Host CCNP policies rejected on master

[pchaigno]

#11607 broke host policies on master. They are now all rejected with:

$ kubectl describe ccnp | tail -n9
Status:
  Nodes:
    k8s1:
      Error:         Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
      Last Updated:  2020-08-10T12:52:51Z
    k8s2:
      Error:         Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
      Last Updated:  2020-08-10T12:52:48Z
Events:              <none>

This error is printed because CiliumNetworkPolicy.Parse() has some new checks to prevent using NodeSelector in CNPs. It assumes CiliumClusterwideNetworkPolicy.Parse() will be called in the case of CCNPs with NodeSelectors. However, the k8s watcher for CCNPs calls addCiliumNetworkPolicyV2 which takes a types.SlimCNP and therefore calls CiliumNetworkPolicy.Parse().

I took a stab at a fix, but couldn't figure out an easy way to fix this (with my limited Golang skills). Of course, I could implement a counterpart to addCiliumNetworkPolicyV2 for CCNPs (e.g., addCiliumClusterwideNetworkPolicyV2) but that's likely to result in a bit more code duplication. I'm opening this to discuss better solutions (happy to implement addCiliumClusterwideNetworkPolicyV2 is that's the best solution we have).

EDIT: I found this while rebasing #12621, which will ensure we don't get any more regressions on this code.

/cc @aanm @christarazi

[christarazi]

Nice catch, I thought I had caught them all.

It sounds like we're running into the limitations of sharing the same Golang type for CNP and CCNP. However, we may be able to check the Kind field of the CRD that was applied (crd.TypeMeta.Kind), as a quick fix which should contain CiliumNetworkPolicy or CiliumClusterwideNetworkPolicy.

The long-term solution is to split out these types into their own, which is on my list to do next.

Edit: Another alternative I just thought of:

You could manually construct a CCNP object (essentially a conversion) when we detect it . We shouldn't be messing with the objects in the watcher code, but this may be OK for a bit to unblock you, and while we work on the long-term solution.