This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
The Dedicated Admin Operator manages RBAC permissions for OpenShift Dedicated (OSD) customers. It watches for new namespaces and automatically assigns RoleBindings to the dedicated-admins group, while using a regex-based blacklist to protect infrastructure namespaces (kube-, openshift-, default, logging, etc.).
make gobuild # Build binary (runs gocheck + gotest first)
make gotest # Run all Go tests
make gocheck # Lint (gofmt -s + go vet)
make build # Docker build (requires clean git checkout or ALLOW_DIRTY_CHECKOUT=true)
make generate-syncset # Generate SelectorSyncSet YAML from manifests/
make clean # Remove build artifacts

Run a single test package:
go test -v ./pkg/controller/namespace/
go test -v ./pkg/dedicatedadmin/

Build with dirty checkout for local testing:
ALLOW_DIRTY_CHECKOUT=true make build

Dependency management: Uses dep (Gopkg.toml/Gopkg.lock), not Go modules.
Operator SDK: v0.5.0 with controller-runtime v0.1.10. The entrypoint is cmd/manager/main.go.
Two active controllers (registered via pkg/controller/add_*.go):
- Namespace Controller (pkg/controller/namespace/): Watches all Namespaces. On create/update, checks the blacklist regex. If not blacklisted, creates two RoleBindings (dedicated-admins-project-0 and dedicated-admins-project-1) binding the dedicated-admins group to the dedicated-admins-project and admin ClusterRoles.
- RoleBinding Controller (pkg/controller/rolebinding/): Self-healing — if a managed RoleBinding is deleted, it recreates it (unless the namespace is blacklisted).
Key packages:
- config/config.go: Constants — operator name, namespace (openshift-dedicated-admin), default blacklist regex
- pkg/dedicatedadmin/: Blacklist logic (IsBlackListedNamespace) and operator config loading from ConfigMap
- pkg/dedicatedadmin/project/resources.go: RoleBinding definitions (the two bindings created per namespace)
- pkg/metrics/: Prometheus gauge for blacklisted namespace count
Blacklist: Comma-separated regexes in ConfigMap key project_blacklist. Default from config/config.go. Evaluated by dedicatedadmin.IsBlackListedNamespace().
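An added example (not the operator's own code) of how a comma-separated pattern list like project_blacklist behaves when patterns are left unanchored, and of rejecting an invalid pattern instead of skipping it. The names compileBlacklist and isProtected and all sample patterns are hypothetical, and it assumes Go's unanchored regexp.MatchString semantics.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// compileBlacklist is a hypothetical helper, not the operator's code. It splits
// a comma-separated pattern list (so a pattern cannot itself contain a comma)
// and compiles each entry. Any invalid entry is returned as an error so the
// caller can fail closed instead of silently losing a protection.
func compileBlacklist(raw string) ([]*regexp.Regexp, error) {
	var out []*regexp.Regexp
	for _, p := range strings.Split(raw, ",") {
		p = strings.TrimSpace(p)
		if p == "" {
			continue
		}
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid blacklist pattern %q: %v", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// isProtected reports whether any pattern matches the namespace name.
func isProtected(ns string, patterns []*regexp.Regexp) bool {
	for _, re := range patterns {
		if re.MatchString(ns) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values, not the operator's default blacklist.
	anchored, _ := compileBlacklist("^kube-.*, ^openshift-.*, ^default$, ^logging$")
	loose, _ := compileBlacklist("kube-,default")
	for _, ns := range []string{"kube-system", "default", "team-kube-tools", "default-apps"} {
		fmt.Printf("%-16s anchored=%v loose=%v\n", ns, isProtected(ns, anchored), isProtected(ns, loose))
	}
	if _, err := compileBlacklist("^kube-.*,^(openshift"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The unanchored list also matches team-kube-tools and default-apps, so customer namespaces with those names would be treated as infrastructure and receive no RoleBindings.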
Resource management: Cluster resources (ClusterRoles, ServiceMonitor, etc.) in manifests/ are managed by Hive SelectorSyncSet, not by the operator code. The generate-syncset make target produces the SyncSet template from manifests.
Tests use the standard Go testing package with controller-runtime's fake client (client.NewFakeClient()). No external test frameworks or envtest setup required.
Test files:
- pkg/dedicatedadmin/dedicatedadmin_test.go — blacklist regex matching
- pkg/controller/namespace/namespace_controller_test.go — namespace reconciliation
- pkg/controller/rolebinding/rolebinding_controller_test.go — RoleBinding self-healing
- Binary: build/_output/bin/dedicated-admin-operator
- Image: ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}/dedicated-admin-operator:v${VERSION} (defaults to quay.io/$USER/...)
- SyncSet template: build/templates/olm-artifacts-template.yaml.tmpl