tool: validator script for Azure NPM to Cilium migration (#3372)
* npm to cilium validator script testing not done update added new check still debugging service check fixed logic on services with allow all ingress policies added checks for allow all ingress policies added checks for services with allow all policies with empty and label selectors
* added a check for services with target ports
* update for lint errors with repeat imports and using slice of pointers for service and policy maps
* made a function to reuse for Ingress and egress ports
* added some unit tests except for service check and made print statements log in order to test
* updated engress policy check with egress allow all policy and added a helper to test functions
* changed file path
* added namedport checks and added port to ingress check
* responded to service comments
* added a check for ingress deny all and updated port check function to be a nested loop
* updated to return lists and use pointers but still broken for services
* added pointers to service check functions
* fixed pointer logic and added unit tests for the checks except service
* fixed all linter errors
* updated difference function with comment to use a set
* fixed linter problems induced by previous commit
* added complete UTs for GetEndportNetworkPolicies, GetCIDRNetworkPolicies, and GetEgressPolicies
* added baseline service tests and updated logic for unsafe and noselector services with the edgecase of deny all + service no selector in mind
* added more service uts for nodeport and organized scenarios
* updated migration check to be less than 200 characters per line (lint failed)
* updated getExternalTrafficPolicyClusterServices to be less than 200 characters and updated servicesAtRisk to riskSerivces
* removed unused parameter and added edge case scenarios to UTs
* simplified logic
* updated port detection when policy just has a protocol and to flag all egress policies except allow all
* resolved nit: pointer to slice is also a pointer to pointer comment
* responded to comments return false when either port or target port is 0 and print x if there are no selector services
* added readme, go mod, go sum, and comments saying why target port will never be undefined
* updated readme
* updated functions using pointers for arrays
* nit changes
* updated with match expressions edgecase
* added uts where target port matches to protocol and port is 0
* added Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and there are multiple namespaces
* add check for ip no port policies on loadbalancer and fixes label and port logic according to pr comments + UTs to verify
* updated table to use tablewriter
* updated to parse cidr to check for load balancer ip
* removed no selector services from getUnsafeExternalTrafficPolicyClusterServices
* removed noselector services array
* added service selectors to the appended list instead to simplify logic
* Revert "added service selectors to the appended list instead to simplify logic" This reverts commit 246965d.
* moved checkPolicyMatchServiceLabels check to the top since every block uses it and removed explicit check for ports
* updated the load balancer health probe ip logic
* added unit tests and logic if nodeport ensure there is no from rules
* removed health probe ip check for loadbalancer services
* added named port check
* nit comment
* reduced output verbosity
* print total number of policies per namespace
* added service and pod count and created a table
* improved formatting
* typo
* updated table format and started to add npm telemetry
* updated verbose flag name and reorganized and removed unused functions
* updated readme
* fixed table formatting
* added ai id and formatted tables to be printed after telemetry is sent
* ran tidy
* reduced noise from telemetry runs
* added a const and prefix to metrics
* updated imageVersion per comment