{"id":"api-governance-spans-stability-and-admission","text":"OpenShift API governance operates across two dimensions: a tiered stability model (Level 1 through Level 4) defines compatibility guarantees and deprecation timelines, while the webhook admission system (TLS-required, 13s hard timeout, CEL match conditions) enforces runtime policy — together they govern both the evolution and the enforcement of the API surface.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["api-stability-tiered-guarantee-model","webhook-admission-enforcement-model"],"outlist":[],"label":"depth-2 — API governance has both a temporal dimension (stability tiers) and a runtime dimension (admission enforcement)"}],"dependents":["api-governance-enforces-stability-and-immutability"],"metadata":{},"explanation":{"steps":[{"node":"api-governance-spans-stability-and-admission","truth_value":"IN","reason":"SL justification valid","antecedents":["api-stability-tiered-guarantee-model","webhook-admission-enforcement-model"],"label":"depth-2 — API governance has both a temporal dimension (stability tiers) and a runtime dimension (admission enforcement)"},{"node":"api-stability-tiered-guarantee-model","truth_value":"IN","reason":"SL justification valid","antecedents":["compatibility-level-1-stable-12-months","compatibility-level-definitions","consoleplugin-compat-level-1","image-content-source-policy-v1alpha1-level4","api-tier3-default-for-unassigned-groups"],"label":"API consumers can assess migration risk by checking compatibility level"},{"node":"compatibility-level-1-stable-12-months","truth_value":"IN","reason":"premise"},{"node":"compatibility-level-definitions","truth_value":"IN","reason":"premise"},{"node":"consoleplugin-compat-level-1","truth_value":"IN","reason":"premise"},{"node":"image-content-source-policy-v1alpha1-level4","truth_value":"IN","reason":"premise"},{"node":"api-tier3-default-for-unassigned-groups","truth_value":"IN","reason":"premise"},{"node":"webhook-admission-enforcement-model","truth_value":"IN","reason":"SL justification valid","antecedents":["webhook-communication-requires-tls","webhook-max-timeout-13-seconds","webhook-never-invoked-on-own-kind","webhook-required-fields"],"label":"These four constraints collectively define the safety envelope for admission webhooks — TLS for integrity, timeout cap for availability, self-exclusion for stability, required fields for correctness"},{"node":"webhook-communication-requires-tls","truth_value":"IN","reason":"premise"},{"node":"webhook-max-timeout-13-seconds","truth_value":"IN","reason":"premise"},{"node":"webhook-never-invoked-on-own-kind","truth_value":"IN","reason":"premise"},{"node":"webhook-required-fields","truth_value":"IN","reason":"premise"}]}}