added change timestamp in PE and CPE annotation #213
Pull request overview
This PR adds timestamp tracking to PolicyEndpoint and ClusterPolicyEndpoint resources to enable end-to-end policy programming latency measurement. The implementation follows the kube-proxy pattern for EndpointSlice annotations.
Changes:
- Introduces a networking.k8s.aws/last-change-trigger-time annotation that records when NPC creates or updates policy endpoint resources
- Refactors loop iterations from value-based to index-based to properly handle resource modifications
- Applies timestamp annotation consistently across NetworkPolicy, ApplicationNetworkPolicy, and ClusterNetworkPolicy reconciliation flows
This is still not an end-to-end metric, right? We will be missing any time between when cx applied the NP and when NPC got the reconcile, right? -> API server to NPC watch delivery and NPC queue wait time. Do we already have these, or any plans to add them?
Overall PR looks good to me. Will wait for Copilot comments to be addressed.
It's not true E2E; rather, it covers latencies from NPC to NPA. For NPC, we can look at its WQ and controller-runtime metrics to get additional signals. NP multi-dimension makes it tricky to calculate true E2E, but this is a good starting point to measure Cx experience latencies. We can explore further if we can inject timestamps coming from the trigger, like Svc, Pods, Ns, etc., to measure true E2E.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
What type of PR is this?
feature
Which issue does this PR fix:
What does this PR do / Why do we need it:
Adds a networking.k8s.aws/last-change-trigger-time annotation to PolicyEndpoint and ClusterPolicyEndpoint resources. This annotation is set whenever NPC creates or updates these resources, recording the timestamp in RFC3339Nano format. This enables the Network Policy Agent (NPA) to compute end-to-end policy programming latency by comparing when the controller made changes versus when they were applied. The pattern mirrors kube-proxy's endpoints.kubernetes.io/last-change-trigger-time annotation on EndpointSlice.
If an issue # is not available please add steps to reproduce and the controller logs:
Testing done on this change:
tested by deployment.
Automation added to e2e:
Will this PR introduce any new dependencies?:
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
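The stamping and latency computation this PR describes, as an added example that is not the PR's code. The `endpoint` struct, `stampAll` and `programmingLatency` are hypothetical names standing in for the real PolicyEndpoint type and controller/agent functions; only the annotation key and the RFC3339Nano format come from the page.

```go
package main

import (
	"fmt"
	"time"
)

// Annotation key named in the PR description.
const changeTriggerKey = "networking.k8s.aws/last-change-trigger-time"

// endpoint is a hypothetical stand-in for PolicyEndpoint metadata.
type endpoint struct {
	Annotations map[string]string
}

// stampAll iterates by index: ranging by value copies each struct, so a map
// allocated for a nil Annotations field would land on the copy and be lost.
func stampAll(eps []endpoint, now time.Time) {
	for i := range eps {
		if eps[i].Annotations == nil {
			eps[i].Annotations = map[string]string{}
		}
		eps[i].Annotations[changeTriggerKey] = now.UTC().Format(time.RFC3339Nano)
	}
}

// programmingLatency is the agent-side check: applied time minus controller stamp.
func programmingLatency(ep endpoint, appliedAt time.Time) (time.Duration, error) {
	raw, ok := ep.Annotations[changeTriggerKey]
	if !ok {
		return 0, fmt.Errorf("annotation %s missing", changeTriggerKey)
	}
	stamped, err := time.Parse(time.RFC3339Nano, raw)
	if err != nil {
		return 0, fmt.Errorf("malformed timestamp %q: %w", raw, err)
	}
	d := appliedAt.Sub(stamped)
	if d < 0 { // controller and node clocks disagree; do not report as a latency
		return 0, fmt.Errorf("negative latency %v: clock skew", d)
	}
	return d, nil
}

func main() {
	eps := []endpoint{{}, {Annotations: map[string]string{"app": "x"}}} // constructed sample
	t0 := time.Date(2025, 1, 2, 3, 4, 5, 123456789, time.UTC)
	stampAll(eps, t0)
	fmt.Println(programmingLatency(eps[0], t0.Add(250*time.Millisecond)))
}
```

The computed value only covers controller write to agent apply, and it depends on the controller and node clocks being synchronized.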