
feat: add network inventory scanner options #1525

Open

MaxRink wants to merge 1 commit into mondoohq:main from MaxRink:codex/hbn-network-collector-plan

Conversation

MaxRink (Contributor) commented Jun 16, 2026

Summary

  • add spec.kubernetesResources.networkInventory API/CRD fields for HBN, MultiNetworkPolicy, CIDR classifications, and optional flow evidence endpoints
  • render deterministic kubernetesNetworkInventory inventory options for local and external Kubernetes scans
  • add discovery targets for network posture resources used by the normalized MQL model
  • add tests for defaults, optional source disabling, CIDR validation, flow endpoint validation, external clusters, and discovery targets
  • document implementation status and the current RBAC caveat

Review fixes

  • enabling a concrete observed-flow backend now enables the parent observed-flow collection config
  • add a regression test for backend-enabled/top-level-unset flow configuration
  • document and test the valid parent-only observed-flow configuration where no backend source is enabled yet
  • allow RFC 1123 service labels, including service names that start with a digit
  • validate namespace and service endpoint names in Go and at CRD admission time
  • validate explicitly configured flow endpoint names even when that endpoint is disabled
  • document that maxRecords: 0 means omitted/defaulted in rendered inventory config
  • validate lookback and timeout duration strings in the CRD with CEL rules
  • use slices.Clone for CIDR and HBN API-group slice copies

Validation

  • git diff --check
  • make manifests
  • rg -n "namespace:|pattern: \\^\\[a-z0-9\\]" config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml charts/mondoo-operator/files/crds/k8s.mondoo.com_mondooauditconfigs.yaml
  • go test ./controllers/k8s_scan -run 'TestInventoryNetworkInventory(ObservedFlows|ObservedFlowBackendEnablesParent|ObservedFlowsParentOnly|AllowsRFC1123ServiceNames|RejectsInvalidFlowEndpoint|RejectsInvalidObservedFlowConfig)|TestDiscoveryTargetsNetworkInventoryForcesClusterTarget|TestDeploymentHandlerSuite/TestReconcile_NetworkInventory'
  • go test ./controllers/k8s_scan
  • go test ./api/...
  • go test ./controllers/k8s_scan ./api/...
  • go test ./controllers/k8s_scan ./api/v1alpha2
  • go test $(go list ./... | grep -v '/tests/integration')
  • helm lint charts/mondoo-operator
  • helm template hbn-network-review charts/mondoo-operator >/tmp/mondoo-operator-hbn-network-review.yaml
  • go run sigs.k8s.io/kustomize/kustomize/v4@v4.5.7 build config/default >/tmp/mondoo-operator-hbn-network-kustomize.yaml
  • make lint/actions
  • make lint

Full go test ./... still requires integration credentials/kubeconfig (MONDOO_ORG_MRN and Kubernetes client config) and is not runnable locally without that environment.

github-actions Bot (Contributor) commented Jun 16, 2026

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit 88aec3f. ± Comparison against base commit 70733ca.

♻️ This comment has been updated with latest results.

MaxRink changed the title from "docs: plan hbn network collector" to "feat: add network inventory scanner options" on Jun 16, 2026
MaxRink force-pushed the codex/hbn-network-collector-plan branch from b216762 to 02a66a8 on June 19, 2026 00:26
MaxRink marked this pull request as ready for review on June 19, 2026 08:15
MaxRink force-pushed the codex/hbn-network-collector-plan branch from 02a66a8 to f1835bf on June 19, 2026 08:39

mondoo-code-review Bot left a comment

Adds network inventory scanner configuration with proper validation, defaults, and test coverage.

MaxRink force-pushed the codex/hbn-network-collector-plan branch from f1835bf to 9419886 on June 19, 2026 09:43

mondoo-code-review Bot left a comment

New network inventory scanner configuration feature adds CRD fields, validation, and inventory rendering for extended Kubernetes network posture scanning.

Additional findings (file/line not in diff):

  • 🔵 controllers/k8s_scan/network_inventory.go:905 — The namespace field on FlowEndpointSpec lacks a CRD-level validation pattern, unlike serviceName which has pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$. While Go-side validation catches this when enable: true, adding a matching pattern to namespace in the CRD would give users earlier feedback. Consider adding pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ to the namespace field in the API types via a +kubebuilder:validation:Pattern marker.
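The review comment above, and the "Review fixes" list in the PR description, turn on a few concrete rules: RFC 1123 labels (which may start with a digit) for namespace and service names, duration strings for lookback and timeout, and validation of explicitly configured endpoint names even when the endpoint is disabled. The following Go program is an added, stand-alone illustration of those rules; it is not code from the mondoo-operator repository, and `FlowEndpoint`, its field names and `ValidateFlowEndpoint` are constructed stand-ins for the PR's `FlowEndpointSpec`, not the operator's API.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// rfc1123Label is the DNS-1123 label pattern quoted in the review comment:
// lowercase alphanumerics and '-', starting and ending with an alphanumeric.
// A leading digit is valid, which is why "0hubble-relay" passes below.
var rfc1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// maxLabelLen is the DNS-1123 label length limit.
const maxLabelLen = 63

// FlowEndpoint is a constructed, simplified stand-in for the PR's
// FlowEndpointSpec (assumption: field names are illustrative only).
type FlowEndpoint struct {
	Enable      bool
	Namespace   string
	ServiceName string
	Lookback    string // duration string such as "15m"; empty means defaulted
	Timeout     string // duration string such as "30s"; empty means defaulted
}

// validateLabel checks a single name against the DNS-1123 label rules.
func validateLabel(field, value string) error {
	if len(value) > maxLabelLen {
		return fmt.Errorf("%s %q exceeds %d characters", field, value, maxLabelLen)
	}
	if !rfc1123Label.MatchString(value) {
		return fmt.Errorf("%s %q is not a valid RFC 1123 label", field, value)
	}
	return nil
}

// validateDuration accepts an empty string (defaulted) or a positive Go
// duration literal, mirroring the lookback/timeout check the PR adds as CEL.
func validateDuration(field, value string) error {
	if value == "" {
		return nil
	}
	d, err := time.ParseDuration(value)
	if err != nil {
		return fmt.Errorf("%s %q is not a valid duration: %w", field, value, err)
	}
	if d <= 0 {
		return fmt.Errorf("%s %q must be positive", field, value)
	}
	return nil
}

// ValidateFlowEndpoint applies the rules from the PR description: an enabled
// endpoint needs both names, and any name that is explicitly set is validated
// even when the endpoint is disabled, so a typo is reported at admission time
// rather than when the endpoint is later switched on.
func ValidateFlowEndpoint(ep FlowEndpoint) error {
	if ep.Enable && (ep.Namespace == "" || ep.ServiceName == "") {
		return fmt.Errorf("enabled flow endpoint requires both namespace and serviceName")
	}
	if ep.Namespace != "" {
		if err := validateLabel("namespace", ep.Namespace); err != nil {
			return err
		}
	}
	if ep.ServiceName != "" {
		if err := validateLabel("serviceName", ep.ServiceName); err != nil {
			return err
		}
	}
	if err := validateDuration("lookback", ep.Lookback); err != nil {
		return err
	}
	return validateDuration("timeout", ep.Timeout)
}

func main() {
	// Constructed sample specs, not values from the PR.
	samples := []FlowEndpoint{
		{Enable: true, Namespace: "kube-system", ServiceName: "0hubble-relay", Lookback: "15m"},
		{Enable: false, Namespace: "Kube_System"},
		{Enable: true, Namespace: "default", ServiceName: "relay", Lookback: "15 minutes"},
	}
	for _, ep := range samples {
		fmt.Printf("%+v -> %v\n", ep, ValidateFlowEndpoint(ep))
	}
}
```

The disabled endpoint with `Namespace: "Kube_System"` is rejected even though `Enable` is false, which is the "validate explicitly configured flow endpoint names even when that endpoint is disabled" behaviour the description lists; the empty spec is accepted because nothing was configured.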

MaxRink force-pushed the codex/hbn-network-collector-plan branch from 9419886 to 02e78c4 on June 19, 2026 10:04

mondoo-code-review Bot left a comment

New network inventory scanner configuration may accept invalid namespace values through the CRD without validation.

MaxRink force-pushed the codex/hbn-network-collector-plan branch from 02e78c4 to 88aec3f on June 19, 2026 10:11

mondoo-code-review Bot left a comment

New network inventory scanner options add CRD fields, validation, and inventory rendering with good test coverage.
