git.stella-ops.org/docs/features/unchecked/zastava/zastava-admission-webhook.md

Zastava Admission Webhook

Module

Zastava

Status

IMPLEMENTED

Description

Full admission webhook with policy-based container admission control, facet validation, image digest resolution, and admission review parsing.
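The flow the description covers (parse the AdmissionReview, pin every image to a sha256 digest before evaluation, fetch a verdict per digest, answer with audit annotations) as an added Python example; it is not the project's C# code, and the registry lookup and policy backend are stand-in in-memory tables so it runs offline.

```python
import json

# Constructed stand-ins (not the project's code): a tag -> digest table in the
# registry's role, a digest -> verdict table in the policy backend's role.
DIGEST_BY_TAG = {"registry.example/app:1.4.2": "sha256:" + "a" * 64,
                 "registry.example/sidecar:latest": "sha256:" + "b" * 64}
VERDICT_BY_DIGEST = {"sha256:" + "a" * 64: "allow", "sha256:" + "b" * 64: "deny"}

def resolve_digest(ref, cache):
    # Pin to a sha256 digest before any policy lookup: '@sha256:...' refs are
    # already pinned, tags are looked up, and `cache` memoises the answer.
    if ref not in cache:
        name, _, digest = ref.partition("@")
        cache[ref] = digest or DIGEST_BY_TAG.get(name)  # None if unknown tag
    return cache[ref]

def review(admission_review, cache):
    # Evaluate one AdmissionReview request and build the response document,
    # failing closed on unresolvable tags and on digests with no verdict.
    req = admission_review["request"]
    spec = req["object"]["spec"]
    images = [c["image"] for k in ("initContainers", "containers") for c in spec.get(k, [])]
    annotations, reasons = {}, []
    for i, ref in enumerate(images):
        digest = resolve_digest(ref, cache)
        if digest is None:
            reasons.append(f"{ref}: tag could not be resolved to a digest")
            continue
        verdict = VERDICT_BY_DIGEST.get(digest, "deny")
        annotations[f"image-{i}"] = f"{ref.partition('@')[0]}@{digest} verdict={verdict}"
        if verdict != "allow":
            reasons.append(f"{ref}: policy verdict {verdict} for {digest}")
    allowed = not reasons
    return {"apiVersion": admission_review["apiVersion"], "kind": "AdmissionReview",
            "response": {"uid": req["uid"],  # must echo the request uid
                         "allowed": allowed,
                         "status": {"code": 200 if allowed else 403,
                                    "message": "admitted" if allowed else "; ".join(reasons)},
                         "auditAnnotations": annotations}}

# Constructed sample request for a Pod with one container.
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                 "request": {"uid": "00000000-0000-4000-8000-000000000001",
                             "kind": {"group": "", "version": "v1", "kind": "Pod"},
                             "object": {"spec": {"containers": [
                                 {"name": "app", "image": "registry.example/app:1.4.2"}]}}}}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW, {}), indent=2))
```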

Implementation Details

  • AdmissionEndpoint: src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs -- webhook endpoint handling admission review requests
  • AdmissionReviewParser: src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs -- parses Kubernetes AdmissionReview payloads
  • AdmissionReviewModels: src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs -- admission review request/response models
  • AdmissionResponseBuilder: src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs -- builds allow/deny responses with status and audit annotations
  • AdmissionRequestContext: src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs -- contextual data for admission evaluation
  • FacetAdmissionValidator: src/Zastava/StellaOps.Zastava.Webhook/Admission/FacetAdmissionValidator.cs -- facet-based validation rules
  • ImageDigestResolver: src/Zastava/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs -- resolves image tags to digests
  • RuntimeAdmissionPolicyService: src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs -- evaluates runtime admission policies
  • RuntimePolicyCache: src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs -- caches policy decisions
  • Certificate management: src/Zastava/StellaOps.Zastava.Webhook/Certificates/ -- IWebhookCertificateProvider, SecretFileCertificateSource, CsrCertificateSource, WebhookCertificateHealthCheck
  • StartupValidationHostedService: src/Zastava/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs -- validates webhook configuration on startup
  • Tests: src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/ -- AdmissionResponseBuilderTests.cs, AdmissionReviewParserTests.cs, FacetAdmissionValidatorTests.cs, RuntimeAdmissionPolicyServiceTests.cs; Certificates/ -- SecretFileCertificateSourceTests.cs, WebhookCertificateProviderTests.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify webhook accepts and parses Kubernetes AdmissionReview requests
  • Test image digest resolution converts tags to sha256 digests before evaluation
  • Verify facet-based admission rules allow/deny containers based on policy
  • Test runtime admission policy service evaluates verdicts from backend
  • Verify admission response includes audit annotations for allowed/denied decisions
  • Test certificate management handles TLS renewal and health checks
  • Verify policy cache reduces latency for repeated admission evaluations