Add K8sNP endPort support

[GraysonWu]

This PR fixes #1638.
Change the process of K8sNP -> InternalNP.
To use endPort in kube-apiserver, add featrue-gates flag.

[codecov-commenter]

Codecov Report

Merging #2190 (f5187aa) into main (cddfccd) will increase coverage by 3.28%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #2190      +/-   ##
==========================================
+ Coverage   61.69%   64.98%   +3.28%     
==========================================
  Files         274      274              
  Lines       20673    20674       +1     
==========================================
+ Hits        12754    13434     +680     
+ Misses       6587     5857     -730     
- Partials     1332     1383      +51     

Flag	Coverage Δ
e2e-tests	56.23% <100.00%> (?)
kind-e2e-tests	52.39% <100.00%> (-0.28%)	⬇️
unit-tests	41.09% <100.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...ntroller/networkpolicy/networkpolicy_controller.go	84.59% <100.00%> (+0.02%)	⬆️
pkg/apiserver/certificate/cacert_controller.go	58.27% <0.00%> (-7.95%)	⬇️
pkg/apiserver/apiserver.go	89.51% <0.00%> (-1.62%)	⬇️
pkg/ovs/openflow/ofctrl_bridge.go	50.36% <0.00%> (+0.36%)	⬆️
pkg/agent/openflow/network_policy.go	76.41% <0.00%> (+0.59%)	⬆️
pkg/agent/cniserver/pod_configuration.go	54.68% <0.00%> (+0.78%)	⬆️
pkg/controller/egress/store/egressgroup.go	1.38% <0.00%> (+1.38%)	⬆️
pkg/ovs/openflow/ofctrl_flow.go	47.36% <0.00%> (+1.75%)	⬆️
pkg/flowaggregator/certificate.go	79.27% <0.00%> (+2.70%)	⬆️
pkg/agent/openflow/cookie/allocator.go	67.74% <0.00%> (+3.22%)	⬆️
... and 38 more

[antoninbas]

LGTM, I'll defer to @Dyanngg for final approval

[antoninbas]

you are enabling EndPort in the Vagrant testbed, which is fine by me, but there is no e2e test for EndPort yet?

[Dyanngg]

I believe @GraysonWu mentioned that he is looking into adding the feature gate in antrea/ci/jenkins/ and antrea/ci/kind/, maybe you could share a bit more info on that front? Also, some amount of documentation on how the feature gate can be enabled for the k8s-apiserver will be very useful.

[GraysonWu]

Just added e2e test and enabled endport feature gate in Kind.
About Jenkins, I asked zhecheng for more information. Let's see his reply if they support 1.21.

[GraysonWu]

As @lzhecheng said, the testbed hasn't upgraded to 1.21. He will add that feature gate while upgrading.

[Dyanngg]

We might also want to fix the DCO https://github.com/antrea-io/antrea/pull/2190/checks?check_run_id=2623926970

[antoninbas]

LGTM

[tnqn]

How the test works if the testbed doesn't support 1.21 yet?

[Dyanngg]

Same question, maybe we can add some mechanism to check if the feature gate is enabled? Didn't find a clean way but a simple look into the api server process seems to do the trick https://stackoverflow.com/questions/50441452/check-if-the-feature-gate-is-enabled-disabled-in-kubernetes

ps aux | grep apiserver | grep feature-gates
root       15458  7.8 19.7 1449248 402504 ?      Ssl  May23 185:47 kube-apiserver --advertise-address=192.168.77.100  .............. --etcd-servers=https://127.0.0.1:2379 --feature-gates=NetworkPolicyEndPort=true...........

[GraysonWu]

Good point. Addressed.

[tnqn]

the function sounds generic but will work for features that are not enabled by default. If a newer K8s version enables it by default, it will skip a feature by mistake. It may not be a real problem in CI if we test few K8s versions only. But we should add a comment to explain its limitation.

Or for this particular case, you could create a Policy with endport set, check if the created policy still has it. If not, the feature is not enabled and the test can skip.

[GraysonWu]

Sounds good. Addressed your last suggestion.

[GraysonWu]

/test-e2e

[tnqn]

LGTM

[tnqn]

/test-all

[GraysonWu]

/test-all

[GraysonWu]

/test-all

[GraysonWu]

/test-conformance

[tnqn]

/test-conformance
/test-networkpolicy

[tnqn]

/test-networkpolicy