Description
#11607 broke host policies on master. They are now all rejected with:
```
$ kubectl describe ccnp | tail -n9
Status:
  Nodes:
    k8s1:
      Error: Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
      Last Updated: 2020-08-10T12:52:51Z
    k8s2:
      Error: Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
      Last Updated: 2020-08-10T12:52:48Z
Events: <none>
```
This error is printed because `CiliumNetworkPolicy.Parse()` has some new checks to prevent using `NodeSelector` in CNPs. It assumes `CiliumClusterwideNetworkPolicy.Parse()` will be called in the case of CCNPs with `NodeSelectors`. However, the k8s watcher for CCNPs calls `addCiliumNetworkPolicyV2` which takes a `types.SlimCNP` and therefore calls `CiliumNetworkPolicy.Parse()`.
I took a stab at a fix, but couldn't figure out an easy way to fix this (with my limited Golang skills). Of course, I could implement a counterpart to `addCiliumNetworkPolicyV2` for CCNPs (e.g., `addCiliumClusterwideNetworkPolicyV2`) but that's likely to result in a bit more code duplication. I'm opening this to discuss better solutions (happy to implement `addCiliumClusterwideNetworkPolicyV2` if that's the best solution we have).
EDIT: I found this while rebasing #12621, which will ensure we don't get any more regressions on this code.
/cc @aanm @christarazi
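
The misrouting described in this issue, reduced to a stand-alone Go model. This is an added example, not code from the issue or from Cilium: `Rule`, `CNP`, `CCNP`, `addViaSlim` and `addViaInterface` are simplified, hypothetical stand-ins, and the clusterwide `Parse` is assumed to accept any rule.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the types named in the issue (assumptions,
// not Cilium's real definitions).
type Rule struct{ EndpointSelector, NodeSelector string }

type CNP struct{ Spec Rule } // models CiliumNetworkPolicy / types.SlimCNP

type CCNP struct{ CNP } // models CiliumClusterwideNetworkPolicy

var ErrNodeSelector = errors.New("rule cannot have NodeSelector")

// Namespaced policies must not select nodes.
func (p *CNP) Parse() error {
	if p.Spec.NodeSelector != "" {
		return ErrNodeSelector
	}
	return nil
}

// Clusterwide policies may select nodes (host policies); assumed to accept here.
func (p *CCNP) Parse() error { return nil }

// addViaSlim models a handler that only receives the embedded CNP, so the
// CNP check runs even when the object came from the CCNP watcher.
func addViaSlim(p *CNP) error { return p.Parse() }

type parser interface{ Parse() error }

// addViaInterface is a hypothetical alternative: the handler keeps the
// concrete type, so each kind is validated by its own Parse.
func addViaInterface(p parser) error { return p.Parse() }

func main() {
	host := &CCNP{CNP{Spec: Rule{NodeSelector: "role=worker"}}} // constructed sample
	fmt.Println("CCNP via slim handler:     ", addViaSlim(&host.CNP))
	fmt.Println("CCNP via interface handler:", addViaInterface(host))
	fmt.Println("CNP via interface handler: ", addViaInterface(&host.CNP))
}
```

The third call shows that a namespaced policy carrying a node selector is still rejected when the handler dispatches on the concrete type, so the host policy is accepted without loosening the CNP check.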