Network Policy traffic drop response feature improvements

[antonipp]

This issue keeps track of future improvements for the --policy-deny-response feature implemented in #41406 to return ICMP responses when traffic gets denied by CNPs.

The first iteration of the feature only implemented ICMPv4 responses for egress IPv4 traffic. Next steps:

• ICMPv4 responses for IPv4 ingress traffic
• Don't send ICMPs as response to ICMP error messages
• ICMPv6 responses for IPv6 egress traffic (requires rate-limiting!)
• ICMPv6 responses for IPv6 ingress traffic (requires rate-limiting!)
• Find a way to steer traffic back into the pod when the pod has ingress CNPs. Right now users have to explicitly allow ICMP traffic if they have ingress policies
• Add support for TCP RST responses for TCP traffic
• Add a per-policy flag to allow for more granular behavior tuning

Related issues: #17944, #40228

[julianwiedmann]

Marking this as blocker for now, I think some parts of this really should land together. Otherwise we'll have to take another pass at clarifying docs, and/or marking the feature as experimental.

[julianwiedmann]

One further issue to address is

• Don't send ICMPs as response to ICMP error messages

(pretty sure this is in the ICMP RFC, but I won't dig it up)

[joestringer]

I see that this was nominated for v1.19 release blocker in September, but I cannot see evidence that the issue is progressing. v1.19 feature freeze will come up very soon, so I suggest we evaluate what we think can be achieved by mid December and scope down anything else.