Skip to content

CNTRLPLANE-3731: Add Agentic SDLC context files to cluster-policy-controller#191

Open
atiratree wants to merge 1 commit into
openshift:mainfrom
atiratree:CNTRLPLANE-3731
Open

CNTRLPLANE-3731: Add Agentic SDLC context files to cluster-policy-controller#191
atiratree wants to merge 1 commit into
openshift:mainfrom
atiratree:CNTRLPLANE-3731

Conversation

@atiratree

@atiratree atiratree commented Jun 26, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Documentation
    • Added an AI agent development guide covering controller workflows, do/don’t guidance, common agent mistakes, security considerations, and unit test expectations.
    • Added a new architecture overview describing the deployment model, end-to-end data flow, controller responsibilities, informer strategy, and failure/recovery behaviors.
    • Added contributor documentation covering contribution scope, review expectations, local development, testing/CI, and cluster verification steps.
    • Updated the main README with links to the new docs and redirected CLAUDE to the agent guide.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 26, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

@atiratree: This pull request references CNTRLPLANE-3731 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from benluddy and tjungblu June 26, 2026 09:26
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign atiratree for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

This PR adds repository documentation in AGENTS.md, ARCHITECTURE.md, and CONTRIBUTING.md, updates CLAUDE.md to point to AGENTS.md, and adds README links to the new docs.

Changes

Repository documentation set

Layer / File(s) Summary
Entry points
AGENTS.md, CLAUDE.md, README.md
Adds the new agent guide, redirects CLAUDE.md to it, and links the documentation set from the README.
Agent rules
AGENTS.md
Documents controller scope, library-go patterns, development rules, common mistakes, security notes, testing guidance, and contact references.
Architecture overview
ARCHITECTURE.md
Describes the controller deployment model, startup flow, registration and enablement rules, and the main controller responsibilities.
Controller behavior
ARCHITECTURE.md
Covers namespace security allocation, resource quota management, cluster quota reconciliation, CSR approval, and PSA label synchronization.
Infrastructure and failure modes
ARCHITECTURE.md
Covers informer/client setup, design decisions, and failure and recovery behavior.
Contributor workflow
CONTRIBUTING.md
Adds contribution scope, coding conventions, testing expectations, PR workflow, review expectations, local development steps, and resource links.

Estimated code review effort: 2 (Simple) | ~20 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding agentic SDLC context/documentation files to cluster-policy-controller.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR changes are docs-only (AGENTS.md, ARCHITECTURE.md, CLAUDE.md, CONTRIBUTING.md, README.md); no test titles were added or modified.
Test Structure And Quality ✅ Passed PASS — This PR only changes docs (AGENTS/ARCHITECTURE/CONTRIBUTING/README/CLAUDE); no Ginkgo or test files changed, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed Docs-only PR; no new Ginkgo/e2e test code or MicroShift-sensitive API usage was added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Only markdown docs changed; no new Go/Ginkgo e2e tests were added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: This PR only changes markdown docs; no deployment manifests, operator code, or controllers were modified, so topology-aware scheduling checks don't apply.
Ote Binary Stdout Contract ✅ Passed Only markdown docs changed; no process-level binary code or stdout paths were modified, so the OTE stdout contract is unaffected.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only markdown docs changed; no new Ginkgo e2e tests or network-dependent test code was added.
No-Weak-Crypto ✅ Passed The PR only adds/links documentation; changed files contain no weak-crypto algorithms, custom crypto code, or secret/token comparisons.
Container-Privileges ✅ Passed Only markdown docs changed; no container/K8s manifests were modified, so there are no privilege settings to flag.
No-Sensitive-Data-In-Logs ✅ Passed Only markdown docs were added/edited; no code or log statements were introduced, so no sensitive data exposure in logs.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Around line 185-201: The fenced diagram/example blocks in AGENTS.md are
unlabeled, which triggers markdownlint and removes highlighting. Update both
affected fenced blocks near the ClusterPolicyController flow and the later
example section to use an explicit language tag such as text, keeping the
content unchanged. Make sure the fix applies to both identified blocks,
including the one referenced by the ControllerInitializers /
RunClusterPolicyController diagram.
- Around line 245-246: AGENTS.md has stale Go and Kubernetes client version
references that no longer match the module metadata. Update both version
mentions in the guide so they align with the values declared in go.mod and
vendor/modules.txt, changing the Go version reference from 1.25 to 1.23.0 and
the client-go reference from v1.35.2 to v0.32.2. Make the same correction in
both AGENTS.md sections that describe these toolchain/dependency versions.

In `@ARCHITECTURE.md`:
- Around line 297-300: Fix the spelling of the controller name in the Components
list so it matches the Reconciliation naming used elsewhere. Update the
referenced `ClusterQuotaReconcilationController` entry in `ARCHITECTURE.md` to
the correct `ClusterQuotaReconciliationController` spelling, keeping the rest of
the section unchanged.
- Around line 39-441: The fenced examples in ARCHITECTURE.md are missing
language identifiers, which is triggering MD040. Update each fenced block in the
document to use an appropriate tag such as text for diagrams and plain examples,
and any other fitting language where relevant, so the snippets are properly
labeled and the lint warning is cleared. Use the existing fenced sections around
the architecture diagrams and code samples as the targets.

In `@CONTRIBUTING.md`:
- Around line 62-69: Clarify the filename convention in CONTRIBUTING.md by
scoping “All filenames should be lowercase” to source/package filenames, or
explicitly exempting top-level documentation files like the repo-root docs
referenced elsewhere. Update the Directory and File Conventions section so the
rule no longer conflicts with uppercase root docs, and keep the guidance
consistent with the existing notes about Go source files, package directories,
and nested subdirectories.
- Around line 170-179: The verification command text is inconsistent with the
repository guidance and should be aligned in CONTRIBUTING.md. Update the section
that describes PR verification to use the actual supported commands referenced
by AGENTS.md, specifically /verified or /verified by ci, and remove the
unsupported /verified by @{your_github_handle} wording. Keep the surrounding
Cluster Bot guidance intact while making the verification step match the real
merge workflow.
- Around line 128-137: The markdown examples in CONTRIBUTING.md use unlabeled
code fences that trigger MD040. Update the PR title example block in the example
section and the directory tree block referenced in the comment to include a
fence language such as text so the fences are explicitly labeled. Use the
existing example sections around the PR title examples and directory tree
snippet to locate and adjust the fences consistently.
- Around line 223-245: The Go version requirement in CONTRIBUTING.md is
inconsistent with the repository’s actual toolchain; update the Required Tools
and verification text to match the Go version used by go.mod and
Dockerfile.rhel. Keep the wording aligned with the repo’s build/runtime
requirement, and ensure the version note under the prerequisite check reflects
the same Go version.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fdbc0af8-6748-42ca-b60d-53e69262e277

📥 Commits

Reviewing files that changed from the base of the PR and between 050c1ee and cf1ec18.

📒 Files selected for processing (4)
  • AGENTS.md
  • ARCHITECTURE.md
  • CLAUDE.md
  • CONTRIBUTING.md

Comment thread AGENTS.md Outdated
Comment on lines +185 to +201
```
cmd/cluster-policy-controller/main.go
NewClusterPolicyControllerCommand("start")
RunClusterPolicyController()
├──▶ Parse OpenShiftControllerManagerConfig
├──▶ Wait for API server health (/healthz, up to 5 min)
├──▶ Create EnhancedControllerContext
├──▶ Iterate ControllerInitializers map
│ └──▶ For each enabled controller: call InitFunc
├──▶ StartInformers()
└──▶ Block on ctx.Done()
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Label the bare fenced examples.

These two diagrams/examples are missing a language tag, which trips markdownlint and disables syntax highlighting. Use text (or another explicit label) for both blocks.

Also applies to: 205-247

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 185-185: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 185 - 201, The fenced diagram/example blocks in
AGENTS.md are unlabeled, which triggers markdownlint and removes highlighting.
Update both affected fenced blocks near the ClusterPolicyController flow and the
later example section to use an explicit language tag such as text, keeping the
content unchanged. Make sure the fix applies to both identified blocks,
including the one referenced by the ControllerInitializers /
RunClusterPolicyController diagram.

Source: Linters/SAST tools

Comment thread AGENTS.md Outdated
Comment on lines +245 to +246
├── go.mod # Go 1.25, k8s v1.35.2
└── OWNERS # control-plane-approvers, ibihim, liouk

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "go.mod toolchain:"
grep -nE '^(go |toolchain )' go.mod || true

echo
echo "client-go references:"
grep -nE 'client-go|k8s.io/client-go' go.mod vendor/modules.txt || true

echo
echo "AGENTS.md version claims:"
rg -n 'Go 1\.25|client-go v1\.35\.2|k8s v1\.35\.2' AGENTS.md

Repository: openshift/cluster-policy-controller

Length of output: 29111


Update the version references in AGENTS.md
AGENTS.md still says Go 1.25 and client-go v1.35.2, but go.mod/vendor/modules.txt declare go 1.23.0 and k8s.io/client-go v0.32.2. Please align the guide in both places (AGENTS.md:245-246 and AGENTS.md:566-567).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 245 - 246, AGENTS.md has stale Go and Kubernetes
client version references that no longer match the module metadata. Update both
version mentions in the guide so they align with the values declared in go.mod
and vendor/modules.txt, changing the Go version reference from 1.25 to 1.23.0
and the client-go reference from v1.35.2 to v0.32.2. Make the same correction in
both AGENTS.md sections that describe these toolchain/dependency versions.

Comment thread ARCHITECTURE.md Outdated
Comment thread ARCHITECTURE.md Outdated
Comment thread CONTRIBUTING.md
Comment on lines +62 to +69
### Directory and File Conventions

- Avoid package sprawl. Find an appropriate subdirectory for new packages.
- Libraries with no appropriate home belong in new package subdirectories of `pkg/`.
- Avoid general utility packages. Packages called "util" are suspect. Instead, derive a name that describes your desired function.
- All filenames should be lowercase.
- Go source files and directories use underscores, not dashes.
- Package directories should generally avoid using separators as much as possible. When package names are multiple words, they usually should be in nested subdirectories.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Scope the filename rule.

“All filenames should be lowercase” conflicts with the uppercase repo-root docs you reference later. Narrow this to source/package filenames or explicitly exempt the top-level docs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTRIBUTING.md` around lines 62 - 69, Clarify the filename convention in
CONTRIBUTING.md by scoping “All filenames should be lowercase” to source/package
filenames, or explicitly exempting top-level documentation files like the
repo-root docs referenced elsewhere. Update the Directory and File Conventions
section so the rule no longer conflicts with uppercase root docs, and keep the
guidance consistent with the existing notes about Go source files, package
directories, and nested subdirectories.

Comment thread CONTRIBUTING.md
Comment on lines +128 to +137
**Example PR Title**:
```
OCPBUGS-12345: fix UID range allocation for namespaces with existing annotations
```

or

```
NO-JIRA: fix typo in CONTRIBUTING.md
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Label the unlabeled fences.

These blocks will keep tripping markdownlint MD040; add a fence language (text is fine here) to the PR title examples and the directory tree block. As per static analysis, the warnings are at lines 129, 135, and 272.

Also applies to: 272-280

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 129-129: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


[warning] 135-135: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTRIBUTING.md` around lines 128 - 137, The markdown examples in
CONTRIBUTING.md use unlabeled code fences that trigger MD040. Update the PR
title example block in the example section and the directory tree block
referenced in the comment to include a fence language such as text so the fences
are explicitly labeled. Use the existing example sections around the PR title
examples and directory tree snippet to locate and adjust the fences
consistently.

Source: Linters/SAST tools

Comment thread CONTRIBUTING.md
Comment on lines +170 to +179
As part of merging a PR, there is a requirement to verify that the changes you've made are working as expected using the `/verified` comment command.

While there are a lot of scenarios where the existing CI/CD checks may be sufficient to verify your changes are working (and can be denoted by commenting `/verified by ci`),
there may be scenarios where manual verification is required.

You can use the `Cluster Bot` Slack App to create a cluster from a PR by sending it a message in the format of `launch ${OCP_VERSION},${PR_LINK} ${PLATFORM},${VARIANT}`.
As an example, `launch 4.22,https://github.com/openshift/cluster-policy-controller/pull/123 aws` would launch an OpenShift 4.22 cluster with the changes made in the PR running on AWS.
For more information on what `Cluster Bot` can do, you can send it a message saying `help` and it will respond with additional documentation on how it can be used.

Once you've verified your changes work as expected, you can mark the PR as verified by commenting `/verified by @{your_github_handle}` on the PR.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Use the documented verification syntax.

/verified by @{your_github_handle} doesn’t match the repo guidance in AGENTS.md, which only mentions /verified or /verified by ci. Please align this section with the actual PR command syntax. Based on learnings, use /verified or /verified by ci when marking a PR verified before merge.

🧰 Tools
🪛 LanguageTool

[style] ~172-~172: Consider using a synonym to be more concise.
Context: ...fied` comment command. While there are a lot of scenarios where the existing CI/CD chec...

(A_LOT_OF)


[uncategorized] ~179-~179: The official name of this software platform is spelled with a capital “H”.
Context: ...n mark the PR as verified by commenting /verified by @{your_github_handle} on the PR. ### Additional Res...

(GITHUB)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTRIBUTING.md` around lines 170 - 179, The verification command text is
inconsistent with the repository guidance and should be aligned in
CONTRIBUTING.md. Update the section that describes PR verification to use the
actual supported commands referenced by AGENTS.md, specifically /verified or
/verified by ci, and remove the unsupported /verified by @{your_github_handle}
wording. Keep the surrounding Cluster Bot guidance intact while making the
verification step match the real merge workflow.

Source: Learnings

Comment thread CONTRIBUTING.md
@tchap

tchap commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

I put together this summary and overall review. Feel free to check it out or feed it to an agent:

Desired Document Structure

The files follow a clear design: AGENTS.md is the agent entry point, ARCHITECTURE.md holds architecture details, CONTRIBUTING.md is shared across repos, and README.md is kept slim. Files are meant to link to each other rather than duplicate content. CLAUDE.md symlinks to AGENTS.md.

This review evaluates each file against that intent and these principles:

  1. Don't duplicate what can be inferred from code — An agent (or grep) can discover file paths, function signatures, and directory structure on its own. Documenting these is low-value and creates staleness risk.
  2. Focus on the non-obvious — The why behind decisions, hidden invariants, traps, ordering constraints, and things that break silently.
  3. Keep facts verifiable or omit them — Hardcoded version numbers, file lists, and directory trees rot. Either say "check go.mod" or don't include the number.
  4. Link, don't duplicate — Each file has its own role. When content belongs in another file, link to it.
  5. Minimize maintenance burden — Every fact that can change is a future incorrect statement.

File-by-file Assessment

AGENTS.md (653 lines)

Good parts:

  • "Common Agent Mistakes to Avoid" section — high-value, non-obvious, agent-specific. This is the best section in the file.
  • "What to Never Do" / "What to Ask First" — concise guardrails with clear why explanations.
  • Security Notes — highlights irreversible/dangerous areas.
  • Links to ARCHITECTURE.md and CONTRIBUTING.md for details — correct cross-referencing.

Problems:

Issue Severity Details
File is too long (653 lines) Medium Since CLAUDE.md symlinks to AGENTS.md, this entire file is loaded into agent context every turn. Trimming the items below would significantly reduce its size and focus it on the high-value content agents can't infer from code.
Content that should only live in ARCHITECTURE.md High Despite the intent to link rather than duplicate, several sections are copy-pasted from ARCHITECTURE.md: the Controller table (lines 112-119), startup flow diagram (lines 185-201), EnhancedControllerContext description (lines 170-181), and controller initialization pattern (lines 148-168). These should be replaced with links to the corresponding ARCHITECTURE.md sections.
Directory tree with inline comments Medium Lines 205-246: The full directory tree with comments is guessable from find. It will rot (it already claims repair.go (embedded in above) but repair_test.go exists as a standalone file).
Test file list Medium Lines 621-632: Exhaustive test file enumeration adds nothing an agent can't get from find . -name '*_test.go'. Will rot.
Stale version numbers High Line 245/566-567: Claims "Go 1.25" and "k8s v1.35.2" — actual go.mod says Go 1.23.0 and client-go v0.32.2. The "check go.mod" caveat doesn't help when the displayed number contradicts it.
"Important Files" table Low Lines 249-258: duplicates the directory tree above it.
Testify claim Low Line 634: "Go testing + testify assertions" — testify is used in only 2 of 10 test files, most use raw testing. Minor but imprecise.
"Tech Stack" section Low Lists dependencies an agent can read from go.mod. Low value, high rot.
Namespaces section Low Lines 583-593: duplicates info already in ARCHITECTURE.md.

ARCHITECTURE.md (590 lines)

Good parts:

  • "Why Does It Exist?" section — excellent high-level motivation.
  • "Design Decisions" section — documents why, with trade-offs. This is the gold standard for what architecture docs should contain.
  • "Failure Modes and Recovery" — operationally valuable, non-obvious.
  • Controller detail sections with flow diagrams — useful shared knowledge. This is the right home for this content.

Problems:

Issue Severity Details
Typo Low Line 299: ClusterQuotaReconcilationController (missing 'i' in Reconciliation).
Code fences without language tags Low Some fenced blocks lack language identifiers (e.g., the ASCII diagrams). Cosmetic lint issue.

CONTRIBUTING.md (419 lines)

This file is shared across repos, so most findings here are not specific to this PR. Noting them for awareness.

Good parts:

  • Clear PR process with Jira prefix convention.
  • Rebase checklist — very practical.
  • Debugging section with oc commands — immediately useful for humans.
  • AI code review etiquette note — relevant and timely.

Problems (noting these are constrained by the shared-across-repos nature):

Issue Severity Details
Go version wrong High Line 225: "Go 1.25+" — actual is 1.23.0. This one is repo-specific and should be fixed.

Summary of Main Findings

  1. Version numbers are wrong across files — Go 1.25 and k8s v1.35.2 are stated but the actual versions are Go 1.23.0 and client-go v0.32.2. Either fix them or (better) remove them entirely and just say "see go.mod".

  2. AGENTS.md duplicates ARCHITECTURE.md despite the intent to link — The controller table, startup flow, EnhancedControllerContext description, and initialization pattern appear in both files. Replacing these with links to ARCHITECTURE.md would cut AGENTS.md significantly and eliminate the main source of duplication.

  3. AGENTS.md contains too much guessable-from-code content — Directory trees, test file lists, dependency lists, and "Important Files" tables will rot and add no value over what find, grep, and go.mod already provide. Removing them further trims the file that gets loaded into agent context every turn.

  4. The highest-value content is correctly placed — "Common Agent Mistakes", "What to Never Do", "Design Decisions", and "Failure Modes" are exactly the kind of non-obvious, hard-to-infer-from-code information these files should contain.

Recommendations

  • Replace duplicated sections in AGENTS.md with links to ARCHITECTURE.md — the architecture content already lives in the right place; AGENTS.md just needs to point there instead of repeating it.
  • Remove guessable-from-code content from AGENTS.md — directory trees, test file lists, dependency lists. This reduces file length and maintenance burden.
  • Remove or replace hardcoded version numbers with "check go.mod" throughout.
  • Fix the typo in ARCHITECTURE.md line 299 (ReconcilationReconciliation).

@atiratree

Copy link
Copy Markdown
Member Author

@tchap thanks for the feedback. I hope it is better now.

@tchap

tchap commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Two things:

  1. I would add links to the other docs into README, because people are not gonna notice.
  2. I would reconsider whether ARCHITECTURE needs to be so detailed, and I would in particular try not to mention containts like 30 seconds and what not. This is simply about preventing rot.

Overall it's always hard to review this, because it's more of a art. If it works for the agents, it's ok. I also take it as bit of a WIP, especially AGENTS.md, which can be updated regularly based on what works and what doesn't.

Personally I find the structure good and pretty complete. I haven't verified all the details about the architecture, though, I am assuming it's correct and I am mostly reviewing the structure.

@tchap

tchap commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

BTW for some reason your branch is 28 commits behind main, so you should rather rebase to make sure the files contain right and up-to-date information.

@tchap

tchap commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

I tried some verification with Claude:

Factual Accuracy Verification

Claims in all four files were verified against the source code. Most are accurate. The following discrepancies were found:

Errors

1. Privileged Namespaces Controller targets — ARCHITECTURE.md line 383

Claim: "Target Namespaces: Namespaces matching OpenShift infrastructure patterns (openshift-*, kube-*, default)."

Actual: The controller uses factory.NamesFilter("default", "kube-system", "kube-public") — three exact namespace names, no wildcards. It does not target openshift-* namespaces or all kube-* namespaces.

2. PSA annotation casing — ARCHITECTURE.md line 364

Claim: security.openshift.io/minimally-sufficient-pod-security-standard (kebab-case)

Actual: security.openshift.io/MinimallySufficientPodSecurityStandard (camelCase), per vendor/github.com/openshift/api/security/v1/consts.go.

3. WorkQueueBucket type name — ARCHITECTURE.md line 287

Claim: Lists WorkQueueBucket as a component.

Actual: The public interface is BucketingWorkQueue; the private struct is workQueueBucket (lowercase). No public type WorkQueueBucket exists.

Misleading

4. Service account constant claim — AGENTS.md line 300

Claim: "Every controller uses a dedicated service account name constant in config.go"

Actual: Five of six do, but resourcequota-controller uses an inline string literal in pkg/cmd/controller/quota.go, not a constant in config.go.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 3, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 3, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Line 300: The service-account guidance in AGENTS.md is too absolute given the
current controller set, since one controller still uses an inline literal
instead of a config.go constant. Reword the rule to make the dedicated service
account constant the preferred pattern, or explicitly mention the exception, and
use the controller/client-builder terminology already present so it’s easy to
align with ClientBuilder.Client() and the config.go constants.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 761a8945-9654-43fc-88d0-c48a72df7d58

📥 Commits

Reviewing files that changed from the base of the PR and between cf1ec18 and e30089e.

📒 Files selected for processing (5)
  • AGENTS.md
  • ARCHITECTURE.md
  • CLAUDE.md
  • CONTRIBUTING.md
  • README.md
✅ Files skipped from review due to trivial changes (2)
  • CLAUDE.md
  • README.md

Comment thread AGENTS.md
@atiratree

Copy link
Copy Markdown
Member Author

Thanks for the second review. I tried to incorporate the suggestions.

BTW for some reason your branch is 28 commits behind main, so you should rather rebase to make sure the files contain right and up-to-date information.

Doh! I mixed up the master x main again.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 9-13: The last reference in the README resource list is pointing
back to README.md instead of the contribution guide, creating a self-loop.
Update the final bullet in the README.md links section so the CONTRIBUTING.md
entry points to the actual contribution guide, matching the surrounding
AGENTS.md and ARCHITECTURE.md links.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e4f1bde4-0d24-43dd-b229-3caad6c10cb6

📥 Commits

Reviewing files that changed from the base of the PR and between e30089e and ef42976.

📒 Files selected for processing (5)
  • AGENTS.md
  • ARCHITECTURE.md
  • CLAUDE.md
  • CONTRIBUTING.md
  • README.md
✅ Files skipped from review due to trivial changes (1)
  • CLAUDE.md

Comment thread README.md
Comment thread AGENTS.md Outdated

## Common Workflows

### Adding a New Controller

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like much of the following can be guessed from existing code since there are existing controllers. I would be careful with particular code snippets or checklists if it's just copying actual existing code. This AGENTS.md is still pretty long. The following section of what to do and what not to do is nice, but perhaps the code snippets are not that helpful. Just something to consider...

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, I removed most of the code snippets.

@atiratree atiratree force-pushed the CNTRLPLANE-3731 branch 2 times, most recently from 0cc4bd0 to ab2ea96 Compare July 7, 2026 09:40

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Around line 67-69: The filename policy in AGENTS.md is inconsistent with
existing uppercase repo-root documentation like AGENTS.md itself. Update the
guidance in the “What to Always Do” section to scope the lowercase rule to
source/package filenames or explicitly exempt top-level documentation files, and
make sure the wording is internally consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e9da5ccd-8cf6-46d4-b2b5-08b2bbbdd461

📥 Commits

Reviewing files that changed from the base of the PR and between 8489990 and ab2ea96.

📒 Files selected for processing (5)
  • AGENTS.md
  • ARCHITECTURE.md
  • CLAUDE.md
  • CONTRIBUTING.md
  • README.md
✅ Files skipped from review due to trivial changes (2)
  • CLAUDE.md
  • README.md

Comment thread AGENTS.md
Comment on lines +67 to +69

### What to Always Do

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Scope the filename rule.

This guidance is self-contradictory as written: the repo-root docs in this PR are uppercase, including this file. Narrow it to source/package filenames or explicitly exempt top-level documentation files.

♻️ Proposed fix
- - All filenames should be lowercase.
+ - Source/package filenames should be lowercase.
+   - Top-level documentation files are exempt.

As per coding guidelines: All filenames should be lowercase.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 67 - 69, The filename policy in AGENTS.md is
inconsistent with existing uppercase repo-root documentation like AGENTS.md
itself. Update the guidance in the “What to Always Do” section to scope the
lowercase rule to source/package filenames or explicitly exempt top-level
documentation files, and make sure the wording is internally consistent.

Source: Coding guidelines

@tchap

tchap commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
Comment thread AGENTS.md Outdated
Comment on lines +44 to +45
- Synchronize Pod Security Admission labels based on SCC assignments
- Label privileged system namespaces with PSA privileged level

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Synchronize Pod Security Admission labels based on SCC assignments
- Label privileged system namespaces with PSA privileged level
- If PSA enforcement is turned on, synchronize Pod Security Admission (PSA) labels based on SCC assignments
- If PSA enforcement is turned off, synchronize only warn and audit PSA labels based on SCC assignments

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, mentioning the enforcement now.

Comment thread AGENTS.md Outdated

- **Don't forget the service account constant** - Every controller should use a dedicated service account name constant in `config.go` for `ClientBuilder.Client()`. Missing this means the controller can't authenticate.

- **Don't confuse the two PSA label sync controllers** - There are two distinct controllers: `podsecurity-admission-label-syncer` (syncs labels based on SCC/RBAC analysis) and `privileged-namespaces-psa-label-syncer` (just labels system namespaces as privileged). They serve different purposes.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non sense, they are being used based on the feature flag for PSA enforcement.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed some of these design decissions/nuances from this section. It should not be in a Mistakes section.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this was my mistake. We enforce privileged for "default", "kube-system" and "kube-public" with a dedicated controller. I mixed it up with the feature flag variant.

Comment thread AGENTS.md Outdated

- **Don't confuse the two PSA label sync controllers** - There are two distinct controllers: `podsecurity-admission-label-syncer` (syncs labels based on SCC/RBAC analysis) and `privileged-namespaces-psa-label-syncer` (just labels system namespaces as privileged). They serve different purposes.

- **Don't modify `nsexemptions/` without understanding the implications** - The namespace exemption list determines which namespaces are never synced by the PSA label syncer. Changes here affect cluster security posture.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would feel most comfortable if an AI wouldn't change this at all. Only reason for an AI to touch this is to cheat on tests.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, changed the wording

Comment thread AGENTS.md Outdated

- **Don't use table-driven tests without the `t.Run()` pattern** - All tests should use subtests for better failure isolation:

- **Don't assume the PSA label syncer controls all namespaces** - It only syncs namespaces where `security.openshift.io/scc.podSecurityLabelSync` is not `"false"` and the namespace is not exempted. System namespaces starting with `openshift-` require explicit opt-in.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not know why an agent would assume that and why it would need this for development.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed

Comment thread ARCHITECTURE.md Outdated
│ │ │ │ ┌──────────────┐ ┌──────────────────────────┐ │ │ │ │
│ │ │ │ │ Namespace │ │ Pod Security Admission │ │ │ │ │
│ │ │ │ │ SCC │ │ Label Syncer │ │ │ │ │
│ │ │ │ │ Allocation │ │ (+ Privileged NS) │ │ │ │ │

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(+ Privileged NS)?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed the diagram to mention all the 6 controllers

Comment thread ARCHITECTURE.md Outdated
Apply PSA labels (server-side apply):
- pod-security.kubernetes.io/enforce: <level>

@ibihim ibihim Jul 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only if feature flag is enabled as mentioned in "two modes".

Comment thread ARCHITECTURE.md

**Field Ownership**: Uses server-side apply with field manager `pod-security-admission-label-synchronization-controller`. Includes logic to migrate ownership from the legacy `cluster-policy-controller` field manager.

### 6. Privileged Namespaces PSA Label Syncer

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would remove this and settle solely on 5.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably doesn't hurt to have it here since we an overview of every controller, but I can remove it if you think it doesn't give much useful/extra information.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this was my mistake. We enforce privileged for "default", "kube-system" and "kube-public".

Comment thread ARCHITECTURE.md
```yaml
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged

@ibihim ibihim Jul 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrong.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried on a live cluster, and we do have these labels set.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this was my mistake. We enforce privileged for "default", "kube-system" and "kube-public".

Comment thread ARCHITECTURE.md Outdated
**Rationale**:
- **Different logic**: System namespaces are always privileged (simple). User namespaces need SCC/RBAC analysis (complex).
- **Different failure modes**: The privileged controller is critical infrastructure. The syncer is more nuanced and can be wrong without catastrophic impact.
- **Different opt-in models**: System namespaces are always labeled. User namespaces can opt out.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only reason is the feature flag. One sets all 3 PSA labels, the other doesn't set the enforce label, which therefore falls back to the global variable, which is privileged.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was not entirerly correct so I removed this section. I am keeping only the more obvious Design Decisions for the AI.

Comment thread ARCHITECTURE.md Outdated
**Symptom**: Multiple field managers trying to set the same PSA labels.

**Recovery**:
- The controller detects when another manager owns a label and backs off

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming human intervention <- customer sets a different label by hand

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack - changed the wording

@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

New changes are detected. LGTM label has been removed.

Comment thread ARCHITECTURE.md Outdated
Take the most permissive PSA level across all SAs
Apply the following PSA labels if OpenShiftPodSecurityAdmission feature is enabled (server-side apply):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, if I wasn't specific enough:

  • If OpenShiftPodSecurityAdmission=true we set pod-security.kubernetes.io/enforce, pod-security.kubernetes.io/warn and pod-security.kubernetes.io/audit
  • If OpenShiftPodSecurityAdmission=false pod-security.kubernetes.io/warn and pod-security.kubernetes.io/audit. we do not set we set pod-security.kubernetes.io/enforce,

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, using your wording now.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@atiratree: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security ed4cba0 link false /test security
ci/prow/e2e-aws ed4cba0 link true /test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants