This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
This is a Go-based Kubernetes validating/mutating webhooks framework for OpenShift Dedicated (OSD) and Red Hat OpenShift Service on AWS (ROSA) managed clusters. It implements 20+ webhooks that enforce security policies and operational constraints on managed clusters.
# Development
make test # Run tests and webhook validation
make build # Build binary
make build-image # Build container image
make build-package-image # Build PKO package for HyperShift
# Resource Generation
make syncset # Generate SelectorSyncSet YAML for Classic clusters
make package # Generate Package Operator resources for HyperShift
make docs # Generate webhook documentation
make generate # Update namespace lists from ConfigMaps
# Local Testing
make test-webhook WEBHOOK=namespace # Test specific webhook
go test ./pkg/webhooks/namespace/... # Run webhook unit tests- Interface-Based: All webhooks implement the
Webhookinterface inpkg/webhooks/register.go - Factory Pattern: Webhooks register via
init()functions inadd_*files - Centralized Dispatcher: Single HTTP server routes requests to webhooks based on URI paths
- Plugin System: Each webhook is a self-contained module in
pkg/webhooks/*/
- OSD/ROSA Classic: Deployed as DaemonSet via SelectorSyncSet to master nodes
- ROSA HyperShift: Deployed via Package Operator (PKO) to hosted control plane
- Main Application (
cmd/main.go): HTTP server with TLS, metrics, and webhook routing - Dispatcher (
pkg/dispatcher/): Thread-safe request routing and response handling - Individual Webhooks (
pkg/webhooks/*/): Modular webhook implementations - Configuration (
pkg/config/): Namespace protection lists and build-time config
- Create webhook directory:
pkg/webhooks/mywebhook/ - Implement the
Webhookinterface with required methods:Validate(): Core webhook logicAuthorized(): Authorization checksGetURI(): Unique webhook pathRules(): AdmissionRules for K8s
- Create registration file:
pkg/webhooks/add_mywebhook.go - Add to Makefile webhook lists if needed
- Update documentation with
make docs
- Unit Tests: Use
pkg/testutilsfor HTTP integration testing - Authorization Testing: Test all user categories (cluster-admin, SRE, regular users)
- Local Testing: Follow README.md guide for testing on live clusters
- Webhook Validation:
make testvalidates URI uniqueness and basic functionality
- Cluster Admins:
kube:admin,system:admin,backplane-cluster-admin - SRE Groups:
system:serviceaccounts:openshift-backplane-srep - Privileged ServiceAccounts: System service accounts with regex matching
- Layered Product Admins: Special access for
redhat-.*namespaces - Regular Users: Most restrictive validation
- 120+ Protected Namespaces: Auto-generated from OpenShift ConfigMaps
- Pattern Matching:
^redhat-.*,^openshift-.*,^kube-.*patterns - Label Protection: Categories of immutable/removable protected labels
Build system generates Kubernetes resources dynamically:
- SelectorSyncSet: For Classic OSD/ROSA deployments
- Package Operator: For HyperShift deployments
- Webhook Inclusion: Control via
REGISTRY_*Makefile variables - Namespace Lists: Auto-generated from cluster ConfigMaps
- Tekton Pipelines: 4 configurations for PR/push scenarios in
tekton/ - App-Interface: Automated deployment via GitLab app-interface
- Multi-arch Builds: Linux/AMD64 with UBI9 base images
- Registry: Quay.io with git hash tagging
pkg/webhooks/register.go: Core webhook interface and registrationpkg/config/namespaces.go: Protected namespace definitionsbuild/resources.go: Dynamic resource generation logiccmd/main.go: Main application entry pointpkg/dispatcher/: Request routing and response handlingMakefile: All build, test, and generation commands