Added matchExpression and additional policy to np generator

[Elias-elastisys]

Warning

This is a public repository, ensure not to disclose:

• personal data beyond what is necessary for interacting with this pull request, nor
• business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

• kind/feature
• kind/improvement
• kind/deprecation
• kind/documentation
• kind/clean-up
• kind/bug
• kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

• kind/admin-change
• kind/dev-change
• kind/security
• [kind/adr](set-me)

What does this PR do / why do we need this PR?

Adds some necessary changes to be used by the other PRs refactoring all old netpols into the generator.

• Part of Refactor network policies #1348

Information to reviewers

Checklist

• Proper commit message prefix on all commits
• Change checks:
  • The change is transparent
  • The change is disruptive
  • The change requires no migration steps
  • The change requires migration steps
  • The change updates CRDs
  • The change updates the config and the schema
• Documentation checks:
  • The public documentation required no updates
  • The public documentation required an update - [link to change](set-me)
• Metrics checks:
  • The metrics are still exposed and present in Grafana after the change
  • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
  • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
• Logs checks:
  • The logs do not show any errors after the change
• PodSecurityPolicy checks:
  • Any changed Pod is covered by Kubernetes Pod Security Standards
  • Any changed Pod is covered by Gatekeeper Pod Security Policies
  • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
• NetworkPolicy checks:
  • Any changed Pod is covered by Network Policies
  • The change does not cause any dropped packets in the NetworkPolicy Dashboard
• Audit checks:
  • The change does not cause any unnecessary Kubernetes audit events
  • The change requires changes to Kubernetes audit policy
• Falco checks:
  • The change does not cause any alerts to be generated by Falco
• Bug checks:
  • The bug fix is covered by regression tests

[simonklb]

What is the reason for the additional? Looks like it goes against the whole idea of generating netpols. 😄

[Elias-elastisys]

What is the reason for the additional? Looks like it goes against the whole idea of generating netpols. 😄

Purely for backwards capability. Since the option existed, I assumed it was used somewhere. I agree it would be nice to avoid if possible.

[aarnq]

Nit, could you sort expressions before labels?

[aarnq]

Another nit:

Suggested change

	# kind: NetworkPolicy
	# apiVersion: networking.k8s.io/v1
	# apiVersion: networking.k8s.io/v1
	# kind: NetworkPolicy

[aarnq]

Suggested change

[aarnq]

Suggested change

	{{- if .Values.additional }}
	{{- .Values.additional }}
	{{- end }}
	{{- with .Values.additional }}
	{{- . }}
	{{- end }}

Simplification

[aarnq]

What is the reason for the additional? Looks like it goes against the whole idea of generating netpols. 😄

Purely for backwards capability. Since the option existed, I assumed it was used somewhere. I agree it would be nice to avoid if possible.

I do think it is fine to include to not cause breakage, as we do use it as a means to add some netpols, though I would be happy to see us migrate to the "new" style for all including existing ips and ports options. 😄