Validation of group as a stand-alone selector is not comprehensive

[GraysonWu]

Describe the bug
Within an ingress or egress rule, group cannot be used with any other selectors. But we only checked if group is used with podSelector, namespaceSelector, and IPBlock. So if users use group with other selectors such as fqdn, the policy will have unexpected behavior.

https://github.com/antrea-io/antrea/blob/main/pkg/apis/crd/v1alpha1/types.go#L425-L429
https://github.com/antrea-io/antrea/blob/main/pkg/controller/networkpolicy/validate.go#L473

To Reproduce
Create an Antrea-native network policy like below:

apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: acnp-test
spec:
    priority: 5
    tier: SecurityOps
    appliedTo:
      - podSelector:
          matchLabels:
            app: client
    egress:
      - action: Drop
        to:
          - group: group-a
            fqdn: google.com

Pods with label app: client still can access google.com.

[GraysonWu]

I'm thinking if we could use open API to control the relation between those fields instead of using validating webhook?

[GraysonWu]

Didn't find a good way to solve it via API design. Mainly blocked by this rule.

Open a PR solving it by making our validating webhook more comprehensive.