# Zastava Admission Webhook

## Module

Zastava

## Status

IMPLEMENTED

## Description

Full admission webhook with policy-based container admission control, facet validation, image digest resolution, and admission review parsing.

## Implementation Details

- **AdmissionEndpoint**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs` -- webhook endpoint handling admission review requests
- **AdmissionReviewParser**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs` -- parses Kubernetes AdmissionReview payloads
- **AdmissionReviewModels**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs` -- admission review request/response models
- **AdmissionResponseBuilder**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs` -- builds allow/deny responses with status and audit annotations
- **AdmissionRequestContext**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs` -- contextual data for admission evaluation
- **FacetAdmissionValidator**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/FacetAdmissionValidator.cs` -- facet-based validation rules
- **ImageDigestResolver**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs` -- resolves image tags to digests
- **RuntimeAdmissionPolicyService**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs` -- evaluates runtime admission policies
- **RuntimePolicyCache**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs` -- caches policy decisions
- **Certificate management**: `src/Zastava/StellaOps.Zastava.Webhook/Certificates/` -- `IWebhookCertificateProvider`, `SecretFileCertificateSource`, `CsrCertificateSource`, `WebhookCertificateHealthCheck`
- **StartupValidationHostedService**: `src/Zastava/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs` -- validates webhook configuration on startup
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/` -- `AdmissionResponseBuilderTests.cs`, `AdmissionReviewParserTests.cs`, `FacetAdmissionValidatorTests.cs`, `RuntimeAdmissionPolicyServiceTests.cs`; `Certificates/` -- `SecretFileCertificateSourceTests.cs`, `WebhookCertificateProviderTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan

- [ ] Verify webhook accepts and parses Kubernetes AdmissionReview requests
- [ ] Test image digest resolution converts tags to sha256 digests before evaluation
- [ ] Verify facet-based admission rules allow/deny containers based on policy
- [ ] Test runtime admission policy service evaluates verdicts from backend
- [ ] Verify admission response includes audit annotations for allowed/denied decisions
- [ ] Test certificate management handles TLS renewal and health checks
- [ ] Verify policy cache reduces latency for repeated admission evaluations
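The following is an added illustration, not code from the StellaOps Zastava webhook, of the shape the first, second and fifth test-plan items exercise: a handler that parses a Kubernetes `AdmissionReview` (v1), resolves every container image to a sha256 digest before evaluating it, and returns an allow/deny response carrying a `status` block and `auditAnnotations`. The sample review, the `TagToDigest` lookup table standing in for a registry-backed resolver, and the annotation keys under `zastava.example/` are all constructed for this example and are not the project's own identifiers.

```csharp
// Added example (not StellaOps.Zastava code): digest-pinning admission over an AdmissionReview v1.
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Nodes;

public static class DigestPinningAdmission
{
    // Constructed sample AdmissionReview, shaped like what the API server POSTs to a webhook.
    // "app" is a resolvable tag, "sidecar" is already pinned, "unknown" cannot be resolved.
    public const string SampleReview = """
    {
      "apiVersion": "admission.k8s.io/v1",
      "kind": "AdmissionReview",
      "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "namespace": "demo",
        "operation": "CREATE",
        "object": {
          "kind": "Pod",
          "metadata": { "name": "web" },
          "spec": {
            "containers": [
              { "name": "app",     "image": "registry.example.test/app:1.2.3" },
              { "name": "sidecar", "image": "registry.example.test/proxy@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" },
              { "name": "unknown", "image": "registry.example.test/unknown:latest" }
            ]
          }
        }
      }
    }
    """;

    // Hypothetical stand-in for a registry lookup (the page's ImageDigestResolver queries the
    // registry; this constructed table is enough to show the flow offline).
    private static readonly Dictionary<string, string> TagToDigest = new()
    {
        ["registry.example.test/app:1.2.3"] = "sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
    };

    public static bool IsDigestPinned(string image) => image.Contains("@sha256:", StringComparison.Ordinal);

    // Returns the reference pinned to a digest, or null when the tag cannot be resolved.
    // Assumes a tag is present when the image is not digest-pinned, so the last ':' is the tag separator.
    public static string? ResolveToDigest(string image)
    {
        if (IsDigestPinned(image)) return image;
        if (!TagToDigest.TryGetValue(image, out var digest)) return null;
        var repo = image[..image.LastIndexOf(':')];
        return $"{repo}@{digest}";
    }

    // Parses the review, resolves each image, and builds the AdmissionReview response.
    public static string Evaluate(string reviewJson)
    {
        var request = JsonNode.Parse(reviewJson)!["request"]!.AsObject();
        var uid = request["uid"]!.GetValue<string>();
        var containers = request["object"]!["spec"]!["containers"]!.AsArray();

        var resolved = new List<string>();
        var unresolved = new List<string>();
        foreach (var container in containers)
        {
            var image = container!["image"]!.GetValue<string>();
            var pinned = ResolveToDigest(image);
            if (pinned is null) unresolved.Add(image); else resolved.Add(pinned);
        }

        bool allowed = unresolved.Count == 0;
        var response = new JsonObject
        {
            ["uid"] = uid,          // must echo request.uid or the API server rejects the response
            ["allowed"] = allowed,
            // auditAnnotations are written to the API server audit log, prefixed with the webhook name.
            ["auditAnnotations"] = new JsonObject
            {
                ["zastava.example/verdict"] = allowed ? "allow" : "deny",
                ["zastava.example/resolved-images"] = string.Join(",", resolved),
            },
        };
        if (!allowed)
        {
            // status.message is what kubectl shows the user on a denied create.
            response["status"] = new JsonObject
            {
                ["code"] = 403,
                ["reason"] = "Forbidden",
                ["message"] = "images could not be resolved to a sha256 digest: " + string.Join(", ", unresolved),
            };
        }

        var review = new JsonObject
        {
            ["apiVersion"] = "admission.k8s.io/v1",
            ["kind"] = "AdmissionReview",
            ["response"] = response,
        };
        return review.ToJsonString(new JsonSerializerOptions { WriteIndented = true });
    }

    public static void Main() => Console.WriteLine(Evaluate(SampleReview));
}
```

Running it prints a deny response for the sample, because the `unknown:latest` image has no digest mapping; drop that container from the sample and the same code returns `allowed: true` with both resolved references in the audit annotation. Resolving before evaluation matters because a mutable tag can point at a different image by the time the pod is scheduled, so policy should be decided, and audited, against the digest.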