Simplify workload selectors

[tpapagian]

#4814 added support for spec.hostSelector. The idea was to have by default spec.podSelector: {}, spec.containerSelector: {}, and spec.hostSelector: {}. But this has some unintended side effects that complicate our codebase (i.e. #4889 and #4896).

In order to fix that, we change the defaults of spec.{pod, container, host}Selector from {} to null. The new behaviour is described in the table below:

hostSelector	podSelector	containerSelector	Result
null (default)	null (default)	null (default)	Select all host, pod, and container workloads.
null (default)	null (default)	{...}	Select all containers that match containerSelector across all pods. No host workloads are selected.
null (default)	{...}	null (default)	Select all containers in pods that match podSelector. No host workloads are selected.
null (default)	{...}	{...}	Select all containers that match containerSelector in pods that match podSelector. No host workloads are selected.
{}	null (default)	null (default)	Select all host workloads.
{}	null (default)	{...}	Select all host workloads, plus all containers that match containerSelector across all pods.
{}	{...}	null (default)	Select all host workloads, plus all containers in pods that match podSelector.
{}	{...}	{...}	Select all host workloads, plus all containers that match containerSelector in pods that match podSelector.

This change will also allow us to remove the code introduced in #4889 and be able to check the hostSelector value inside TracingPolicyNamespaced with a kubebuilder XValidation (i.e. #4896 (comment)).

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	f8c6bab
🔍 Latest deploy log	https://app.netlify.com/projects/tetragon/deploys/69f0a07e6fdcae0008c32b7b
😎 Deploy Preview	https://deploy-preview-4917--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[mtardy]

This feel reasonable and would simplify things, we discussed offline maybe merging the table because it's not obvious to me when I read this. Just another comment:

[mtardy]

I think that's indeed better.

So as I understand you do not need to revert 564b89a as well?

Maybe we should highlight that the default null/null/null is a special case with a note or caution?

Should you also not merge #4918 and revert the PR now since you shouldn't be able to get any policy not respecting the validation?

[tpapagian]

So as I understand you do not need to revert 564b89a as well?

Possibly part of that. I will check now. Not everything as this also contains fixes/changes for the policyfilter implementation to support the hostSelector (i.e. an entry in the policy_filter_map with all pod cgroup IDs).

Maybe we should highlight that the default null/null/null is a special case with a note or caution?

Yes, I can do that.

Should you also not merge #4918 and revert the PR now since you shouldn't be able to get any policy not respecting the validation?

I have closed #4918 as it does not make sense to merge it now. I have kept the check in the agent but now it is an error. Just in case somehow we overcome the XValidation check.

[tpapagian]

So as I understand you do not need to revert 564b89a as well?

Possibly part of that. I will check now. Not everything as this also contains fixes/changes for the policyfilter implementation to support the hostSelector (i.e. an entry in the policy_filter_map with all pod cgroup IDs).

Most of that was already done in the first patch. I have added a comment in the first patch description.

Maybe we should highlight that the default null/null/null is a special case with a note or caution?

Yes, I can do that.

Done.