports               : [4a410a5f-2e00-4576-af33-26e3bbcaf233]

Shouldn't port group portGroupDefDeny and portGroupMultiDefDeny contain all 4 ports instead of just one?
Also if I understand correctly the requirements, port groups networkPolicy0 and networkPolicy1 should both contain 2 ports. Same for mcastPortGroup_nameSpace0 and mcastPortGroup_nameSpace1.

What do you think?

[dceara]

I think this should be "match" : "%(direction)s == %(lport)s && ip4.mcast".

[hzhou8]

For the network policy related port-groups and ACLs, it seems to me better to be created as configuration (in JSON format) instead of adding to the code implementation. In the code we can add the support to apply whatever port-groups and ACLs that is configured, so that it is easier to test scalability of different port-group/ACL configurations. For example, we can compare the scalability of creating one port-group for all default policies with creating different groups for ingress/egress policies, without changing the code. What do you think?

[dceara]

@LorenzoBianconi I have a few more minor comments.

@hzhou8 Regarding your comment, do we do a rework of the port_group/address_set/acl scenarios as a follow up to this PR?

[dceara]

@hzhou8 I opened issue #197 to track your suggestion about making network policies more generic. Until we get that implemented I'll merge this PR for now.

Thanks,
Dumitru