Add NetworkPolicy feature to addon VPC-CNI using default allow policy#2304

Open
wcarlsen wants to merge 3 commits into master from add/eks/vpc-cni/networkpolicies

Conversation

@wcarlsen
Contributor

@wcarlsen wcarlsen commented Apr 24, 2026

Describe your changes

Add NetworkPolicy feature to addon VPC-CNI using default allow policy.

We need to understand and investigate this statement from the docs before going forward:

"The network policy feature uses port 8162 on the node for metrics by default. Also, the feature uses port 8163 for health probes. If you run another application on the nodes or inside pods that needs to use these ports, the app fails to run. From VPC CNI version v1.14.1 or later, you can change these ports."

See docs https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy-configure.html.

Tested using these policies and a deployment and service responding on port 8000 and simple debug pod with curl.

---
# 1) Baseline: deny all ingress and egress for all pods in default ns
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2) Allow DNS egress so pods can resolve service names (echo.default.svc, etc.)
# Note: Uses namespaceSelector label used by many distros: kubernetes.io/metadata.name: kube-system
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3) Allow ingress to echo ONLY from pods labeled app=curl on TCP/8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-echo-from-curl
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: echo
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: curl
      ports:
        - protocol: TCP
          port: 8080
---
# 4) Allow egress from curl ONLY to pods labeled app=echo on TCP/8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-curl-to-echo
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: curl
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: echo
      ports:
        - protocol: TCP
          port: 8080

See results from test here

Issue ticket number and link

Checklist before requesting a review

Is it a new release?

  • Apply a release tag release:(major|minor|patch), following semantic versioning in this guide, or norelease if there are no changes to the Terraform code

Signed-off-by: Willi Carlsen <carlsenwilli@gmail.com>
@wcarlsen wcarlsen requested a review from a team as a code owner April 24, 2026 06:02
@wcarlsen wcarlsen added the release:minor Triggers a minor release label Apr 24, 2026
@DFDS-Snyk

DFDS-Snyk commented Apr 24, 2026

Snyk checks have passed. No issues have been found so far.

| Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- |
| Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| Licenses | 0 | 0 | 0 | 0 | 0 issues |
| Code Security | 0 | 0 | 0 | 0 | 0 issues |


@wcarlsen
Contributor Author

FYI we don't have any references to ports 8162 and 8163 in hellman pod specs or services. So this should be good to go.
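The port check behind that comment can be made repeatable. The scanner below is an added example for this thread, not code from the PR or the project: it walks a list of Kubernetes manifests (already parsed into dicts) and reports every reference to the two default ports named in the AWS docs quoted above. The sample manifests, the `WORKLOAD_KINDS` set and the hit format are constructed for the example; `hostPort` and `containerPort` on a `hostNetwork` pod are the cases that actually bind the node, and are flagged as such.

```python
"""Scan Kubernetes manifests for the node ports the VPC CNI network policy
agent uses by default (8162 metrics, 8163 health probes, per the AWS docs
quoted in this PR). Constructed example for this thread, not code from the
PR or the project; the sample manifests below are made up to exercise it.
"""
RESERVED_PORTS = {8162: "network policy agent metrics", 8163: "network policy agent health probes"}
WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}


def _pod_spec(manifest):
    """PodSpec of a Pod or of a workload's pod template, else None."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None


def find_reserved_port_uses(manifests):
    """Return (object, where, port, reason) for each reference to a reserved port.

    hostPort, and containerPort on hostNetwork pods, bind the node itself and
    are the collisions the docs warn about; plain containerPort and Service
    port/targetPort/nodePort are reported too so the operator can review them.
    """
    hits = []
    for m in manifests:
        ident = f'{m.get("kind")}/{m.get("metadata", {}).get("name")}'
        spec = _pod_spec(m)
        if spec is not None:
            host_net = " (hostNetwork)" if spec.get("hostNetwork") else ""
            for c in spec.get("containers", []) + spec.get("initContainers", []):
                for p in c.get("ports", []):
                    for key in ("containerPort", "hostPort"):
                        if p.get(key) in RESERVED_PORTS:
                            hits.append((ident, f'container {c["name"]} {key}{host_net}',
                                         p[key], RESERVED_PORTS[p[key]]))
        elif m.get("kind") == "Service":
            for p in m.get("spec", {}).get("ports", []):
                for key in ("port", "targetPort", "nodePort"):
                    if p.get(key) in RESERVED_PORTS:
                        hits.append((ident, f"service {key}", p[key], RESERVED_PORTS[p[key]]))
    return hits


# Constructed manifests: a clean echo deployment, a hostNetwork DaemonSet that
# would collide with the agent's metrics port, and a Service targeting 8163.
SAMPLE_MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "echo"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "echo", "ports": [{"containerPort": 8080}]}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "node-agent"},
     "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
         {"name": "agent", "ports": [{"containerPort": 8162}]}]}}}},
    {"kind": "Service", "metadata": {"name": "probe-svc"},
     "spec": {"ports": [{"port": 80, "targetPort": 8163}]}},
]

if __name__ == "__main__":
    for hit in find_reserved_port_uses(SAMPLE_MANIFESTS):
        print("%s: %s uses %d (%s)" % hit)
```

In practice the input would come from `kubectl get deploy,ds,sts,svc -A -o json` (the `items` list) or from the rendered Helm output of the repo in question; a named `targetPort` string simply never matches and is left alone.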

@wcarlsen
Contributor Author

I've managed to add testing of NetworkPolicy features and hopefully they showcase the following:

  • AWS VPC CNI plugin is configured with network-policy feature enabled
  • AWS VPC CNI plugin uses "standard" mode, so allow by default
  • Validate allow by default is true within the same namespace
  • Apply deny-all policy that now blocks all, so the validation from before now fails
  • Open up for pod to pod communication with DNS, Ingress and Egress policy and see that it works again
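The three stages of that test plan (default allow, deny-all, open up) and the four policies from the PR description can be reasoned about without a cluster. The evaluator below is an added example for this thread, not code from the PR or from the VPC CNI project: it implements the NetworkPolicy allow model (a pod selected by no policy in a direction is allowed by default; once selected, traffic is allowed only if some rule of some selecting policy matches both peer and port) and replays the sequence against transcriptions of the PR's policies. `NAMESPACE_LABELS`, the pod names and labels, and the `k8s-app: kube-dns` label on the CoreDNS stand-in are constructed assumptions; matchExpressions, named ports and ipBlock peers are not modelled.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (constructed example
for this PR thread, not code from the PR or the VPC CNI project). Models
podSelector/namespaceSelector matchLabels, policyTypes, numbered ports with
endPort, and the additive "allow if any selecting policy has a matching rule"
model; matchExpressions, named ports and ipBlock peers are out of scope.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict

# Constructed namespace labels; the API server sets kubernetes.io/metadata.name.
NAMESPACE_LABELS = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}

def _selects(selector, labels):
    """matchLabels subset test; an empty selector ({}) selects everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def _peer_matches(peer, pod, policy_ns):
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False  # ipBlock-only peer: out of scope for pod-to-pod checks
    ns_ok = (_selects(ns_sel, NAMESPACE_LABELS.get(pod.namespace, {})) if ns_sel is not None
             else pod.namespace == policy_ns)  # a bare podSelector means the policy's own namespace
    return ns_ok and (pod_sel is None or _selects(pod_sel, pod.labels))

def _port_matches(ports, port, protocol):
    if not ports:
        return True  # no ports list means any port
    return any(e.get("protocol", "TCP") == protocol
               and (e.get("port") is None or e["port"] <= port <= e.get("endPort", e["port"]))
               for e in ports)

def _direction_allowed(policies, pod, peer, port, protocol, direction):
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p for p in policies if p["metadata"]["namespace"] == pod.namespace
                  and _selects(p["spec"].get("podSelector"), pod.labels)
                  and direction in (p["spec"].get("policyTypes")
                                    or (["Ingress", "Egress"] if "egress" in p["spec"] else ["Ingress"]))]
    if not applicable:
        return True  # no policy selects this pod in this direction: default allow
    for p in applicable:
        for rule in p["spec"].get(rules_key) or []:
            peers = rule.get(peer_key) or []
            if (not peers or any(_peer_matches(x, peer, pod.namespace) for x in peers)) \
                    and _port_matches(rule.get("ports"), port, protocol):
                return True
    return False  # selected, but no rule matched (deny-all has no rules at all)

def is_allowed(policies, src, dst, port, protocol="TCP"):
    """Traffic must pass the destination's ingress policies and the source's egress policies."""
    return (_direction_allowed(policies, dst, src, port, protocol, "Ingress")
            and _direction_allowed(policies, src, dst, port, protocol, "Egress"))

def _np(name, spec):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}

# The four policies from the PR description, transcribed as dicts.
KUBE_SYSTEM = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}
DENY_ALL = _np("default-deny-all", {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]})
ALLOW_DNS = _np("allow-dns-egress", {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"to": [KUBE_SYSTEM], "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]})
ALLOW_INGRESS_ECHO = _np("allow-ingress-to-echo-from-curl", {
    "podSelector": {"matchLabels": {"app": "echo"}}, "policyTypes": ["Ingress"], "ingress": [
        {"from": [{"podSelector": {"matchLabels": {"app": "curl"}}}], "ports": [{"protocol": "TCP", "port": 8080}]}]})
ALLOW_EGRESS_CURL = _np("allow-egress-from-curl-to-echo", {
    "podSelector": {"matchLabels": {"app": "curl"}}, "policyTypes": ["Egress"], "egress": [
        {"to": [{"podSelector": {"matchLabels": {"app": "echo"}}}], "ports": [{"protocol": "TCP", "port": 8080}]}]})
FULL_SET = [DENY_ALL, ALLOW_DNS, ALLOW_INGRESS_ECHO, ALLOW_EGRESS_CURL]

# Constructed pods standing in for the curl debug pod, the echo deployment and CoreDNS.
CURL = Pod("curl", "default", {"app": "curl"})
ECHO = Pod("echo", "default", {"app": "echo"})
OTHER = Pod("other", "default", {"app": "other"})
DNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})

def expected_outcomes():
    """The PR's sequence (default allow, deny-all, open up) plus the negative cases it implies."""
    return {
        "no policy: curl->echo:8080": is_allowed([], CURL, ECHO, 8080),
        "deny-all: curl->echo:8080": is_allowed([DENY_ALL], CURL, ECHO, 8080),
        "full set: curl->echo:8080": is_allowed(FULL_SET, CURL, ECHO, 8080),
        "full set: curl->echo:9090": is_allowed(FULL_SET, CURL, ECHO, 9090),
        "full set: other->echo:8080": is_allowed(FULL_SET, OTHER, ECHO, 8080),
        "full set: echo->curl:8080": is_allowed(FULL_SET, ECHO, CURL, 8080),
        "full set: curl->coredns:53/UDP": is_allowed(FULL_SET, CURL, DNS, 53, "UDP"),
    }
```

The negative cases are the ones worth adding to the cluster test: with the full set applied, a second port on echo, a pod without `app=curl`, and the reverse direction echo to curl should all fail, while DNS to kube-system still works because `allow-dns-egress` selects every pod in the namespace. Egress from echo to coredns is allowed for the same reason, which is exactly the "open up" step the plan describes.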

@wcarlsen wcarlsen requested a review from rifisdfds May 15, 2026 12:01