
Aggregate metadata for ownership chain and use annotations for runtime risks#33

Merged
piceri merged 4 commits into main from annotation-runtime-risk on Feb 13, 2026
Conversation

@piceri
Contributor

@piceri piceri commented Feb 10, 2026

This PR:

  • Adds a metadata client to the controller
  • Uses aggregateMetadata to get metadata for the pod and all of its supported owners
    • We currently only support ReplicaSets and Deployments
    • Only done for add/update events
  • Any annotations for a pod or any of its owners can have a key of github.com/runtime-risks to declare runtime risks

@piceri piceri marked this pull request as ready for review February 10, 2026 17:10
@piceri piceri requested a review from a team as a code owner February 10, 2026 17:10
Copilot AI review requested due to automatic review settings February 10, 2026 17:10

Copilot AI left a comment


Pull request overview

This PR adds runtime risk tracking to the deployment tracker by aggregating metadata from pods and their ownership chain (ReplicaSets and Deployments). The implementation reads runtime risk annotations from Kubernetes resources and includes them in deployment records sent to the artifact metadata API.

Changes:

  • Added RuntimeRisk type system with validation and support for four risk categories (critical-resource, internet-exposed, lateral-movement, sensitive-data)
  • Implemented metadata aggregation that walks the pod ownership chain to collect runtime risk annotations
  • Updated RBAC permissions to allow reading ReplicaSet metadata

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 7 comments.

Summary per file:

  • pkg/deploymentrecord/record.go: Added RuntimeRisk type, constants, validation function, and updated DeploymentRecord to include runtime risks
  • internal/controller/controller.go: Added metadata client, implemented ownership chain traversal with aggregateMetadata, and integrated runtime risk collection into recordContainer
  • cmd/deployment-tracker/main.go: Created metadata client and passed it to controller initialization
  • deploy/manifest.yaml: Added RBAC permissions for reading ReplicaSets and updated example cluster name
  • README.md: Documented runtime risks feature and supported risk values
  • .gitignore: Added .idea/ directory for JetBrains IDEs


@piceri piceri force-pushed the annotation-runtime-risk branch from cafc98e to a3b0d86 on February 12, 2026 22:13
@piceri piceri force-pushed the annotation-runtime-risk branch from a3b0d86 to 65a5729 on February 13, 2026 16:47

@ajbeattie ajbeattie left a comment


LGTM!

@piceri piceri merged commit 3793af8 into main Feb 13, 2026
6 checks passed
@piceri piceri deleted the annotation-runtime-risk branch February 13, 2026 18:59