NO-JIRA: Document CEL over webhooks policy for AI agents

[bryan-cox]

Summary

• Documents the team's deliberate choice to use CEL validation rules instead of admission webhooks, capturing tribal knowledge that was only shared verbally
• Adds a path-scoped .claude/rules/ rule that triggers when agents touch the webhook files, redirecting them to CEL
• Adds a bullet to api/AGENTS.md reinforcing CEL as the correct validation mechanism

Context

AI agents frequently attempt to extend the webhook in hostedcluster_webhook.go when adding validation. The webhook exists almost exclusively for KubeVirt platform-specific needs. The rationale for avoiding webhooks:

• Konnectivity latency: In hosted-on-hosted topologies (IBM Cloud), requests traverse apiserver → konnectivity server → agent → node → webhook service
• Availability coupling: A down webhook blocks all writes to the resource
• Operational overhead: TLS certs, webhook configs, running service vs. CEL embedded in the CRD

Test plan

• Verify .claude/rules/webhook-validation.md loads when Claude works with hostedcluster_webhook.go
• Verify AGENTS.md and api/AGENTS.md render correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Added developer guidance on validation patterns, recommending CEL rules over webhooks for new validation logic.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@bryan-cox: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Documents the team's deliberate choice to use CEL validation rules instead of admission webhooks, capturing tribal knowledge that was only shared verbally
• Adds a path-scoped .claude/rules/ rule that triggers when agents touch the webhook files, redirecting them to CEL
• Adds a bullet to api/AGENTS.md reinforcing CEL as the correct validation mechanism

Context

AI agents frequently attempt to extend the webhook in hostedcluster_webhook.go when adding validation. The webhook exists almost exclusively for KubeVirt platform-specific needs. The rationale for avoiding webhooks:

• Konnectivity latency: In hosted-on-hosted topologies (IBM Cloud), requests traverse apiserver → konnectivity server → agent → node → webhook service
• Availability coupling: A down webhook blocks all writes to the resource
• Operational overhead: TLS certs, webhook configs, running service vs. CEL embedded in the CRD

Test plan

• Verify .claude/rules/webhook-validation.md loads when Claude works with hostedcluster_webhook.go
• Verify AGENTS.md and api/AGENTS.md render correctly

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 096cda6f-d8e8-4df7-897a-0476776ba87d

📥 Commits

Reviewing files that changed from the base of the PR and between feda5c8 and 7339dfe.

📒 Files selected for processing (1)

• .claude/rules/webhook-validation.md

✅ Files skipped from review due to trivial changes (1)

• .claude/rules/webhook-validation.md

---

📝 Walkthrough

Walkthrough

This pull request adds documentation clarifying that the HostedCluster admission webhook files (hypershift-operator/controllers/hostedcluster/hostedcluster_webhook*.go) are not a general-purpose validation extension point. It introduces .claude/rules/webhook-validation.md describing HyperShift’s preference for CRD CEL validation markers (implemented on API types and covered by envtests), notes the webhook’s limited KubeVirt-specific roles (defaulting and JSON patch annotation checks), and records a CAPI conversion-webhook exception during the v1beta2 migration. It also updates AGENTS.md and api/AGENTS.md to direct contributors to use CEL rules instead of admission webhooks.

Sequence Diagram(s)

(omitted)

Possibly related PRs

• openshift/hypershift#8477: Related updates to API guidance and contributor conventions that overlap with CEL-over-webhooks validation guidance.

Suggested reviewers

• clebs
• sdminonne

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: documenting a CEL-over-webhooks policy for AI agents, which aligns with the PR's primary objective of capturing and formalizing the team's validation preference.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only documentation changes (.md files). No Ginkgo tests or Go test files are present. The custom check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	PR contains only documentation changes (webhook-validation.md, AGENTS.md, api/AGENTS.md). No Ginkgo test code added or modified. Custom check not applicable.
Microshift Test Compatibility	✅ Passed	PR adds only documentation files (.md). Custom check is for Ginkgo e2e tests, which are not present in this PR. Check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The custom check requires assessment of new Ginkgo e2e tests for SNO compatibility. This PR adds only documentation files (.md files) and contains no Ginkgo tests. The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only documentation. No deployment manifests, operator code, controllers, or scheduling constraints modified.
Ote Binary Stdout Contract	✅ Passed	PR is documentation-only (markdown files in .claude/rules/, AGENTS.md, api/AGENTS.md). No executable code or process-level modifications. Check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR contains only documentation files. No Ginkgo e2e tests are added, so the IPv6 and disconnected network compatibility check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[csrwng]

it's only the conversion webhook that is required for CAPI

[bryan-cox]

Good catch — updated to "a conversion webhook is required" in 7339dfe.

[bryan-cox]

/retest

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.55%. Comparing base (b0a10c5) to head (7339dfe).
⚠️ Report is 44 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8478      +/-   ##
==========================================
+ Coverage   37.49%   37.55%   +0.05%     
==========================================
  Files         751      751              
  Lines       91984    92029      +45     
==========================================
+ Hits        34487    34557      +70     
+ Misses      54854    54830      -24     
+ Partials     2643     2642       -1     

see 8 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	32.76% <ø> (+0.12%)	⬆️
cpo-hostedcontrolplane	36.78% <ø> (+0.01%)	⬆️
cpo-other	37.84% <ø> (+0.11%)	⬆️
hypershift-operator	47.93% <ø> (ø)
other	27.77% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[csrwng]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[enxebre]

nit: this is valid for api/ not only api/hypershift/v1beta1

[coderabbitai]

🧹 Nitpick comments (1)

.claude/rules/webhook-validation.md (1)

24-24: 💤 Low value

Consider mentioning the CAPI exception in the other guidance files.

The exception for CAPI resources during the v1beta2 migration period is documented here but not mentioned in api/AGENTS.md or AGENTS.md. If this exception is important for contributors to know, consider adding a brief note in those files as well for consistency.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/rules/webhook-validation.md at line 24, Add a short note to
api/AGENTS.md and AGENTS.md mentioning the CAPI exception for webhooks during
the v1beta2 migration period (as documented in
.claude/rules/webhook-validation.md) so contributors see the caveat in the agent
guidance; update both files' relevant webhook or migration sections with one
concise sentence pointing to the existing CAPI exception and linking or
referencing the .claude/rules/webhook-validation.md entry for details.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.claude/rules/webhook-validation.md:
- Line 24: Add a short note to api/AGENTS.md and AGENTS.md mentioning the CAPI
exception for webhooks during the v1beta2 migration period (as documented in
.claude/rules/webhook-validation.md) so contributors see the caveat in the agent
guidance; update both files' relevant webhook or migration sections with one
concise sentence pointing to the existing CAPI exception and linking or
referencing the .claude/rules/webhook-validation.md entry for details.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6ef88b4d-5fa0-45c9-8174-2221d18c48ce

📥 Commits

Reviewing files that changed from the base of the PR and between 8c2d0c8 and feda5c8.

📒 Files selected for processing (3)

• .claude/rules/webhook-validation.md
• AGENTS.md
• api/AGENTS.md

[bryan-cox]

/verified bypass

[openshift-ci-robot]

@bryan-cox: The verified label has been added.

Details

In response to this:

/verified bypass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@bryan-cox: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Documents the team's deliberate choice to use CEL validation rules instead of admission webhooks, capturing tribal knowledge that was only shared verbally
• Adds a path-scoped .claude/rules/ rule that triggers when agents touch the webhook files, redirecting them to CEL
• Adds a bullet to api/AGENTS.md reinforcing CEL as the correct validation mechanism

Context

AI agents frequently attempt to extend the webhook in hostedcluster_webhook.go when adding validation. The webhook exists almost exclusively for KubeVirt platform-specific needs. The rationale for avoiding webhooks:

• Konnectivity latency: In hosted-on-hosted topologies (IBM Cloud), requests traverse apiserver → konnectivity server → agent → node → webhook service
• Availability coupling: A down webhook blocks all writes to the resource
• Operational overhead: TLS certs, webhook configs, running service vs. CEL embedded in the CRD

Test plan

• Verify .claude/rules/webhook-validation.md loads when Claude works with hostedcluster_webhook.go
• Verify AGENTS.md and api/AGENTS.md render correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
• Added developer guidance on validation patterns, recommending CEL rules over webhooks for new validation logic.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

/override e2e-aks
/override e2e-aws
/override e2e-aws-upgrade-hypershift-operator
/override e2e-azure-self-managed
/override e2e-kubevirt-aws-ovn-reduced
/override e2e-v2-aws

[openshift-ci]

@bryan-cox: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-aks
• e2e-aws
• e2e-aws-upgrade-hypershift-operator
• e2e-azure-self-managed
• e2e-kubevirt-aws-ovn-reduced
• e2e-v2-aws

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/e2e-aks
• ci/prow/e2e-aws
• ci/prow/e2e-aws-upgrade-hypershift-operator
• ci/prow/e2e-azure-self-managed
• ci/prow/e2e-azure-v2-self-managed
• ci/prow/e2e-kubevirt-aws-ovn-reduced
• ci/prow/e2e-v2-aws
• ci/prow/images
• ci/prow/okd-scos-images
• ci/prow/security
• ci/prow/verify-deps
• pull-ci-openshift-hypershift-main-e2e-aks
• pull-ci-openshift-hypershift-main-e2e-aws
• pull-ci-openshift-hypershift-main-e2e-aws-upgrade-hypershift-operator
• pull-ci-openshift-hypershift-main-e2e-azure-self-managed
• pull-ci-openshift-hypershift-main-e2e-azure-v2-self-managed
• pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn-reduced
• pull-ci-openshift-hypershift-main-e2e-v2-aws
• pull-ci-openshift-hypershift-main-images
• pull-ci-openshift-hypershift-main-okd-scos-images
• pull-ci-openshift-hypershift-main-security
• pull-ci-openshift-hypershift-main-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override e2e-aks
/override e2e-aws
/override e2e-aws-upgrade-hypershift-operator
/override e2e-azure-self-managed
/override e2e-kubevirt-aws-ovn-reduced
/override e2e-v2-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override ci/prow/e2e-aks
/override ci/prow/e2e-aws
/override ci/prow/e2e-aws-upgrade-hypershift-operator
/override ci/prow/e2e-azure-self-managed
/override ci/prow/e2e-kubevirt-aws-ovn-reduced
/override ci/prow/e2e-v2-aws

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-aks, ci/prow/e2e-aws, ci/prow/e2e-aws-upgrade-hypershift-operator, ci/prow/e2e-azure-self-managed, ci/prow/e2e-kubevirt-aws-ovn-reduced, ci/prow/e2e-v2-aws

Details

In response to this:

/override ci/prow/e2e-aks
/override ci/prow/e2e-aws
/override ci/prow/e2e-aws-upgrade-hypershift-operator
/override ci/prow/e2e-azure-self-managed
/override ci/prow/e2e-kubevirt-aws-ovn-reduced
/override ci/prow/e2e-v2-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override ci/prow/e2e-azure-v2-self-managed

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-azure-v2-self-managed

Details

In response to this:

/override ci/prow/e2e-azure-v2-self-managed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override ci/prow/e2e-aks

[hypershift-jira-solve-ci]

Confirmed: release imports for initial, n3minor, n4minor, and n2minor all completed successfully. The n1minor (4.22.0) release import is completely absent from the "Imported release" lines — it never completed. Now I have the full picture. Let me produce the final report.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aks
• Build ID: 2053845299289395200
• Target: e2e-aks
• PR: NO-JIRA: Document CEL over webhooks policy for AI agents #8478 (NO-JIRA: Document CEL over webhooks policy for AI agents)
• Cluster: build01 (namespace ci-op-458iwrf5)
• Result: FAILURE (step [release:n1minor] failed during release import phase)

Test Failure Analysis

Error

step [release:n1minor] failed: failed to get CLI image: unable to extract the 'cli' image from the release image: pods "release-images-n1minor-cli" not found

Summary

This is a transient CI infrastructure failure unrelated to the PR content. The job failed during the release image import phase — before any test code executed. ci-operator launched a pod (release-images-n1minor-cli) to extract the CLI image reference from the OCP 4.22 release payload (n1minor). The pod completed successfully (exitCode 0), but was garbage-collected from the Kubernetes API server before ci-operator could read its termination message containing the CLI image pull spec. This race condition prevented the n1minor (OCP 4.22) release import from completing, which blocked the entire e2e-aks test step from running. The four other release imports (initial, n2minor, n3minor, n4minor) all completed successfully — only n1minor was affected.

Root Cause

Race condition in ci-operator's pod termination message retrieval on the CI build cluster.

The precise sequence of events:

1. 14:31:32 — ci-operator resolved n1minor to registry.ci.openshift.org/ocp/release:4.22.0-0.ci-2026-05-11-083123 and imported the release tag.
2. 14:31:33 — Pod release-images-n1minor-cli was created in namespace ci-op-458iwrf5 on node ip-10-0-182-254.ec2.internal. Its job: run cluster-version-operator image cli > /dev/termination-log to extract the CLI image reference.
3. 14:31:37 — Init container (ci-scheduling-dns-wait) completed.
4. 14:31:37–38 — Main container (release) completed with exitCode 0, writing the CLI image reference (registry.ci.openshift.org/ocp/4.22-2026-05-11-083123@sha256:76e1baa...) to the termination message.
5. 14:31:40 — ci-operator acknowledged the pod succeeded ("Pod release-images-n1minor-cli succeeded after 3s"), but by this time the pod object had already been deleted from the API server. The metricsAgent confirmed: pods "release-images-n1minor-cli" not found.
6. Because ci-operator could not read the termination message, it could not determine the CLI image reference for the n1minor release, causing the step to fail with "unable to extract the 'cli' image."

Why n4minor succeeded but n1minor didn't: Both pods completed at nearly the same time on the same node and both were garbage-collected. However, ci-operator processed n4minor's termination message first (the "Waiting to import tag[0] on imagestream stable-n4minor:cli" line appears at 14:31:39, before the pod was deleted). For n1minor, ci-operator was still processing other pods and didn't read n1minor's termination message before the pod was removed.

This namespace (ci-op-458iwrf5) was shared with another job (pull-ci-openshift-hypershift-main-e2e-azure-v2-self-managed), as evidenced by the step-graph manifests having labels for the other job. Namespace sharing can increase pod churn and exacerbate garbage-collection race conditions.

This failure is completely unrelated to PR #8478, which is a documentation-only change ("Document CEL over webhooks policy for AI agents"). No test code was ever executed — the failure occurred in the CI infrastructure's release import machinery.

Recommendations

1. Rerun the job — This is a transient infrastructure flake. A simple re-trigger of ci/prow/e2e-aks should succeed.
2. No code changes needed — PR NO-JIRA: Document CEL over webhooks policy for AI agents #8478 is a documentation-only change and did not contribute to this failure.
3. Consider reporting the flake — If this pattern recurs, file an issue against the openshift/ci-tools repository describing the race condition where completed pods are garbage-collected before ci-operator reads their termination messages during release import. The relevant code path is the CLI image extraction in the [release:*] step handler.

Evidence

Evidence	Detail
Failed step	[release:n1minor] — Import the release payload "n1minor" from an external source
Release	OCP 4.22.0-0.ci-2026-05-11-083123
Pod name	release-images-n1minor-cli in namespace ci-op-458iwrf5
Pod exit code	0 (Succeeded)
Pod termination message	registry.ci.openshift.org/ocp/4.22-2026-05-11-083123@sha256:76e1baa07b1a1193777c56ef46bb9e3d5de21e199fd4a2036f92d90195d0dbe5
Pod created	14:31:33 UTC
Pod completed	14:31:37–38 UTC
Pod not found	14:31:40 UTC (2–3 seconds after completion)
Successful imports	initial (5.0), n2minor (4.21), n3minor (4.20), n4minor (4.19) — all completed
Failed import	n1minor (4.22) — never completed, no "Imported release" log line
Namespace sharing	ci-op-458iwrf5 shared with e2e-azure-v2-self-managed job (confirmed via step-graph labels)
Node	ip-10-0-182-254.ec2.internal (all CLI pods ran on same node)
Job duration	18m30s (14:31:27 – 14:49:57 UTC)
Test execution	None — failure occurred before any test steps ran
Error message	failed to get CLI image: unable to extract the 'cli' image from the release image: pods "release-images-n1minor-cli" not found
Failure reason	executing_graph:step_failed:importing_release

---

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-aks

Details

In response to this:

/override ci/prow/e2e-aks

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-05-11T14:31:25Z
• View Job
• View Job History

[csrwng]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox,csrwng]
• api/OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.