Remove group validation

Signed-off-by: abhiraut <rauta@vmware.com>
antrea-io · Aug 27, 2021 · aa49d6e · aa49d6e
1 parent 3639226
commit aa49d6e
Show file tree

Hide file tree

Showing 15 changed files with 156 additions and 62 deletions.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -4779,7 +4779,6 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
-    - DELETE
     resources:
     - groups
     scope: Namespaced

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -4781,7 +4781,6 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
-    - DELETE
     resources:
     - groups
     scope: Namespaced

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -4779,7 +4779,6 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
-    - DELETE
     resources:
     - groups
     scope: Namespaced

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -4828,7 +4828,6 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
-    - DELETE
     resources:
     - groups
     scope: Namespaced

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -4784,7 +4784,6 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
-    - DELETE
     resources:
     - groups
     scope: Namespaced

diff --git a/build/yamls/base/controller.yml b/build/yamls/base/controller.yml
@@ -145,7 +145,7 @@ webhooks:
         namespace: "kube-system"
         path: "/validate/group"
     rules:
-      - operations: [ "CREATE", "UPDATE", "DELETE" ]
+      - operations: [ "CREATE", "UPDATE" ]
         apiGroups: [ "crd.antrea.io" ]
         apiVersions: [ "v1alpha3" ]
         resources: [ "groups" ]

diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go
@@ -212,9 +212,7 @@ func (n *NetworkPolicyController) processAppliedToGroupForGroup(namespace, group
 	// Retrieve Group for corresponding entry in the AppliedToGroup.
 	g, err := n.grpLister.Groups(namespace).Get(groupName)
 	if err != nil {
-		// This error should not occur as we validate that a Group must exist before
-		// referencing it in an ANP.
-		klog.Errorf("Group %s not found: %v", g, err)
+		// The Group referred to has not been created yet.
 		return ""
 	}
 	key := internalGroupKeyFunc(g)

diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go
@@ -198,8 +198,6 @@ func (c *NetworkPolicyController) processNextInternalGroupWorkItem() bool {
 }
 
 func (c *NetworkPolicyController) syncInternalClusterGroup(grp *antreatypes.Group) error {
-	defer c.triggerCNPUpdates(grp.SourceReference.ToString())
-	defer c.triggerParentGroupSync(grp.SourceReference.ToString())
 	// Retrieve the ClusterGroup corresponding to this key.
 	cg, err := c.cgLister.Get(grp.SourceReference.ToString())
 	if err != nil {

diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go
@@ -129,15 +129,15 @@ func (c *NetworkPolicyController) processRefGroupOrClusterGroup(g, namespace str
 	if namespace != "" {
 		grp, err := c.grpLister.Groups(namespace).Get(g)
 		if err != nil {
-			klog.Errorf("Group %s/%s not found: %v", namespace, g, err)
+			// The Group referred to has not been created yet.
 			return "", nil
 		}
 		key = internalGroupKeyFunc(grp)
 	} else {
 		// Retrieve ClusterGroup for corresponding entry in the rule.
 		cg, err := c.cgLister.Get(g)
 		if err != nil {
-			klog.Errorf("ClusterGroup %s not found: %v", g, err)
+			// The ClusterGroup referred to has not been created yet.
 			return "", nil
 		}
 		key = internalGroupKeyFunc(cg)
@@ -254,18 +254,21 @@ func getNormalizedNameForSelector(sel *antreatypes.GroupSelector) string {
 	return ""
 }
 
-func (n *NetworkPolicyController) syncInternalGroup(key string) error {
+func (c *NetworkPolicyController) syncInternalGroup(key string) error {
+	defer c.triggerANPUpdates(key)
+	defer c.triggerCNPUpdates(key)
+	defer c.triggerParentGroupSync(key)
 	// Retrieve the internal Group corresponding to this key.
-	grpObj, found, _ := n.internalGroupStore.Get(key)
+	grpObj, found, _ := c.internalGroupStore.Get(key)
 	if !found {
 		klog.V(2).Infof("Internal group %s not found.", key)
-		n.groupingInterface.DeleteGroup(clusterGroupType, key)
+		c.groupingInterface.DeleteGroup(clusterGroupType, key)
 		return nil
 	}
 	grp := grpObj.(*antreatypes.Group)
 	if grp.SourceReference.Namespace != "" {
 		// Sync the Group as a Namespaced Group.
-		return n.syncInternalNamespacedGroup(grp)
+		return c.syncInternalNamespacedGroup(grp)
 	}
-	return n.syncInternalClusterGroup(grp)
+	return c.syncInternalClusterGroup(grp)
 }
diff --git a/pkg/controller/networkpolicy/group.go b/pkg/controller/networkpolicy/group.go
@@ -64,10 +64,10 @@ func (n *NetworkPolicyController) updateGroup(oldObj, curObj interface{}) {
 	ipBlocksUpdated := func() bool {
 		oldIPBs, newIPBs := sets.String{}, sets.String{}
 		for _, ipb := range oldGroup.IPBlocks {
-			oldIPBs.Insert(ipNetToCIDRStr(ipb.CIDR))
+			oldIPBs.Insert(ipb.CIDR.String())
 		}
 		for _, ipb := range newGroup.IPBlocks {
-			newIPBs.Insert(ipNetToCIDRStr(ipb.CIDR))
+			newIPBs.Insert(ipb.CIDR.String())
 		}
 		return oldIPBs.Equal(newIPBs)
 	}
@@ -187,17 +187,16 @@ func (n *NetworkPolicyController) syncInternalNamespacedGroup(grp *antreatypes.G
 		klog.Errorf("Failed to update Group %s/%s GroupMembersComputed condition to %s: %v", g.Namespace, g.Name, v1.ConditionTrue, err)
 		return err
 	}
-	n.triggerParentGroupSync(grp)
-	return n.triggerANPUpdates(g)
+	return nil
 }
 
 // triggerANPUpdates triggers processing of Antrea NetworkPolicies associated with the input Group.
-func (n *NetworkPolicyController) triggerANPUpdates(g *crdv1alpha3.Group) error {
+func (n *NetworkPolicyController) triggerANPUpdates(g string) {
 	// If a Group is added/updated, it might have a reference in Antrea NetworkPolicy.
-	anps, err := n.anpInformer.Informer().GetIndexer().ByIndex(GroupIndex, g.Name)
+	anps, err := n.anpInformer.Informer().GetIndexer().ByIndex(GroupIndex, g)
 	if err != nil {
-		klog.Errorf("Error retrieving Antrea NetworkPolicies corresponding to Group %s/%s", g.Namespace, g.Name)
-		return err
+		klog.Errorf("Error retrieving Antrea NetworkPolicies corresponding to Group %s", g)
+		return
 	}
 	for _, obj := range anps {
 		anp := obj.(*crdv1alpha1.NetworkPolicy)
@@ -237,7 +236,7 @@ func (n *NetworkPolicyController) triggerANPUpdates(g *crdv1alpha3.Group) error
 			n.deleteDereferencedAppliedToGroup(atg)
 		}
 	}
-	return nil
+	return
 }
 
 // updateGroupStatus updates the Status subresource for a Group.

diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -289,7 +289,7 @@ func testMutateANPNoRuleName(t *testing.T) {
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetPriority(10.0).
 		AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "")
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 	anp, err := k8sUtils.CreateOrUpdateANP(anp)
@@ -502,6 +502,51 @@ func testInvalidACNPIngressPeerNamespacesSetWithNSSelector(t *testing.T) {
 	}
 }
 
+func testInvalidANPIngressPeerGroupSetWithPodSelector(t *testing.T) {
+	gA := "gA"
+	namespace := "x"
+	selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}}
+	ruleAppTo := ANPAppliedToSpec{
+		PodSelector: map[string]string{"pod": "b"},
+	}
+	k8sUtils.CreateGroup(namespace, gA, &selectorA, nil, nil)
+	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy with group and podSelector in NetworkPolicyPeer set")
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(namespace, "anp-ingress-group-podselector-set").
+		SetPriority(1.0)
+	builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, nil,
+		nil, nil, []ANPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, gA, "")
+	anp := builder.Get()
+	log.Debugf("creating ANP %v", anp.Name)
+	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
+		// Above creation of ANP must fail as it is an invalid spec.
+		failOnError(invalidNpErr, t)
+	}
+	failOnError(k8sUtils.CleanGroups(namespace), t)
+}
+
+func testInvalidANPIngressPeerGroupSetWithIPBlock(t *testing.T) {
+	gA := "gA"
+	namespace := "x"
+	selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}}
+	k8sUtils.CreateGroup(namespace, gA, &selectorA, nil, nil)
+	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy with group and ipBlock in NetworkPolicyPeer set")
+	cidr := "10.0.0.10/32"
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(namespace, "anp-ingress-group-ipblock-set").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ANPAppliedToSpec{{Group: "gA"}})
+	builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, &cidr, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
+		nil, nil, nil, crdv1alpha1.RuleActionAllow, gA, "")
+	anp := builder.Get()
+	log.Debugf("creating ANP %v", anp.Name)
+	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
+		// Above creation of ANP must fail as it is an invalid spec.
+		failOnError(invalidNpErr, t)
+	}
+	failOnError(k8sUtils.CleanGroups(namespace), t)
+}
+
 func testInvalidANPNoPriority(t *testing.T) {
 	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy without a priority accepted")
 	builder := &AntreaNetworkPolicySpecBuilder{}
@@ -521,9 +566,9 @@ func testInvalidANPRuleNameNotUnique(t *testing.T) {
 	builder = builder.SetName("x", "anp-rule-name-not-unique").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "not-unique").
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique").
 		AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "not-unique")
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique")
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
@@ -553,7 +598,7 @@ func testInvalidANPPortRangePortUnset(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, nil, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
@@ -570,7 +615,7 @@ func testInvalidANPPortRangeEndPortSmall(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, &p8082, nil, &p8081, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
@@ -656,14 +701,14 @@ func testInvalidTierACNPRefDelete(t *testing.T) {
 
 func testInvalidTierANPRefDelete(t *testing.T) {
 	invalidErr := fmt.Errorf("tier deleted with referenced ANPs")
-	tr, err := k8sUtils.CreateNewTier("tier-anp", 10)
+	tr, err := k8sUtils.CreateNewTier("tier-anp-ref", 11)
 	if err != nil {
 		failOnError(fmt.Errorf("create Tier failed for tier tier-anp: %v", err), t)
 	}
 	builder := &AntreaNetworkPolicySpecBuilder{}
 	builder = builder.SetName("x", "anp-for-tier").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
-		SetTier("tier-anp").
+		SetTier("tier-anp-ref").
 		SetPriority(13.0)
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
@@ -1835,7 +1880,7 @@ func testANPPortRange(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, &p8080, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("y/b"), Pod("x/c"), Dropped)
@@ -1865,7 +1910,7 @@ func testANPBasic(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -1916,12 +1961,12 @@ func testANPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
 	if singleRule {
 		builder.SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}, {PodSelector: map[string]string{tempLabel: ""}}})
 		builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionDrop, "")
+			nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
 	} else {
 		builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1alpha1.RuleActionDrop, "")
+			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1alpha1.RuleActionDrop, "", "")
 		builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1alpha1.RuleActionDrop, "")
+			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1alpha1.RuleActionDrop, "", "")
 	}
 
 	reachability := NewReachability(allPods, Connected)
@@ -2067,9 +2112,9 @@ func testAppliedToPerRule(t *testing.T) {
 	anpATGrp1 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil}
 	anpATGrp2 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "b"}, PodSelectorMatchExp: nil}
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, []ANPAppliedToSpec{anpATGrp1}, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, []ANPAppliedToSpec{anpATGrp1}, crdv1alpha1.RuleActionDrop, "", "")
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
-		nil, nil, []ANPAppliedToSpec{anpATGrp2}, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, []ANPAppliedToSpec{anpATGrp2}, crdv1alpha1.RuleActionDrop, "", "")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -2685,6 +2730,8 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=ANPTierDoesNotExistDenied", func(t *testing.T) { testInvalidANPTierDoesNotExist(t) })
 		t.Run("Case=ANPPortRangePortUnsetDenied", func(t *testing.T) { testInvalidANPPortRangePortUnset(t) })
 		t.Run("Case=ANPPortRangePortEndPortSmallDenied", func(t *testing.T) { testInvalidANPPortRangeEndPortSmall(t) })
+		t.Run("Case=ANPIngressPeerGroupSetWithIPBlock", func(t *testing.T) { testInvalidANPIngressPeerGroupSetWithIPBlock(t) })
+		t.Run("Case=ANPIngressPeerGroupSetWithPodSelector", func(t *testing.T) { testInvalidANPIngressPeerGroupSetWithPodSelector(t) })
 		t.Run("Case=ACNPInvalidPodSelectorNsSelectorMatchExpressions", func(t *testing.T) { testInvalidACNPPodSelectorNsSelectorMatchExpressions(t) })
 	})
 
@@ -2781,7 +2828,7 @@ func TestAntreaPolicyStatus(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}})
 	anpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionAllow, "")
+		nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
 	anp := anpBuilder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 	_, err = data.crdClient.CrdV1alpha1().NetworkPolicies(anp.Namespace).Create(context.TODO(), anp, metav1.CreateOptions{})

diff --git a/test/e2e/flowaggregator_test.go b/test/e2e/flowaggregator_test.go
@@ -840,7 +840,7 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": dstPod}}})
 	builder1 = builder1.AddIngress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionAllow, testIngressRuleName)
+		nil, nil, nil, secv1alpha1.RuleActionAllow, "", testIngressRuleName)
 	anp1 = builder1.Get()
 	anp1, err1 := k8sUtils.CreateOrUpdateANP(anp1)
 	if err1 != nil {
@@ -853,7 +853,7 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
 	builder2 = builder2.AddEgress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": dstPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionAllow, testEgressRuleName)
+		nil, nil, nil, secv1alpha1.RuleActionAllow, "", testEgressRuleName)
 	anp2 = builder2.Get()
 	anp2, err2 := k8sUtils.CreateOrUpdateANP(anp2)
 	if err2 != nil {
@@ -878,24 +878,24 @@ func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podRe
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podReject}}})
 		builder1 = builder1.AddIngress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionReject, testIngressRuleName)
+			nil, nil, nil, secv1alpha1.RuleActionReject, "", testIngressRuleName)
 		builder2 = builder2.SetName(testNamespace, ingressDropANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podDrop}}})
 		builder2 = builder2.AddIngress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionDrop, testIngressRuleName)
+			nil, nil, nil, secv1alpha1.RuleActionDrop, "", testIngressRuleName)
 	} else {
 		// apply reject and drop egress rule to source pod
 		builder1 = builder1.SetName(testNamespace, egressRejectANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
 		builder1 = builder1.AddEgress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": podReject}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionReject, testEgressRuleName)
+			nil, nil, nil, secv1alpha1.RuleActionReject, "", testEgressRuleName)
 		builder2 = builder2.SetName(testNamespace, egressDropANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
 		builder2 = builder2.AddEgress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": podDrop}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionDrop, testEgressRuleName)
+			nil, nil, nil, secv1alpha1.RuleActionDrop, "", testEgressRuleName)
 	}
 	anp1 = builder1.Get()
 	anp1, err = k8sUtils.CreateOrUpdateANP(anp1)
-Original file line number
+Diff line change
@@ Expand Up / @@ -4779,7 +4779,6 @@ webhooks: @@
         operations:
         - CREATE
         - UPDATE
-        - DELETE
         resources:
         - groups
         scope: Namespaced
@@ Expand Down @@