Add --resource-names flag to customize monitored resources

[0xiso]

Summary

This PR adds the --resource-names flag to allow operators to selectively monitor specific Kubernetes resource types. This addresses issue #1388.

Background

This PR is an updated version of #1687, which has become outdated and requires rebasing. This PR provides the same functionality with an updated implementation.

Changes

Core Implementation

• New flag: --resource-names with default value covering all resource types (pods, replicasets, deployments, statefulsets, daemonsets, jobs, cronjobs)
• Dynamic types map: Constructs the resource types map based on specified resources at startup
• Validation: Validates resource names and logs warnings for invalid entries
• Fail-fast: Terminates if no valid resources are specified
• Warning message: Displays warning when using custom resource names to alert users about potential UX issues

Testing

• E2E test: test/e2e_test_resource_names_flag.sh validates selective monitoring
• Kustomize example: test/kustomize-resource-names/ demonstrates configuration
• CI workflow: .github/workflows/kind-cluster-resource-names.yaml for automated testing

Behavior

Default (unchanged)

./webhook
# Monitors: pods, replicasets, deployments, statefulsets, daemonsets, jobs, cronjobs

Custom resources

./webhook --resource-names=replicasets,daemonsets
# Monitors only: replicasets, daemonsets
# WARNING: Displays warning about potential UX issues

Warning Rationale

When parent resources (e.g., Deployments, ReplicaSets) are not monitored, users will not receive policy violation feedback when creating them, even though the Pods they create may violate policies. This can lead to poor user experience.

Testing

Run the E2E test:

./test/e2e_test_resource_names_flag.sh

Deploy with specific resources:

kubectl apply -k test/kustomize-resource-names/

Backward Compatibility

✅ Default behavior unchanged - all resources monitored by default
✅ Existing deployments continue to work without modification
✅ No breaking changes

CI Note

The CI failure in ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.32.x, repository) appears to be unrelated to this PR:

• The same test has also failed on the main branch (#17047096031)
• 11 out of 12 matrix jobs passed in this PR
• This PR does not modify TrustRoot reconciliation logic

Related Issues and PRs

• Resolves Verify only pods #1388
• Closes Control the policy controller monitoring resources from chart, enhanc… #1687 (supersedes with updated implementation)

[codecov]

Codecov Report

❌ Patch coverage is 0% with 53 lines in your changes missing coverage. Please review.
✅ Project coverage is 29.78%. Comparing base (ea54b96) to head (7141bdc).
⚠️ Report is 44 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/webhook/main.go	0.00%	53 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #1919       +/-   ##
===========================================
- Coverage   42.78%   29.78%   -13.01%     
===========================================
  Files         121      122        +1     
  Lines        8994     7374     -1620     
===========================================
- Hits         3848     2196     -1652     
- Misses       4791     4945      +154     
+ Partials      355      233      -122     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.