{"id":"webhook-admission-enforcement-model","text":"Webhook admission in OpenShift follows a constrained enforcement model: all webhook communication requires TLS, timeouts are hard-capped at 13 seconds (non-configurable), webhooks are never invoked on their own kind (preventing infinite loops), and each webhook must declare four required fields — creating a bounded, self-protecting admission pipeline.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["webhook-communication-requires-tls","webhook-max-timeout-13-seconds","webhook-never-invoked-on-own-kind","webhook-required-fields"],"outlist":[],"label":"These four constraints collectively define the safety envelope for admission webhooks — TLS for integrity, timeout cap for availability, self-exclusion for stability, required fields for correctness"}],"dependents":["api-governance-spans-stability-and-admission","security-enforced-at-install-runtime-and-api-boundary"],"metadata":{},"explanation":{"steps":[{"node":"webhook-admission-enforcement-model","truth_value":"IN","reason":"SL justification valid","antecedents":["webhook-communication-requires-tls","webhook-max-timeout-13-seconds","webhook-never-invoked-on-own-kind","webhook-required-fields"],"label":"These four constraints collectively define the safety envelope for admission webhooks — TLS for integrity, timeout cap for availability, self-exclusion for stability, required fields for correctness"},{"node":"webhook-communication-requires-tls","truth_value":"IN","reason":"premise"},{"node":"webhook-max-timeout-13-seconds","truth_value":"IN","reason":"premise"},{"node":"webhook-never-invoked-on-own-kind","truth_value":"IN","reason":"premise"},{"node":"webhook-required-fields","truth_value":"IN","reason":"premise"}]}}