
[FEATURE_REQUEST] Enable metadata checks against the pod template in a deployment

Open Dionmm opened this issue 3 years ago • 1 comments

Description of the problem/feature request

Currently, checks scoped to "DeploymentLike" objects only check the deployment's metadata and not the pod spec defined within it. I would like to scope checks specifically to the pod template defined within the deployment.

Description of the existing behavior vs. expected behavior

Consider the following manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dion-deploy
  name: dion-deploy
spec:
  selector:
    matchLabels:
      app: dion-deploy
  template:
    metadata:
      labels:
        app: dion-deploy
      annotations:
        vault.hashicorp.com/agent-requests-cpu: 10m

With a custom "required-annotation" check for the presence of the vault.hashicorp.com/agent-requests-cpu annotation, this currently will fail:

(object: <no namespace>/dion-deploy apps/v1, Kind=Deployment) no annotation matching "vault.hashicorp.com/agent-requests-cpu=<any>" found (...

Expected behaviour is that this will pass because the annotation has been specified in the pod template.

Additional context

We are using Vault, which spins up a sidecar container using the supplied annotations for that pod, and we want to require a few annotations to ensure the config is correct. These can't be added in the deployment metadata; they have to be added into the pod template metadata, as the configuration can be different per pod.

Dionmm avatar Feb 15 '21 12:02 Dionmm
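
The two scopes described in the issue above, as an added example that is not kube-linter's code or part of the original post: it evaluates a required-annotation rule against the Deployment's own metadata and against spec.template.metadata separately. The helper name `missingAnnotations` and the JSON rendering of the issue's manifest are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed input: the Deployment from the issue, written as JSON so that
// only the standard library is needed to parse it.
const manifest = `{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "dion-deploy", "labels": {"app": "dion-deploy"}},
  "spec": {
    "selector": {"matchLabels": {"app": "dion-deploy"}},
    "template": {"metadata": {
      "labels": {"app": "dion-deploy"},
      "annotations": {"vault.hashicorp.com/agent-requests-cpu": "10m"}}}}
}`

type meta struct {
	Annotations map[string]string `json:"annotations"`
}

type deployment struct {
	Metadata meta `json:"metadata"`
	Spec     struct {
		Template struct {
			Metadata meta `json:"metadata"`
		} `json:"template"`
	} `json:"spec"`
}

// missingAnnotations (hypothetical helper) reports which required keys are
// absent at object scope and which are absent at pod-template scope.
func missingAnnotations(raw string, required []string) (object, podTemplate []string, err error) {
	var d deployment
	if err = json.Unmarshal([]byte(raw), &d); err != nil {
		return nil, nil, err
	}
	for _, k := range required {
		if _, ok := d.Metadata.Annotations[k]; !ok {
			object = append(object, k) // what the issue reports as failing today
		}
		if _, ok := d.Spec.Template.Metadata.Annotations[k]; !ok {
			podTemplate = append(podTemplate, k) // the scope the issue asks for
		}
	}
	return object, podTemplate, nil
}

func main() {
	obj, pod, err := missingAnnotations(manifest, []string{"vault.hashicorp.com/agent-requests-cpu"})
	fmt.Println("missing at object scope:", obj, "| missing at pod template scope:", pod, "| err:", err)
}
```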

Thanks @Dionmm! This makes sense and we can add this functionality.

viswajithiii avatar Feb 15 '21 20:02 viswajithiii