stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
822a92faeebbceea6fa005b7eddb7572a8b29b41
git.stella-ops.org/docs/features/checked/zastava/zastava-admission-webhook.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

35 lines
2.8 KiB
Markdown
Raw Blame History

# Zastava Admission Webhook
## Module
Zastava
## Status
IMPLEMENTED
## Description
Full admission webhook with policy-based container admission control, facet validation, image digest resolution, and admission review parsing.
## Implementation Details
- **AdmissionEndpoint**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs` -- webhook endpoint handling admission review requests
- **AdmissionReviewParser**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs` -- parses Kubernetes AdmissionReview payloads
- **AdmissionReviewModels**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs` -- admission review request/response models
- **AdmissionResponseBuilder**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs` -- builds allow/deny responses with status and audit annotations
- **AdmissionRequestContext**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs` -- contextual data for admission evaluation
- **FacetAdmissionValidator**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/FacetAdmissionValidator.cs` -- facet-based validation rules
- **ImageDigestResolver**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs` -- resolves image tags to digests
- **RuntimeAdmissionPolicyService**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs` -- evaluates runtime admission policies
- **RuntimePolicyCache**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs` -- caches policy decisions
- **Certificate management**: `src/Zastava/StellaOps.Zastava.Webhook/Certificates/` -- `IWebhookCertificateProvider`, `SecretFileCertificateSource`, `CsrCertificateSource`, `WebhookCertificateHealthCheck`
- **StartupValidationHostedService**: `src/Zastava/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs` -- validates webhook configuration on startup
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/` -- `AdmissionResponseBuilderTests.cs`, `AdmissionReviewParserTests.cs`, `FacetAdmissionValidatorTests.cs`, `RuntimeAdmissionPolicyServiceTests.cs`; `Certificates/` -- `SecretFileCertificateSourceTests.cs`, `WebhookCertificateProviderTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify webhook accepts and parses Kubernetes AdmissionReview requests
- [ ] Test image digest resolution converts tags to sha256 digests before evaluation
- [ ] Verify facet-based admission rules allow/deny containers based on policy
- [ ] Test runtime admission policy service evaluates verdicts from backend
- [ ] Verify admission response includes audit annotations for allowed/denied decisions
- [ ] Test certificate management handles TLS renewal and health checks
- [ ] Verify policy cache reduces latency for repeated admission evaluations
Reference in New Issue View Git Blame Copy Permalink