policy/api: Support unmanaged entity in policies

[pchaigno]

0a9685e introduced the reserved:unmanaged identity, but did not introduce the associated entity. This commit fixes it and allows the following in policies:

- fromEntity:
  - unmanaged

The goal is to allow policies to work even before all pods are restarted and managed by Cilium. In particular, this can be an issue with host policies since the host is more likely than pods to need to talk with unmanaged pods (e.g., on GKE right after deploying Cilium).

Fixes: #5898

[pchaigno]

test-me-please

[coveralls]

Coverage increased (+0.02%) to 36.957% when pulling b7c5884 on pr/pchaigno/unmanaged-entity into 4814e1c on master.

[joestringer]

I'm fine with the change, but it's one more thing for users to sort through. Is there a use case you have in mind where you want to allow unmanaged but allowing cluster is too broad? Otherwise cluster should be sufficient.

[pchaigno]

Is there a use case you have in mind where you want to allow unmanaged but allowing cluster is too broad? Otherwise cluster should be sufficient.

I currently do frequent tests on GKE with an ingress+egress host policy that only allows the strict minimum. Whenever I forget to restart pods after deploying Cilium (pretty much every single time...), the cluster breaks in all sorts of ways. Having the unmanaged entity allows me to whitelist communications to/from unmanaged pods until they are restarted.

I'm unsure if we can expect users to run into the same scenario, but it's certainly handy to have unmanaged if they ever do. cluster would whitelist a lot more than the policy intends in this case.

it's one more thing for users to sort through

I didn't really consider that TBH. This pull request doesn't introduce any new concept; users already have to know about unmanaged pods. I'm just allowing to match on these in policies and making our entities consistent in the process: AFAICS, all our other reserved labels have corresponding entities.