@turkmenkaan turkmenkaan commented Jan 5, 2026

Description

This PR adds support for the allowedSourcePrefixes annotation to Calico in eBPF mode. This annotation allows pods to send out traffic with a source IP other than the pod IP, and the annotation is already implemented for non-eBPF Calico modes.

Calico node is the only component that is affected directly by the PR. However, there are changes at the eBPF layer that can affect traffic in the cluster.

The testing consisted of a TCP packet generating script and a UDP proxy with IP_TRANSPARENT option enabled. The testing setup will be detailed below, but the results are common for both manual tests.

TCP Packet Generation
A pod controlled by a DaemonSet running on one of the nodes generates empty TCP packets using Python & Scapy. The source IP is set to 192.192.192.192. The generated packets are sent to an external machine every second. A tcpdump instance is running on the target machine.

UDP Proxy
A simple Python script that acts as a UDP proxy is deployed to the cluster with the updated calico-node image as a DaemonSet. The Python script accepts incoming packets and uses the IP_TRANSPARENT option to send them to the external machine while preserving the source IP. Once again, tcpdump is running on the target machine to observe incoming packets.

Results
In both cases, before adding any annotations to the test pod, the egress pods are getting dropped and the following logs are observed in bpftool prog tracelog:

python3-814830  [003] ..s2. 9696281.750213: bpf_trace_printk: calidce118d2ec5-E: Workload RPF check src=192.192.192.192 skb iface=82.
python3-814830  [003] ..s2. 9696281.750215: bpf_trace_printk: Allow source lookup src=192.192.192.192 found=0
python3-814830  [003] ..s2. 9696281.750215: bpf_trace_printk: calidce118d2ec5-E: Workload RPF fail: missing route.

The second line was added temporarily for debugging purposes.

Once the following annotation cni.projectcalico.org/allowedSourcePrefixes: '["192.192.192.192/32"]' is added to the test pod, packets start reaching the target machine. In addition, the following logs are observed:

python3-1203326 [001] ..s2. 9696468.029264: bpf_trace_printk: calia1d5ef599c0-E: Workload RPF check src=192.192.192.192 skb iface=83.
python3-1203326 [001] ..s2. 9696468.029267: bpf_trace_printk: Allow source lookup src=192.192.192.192 found=1
python3-1203326 [001] ..s2. 9696468.029268: bpf_trace_printk: calia1d5ef599c0-E: Workload RPF bypass: allowing spoofed source

Once the annotation is removed, the initial logs are observed again.

Related issues/PRs

Fixes #11591

Todos

  • Tests
  • Documentation
  • Release note

Release Note

eBPF: implement allowedSourcePrefixes functionality 

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.
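To make the decision behind the tracelog lines above concrete, here is an added example (not Calico's code, and not the test scripts from this PR) that parses the annotation as the page shows it (a JSON list of CIDR strings), emulates the three outcomes visible in the logs (normal RPF pass, "bypass: allowing spoofed source", "fail: missing route") and counts fail/bypass events per interface in bpftool tracelog output. The function names, the linear prefix scan (Calico's dataplane uses its own lookup structure) and the pod IP 10.0.0.5 are assumptions made for the example; the log lines are the ones quoted in this PR.

```python
import ipaddress
import json
import re

# Annotation key as used in this PR.
ANNOTATION = "cni.projectcalico.org/allowedSourcePrefixes"


def parse_allowed_source_prefixes(annotations):
    """Return the CIDRs listed in the allowedSourcePrefixes annotation.

    The annotation value is a JSON-encoded list of CIDR strings, e.g.
    '["192.192.192.192/32"]'. A missing annotation means no extra prefixes.
    Malformed values raise instead of silently allowing anything.
    """
    raw = annotations.get(ANNOTATION)
    if raw is None:
        return []
    prefixes = json.loads(raw)
    if not isinstance(prefixes, list) or not all(isinstance(p, str) for p in prefixes):
        raise ValueError(f"{ANNOTATION} must be a JSON list of CIDR strings")
    # strict=True rejects prefixes with host bits set (e.g. 10.0.0.5/24).
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def workload_rpf_decision(src_ip, pod_ips, allowed_prefixes):
    """Emulate the workload egress RPF check shown in the tracelog (hypothetical helper).

    Returns "allow" when the source is one of the pod's own IPs (ordinary RPF
    pass), "bypass" when it falls inside an allowed prefix (the "Workload RPF
    bypass: allowing spoofed source" line) and "drop" otherwise ("Workload RPF
    fail: missing route"). A linear scan stands in for the real lookup.
    """
    src = ipaddress.ip_address(src_ip)
    if any(src == ipaddress.ip_address(p) for p in pod_ips):
        return "allow"
    # An IPv4 address is never "in" an IPv6 network (and vice versa).
    if any(src in net for net in allowed_prefixes):
        return "bypass"
    return "drop"


# Matches the "<iface>: Workload RPF fail|bypass" part of a bpf_trace_printk line.
RPF_LINE = re.compile(
    r"bpf_trace_printk: (?P<iface>\S+): Workload RPF (?P<outcome>fail|bypass)"
)


def summarize_rpf_tracelog(lines):
    """Count RPF fail/bypass events per interface in bpftool prog tracelog output."""
    counts = {}
    for line in lines:
        m = RPF_LINE.search(line)
        if m is None:
            continue  # "RPF check" and unrelated lines carry no outcome
        key = (m.group("iface"), m.group("outcome"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Sample input: the tracelog lines quoted in this PR (before and after annotation).
SAMPLE_TRACELOG = [
    "python3-814830  [003] ..s2. 9696281.750213: bpf_trace_printk: calidce118d2ec5-E: Workload RPF check src=192.192.192.192 skb iface=82.",
    "python3-814830  [003] ..s2. 9696281.750215: bpf_trace_printk: Allow source lookup src=192.192.192.192 found=0",
    "python3-814830  [003] ..s2. 9696281.750215: bpf_trace_printk: calidce118d2ec5-E: Workload RPF fail: missing route.",
    "python3-1203326 [001] ..s2. 9696468.029264: bpf_trace_printk: calia1d5ef599c0-E: Workload RPF check src=192.192.192.192 skb iface=83.",
    "python3-1203326 [001] ..s2. 9696468.029267: bpf_trace_printk: Allow source lookup src=192.192.192.192 found=1",
    "python3-1203326 [001] ..s2. 9696468.029268: bpf_trace_printk: calia1d5ef599c0-E: Workload RPF bypass: allowing spoofed source",
]


if __name__ == "__main__":
    pod_ips = ["10.0.0.5"]  # constructed pod IP for the example
    with_annotation = {ANNOTATION: '["192.192.192.192/32"]'}
    allowed = parse_allowed_source_prefixes(with_annotation)
    print("annotated pod, src 192.192.192.192 ->",
          workload_rpf_decision("192.192.192.192", pod_ips, allowed))
    print("unannotated pod, src 192.192.192.192 ->",
          workload_rpf_decision("192.192.192.192", pod_ips, []))
    print("pod's own IP ->", workload_rpf_decision("10.0.0.5", pod_ips, []))
    print("tracelog summary:", summarize_rpf_tracelog(SAMPLE_TRACELOG))
```

The summary function is the piece a reviewer can reuse directly: running it over a longer tracelog capture during the manual test should show only "fail" counts on the interface before the annotation is applied and only "bypass" counts after, and the strict CIDR parsing makes a typo in the annotation fail loudly rather than widen what a pod may send.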

@marvin-tigera marvin-tigera added this to the Calico v3.32.0 milestone Jan 5, 2026
@marvin-tigera marvin-tigera added the labels release-note-required (Change has user-facing impact, no matter how small) and docs-pr-required (Change is not yet documented) Jan 5, 2026

CLAassistant commented Jan 5, 2026

CLA assistant check
All committers have signed the CLA.

@turkmenkaan turkmenkaan marked this pull request as ready for review January 12, 2026 14:22
@turkmenkaan turkmenkaan requested a review from a team as a code owner January 12, 2026 14:22

Development

Successfully merging this pull request may close these issues.

allowedSourcePrefixes option is not available for eBPF mode