
feat: add runtime cache node scanner #1524

Open

MaxRink wants to merge 1 commit into mondoohq:main from MaxRink:codex/runtime-cache-node-plan

Conversation


@MaxRink MaxRink commented Jun 16, 2026

Contributor

Summary

  • add containers.runtimeCache API/CRD fields and generated deepcopy/CRD output
  • add a runtime-cache scanner DaemonSet, inventory ConfigMap, runtime delegate validation, and status condition handling
  • keep runtime-cache scanning no-pull and separate from registry scanning; the scanner does not mount registry credential material
  • add Helm/kustomize RBAC and service account resources for read-only node/pod discovery
  • add tests for validation, inventory options, DaemonSet shape, RBAC secret isolation, stable tolerations, and OOM condition handling

Review fixes

  • resolve runtime-cache OOM memory-limit reporting by container name instead of status/spec slice index
  • report OOM status across all runtime-cache DaemonSet pods instead of only the newest pod
  • add regression coverage for older OOM pods being hidden by newer healthy pods
  • restrict runtime-cache delegates to containerd for this draft, matching the current MQL runtime-image implementation; other enum values fail closed as reserved future support
  • align raw kustomize RBAC with the default mondoo-operator-runtime-cache-scanning service account
  • render runtime-cache inventory and delegate templates into /tmp before cnspec serve, and point --inventory-file at the rendered file so no {{ getenv ... }} template reaches cnspec
  • resolve the render-helper image through the shared container image resolver so registry mirrors and private image settings apply
  • update DaemonSet reconciliation field copying so init-container changes are applied to existing runtime-cache DaemonSets
  • reject runtime delegate host path and container mount path collisions after path cleaning
  • honor the configured runtime-cache allowPull value in delegate config while keeping the default no-pull behavior
  • document the current fail-closed delegate policy in validation
  • trim trailing dashes before adding scanner-set hash suffixes

Validation

  • git diff --check
  • go test ./controllers/container_image/runtime_cache -run 'Test(ValidateRuntimeCache|ValidateRuntimeCacheScannerSets|DelegateConfig|DaemonSetRuntimeCacheShape|DaemonSetRuntimeDelegatesMountExactSockets|ScannerSetNameOrHashTrimsDashBeforeHash)'
  • go test ./pkg/utils/mondoo -run 'TestContainerImageResolverSuite/Test(ContainerImageUsesRegistryMirror|BusyBoxImageUsesRegistryMirror|ApplyImageRegistry)'
  • go test ./controllers/container_image/runtime_cache -run 'Test(DelegateConfig|InventoryRuntimeCacheOptions|DaemonSetRuntimeCacheShape|DaemonSetRuntimeCacheLatestImageOmitsUnsupportedTimerFlag|DeploymentHandlerReconcileConfiguredLatestOmitsTimerForResolvedDigest|DeploymentHandlerReconcileUsesResolvedRenderImage|DeploymentHandlerReconcileScannerSets)'
  • go test ./controllers/container_image/runtime_cache ./controllers/container_image ./pkg/utils/k8s ./pkg/utils/mondoo ./controllers/status
  • go build -o /tmp/mondoo-operator-runtime-cache ./cmd/mondoo-operator/main.go
  • make lint/actions
  • make lint
  • kubectl --context kind-mondoo-rt-kind apply -k config/crd
  • kubectl --context kind-mondoo-rt-kind apply --server-side --dry-run=server -k config/rbac
  • kubectl --context kind-mondoo-rt-kind apply --server-side --dry-run=server -f config/samples/k8s_v1alpha2_mondooauditconfig.yaml
  • kubectl --context kind-mondoo-rt-kind apply --server-side --dry-run=server -f config/samples/k8s_v1alpha2_mondoooperatorconfig.yaml
  • targeted kind-mondoo-rt-kind server-side dry-run for runtime-cache delegates and scannerSets

Full go test ./... still requires integration credentials/kubeconfig (MONDOO_ORG_MRN and Kubernetes client config) and is not runnable locally without that environment.
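One way to express the two OOM-reporting fixes listed above (memory-limit lookup by container name rather than slice index, and walking every DaemonSet pod rather than only the newest), as an added Go example that is not the operator's own code; the pod and container structs are simplified stand-ins for the corev1 types, and the sample pods are constructed:

```go
package main

// Simplified stand-ins for corev1.Pod (assumption: only the fields the OOM check needs).
type ContainerSpec struct{ Name string; MemoryLimitBytes int64 }
type ContainerStatus struct {
	Name                  string
	LastTerminationReason string // "OOMKilled" when the kernel OOM-killed the container
}
type Pod struct {
	Name     string
	Spec     []ContainerSpec   // pod.spec.containers order
	Statuses []ContainerStatus // pod.status.containerStatuses order (may differ from spec)
}
type OOMReport struct{ Pod, Container string; MemoryLimitBytes int64 }

// memoryLimitByName resolves the limit by container name, never by slice index,
// because the spec and status slices are not guaranteed to share an order.
func memoryLimitByName(spec []ContainerSpec, name string) int64 {
	for _, c := range spec {
		if c.Name == name {
			return c.MemoryLimitBytes
		}
	}
	return 0 // no limit configured for this container
}

// OOMReports walks every DaemonSet pod, not only the newest, so an older
// OOM-killed pod is not hidden behind a newer healthy one.
func OOMReports(pods []Pod) []OOMReport {
	var out []OOMReport
	for _, p := range pods {
		for _, s := range p.Statuses {
			if s.LastTerminationReason == "OOMKilled" {
				out = append(out, OOMReport{p.Name, s.Name, memoryLimitByName(p.Spec, s.Name)})
			}
		}
	}
	return out
}

// SamplePods is constructed input: an older OOM-killed pod whose status order
// differs from its spec order, followed by a newer healthy pod.
func SamplePods() []Pod {
	spec := []ContainerSpec{{"log-sidecar", 64 << 20}, {"cnspec", 256 << 20}}
	return []Pod{
		{"runtime-cache-scanner-old", spec, []ContainerStatus{{"cnspec", "OOMKilled"}, {"log-sidecar", ""}}},
		{"runtime-cache-scanner-new", spec, []ContainerStatus{{"log-sidecar", ""}, {"cnspec", ""}}},
	}
}
```

With an index-based lookup the OOM-killed cnspec container in the older pod would be attributed the log-sidecar limit, and a newest-pod-only check would not report it at all.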


github-actions Bot commented Jun 16, 2026

Contributor

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit 5ea2cb5. ± Comparison against base commit 70733ca.

♻️ This comment has been updated with latest results.

@MaxRink MaxRink changed the title from "docs: plan runtime cache node scanner" to "feat: add runtime cache node scanner" Jun 16, 2026
@MaxRink MaxRink force-pushed the codex/runtime-cache-node-plan branch 2 times, most recently from f048786 to 8922f41 June 19, 2026 00:26
@MaxRink MaxRink marked this pull request as ready for review June 19, 2026 08:15
@MaxRink MaxRink force-pushed the codex/runtime-cache-node-plan branch from fcd1462 to a195ceb June 19, 2026 08:39

@mondoo-code-review mondoo-code-review Bot left a comment


New runtime cache node scanner DaemonSet for scanning container images from node caches without registry pulls

Comment thread controllers/container_image/runtime_cache/resources.go
Comment thread controllers/container_image/runtime_cache/resources.go
Comment thread controllers/container_image/runtime_cache/resources.go
Comment thread controllers/container_image/runtime_cache/resources_test.go
@MaxRink MaxRink force-pushed the codex/runtime-cache-node-plan branch from a195ceb to 46cb308 June 19, 2026 09:00

@mondoo-code-review mondoo-code-review Bot left a comment


New runtime cache node scanner DaemonSet adds node-local image scanning without registry pulls.

Comment thread controllers/container_image/runtime_cache/resources.go
Comment thread controllers/container_image/runtime_cache/resources.go
Comment thread controllers/container_image/runtime_cache/resources.go
Comment thread controllers/container_image/runtime_cache/resources.go
@MaxRink MaxRink force-pushed the codex/runtime-cache-node-plan branch from 46cb308 to 5ea2cb5 June 19, 2026 09:43

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured runtime cache node scanner with good security posture and test coverage; no critical issues found.
