feat: configure scanner pod scheduling

[MaxRink]

Summary

• add spec.scanner.scheduling, spec.containers.scheduling, and spec.nodes.scheduling with Kubernetes nodeSelector and tolerations
• apply scanner scheduling to Kubernetes resource scan CronJobs, external cluster scan CronJobs, and the resource watcher Deployment
• apply container scheduling to container image scan CronJobs
• apply node scanner tolerations to CronJob and DaemonSet styles, and node selectors to DaemonSet style where pods are not pinned by nodeName
• update CRD/deepcopy output, samples, docs, and focused tests

Notes

• I checked for existing open upstream PRs/issues for node selector/toleration scanner support and did not find a duplicate.
• This intentionally keeps pod scheduling separate from scan target selection; node label-based target selection is handled separately by feat: select nodes for scanning by label #1519.

Tests

• make generate manifests
• go test ./api/v1alpha2 ./pkg/utils/k8s ./controllers/k8s_scan ./controllers/container_image ./controllers/resource_watcher ./controllers/nodes
• go test ./controllers/... ./pkg/utils/k8s ./api/v1alpha2 -count=1
• git -c core.fsmonitor=false diff --check

[MaxRink]

I have read the Mondoo CLA Document and I hereby sign the CLA

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[github-actions]

Thank you for your submission. We really appreciate it. Before we can accept your contribution, we ask that you sign the Mondoo Contributor License Agreement. You can sign the CLA by adding a new comment to this pull request and pasting exactly the following text.

---

I have read the Mondoo CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}

[mondoo-code-review]

Adds configurable nodeSelector and tolerations for all scanner pod types, allowing users to control pod placement.

[MaxRink]

I have read the Mondoo CLA Document and I hereby sign the CLA

[MaxRink]

/review

[MaxRink]

recheck

[github-actions]

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit 44b9a8e. ± Comparison against base commit 70733ca.

♻️ This comment has been updated with latest results.

[mondoo-code-review]

Adds nodeSelector and tolerations scheduling controls for all scanner pod types with correct CronJob/DaemonSet handling.

[mondoo-code-review]

Adds nodeSelector and tolerations scheduling controls for all scanner pod types (nodes, containers, k8s resources).

Additional findings (file/line not in diff):

• 🔵 config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml:396 — The endpoint field additions to AKS/EKS/GKE workload identity configs appear unrelated to scanner scheduling. Consider splitting them into a separate PR to keep the changeset focused and reviewable.

[mondoo-code-review]

CI-only change downgrades spell-check action; previous shallow-copy suggestion for Toleration pointers remains unaddressed.

[mondoo-code-review]

Adds scheduling controls (nodeSelector, tolerations) for scanner pods across all workload types.

[mondoo-code-review]

Removes unused spell-check comment job and its outputs; no functional or security issues.

[mondoo-code-review]

CI maintenance: spell-check action bump and link-check config update with no functional impact on the operator.

[mondoo-code-review]

CI-only change to acknowledge a security advisory for the spell-check action; no functional impact.

[mondoo-code-review]

Spelling dictionary updated to allow scheduling-related terms — no functional or security impact.

[mondoo-code-review]

Scanner pod scheduling controls (nodeSelector, tolerations) are correctly wired across all scanner types with no bugs found.

[mondoo-code-review]

Removes unused 403 status code from link-check config — no user-facing impact.