MultiNetworkPolicy does not allow for empty podSelector

[trozet]

NetworkPolicy allows an empty podSelector:

// NetworkPolicySpec provides the specification of a NetworkPolicy
type NetworkPolicySpec struct {
	// podSelector selects the pods to which this NetworkPolicy object applies.
	// The array of ingress rules is applied to any pods selected by this field.
	// Multiple network policies can select the same set of pods. In this case,
	// the ingress rules for each are combined additively.
	// This field is NOT optional and follows standard label selector semantics.
	// An empty podSelector matches all pods in this namespace.
	PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`

However, MultiNetworkPolicy does not:

trozet@fedora:~/go/src/github.com/ovn-org/ovn-kubernetes/contrib$ cat /home/trozet/network_policy_port_range_udn.yml
---
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: deny-by-default
  annotations:
    k8s.v1.cni.cncf.io/policy-for: ns1/l3-network
spec:
  podSelector:
#    matchLabels:
#      key: value
  policyTypes:
  - Egress
  egress: 
   - to:
     - ipBlock:
         cidr: 10.244.0.0/16
     ports:
       - protocol: TCP
         port: 15384
         endPort: 65535
       - port: 1337
         endPort: 1338    
trozet@fedora:~/go/src/github.com/ovn-org/ovn-kubernetes/contrib$ oc create -f /home/trozet/network_policy_port_range_udn.yml
The MultiNetworkPolicy "deny-by-default" is invalid: spec.podSelector: Required value

[zeeke]

I don't know why exactly NetworkPolicy accepts that syntax, but the empty selector should be {}, as per k8s documentation:
https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic

and that works fine with MultiNetworkPolicies.

Do you need to support omitting the podSelector? It is not optional and it's stated in the code comment

// This field is NOT optional and follows standard label selector semantics.

[npinaeva]

The reason is the difference between how CRD vs core k8s types are handled, here is the clarification kubernetes/kubernetes#130896
The original idea was to make this selector required, so current MNP is handling this case better, but if we want to reproduce the behaviour closer to the netpol, such fields should probably be represented by the optional fields with the default zero value.
There are a couple more validations on the netpol that are not present on MNP (e.g. that endPort should be >= than port) that you can find here https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/networking/validation/validation.go
Not sure if we want to try and add some CEL to the MNP or say it is implementation's responsibility to run those validation and report errors somehow, considering we don't have status (: