feat(cel): add ValidatingPolicy for aws-node IRSA + tests

[syedazeez337]

Summary
Convert legacy aws/require-aws-node-irsa to a CEL ValidatingPolicy under aws-cel/require-aws-node-irsa, with kyverno test fixtures.

What changed

• Added: aws-cel/require-aws-node-irsa/policy.yaml (CEL ValidatingPolicy)

• Added tests:

  • aws-cel/require-aws-node-irsa/tests/pass (uses non-aws-node SA → pass)
  • aws-cel/require-aws-node-irsa/tests/fail (uses aws-node SA → fail)

• No changes to the legacy sample.

Why
Part of the ongoing migration of sample policies to CEL-based types for better performance, native K8s alignment, and clearer testability.

Behavior (parity with legacy)

• Target: DaemonSet kube-system/aws-node only.
• Fails when spec.template.spec.serviceAccountName == "aws-node".
• Mirrors legacy action: validationActions: Audit (equivalent to validationFailureAction: Audit).

Spec details

• matchConstraints.resourceRules: apps/v1, daemonsets, CREATE|UPDATE
• matchConditions: name/namespace pinning (kube-system + aws-node)
• validations[0].expression: object.spec.template.spec.serviceAccountName != "aws-node"

How I tested

# from repo root: sources/policies
kyverno test aws-cel/require-aws-node-irsa/tests/pass
kyverno test aws-cel/require-aws-node-irsa/tests/fail
# both suites: "1 tests passed and 0 tests failed"

Notes

• This keeps the same user-facing intent as the legacy policy (stop using the shared aws-node SA; use IRSA-specific SA).
• Happy to adjust if maintainers prefer to require an explicit non-aws-node SA (vs. simply “not equal to aws-node”).

[syedazeez337]

[fjogeleit]

The current test structure is failing our expected structure. @syedazeez337 can you please take a look?

[syedazeez337]

Hi @fjogeleit
Apologies for this long delay. I have updated with this new change. Let me know.