ROX-33188: Wire Sensor label providers for label-based policy scoping #19359

Draft
AlexVulaj wants to merge 1 commit into master from AlexVulaj/ROX-33188-sensor-label-providers

@AlexVulaj

Description

Wire Sensor's in-memory stores as label providers for policy evaluation, enabling full label-based policy scoping (cluster + namespace labels) in both runtime detection and admission control.

Policies with cluster_label and namespace_label scopes now work in Sensor's runtime detection and admission control.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Manual testing incoming after image builds.

@openshift-ci

openshift-ci bot commented Mar 10, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Both namespace label lookup methods (NamespaceStore.LookupNamespaceLabelsByID and namespaceStore.LookupNamespaceLabelsByID) return the underlying label map directly; consider returning a cloned map to avoid accidental mutation of shared state by callers.
  • In settingsToConfigMap, you always marshal/compress cluster labels even when the map is nil or empty; consider skipping ClusterLabelsGZDataKey in that case to reduce configmap size and align with the len(data) == 0 fast-path in decompressAndUnmarshalClusterLabels.
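The aliasing risk raised in the first review point, as an added example that is not code from this pull request or from the project: a store whose lookup returns its internal label map lets a caller's edit change what later scope checks see. `labelStore`, `LookupAliased`, `LookupCloned`, `inScope` and `scopeSurvivesCallerEdit` are hypothetical names, the exact-match scope check is a simplification, and the sample labels are constructed.

```go
package main

import (
	"fmt"
	"maps"
	"sync"
)

// labelStore is a hypothetical stand-in for an in-memory namespace store.
type labelStore struct {
	mu     sync.RWMutex
	labels map[string]map[string]string // namespace ID -> labels
}

func (s *labelStore) Upsert(id string, l map[string]string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.labels[id] = maps.Clone(l) // copy on the way in, so the writer keeps no alias
}

// LookupAliased returns the stored map itself: the caller now shares state with the store.
func (s *labelStore) LookupAliased(id string) map[string]string {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.labels[id]
}

// LookupCloned returns a copy taken while the read lock is held.
func (s *labelStore) LookupCloned(id string) map[string]string {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return maps.Clone(s.labels[id])
}

// inScope is a simplified exact-match label scope check (assumption, not the project's matcher).
func inScope(labels map[string]string, key, value string) bool { return labels[key] == value }

// scopeSurvivesCallerEdit reports whether a namespace labelled env=prod is still
// in scope after a caller edits the map it got back from lookup.
func scopeSurvivesCallerEdit(lookup func(*labelStore, string) map[string]string) bool {
	s := &labelStore{labels: map[string]map[string]string{}}
	s.Upsert("ns-1", map[string]string{"env": "prod"}) // constructed sample data
	lookup(s, "ns-1")["env"] = "dev"                   // caller-side write, outside the store's lock
	return inScope(s.LookupCloned("ns-1"), "env", "prod")
}

func main() {
	fmt.Println("aliased:", scopeSurvivesCallerEdit((*labelStore).LookupAliased),
		"cloned:", scopeSurvivesCallerEdit((*labelStore).LookupCloned))
}
```

With the aliased lookup the caller's write also happens without the store's lock, so under concurrent access it is a data race on the map as well as a silent change to which policies match.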

@rhacs-bot

Images are ready for the commit at a4ec678.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-285-ga4ec678cad.

@codecov

codecov bot commented Mar 11, 2026

Codecov Report

❌ Patch coverage is 58.66667% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.63%. Comparing base (bc6e612) to head (a4ec678).
⚠️ Report is 3 commits behind head on master.

Files with missing lines                                   Patch %   Lines
sensor/admission-control/manager/manager_impl.go           0.00%     14 Missing ⚠️
...ommon/admissioncontroller/settings_manager_impl.go      0.00%     6 Missing ⚠️
...rnetes/admissioncontroller/config_map_persister.go      40.00%    4 Missing and 2 partials ⚠️
sensor/common/detector/detector.go                         0.00%     2 Missing ⚠️
...or/kubernetes/listener/resources/store_provider.go      0.00%     2 Missing ⚠️
...r/kubernetes/listener/resources/namespace_store.go      92.30%    1 Missing ⚠️

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19359      +/-   ##
==========================================
- Coverage   49.68%   49.63%   -0.05%     
==========================================
  Files        2695     2702       +7     
  Lines      202847   203272     +425     
==========================================
+ Hits       100777   100902     +125     
- Misses      94550    94847     +297     
- Partials     7520     7523       +3     

Flag            Coverage Δ
go-unit-tests   49.63% <58.66%> (-0.05%) ⬇️

