feat(netpol): authorize l3 protocols

[SkalaNetworks]

Pull Request

• Make sure you have followed Kube-OVN Code Style.

What type of this PR

Examples of user facing changes:

• Features
• Bug fixes
• Docs
• Tests

Which issue(s) this PR fixes

Fixes #(issue-number)

[SkalaNetworks]

I'll wait for #5741 to be merged to factorize the code

I'll also add a global switch to enable this or to keep the default behaviour. And also an annotation on NetworkPolicies to act as a toggle.

[coveralls]

Pull Request Test Coverage Report for Build 18551492763

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 57 of 94 (60.64%) changed or added relevant lines in 3 files are covered.
• 2 unchanged lines in 1 file lost coverage.
• Overall coverage increased (+0.06%) to 21.149%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/controller/config.go	0	2	0.0%
pkg/ovs/ovn-nb-acl.go	57	64	89.06%
pkg/controller/network_policy.go	0	28	0.0%

Files with Coverage Reduction	New Missed Lines	%
pkg/ovs/ovn-nb-bfd.go	2	61.61%

Totals
Change from base Build 18518503263:	0.06%
Covered Lines:	10731
Relevant Lines:	50740

---

💛 - Coveralls

[SkalaNetworks]

@oilbeater new PR to address the discussion we had on Slack

There's now a global controller switch and an annotation on network policies to configure the enforcement of network policies.

When the enforcement is "standard", everything works just like it always has: only what is in the policy is allowed, the rest is blocked (including ICMP)

When the enforcement is "lax", some protocols are excluded from being blocked. Those protocols are considered somewhat essential in a traditional network (especially one that has VMs in it): ARP/NDP (through ICMPv6)/ICMP/DHCP.

That setting is especially useful when using VMs through Kubevirt, as they may rely on DHCP to get their MTU/IP/DNS and more from Kubevirt or Kube-OVN. ICMP is unnecessary in the standard Kubernetes networking model, but very important for VMs to do PMTU discovery.