save checkpoint
34
docs/features/checked/zastava/zastava-admission-webhook.md
Normal file
@@ -0,0 +1,34 @@
# Zastava Admission Webhook
## Module
Zastava
## Status
IMPLEMENTED
## Description
Full admission webhook with policy-based container admission control, facet validation, image digest resolution, and admission review parsing.
## Implementation Details
- **AdmissionEndpoint**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs` -- webhook endpoint handling admission review requests
- **AdmissionReviewParser**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs` -- parses Kubernetes AdmissionReview payloads
- **AdmissionReviewModels**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs` -- admission review request/response models
- **AdmissionResponseBuilder**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs` -- builds allow/deny responses with status and audit annotations
- **AdmissionRequestContext**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs` -- contextual data for admission evaluation
- **FacetAdmissionValidator**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/FacetAdmissionValidator.cs` -- facet-based validation rules
- **ImageDigestResolver**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs` -- resolves image tags to digests
- **RuntimeAdmissionPolicyService**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs` -- evaluates runtime admission policies
- **RuntimePolicyCache**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs` -- caches policy decisions
- **Certificate management**: `src/Zastava/StellaOps.Zastava.Webhook/Certificates/` -- `IWebhookCertificateProvider`, `SecretFileCertificateSource`, `CsrCertificateSource`, `WebhookCertificateHealthCheck`
- **StartupValidationHostedService**: `src/Zastava/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs` -- validates webhook configuration on startup
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/` -- `AdmissionResponseBuilderTests.cs`, `AdmissionReviewParserTests.cs`, `FacetAdmissionValidatorTests.cs`, `RuntimeAdmissionPolicyServiceTests.cs`; `Certificates/` -- `SecretFileCertificateSourceTests.cs`, `WebhookCertificateProviderTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify webhook accepts and parses Kubernetes AdmissionReview requests
- [ ] Test image digest resolution converts tags to sha256 digests before evaluation
- [ ] Verify facet-based admission rules allow/deny containers based on policy
- [ ] Test runtime admission policy service evaluates verdicts from backend
- [ ] Verify admission response includes audit annotations for allowed/denied decisions
- [ ] Test certificate management handles TLS renewal and health checks
- [ ] Verify policy cache reduces latency for repeated admission evaluations
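Review bot: The E2E Test Plan covers only the happy paths; it has no item for the failure modes that decide whether this webhook is fail-open or fail-closed, which is the property that matters most for an admission controller. The "runtime admission policy service evaluates verdicts from backend" item implies a backend dependency, so please add a case for the backend being unreachable or timing out; the "image digest resolution converts tags to sha256 digests" item should be paired with a case where the tag cannot be resolved (is the container denied, or evaluated by tag?); and since `StartupValidationHostedService` and `WebhookCertificateHealthCheck` are listed, a case for startup with a missing or expired certificate belongs here too. Also, `## Status` says IMPLEMENTED while every E2E item is unchecked, so state (in `## Status` or beside the plan) that IMPLEMENTED reflects code presence from the feature matrix scan and not E2E verification; otherwise the two sections contradict each other. Finally, the entry `- **Source**: Feature matrix scan` is the only provenance for the whole file list and sits under Implementation Details rather than with the status, which makes it easy to miss.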