diff --git a/config/lychee.toml b/config/lychee.toml
index 8a90b99..b5ed339 100644
--- a/config/lychee.toml
+++ b/config/lychee.toml
@@ -1,4 +1,8 @@
root_dir = "content/en"
fallback_extensions = ["md", "html"]
-exclude = ["https://goteleport.com/"] # Teleport always returns 403, even it is available
+exclude = [
+ "https://goteleport.com/", # Teleport always returns 403, even it is available
+ "https://docs.redhat.com/", # Red Hat docs return 403 to bots
+ "https://issues.redhat.com/", # Red Hat issue tracker returns 403 to bots
+]
exclude_path = ["public/docs/reference/"]
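Review bot: the comment carried over on the goteleport entry still reads "even it is available"; since the line is rewritten anyway, make it "even if it is available". Separately, excluding all of `https://docs.redhat.com/` and `https://issues.redhat.com/` means the new 4.21 URLs in openshift.md and the RFE link are no longer checked at all, so a renamed or removed Red Hat page will never be noticed; if lychee's `accept` status-code list (allowing 403 for those hosts) or a browser-like user agent gets past the bot block, that keeps the links under verification instead of silencing them wholesale.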
diff --git a/content/en/docs/operating/setup/installation.md b/content/en/docs/operating/setup/installation.md
index c363ac9..c677253 100644
--- a/content/en/docs/operating/setup/installation.md
+++ b/content/en/docs/operating/setup/installation.md
@@ -118,8 +118,8 @@ manager:
Before you enable this option, you must implement the required permissions for your use case. Depending on which features you are using, you may need to take manual action, for example:
* [Migrate additional RoleBindings](/docs/tenants/permissions/#strict)
-
-
+* [Migrate `TenantResources` to use impersonation](/docs/replications/tenant/#impersonation)
+* [Migrate `GlobalTenantResources` to use impersonation](/docs/replications/global/#impersonation)
### Admission Policies
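Review bot: the two removed blank lines were the only separation between the bullet list and `### Admission Policies`; with the two new bullets in place, keep one blank line after the `GlobalTenantResources` item so the list is closed before the heading, matching the spacing used elsewhere in this file.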
diff --git a/content/en/docs/operating/setup/openshift.md b/content/en/docs/operating/setup/openshift.md
index 1a86b1c..b9dea23 100644
--- a/content/en/docs/operating/setup/openshift.md
+++ b/content/en/docs/operating/setup/openshift.md
@@ -9,12 +9,12 @@ description: >
Capsule is a Kubernetes multi-tenancy operator that enables secure namespace-as-a-service in Kubernetes clusters. When combined with OpenShift's robust security model, it provides an excellent platform for multi-tenant environments.
-This guide demonstrates how to deploy Capsule and Capsule Proxy on OpenShift using the `nonroot-v2` and `restricted-v2` [SecurityContextConstraint (SCC)](https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/authentication_and_authorization/managing-pod-security-policies), ensuring tenant owners operate within OpenShift's security boundaries.
+This guide demonstrates how to deploy Capsule and Capsule Proxy on OpenShift using the `nonroot-v2` and `restricted-v2` [SecurityContextConstraint (SCC)](https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/authentication_and_authorization/managing-pod-security-policies), ensuring tenant owners operate within OpenShift's security boundaries.
## Why Capsule on OpenShift
-While OpenShift can be already configured to be quite multi-tenant (together with for example Kyverno), Capsule takes it a step further and easier to manage.
+While OpenShift can already be configured for multi-tenancy (for example with Kyverno), Capsule takes it a step further and makes it easier to manage.
-When people say a multitenant kubernetes cluster, they often think they will get one or two namespaces inside a cluster, with not that much privileges. But: Capsule is different. As a tenant owner, you can create as many namespaces as you want. RBAC is much easier, since Capsule is handling it, making it less error-prone. And resource quota is not set per namespace, but it's spread across a whole tenant, making management easy. Not to mention RBAC issues while listing clusterwide resources that are solved by the Capsule Proxy. Also, even some operators are able to be installed inside a tenant because of the [Capsule Proxy](/docs/proxy/). Add the service account as a tenant owner, and set the env variable `KUBERNETES_SERVICE_HOST` of the operator deployment to the capsule proxy url. Now your operator thinks it is admin, but it lives completely inside the tenant.
+When people think of a multi-tenant Kubernetes cluster, they often expect one or two namespaces with few privileges. Capsule, however, is different. As a tenant owner, you can create as many namespaces as you want. RBAC is much easier because Capsule handles it, making it less error-prone. Resource quotas are not set per namespace but are spread across the whole tenant, simplifying management. Capsule Proxy also solves RBAC issues when listing cluster-wide resources. Furthermore, some operators can be installed inside a tenant by using the [Capsule Proxy](/docs/proxy/): add the service account as a tenant owner and set the `KUBERNETES_SERVICE_HOST` environment variable of the operator deployment to the Capsule Proxy URL. The operator then behaves as if it has cluster-admin access, while remaining fully confined to the tenant.
## Prerequisites
Before starting, ensure you have:
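Review bot: "The operator then behaves as if it has cluster-admin access" overstates what the proxy grants; the operator only gets a cluster-wide API view filtered to its tenant, and its effective permissions are those of the tenant owner it was added as. Suggest "The operator can then list cluster-wide resources as if it were cluster-admin, while its actual permissions and visibility remain confined to the tenant." That distinction matters because readers may otherwise treat this pattern as a privilege escalation rather than a scoping mechanism.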
@@ -24,26 +24,27 @@ Before starting, ensure you have:
- cert-manager installed
## Limitations
-There are a few limitations that are currently known of using OpenShift with Capsule:
-- A tenant owner can not create a namespace/project in the OpenShift GUI. This must be done with `kubectl`.
-- When copying the `login token` from the OpenShift GUI, there will always be the server address of the kubernetes api instead of the Capsule Proxy. There is a RFE created at Red Hat to make this url configurable ([RFE-7592](https://issues.redhat.com/browse/RFE-7592)). If you have a support contract at Red Hat, it would be great to create a SR and ask that you would also like to have this feature to be implemented. The more requests there are, the more likely it will be implemented.
+The following limitations are known when using OpenShift with Capsule:
+- A tenant owner cannot create a namespace/project in the OpenShift GUI. This must be done with `kubectl`.
+- When copying the `login token` from the OpenShift GUI, the server address will always point to the Kubernetes API instead of the Capsule Proxy. An RFE has been filed with Red Hat to make this URL configurable ([RFE-7592](https://issues.redhat.com/browse/RFE-7592)). If you have a support contract with Red Hat, consider opening a support request (SR) asking for this feature. The more requests there are, the higher the priority.
## Capsule Installation
-### Remove selfprovisioners rolebinding
-By default, OpenShift comes with a selfprovisioner role and rolebinding. This role lets all users always create namespaces. For the use case of Capsule, this should be removed. The [Red Hat documentation](https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/building_applications/projects#disabling-project-self-provisioning_configuring-project-creation) can be found here.
-Remove the subjects from the rolebinding:
+### Remove the self-provisioners ClusterRoleBinding
+By default, OpenShift includes a self-provisioner role and ClusterRoleBinding that allows all users to create namespaces. Capsule requires this to be removed. See the [Red Hat documentation](https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/building_applications/projects#disabling-project-self-provisioning_configuring-project-creation) for details.
+
+Remove the subjects from the ClusterRoleBinding:
```shell
kubectl patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
```
-Also set the `autoupdate` to false, so the rolebinding doesn't get reverted by Openshift.
+Also set `autoupdate` to false so the ClusterRoleBinding is not reverted by OpenShift.
```shell
kubectl patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
```
### Extend the admin role
-In this example, we will add the default kubernetes `admin` role to the tenant owner, so it gets admin privileges on the namespaces that are in their tenant. This role should be extended.
-- Add the finalizers so users can create/edit resources that are managed by capsule
-- Add the SCC's that tenant owners can use. In this example, it is will be `restricted-v2` and `nonroot-v2`.
+This example extends the default Kubernetes `admin` role so tenant owners gain admin privileges on all namespaces within their tenant. The extension adds:
+- The finalizers required to create/edit resources managed by Capsule
+- The SCCs that tenant owners can use — in this example, `restricted-v2` and `nonroot-v2`
```yaml
kind: ClusterRole
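Review bot: the new wording "Capsule requires this to be removed" turns the original recommendation into a hard requirement; if Capsule still functions with self-provisioning left on (just without namespace creation being gated by tenants), say "should be removed so that only tenant owners can create namespaces through Capsule" instead. Also, the updated Red Hat link (4.21) is excluded from lychee by this same change, so confirm by hand that the anchor `#disabling-project-self-provisioning_configuring-project-creation` still exists on the 4.21 page, and replace the em-dash in "can use — in this example" with a comma or colon to match the rest of the page.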
@@ -70,8 +71,8 @@ rules:
- 'use'
```
-### Helm Chart values
-The jobs that Capsule uses can be runned with the `restricted-v2` SCC. For this, the securityContext and podSecurityContexts of the job must be disabled. For Capsule it self, we leave it to enabled. This is because capsule runs as `nonroot-v2`, which is still a very secure SCC. Also, always add the `pullPolicy: Always` on a multitenant cluster, to make sure you are working with the correct images you intended to.
+### Helm Chart Values
+The jobs that Capsule uses can be run with the `restricted-v2` SCC, so their `securityContext` and `podSecurityContext` must be disabled. For Capsule itself, they are left enabled because Capsule runs as `nonroot-v2`, which is still a very secure SCC. Always set `pullPolicy: Always` on a multi-tenant cluster to ensure the intended images are used.
The following chart values can be used:
```yaml
podSecurityContext:
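Review bot: the rewritten first sentence reverses the causality: the jobs do not need their contexts disabled because they run under `restricted-v2`; the chart's `securityContext`/`podSecurityContext` are disabled so that OpenShift's SCC admission can assign the UID and SELinux values it requires, and the jobs are then admitted under `restricted-v2`. Suggest: "To let the jobs run under the `restricted-v2` SCC, disable the chart's `securityContext` and `podSecurityContext` so OpenShift assigns them from the SCC." The `pullPolicy: Always` sentence would also benefit from the reason it matters on a shared cluster, namely that it prevents a workload from picking up an image already cached on the node under the same tag without the registry being consulted.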
@@ -91,8 +92,10 @@ The following chart values can be used:
```
Deploy the Capsule Helm chart with (at least) these values.
-### Example tenant
-A minimal example tenant can look as the following:
+### Example Tenant and TenantOwners
+
+A minimal example tenant looks like the following:
+
```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
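Review bot: the heading says `TenantOwners` but the resource kind shown below is `TenantOwner`; use the kind name in the heading (`### Example Tenant and TenantOwner`) so the heading matches the object it introduces.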
@@ -101,39 +104,53 @@ metadata:
spec:
imagePullPolicies:
- Always
- owners:
- - clusterRoles:
- - admin
- - capsule-namespace-deleter
- kind: Group
- name: sun-admin-group
+ permissions:
+ matchOwners:
+ - matchLabels:
+ team: devops
priorityClasses:
allowed:
- openshift-user-critical
```
+Combined with a `TenantOwner` resource to grant access to the tenant:
+
+```yaml
+apiVersion: capsule.clastix.io/v1beta2
+kind: TenantOwner
+metadata:
+ labels:
+ team: devops
+ name: devops
+spec:
+ kind: Group
+ name: "oidc:org:devops:a"
+```
+
+More information about tenants and tenant owners can be found in the chapter [Tenants](/docs/tenants/).
+
## Capsule Proxy
-The same principles for Capsule are also for Capsule Proxy. That means, that all (pod)SecurityContexts should be disabled for the job.
-In this example we enable the `ProxyAllNamespaced` feature, because that is one of the things where the Proxy really shines in its power.
+For Capsule Proxy, all (pod)SecurityContexts can be disabled. By disabling these, the proxy and its jobs run under the `nonroot-v2` SCC.
+This example also enables the `ProxyAllNamespaced` feature, which is one of the Proxy's most powerful capabilities.
The following helm values can be used as a template:
+
```yaml
+ global:
+ jobs:
+ kubectl:
+ securityContext:
+ enabled: false
securityContext:
- enabled: true
+ enabled: false
podSecurityContext:
- enabled: true
+ enabled: false
options:
generateCertificates: false #set to false, since we are using cert-manager in .Values.certManager.generateCertificates
enableSSL: true
extraArgs:
- '--feature-gates=ProxyAllNamespaced=true'
- - '--feature-gates=ProxyClusterScoped=false'
image:
pullPolicy: Always
- global:
- jobs:
- kubectl:
- securityContext:
- enabled: true
webhooks:
enabled: true
certManager:
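Review bot: the dropped `- '--feature-gates=ProxyClusterScoped=false'` line is a behaviour change the text does not mention: if that gate is on by default, the proxy will now also handle cluster-scoped resources for tenants. Either keep the line or state the gate's default and why it is no longer needed. Two more points: "By disabling these, the proxy and its jobs run under the `nonroot-v2` SCC" contradicts the Capsule section above, where disabling the same contexts is what makes the jobs run under `restricted-v2`; the SCC a pod lands on depends on what the pod requests and which SCCs its service account may use, so say which one is expected here and why. Finally, the removed owner entry granted `admin` and `capsule-namespace-deleter`, but the new `TenantOwner` shows no `clusterRoles`; if the defaults do not include `capsule-namespace-deleter`, tenant owners lose the ability to delete their own namespaces, so either show the clusterRoles or state the defaults.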
@@ -144,10 +161,10 @@ The following helm values can be used as a template:
route.openshift.io/termination: "reencrypt"
route.openshift.io/destination-ca-certificate-secret: capsule-proxy-root-secret
hosts:
- - host: "capsule-proxy.example.com"
- paths: ["/"]
+ - host: "capsule-proxy.example.com"
+ paths: ["/"]
```
-That is basically all the configuration needed for the Capsule Proxy.
+That is all the configuration needed for Capsule Proxy.
## Console Customization
The OpenShift console can be customized. For example, the capsule-proxy can be added as a shortcut on the top right application menu with the `ConsoleLink` CR:
@@ -160,7 +177,7 @@ spec:
applicationMenu:
imageURL: 'https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule.svg'
section: 'Capsule'
- href: 'capsule-proxy.example.com'
+ href: 'https://capsule-proxy.example.com'
location: ApplicationMenu
text: 'Capsule Proxy Kubernetes API'
```
@@ -202,4 +219,4 @@ spec:
```
# Conclusion
-After this section, you have a ready to go Capsule and Capsule-Proxy setup configured on OpenShift with some nice customizations in the OpenShift console. All ready to go and to ship to the development teams!
+You now have a fully configured Capsule and Capsule Proxy installation on OpenShift, including console customizations, and the environment is ready to hand off to development teams.
diff --git a/content/en/docs/proxy/proxysettings.md b/content/en/docs/proxy/proxysettings.md
index 8c2ee66..f4c4a52 100644
--- a/content/en/docs/proxy/proxysettings.md
+++ b/content/en/docs/proxy/proxysettings.md
@@ -69,14 +69,13 @@ spec:
A powerful tool to enhance the user-experience for all your users.
-## Proxysettings
-
-`ProxySettings` are created in a namespace of a tenant, if it's not in a namespace of a tenant it's not regarded as valid. With the `ProxySettings` Tenant Owners can further improve the experience for their fellow tenant users.
+## Proxysetting
+A `ProxySetting` is created in a namespace of a tenant, if it's not in a namespace of a tenant it's not regarded as valid. With the `ProxySetting` Tenant Owners can further improve the experience for their fellow tenant users.
```yaml
apiVersion: capsule.clastix.io/v1beta1
-kind: ProxySettings
+kind: ProxySetting
metadata:
name: solar-proxy
namespace: solar-prod
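Review bot: the comma splice survived the rewrite: "A `ProxySetting` is created in a namespace of a tenant, if it's not in a namespace of a tenant it's not regarded as valid." Suggest "A `ProxySetting` is created in one of the tenant's namespaces; a `ProxySetting` outside a tenant namespace is ignored." Also match the heading to the kind name (`## ProxySetting`), and since reference.md in this same change links to `/docs/proxy/proxysettings/#globalproxysettings`, make sure a `GlobalProxySettings` heading exists on this page for that anchor.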
diff --git a/content/en/docs/proxy/reference.md b/content/en/docs/proxy/reference.md
index 3e95d45..21e43e6 100644
--- a/content/en/docs/proxy/reference.md
+++ b/content/en/docs/proxy/reference.md
@@ -79,7 +79,7 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
-
+ClusterResource Specification
| **Name** | **Type** | **Description** | **Required** |
@@ -87,7 +87,7 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true |
| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true |
| **[selector](#globalproxysettingsspecrulesindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true |
-| **operations** | []enum | Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC
*Enum*: List, Update, Delete
| false |
+| **operations** | []enum | Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Operations which can be executed on the selected resources.
Other permissions must be implemented via kubernetes native RBAC
*Enum*: List, Update, Delete
| false |
### GlobalProxySettings.spec.rules[index].clusterResources[index].selector
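Review bot: the deprecation line still carries two typos: "LIST ang GET requests will intercepted" should read "LIST and GET requests will be intercepted". This table is generated from the CRD type comments, so fix the Go doc comment on the `operations` field and regenerate rather than editing the markdown by hand.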
@@ -161,14 +161,14 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant.
| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true |
| **name** | string | Name of tenant owner. | true |
| **[clusterResources](#proxysettingspecsubjectsindexclusterresourcesindex)** | []object | Cluster Resources for tenant Owner. | false |
-| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object | Proxy settings for tenant owner. | false |
+| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object | Deprecated: Use Global Proxy Settings instead (https://projectcapsule.dev/docs/proxy/proxysettings/#globalproxysettings)
Proxy settings for tenant owner. | false |
### ProxySetting.spec.subjects[index].clusterResources[index]
-
+ClusterResource Specification
| **Name** | **Type** | **Description** | **Required** |
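Review bot: the deprecation notice links to `https://projectcapsule.dev/docs/proxy/proxysettings/#globalproxysettings`; the proxysettings.md hunk in this same change only shows a `## Proxysetting` heading, so verify that the `#globalproxysettings` anchor resolves. A deprecation notice should also say what happens to existing `proxySettings` entries (ignored or still honoured), otherwise operators cannot judge how urgently they need to migrate.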
@@ -176,7 +176,7 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant.
| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true |
| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true |
| **[selector](#proxysettingspecsubjectsindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true |
-| **operations** | []enum | Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC
*Enum*: List, Update, Delete
| false |
+| **operations** | []enum | Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Operations which can be executed on the selected resources.
Other permissions must be implemented via kubernetes native RBAC
*Enum*: List, Update, Delete
| false |
### ProxySetting.spec.subjects[index].clusterResources[index].selector
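Review bot: same "LIST ang GET requests will intercepted" typo as in the `GlobalProxySettings` table above; it originates from the same Go doc comment, so one upstream fix covers both tables.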
diff --git a/content/en/docs/proxy/setup/installation.md b/content/en/docs/proxy/setup/installation.md
index 49a4af4..779743f 100644
--- a/content/en/docs/proxy/setup/installation.md
+++ b/content/en/docs/proxy/setup/installation.md
@@ -312,32 +312,62 @@ ingress:
### User Authentication
-The capsule-proxy intercepts all the requests from the kubectl client directed to the APIs Server. Users using a TLS client-based authentication with a certificate and key can talk with the API Server since it can forward client certificates to the Kubernetes APIs server.
+The capsule-proxy intercepts all the requests from the kubectl client directed to the APIs Server. Users using a TLS client-based authentication with a certificate and key can talk with the API Server since it can forward client certificates to the Kubernetes APIs server. You can configure the capsule-proxy to use multiple authentication methods, for example, you can prefer Bearer Token authentication over TLS client-based authentication or use Forwarded Client Certificate Authentication (XFCC) if supported by your Ingress Controller. The following sections describe the supported authentication methods.
+```yaml
+options:
+ authPreferredTypes: "BearerToken,TLSCertificate,XForwardedClientCert"
+```
-#### Bearer Token Authentication
+#### Bearer Token Authentication
-#### Client Certificate Authentication
+Bearer Token authentication is supported by default, meaning that users providing tokens are always able to reach the APIs Server. You can configure the capsule-proxy to prefer Bearer Token authentication over TLS client-based authentication:
+```yaml
+options:
+ authPreferredTypes: "BearerToken"
+```
+#### Client Certificate Authentication
It is possible to protect the capsule-proxy using a certificate provided by Let's Encrypt. Keep in mind that, in this way, the TLS termination will be executed by the Ingress Controller, meaning that the authentication based on the client certificate will be withdrawn and not reversed to the upstream. For such cases you may want to rely on the token-based authentication, for example, OIDC or Bearer tokens. Users providing tokens are always able to reach the APIs Server or consider using the [Forwarded Client Certificate Authentication (XFCC)](#forwarded-client-certificate-authentication-xfcc) if supported by your Ingress Controller.
-#### Forwarded Client Certificate Authentication (XFCC)
+```yaml
+options:
+ authPreferredTypes: "TLSCertificate"
+```
+#### Forwarded Client Certificate Authentication (XFCC)
It is possible to protect the capsule-proxy using a certificate provided by Let's Encrypt. Keep in mind that, in this way, the TLS termination will be executed by the Ingress Controller, meaning that the authentication based on the client certificate will be withdrawn and not reversed to the upstream.
If your prerequisite is exposing capsule-proxy using an Ingress, you must rely on the token-based authentication, for example, OIDC or Bearer tokens. Users providing tokens are always able to reach the APIs Server.
+```yaml
+options:
+ authPreferredTypes: "XForwardedClientCert"
+```
+By default the HTTP-Header used for the client certificate is `X-Forwarded-Client-Cert`, but it can be customized using the `--xfcc-header-name` argument:
-### Trusted Sources
-
+```yaml
+options:
+ authPreferredTypes: "XForwardedClientCert"
+ extraArgs:
+ - "--xfcc-header-name=X-My-Custom-Client-Cert"
+```
+### Trusted Sources
+CIDR ranges of trusted proxies allowed to send forwarded client certificate headers:
+```yaml
+options:
+ extraArgs:
+ - "--trusted-proxy-cidrs=10.0.0.0/8"
+ - "--trusted-proxy-cidrs=127.0.0.1/32"
+```
### Certificate Management
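Review bot: the body under `#### Forwarded Client Certificate Authentication (XFCC)` is a copy of the Client Certificate paragraph and ends with "you must rely on the token-based authentication", which is the opposite of what XFCC provides; rewrite it to say that the Ingress Controller terminates TLS, verifies the client certificate and forwards it in the `X-Forwarded-Client-Cert` header, which the proxy then trusts for authentication. That trust is the security-critical part: the proxy must accept the header only from the ranges given in `--trusted-proxy-cidrs`, and the Ingress Controller must overwrite any client-supplied copy of the header, otherwise a caller that reaches the proxy directly could present a forged certificate header and authenticate as another user. The "### Trusted Sources" section should state that consequence instead of only listing the flag, and it should say whether repeating `--trusted-proxy-cidrs` is the way to pass multiple ranges (options.md in this change adds a `trustedProxyCidrs` list value, which would be the cleaner thing to show here). Minor: "HTTP-Header" should be "HTTP header", and the second sentence of the new opening paragraph is a run-on; split it at "for example".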
diff --git a/content/en/docs/proxy/setup/options.md b/content/en/docs/proxy/setup/options.md
index 682b918..698f22a 100644
--- a/content/en/docs/proxy/setup/options.md
+++ b/content/en/docs/proxy/setup/options.md
@@ -32,6 +32,10 @@ options:
capsuleConfigurationName: default
# -- Define which groups must be ignored while proxying requests
ignoredUserGroups: []
+ # -- Names of the groups which are not used for impersonation (considered after impersonation-group-regexp)
+ ignoredImpersonationGroups: []
+ # -- Regular expression to match the groups which are considered for impersonation
+ impersonationGroupRegexp: ""
# -- Specify if capsule-proxy will use SSL
oidcUsernameClaim: preferred_username
# -- Specify if capsule-proxy will use SSL
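Review bot: the comment on `ignoredImpersonationGroups` says the list is "considered after impersonation-group-regexp"; express the order using the value names readers see in this file (if `impersonationGroupRegexp` is applied first and groups in this list are then dropped from the impersonation set, say exactly that) so nobody has to map the CLI flag name to the Helm value. While here, the unchanged context line above `oidcUsernameClaim` still carries the copied comment "# -- Specify if capsule-proxy will use SSL", which belongs to `enableSSL`.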
@@ -54,7 +58,7 @@ options:
disableCaching: false
# -- Enable the rolebinding reflector, which allows to list the namespaces, where a rolebinding mentions a user.
roleBindingReflector: false
- # -- Authentication types to be used for requests. Possible Auth Types: [BearerToken, TLSCertificate]
+ # -- Authentication types to be used for requests. Possible Auth Types: [BearerToken, TLSCertificate, XForwardedClientCert]
authPreferredTypes: "BearerToken,TLSCertificate"
# -- QPS to use for interacting with Kubernetes API Server.
clientConnectionQPS: 20
@@ -62,6 +66,9 @@ options:
clientConnectionBurst: 30
# -- Enable Pprof for profiling
pprof: false
+ # -- CIDR ranges of trusted proxies allowed to make requests to the proxy
+ trustedProxyCidrs: []
+
```
The following options are available for the Capsule Proxy Controller:
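Review bot: the comment "CIDR ranges of trusted proxies allowed to make requests to the proxy" describes a different behaviour than installation.md in this same change, where the ranges are "trusted proxies allowed to send forwarded client certificate headers". If the list only governs which sources may supply the XFCC header, say so here, because a reader of this comment could conclude that setting it blocks every other client from the proxy; if it really restricts all requests, installation.md is understating it. Also drop the extra blank line added before the closing fence.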
diff --git a/content/en/docs/reference.md b/content/en/docs/reference.md
index 59acf41..d60415b 100644
--- a/content/en/docs/reference.md
+++ b/content/en/docs/reference.md
@@ -15,8 +15,14 @@ Resource Types:
- [CapsuleConfiguration](#capsuleconfiguration)
+- [CustomQuota](#customquota)
+
+- [GlobalCustomQuota](#globalcustomquota)
+
- [GlobalTenantResource](#globaltenantresource)
+- [QuantityLedger](#quantityledger)
+
- [ResourcePoolClaim](#resourcepoolclaim)
- [ResourcePool](#resourcepool)
@@ -68,6 +74,7 @@ CapsuleConfigurationSpec defines the Capsule configuration.
| **allowServiceAccountPromotion** | boolean | ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant
this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant.
However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
*Default*: false
| false |
| **forceTenantPrefix** | boolean | Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
*Default*: false
| false |
| **ignoreUserWithGroups** | []string | Define groups which when found in the request of a user will be ignored by the Capsule
this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups. | false |
+| **[impersonation](#capsuleconfigurationspecimpersonation)** | object | Service Account Client configuration for impersonation properties | false |
| **[nodeMetadata](#capsuleconfigurationspecnodemetadata)** | object | Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes. | false |
| **[overrides](#capsuleconfigurationspecoverrides)** | object | Allows to set different name rather than the canonical one for the Capsule configuration objects,
such as webhook secret or configurations.
*Default*: map[TLSSecretName:capsule-tls mutatingWebhookConfigurationName:capsule-mutating-webhook-configuration validatingWebhookConfigurationName:capsule-validating-webhook-configuration]
| false |
| **protectedNamespaceRegex** | string | Disallow creation of namespaces, whose name matches this regexp | false |
@@ -114,6 +121,7 @@ Configuration for dynamic Validating and Mutating Admission webhooks managed by
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
| **[mutating](#capsuleconfigurationspecadmissionmutating)** | object | Configure dynamic Mutating Admission for Capsule | false |
+| **serviceName** | string | Service Name of the Admission Service
*Default*: capsule-webhook-service
| false |
| **[validating](#capsuleconfigurationspecadmissionvalidating)** | object | Configure dynamic Validating Admission for Capsule | false |
@@ -126,17 +134,18 @@ Configure dynamic Mutating Admission for Capsule
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[client](#capsuleconfigurationspecadmissionmutatingclient)** | object | From the upstram struct | true |
+| **[client](#capsuleconfigurationspecadmissionmutatingclient)** | object | whats the problem | true |
| **annotations** | map[string]string | Annotations added to the Admission Webhook | false |
| **labels** | map[string]string | Labels added to the Admission Webhook | false |
| **name** | string | Name the Admission Webhook | false |
+| **[webhooks](#capsuleconfigurationspecadmissionmutatingwebhooksindex)** | []object | Define Dynamic Admission Webhooks | false |
### CapsuleConfiguration.spec.admission.mutating.client
-From the upstram struct
+whats the problem
| **Name** | **Type** | **Description** | **Required** |
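Review bot: the description of `client` changed from "From the upstram struct" to "whats the problem", which reads like a leftover debug comment on the Go type that the generator picked up (it appears twice, in the table and as the section lead); replace the doc comment with an actual description of the webhook client configuration (service reference versus URL, CA bundle) and regenerate this page.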
@@ -164,6 +173,181 @@ If the webhook is running within the cluster, then you should use `service`.
| **port** | integer | If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
`port` should be a valid port number (1-65535, inclusive).
*Format*: int32
| false |
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **admissionReviewVersions** | []string | AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
versions the Webhook expects. API server will try to use first version in
the list which it supports. If none of the versions specified in this list
supported by API server, validation will fail for this object.
If a persisted webhook configuration specifies allowed versions and does not
include any versions known to the API Server, calls to the webhook will fail
and be subject to the failure policy. | true |
+| **name** | string | The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
Required. | true |
+| **path** | string | `path` is the URL path which will be sent in any request to
this service. | true |
+| **sideEffects** | string | SideEffects states whether this webhook has side effects.
Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
Webhooks with side effects MUST implement a reconciliation system, since a request may be
rejected by a future step in the admission chain and the side effects therefore need to be undone.
Requests with the dryRun attribute will be auto-rejected if they match a webhook with
sideEffects == Unknown or Some. | true |
+| **failurePolicy** | string | FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail. | false |
+| **[matchConditions](#capsuleconfigurationspecadmissionmutatingwebhooksindexmatchconditionsindex)** | []object | MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
The exact matching logic is (in order):
1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
2. If ALL matchConditions evaluate to TRUE, the webhook is called.
3. If any matchCondition evaluates to an error (but none are FALSE):
- If failurePolicy=Fail, reject the request
- If failurePolicy=Ignore, the error is ignored and the webhook is skipped | false |
+| **matchPolicy** | string | matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
- Exact: match a request only if it exactly matches a specified rule.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent" | false |
+| **[namespaceSelector](#capsuleconfigurationspecadmissionmutatingwebhooksindexnamespaceselector)** | object | NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not
associated with "runlevel" of "0" or "1"; you will set the selector as
follows:
"namespaceSelector": {
"matchExpressions": [
{
"key": "runlevel",
"operator": "NotIn",
"values": [
"0",
"1"
]
}
]
}
If instead you want to only run the webhook on any objects whose
namespace is associated with the "environment" of "prod" or "staging";
you will set the selector as follows:
"namespaceSelector": {
"matchExpressions": [
{
"key": "environment",
"operator": "In",
"values": [
"prod",
"staging"
]
}
]
}
See
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. | false |
+| **[objectSelector](#capsuleconfigurationspecadmissionmutatingwebhooksindexobjectselector)** | object | ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector. A null
object (oldObject in the case of create, or newObject in the case of
delete) or an object that cannot have labels (like a
DeploymentRollback or a PodProxyOptions object) is not considered to
match.
Use the object selector only if the webhook is opt-in, because end
users may skip the admission webhook by setting the labels.
Default to the empty LabelSelector, which matches everything. | false |
+| **[opts](#capsuleconfigurationspecadmissionmutatingwebhooksindexopts)** | object | Capsule Custom Admission Options | false |
+| **reinvocationPolicy** | string | reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
Allowed values are "Never" and "IfNeeded".
Never: the webhook will not be called more than once in a single admission evaluation.
IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
if the object being admitted is modified by other admission plugins after the initial webhook call.
Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
Note:
* the number of additional invocations is not guaranteed to be exactly one.
* if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
* webhooks that use this option may be reordered to minimize the number of additional invocations.
* to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
Defaults to "Never". | false |
+| **[rules](#capsuleconfigurationspecadmissionmutatingwebhooksindexrulesindex)** | []object | Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches _any_ Rule.
However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
from putting the cluster in a state which cannot be recovered from without completely
disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. | false |
+| **timeoutSeconds** | integer | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
the webhook call will be ignored or the API call will fail based on the
failure policy.
The timeout value must be between 1 and 30 seconds.
Default to 10 seconds.
*Format*: int32
| false |
+
+
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index].matchConditions[index]
+
+
+
+MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **expression** | string | Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required. | true |
+| **name** | string | Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required. | true |
+
+
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index].namespaceSelector
+
+
+
+NamespaceSelector decides whether to run the webhook on an object based
+on whether the namespace for that object matches the selector. If the
+object itself is a namespace, the matching is performed on
+object.metadata.labels. If the object is another cluster scoped resource,
+it never skips the webhook.
+
+For example, to run the webhook on any objects whose namespace is not
+associated with "runlevel" of "0" or "1"; you will set the selector as
+follows:
+"namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "runlevel",
+ "operator": "NotIn",
+ "values": [
+ "0",
+ "1"
+ ]
+ }
+ ]
+}
+
+If instead you want to only run the webhook on any objects whose
+namespace is associated with the "environment" of "prod" or "staging";
+you will set the selector as follows:
+"namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "environment",
+ "operator": "In",
+ "values": [
+ "prod",
+ "staging"
+ ]
+ }
+ ]
+}
+
+See
+https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+for more examples of label selectors.
+
+Default to the empty LabelSelector, which matches everything.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#capsuleconfigurationspecadmissionmutatingwebhooksindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index].namespaceSelector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index].objectSelector
+
+
+
+ObjectSelector decides whether to run the webhook based on if the
+object has matching labels. objectSelector is evaluated against both
+the oldObject and newObject that would be sent to the webhook, and
+is considered to match if either object matches the selector. A null
+object (oldObject in the case of create, or newObject in the case of
+delete) or an object that cannot have labels (like a
+DeploymentRollback or a PodProxyOptions object) is not considered to
+match.
+Use the object selector only if the webhook is opt-in, because end
+users may skip the admission webhook by setting the labels.
+Default to the empty LabelSelector, which matches everything.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#capsuleconfigurationspecadmissionmutatingwebhooksindexobjectselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index].objectSelector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index].opts
+
+
+
+Capsule Custom Admission Options
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **administrators** | boolean | If enabled, the request is only sent to admission if the user is mentioned
As Part of the Capsule Administrators
*Default*: false
| true |
+| **capsuleUsers** | boolean | If enabled, the request is only sent to admission if the user is mentioned
As Part of the Capsule Users
*Default*: false
| true |
+
+
+### CapsuleConfiguration.spec.admission.mutating.webhooks[index].rules[index]
+
+
+
+RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+sure that all the tuple expansions are valid.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiGroups** | []string | APIGroups is the API groups the resources belong to. '*' is all groups.
If '*' is present, the length of the slice must be one.
Required. | false |
+| **apiVersions** | []string | APIVersions is the API versions the resources belong to. '*' is all versions.
If '*' is present, the length of the slice must be one.
Required. | false |
+| **operations** | []string | Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
for all of those operations and any future admission operations that are added.
If '*' is present, the length of the slice must be one.
Required. | false |
+| **resources** | []string | Resources is a list of resources this rule applies to.
For example:
'pods' means pods.
'pods/log' means the log subresource of pods.
'*' means all resources, but not subresources.
'pods/*' means all subresources of pods.
'*/scale' means all scale subresources.
'*/*' means all resources and their subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
Depending on the enclosing object, subresources might not be allowed.
Required. | false |
+| **scope** | string | scope specifies the scope of this rule.
Valid values are "Cluster", "Namespaced", and "*"
"Cluster" means that only cluster-scoped resources will match this rule.
Namespace API objects are cluster-scoped.
"Namespaced" means that only namespaced resources will match this rule.
"*" means that there are no scope restrictions.
Subresources match the scope of their parent resource.
Default is "*". | false |
+
+
### CapsuleConfiguration.spec.admission.validating
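Review bot: in the `opts` table (under `### CapsuleConfiguration.spec.admission.mutating.webhooks[index].opts`) both `administrators` and `capsuleUsers` are listed as Required `true` while each carries `*Default*: false`; a defaulted boolean should be optional, so check the optional/`omitempty` marker on the CRD field so the generated Required column matches the schema. The same rows' wording `the user is mentioned As Part of the Capsule Administrators` needs lower-casing and should say plainly that the request is forwarded to the webhook only when the requesting user is one of the configured Capsule administrators (or Capsule users, for `capsuleUsers`). Separately, the `objectSelector` description keeps the upstream caveat that end users can skip the webhook by setting labels; for webhooks that enforce tenant isolation that is a bypass, so the Capsule docs should state explicitly that `objectSelector` is expected to stay empty on enforcement webhooks and is only appropriate for opt-in ones.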
@@ -173,17 +357,18 @@ Configure dynamic Validating Admission for Capsule
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[client](#capsuleconfigurationspecadmissionvalidatingclient)** | object | From the upstram struct | true |
+| **[client](#capsuleconfigurationspecadmissionvalidatingclient)** | object | whats the problem | true |
| **annotations** | map[string]string | Annotations added to the Admission Webhook | false |
| **labels** | map[string]string | Labels added to the Admission Webhook | false |
| **name** | string | Name the Admission Webhook | false |
+| **[webhooks](#capsuleconfigurationspecadmissionvalidatingwebhooksindex)** | []object | Define Dynamic Admission Webhooks | false |
### CapsuleConfiguration.spec.admission.validating.client
-From the upstram struct
+whats the problem
| **Name** | **Type** | **Description** | **Required** |
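Review bot: `whats the problem` (both in the `client` row and as the body under `### CapsuleConfiguration.spec.admission.validating.client`) reads like a debugging placeholder that replaced `From the upstram struct`; substitute a real description, e.g. `Client configuration the API server uses to reach the validating admission webhook (service reference or URL, CA bundle)`, and if this page is rendered from the Go doc comments, fix the comment on the struct so the text does not regress on the next regeneration.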
@@ -211,6 +396,199 @@ If the webhook is running within the cluster, then you should use `service`.
| **port** | integer | If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
`port` should be a valid port number (1-65535, inclusive).
*Format*: int32
| false |
+### CapsuleConfiguration.spec.admission.validating.webhooks[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **admissionReviewVersions** | []string | AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
versions the Webhook expects. API server will try to use first version in
the list which it supports. If none of the versions specified in this list
supported by API server, validation will fail for this object.
If a persisted webhook configuration specifies allowed versions and does not
include any versions known to the API Server, calls to the webhook will fail
and be subject to the failure policy. | true |
+| **name** | string | The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
Required. | true |
+| **path** | string | `path` is the URL path which will be sent in any request to
this service. | true |
+| **sideEffects** | string | SideEffects states whether this webhook has side effects.
Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
Webhooks with side effects MUST implement a reconciliation system, since a request may be
rejected by a future step in the admission chain and the side effects therefore need to be undone.
Requests with the dryRun attribute will be auto-rejected if they match a webhook with
sideEffects == Unknown or Some. | true |
+| **failurePolicy** | string | FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail. | false |
+| **[matchConditions](#capsuleconfigurationspecadmissionvalidatingwebhooksindexmatchconditionsindex)** | []object | MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
The exact matching logic is (in order):
1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
2. If ALL matchConditions evaluate to TRUE, the webhook is called.
3. If any matchCondition evaluates to an error (but none are FALSE):
- If failurePolicy=Fail, reject the request
- If failurePolicy=Ignore, the error is ignored and the webhook is skipped | false |
+| **matchPolicy** | string | matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
- Exact: match a request only if it exactly matches a specified rule.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent" | false |
+| **[namespaceSelector](#capsuleconfigurationspecadmissionvalidatingwebhooksindexnamespaceselector)** | object | NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not
associated with "runlevel" of "0" or "1"; you will set the selector as
follows:
"namespaceSelector": {
"matchExpressions": [
{
"key": "runlevel",
"operator": "NotIn",
"values": [
"0",
"1"
]
}
]
}
If instead you want to only run the webhook on any objects whose
namespace is associated with the "environment" of "prod" or "staging";
you will set the selector as follows:
"namespaceSelector": {
"matchExpressions": [
{
"key": "environment",
"operator": "In",
"values": [
"prod",
"staging"
]
}
]
}
See
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. | false |
+| **[objectSelector](#capsuleconfigurationspecadmissionvalidatingwebhooksindexobjectselector)** | object | ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector. A null
object (oldObject in the case of create, or newObject in the case of
delete) or an object that cannot have labels (like a
DeploymentRollback or a PodProxyOptions object) is not considered to
match.
Use the object selector only if the webhook is opt-in, because end
users may skip the admission webhook by setting the labels.
Default to the empty LabelSelector, which matches everything. | false |
+| **[opts](#capsuleconfigurationspecadmissionvalidatingwebhooksindexopts)** | object | Capsule Custom Admission Options | false |
+| **[rules](#capsuleconfigurationspecadmissionvalidatingwebhooksindexrulesindex)** | []object | Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches _any_ Rule.
However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
from putting the cluster in a state which cannot be recovered from without completely
disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. | false |
+| **timeoutSeconds** | integer | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
the webhook call will be ignored or the API call will fail based on the
failure policy.
The timeout value must be between 1 and 30 seconds.
Default to 10 seconds.
*Format*: int32
| false |
+
+
+### CapsuleConfiguration.spec.admission.validating.webhooks[index].matchConditions[index]
+
+
+
+MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **expression** | string | Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required. | true |
+| **name** | string | Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required. | true |
+
+
+### CapsuleConfiguration.spec.admission.validating.webhooks[index].namespaceSelector
+
+
+
+NamespaceSelector decides whether to run the webhook on an object based
+on whether the namespace for that object matches the selector. If the
+object itself is a namespace, the matching is performed on
+object.metadata.labels. If the object is another cluster scoped resource,
+it never skips the webhook.
+
+For example, to run the webhook on any objects whose namespace is not
+associated with "runlevel" of "0" or "1"; you will set the selector as
+follows:
+"namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "runlevel",
+ "operator": "NotIn",
+ "values": [
+ "0",
+ "1"
+ ]
+ }
+ ]
+}
+
+If instead you want to only run the webhook on any objects whose
+namespace is associated with the "environment" of "prod" or "staging";
+you will set the selector as follows:
+"namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "environment",
+ "operator": "In",
+ "values": [
+ "prod",
+ "staging"
+ ]
+ }
+ ]
+}
+
+See
+https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+for more examples of label selectors.
+
+Default to the empty LabelSelector, which matches everything.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#capsuleconfigurationspecadmissionvalidatingwebhooksindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### CapsuleConfiguration.spec.admission.validating.webhooks[index].namespaceSelector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### CapsuleConfiguration.spec.admission.validating.webhooks[index].objectSelector
+
+
+
+ObjectSelector decides whether to run the webhook based on if the
+object has matching labels. objectSelector is evaluated against both
+the oldObject and newObject that would be sent to the webhook, and
+is considered to match if either object matches the selector. A null
+object (oldObject in the case of create, or newObject in the case of
+delete) or an object that cannot have labels (like a
+DeploymentRollback or a PodProxyOptions object) is not considered to
+match.
+Use the object selector only if the webhook is opt-in, because end
+users may skip the admission webhook by setting the labels.
+Default to the empty LabelSelector, which matches everything.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#capsuleconfigurationspecadmissionvalidatingwebhooksindexobjectselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### CapsuleConfiguration.spec.admission.validating.webhooks[index].objectSelector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### CapsuleConfiguration.spec.admission.validating.webhooks[index].opts
+
+
+
+Capsule Custom Admission Options
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **administrators** | boolean | If enabled, the request is only sent to admission if the user is mentioned
As Part of the Capsule Administrators
*Default*: false
| true |
+| **capsuleUsers** | boolean | If enabled, the request is only sent to admission if the user is mentioned
As Part of the Capsule Users
*Default*: false
| true |
+
+
+### CapsuleConfiguration.spec.admission.validating.webhooks[index].rules[index]
+
+
+
+RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+sure that all the tuple expansions are valid.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiGroups** | []string | APIGroups is the API groups the resources belong to. '*' is all groups.
If '*' is present, the length of the slice must be one.
Required. | false |
+| **apiVersions** | []string | APIVersions is the API versions the resources belong to. '*' is all versions.
If '*' is present, the length of the slice must be one.
Required. | false |
+| **operations** | []string | Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
for all of those operations and any future admission operations that are added.
If '*' is present, the length of the slice must be one.
Required. | false |
+| **resources** | []string | Resources is a list of resources this rule applies to.
For example:
'pods' means pods.
'pods/log' means the log subresource of pods.
'*' means all resources, but not subresources.
'pods/*' means all subresources of pods.
'*/scale' means all scale subresources.
'*/*' means all resources and their subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
Depending on the enclosing object, subresources might not be allowed.
Required. | false |
+| **scope** | string | scope specifies the scope of this rule.
Valid values are "Cluster", "Namespaced", and "*"
"Cluster" means that only cluster-scoped resources will match this rule.
Namespace API objects are cluster-scoped.
"Namespaced" means that only namespaced resources will match this rule.
"*" means that there are no scope restrictions.
Subresources match the scope of their parent resource.
Default is "*". | false |
+
+
+### CapsuleConfiguration.spec.impersonation
+
+
+
+Service Account Client configuration for impersonation properties
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **caSecretKey** | string | Key in the secret that holds the CA certificate (e.g., "ca.crt")
*Default*: ca.crt
| false |
+| **caSecretName** | string | Name of the secret containing the CA certificate | false |
+| **caSecretNamespace** | string | Namespace where the CA certificate secret is located | false |
+| **endpoint** | string | Kubernetes API Endpoint to use for impersonation | false |
+| **globalDefaultServiceAccount** | string | Default ServiceAccount for global resources (GlobalTenantResource)
When defined, users are required to use this ServiceAccount anywhere in the cluster
unless they explicitly provide their own. | false |
+| **globalDefaultServiceAccountNamespace** | string | Default ServiceAccount for global resources (GlobalTenantResource)
When defined, users are required to use this ServiceAccount anywhere in the cluster
unless they explicitly provide their own. | false |
+| **skipTlsVerify** | boolean | If true, TLS certificate verification is skipped (not recommended for production)
*Default*: false
| false |
+| **tenantDefaultServiceAccount** | string | Default ServiceAccount for namespaced resources (TenantResource)
When defined, users are required to use this ServiceAccount within the namespace
where they deploy the resource, unless they explicitly provide their own. | false |
+
+
### CapsuleConfiguration.spec.nodeMetadata
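Review bot: `globalDefaultServiceAccountNamespace` (impersonation table) repeats the `globalDefaultServiceAccount` description word for word, so the row never says it holds the namespace in which that default ServiceAccount lives; rewrite it to describe the namespace. Two smaller points in the same hunk: the `### CapsuleConfiguration.spec.admission.validating.webhooks[index]` heading is followed by six empty lines and no description, and `skipTlsVerify` should say which connection it weakens (the impersonation client's TLS session to `endpoint`) and point readers to `caSecretName`/`caSecretNamespace` as the supported way to trust a private CA instead of disabling verification.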
@@ -262,8 +640,8 @@ such as webhook secret or configurations.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
| **TLSSecretName** | string | Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is deployed.
*Default*: capsule-tls
| true |
-| **mutatingWebhookConfigurationName** | string | Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-mutating-webhook-configuration
| true |
-| **validatingWebhookConfigurationName** | string | Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-validating-webhook-configuration
| true |
+| **mutatingWebhookConfigurationName** | string | Deprecated: use dynamic admission instead
Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-mutating-webhook-configuration
| true |
+| **validatingWebhookConfigurationName** | string | Deprecated: use dynamic admission instead
Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-validating-webhook-configuration
| true |
### CapsuleConfiguration.spec.users[index]
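Review bot: `mutatingWebhookConfigurationName` and `validatingWebhookConfigurationName` are now labelled "Deprecated: use dynamic admission instead" yet keep `Required: true` and their defaults, and the deprecation text contradicts the rows' own descriptions, which say the referenced configuration "contains the dynamic admission controller paths". State what replaces these fields (or that they are ignored), and either drop the required flag or explain why a deprecated field is still mandatory.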
@@ -288,7 +666,6 @@ CapsuleConfigurationStatus defines the Capsule configuration status.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **lastCacheInvalidation** | string | Last time all caches were invalided
*Format*: date-time
| false |
| **[users](#capsuleconfigurationstatususersindex)** | []object | Users which are considered Capsule Users and are bound to the Capsule Tenant construct. | false |
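Review bot: `lastCacheInvalidation` is removed from CapsuleConfigurationStatus with no deprecation note, which breaks anything that reads that status field (dashboards, alert rules, scripts). If the field has really been dropped from the CRD, call it out in the release notes; if the API still serves it, keep the row instead of hiding it.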
@@ -304,84 +681,83 @@ CapsuleConfigurationStatus defines the Capsule configuration status.
| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true |
| **name** | string | Name of the entity. | true |
-## GlobalTenantResource
+## CustomQuota
+
-GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
| **apiVersion** | string | capsule.clastix.io/v1beta2 | true |
-| **kind** | string | GlobalTenantResource | true |
+| **kind** | string | CustomQuota | true |
| **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
-| **[spec](#globaltenantresourcespec)** | object | GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. | true |
-| **[status](#globaltenantresourcestatus)** | object | GlobalTenantResourceStatus defines the observed state of GlobalTenantResource. | false |
+| **[spec](#customquotaspec)** | object | CustomQuotaSpec. | true |
+| **[status](#customquotastatus)** | object | CustomQuotaStatus defines the observed state of GlobalResourceQuota. | false |
-### GlobalTenantResource.spec
+### CustomQuota.spec
-GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
+CustomQuotaSpec.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[resources](#globaltenantresourcespecresourcesindex)** | []object | Defines the rules to select targeting Namespace, along with the objects that must be replicated. | true |
-| **resyncPeriod** | string | Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
*Default*: 60s
| true |
-| **pruningOnDelete** | boolean | When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
*Default*: true
| false |
-| **[tenantSelector](#globaltenantresourcespectenantselector)** | object | Defines the Tenant selector used target the tenants on which resources must be propagated. | false |
+| **limit** | int or string | Resource Quantity as limit | true |
+| **[options](#customquotaspecoptions)** | object | Additional Options for the CustomQuotaSpecification
*Default*: map[emitMetricPerClaimUsage:false]
| true |
+| **[sources](#customquotaspecsourcesindex)** | []object | Target resource | true |
+| **[scopeSelectors](#customquotaspecscopeselectorsindex)** | []object | Select items governed by this quota | false |
-### GlobalTenantResource.spec.resources[index]
-
+### CustomQuota.spec.options
+Additional Options for the CustomQuotaSpecification
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[additionalMetadata](#globaltenantresourcespecresourcesindexadditionalmetadata)** | object | Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources. | false |
-| **[namespaceSelector](#globaltenantresourcespecresourcesindexnamespaceselector)** | object | Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted. | false |
-| **[namespacedItems](#globaltenantresourcespecresourcesindexnamespaceditemsindex)** | []object | List of the resources already existing in other Namespaces that must be replicated. | false |
-| **rawItems** | []RawExtension | List of raw resources that must be replicated. | false |
+| **emitMetricPerClaimUsage** | boolean | Additionally expose usage metrics for each claim contributing to the quota.
This is disabled by default to avoid high cardinality in the metrics, but can be enabled for more granular monitoring and alerting.
*Default*: false
| false |
-### GlobalTenantResource.spec.resources[index].additionalMetadata
+### CustomQuota.spec.sources[index]
+
-Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
-added to the replicated resources.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **annotations** | map[string]string | | false |
-| **labels** | map[string]string | | false |
+| **apiVersion** | string | API version of the referent. | true |
+| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
+| **op** | enum | Operation used to evaluate usage.
*Enum*: add, sub, count
*Default*: add
| false |
+| **path** | string | Path on GVK where usage is evaluated.
Must be empty when op is "count".
Required and non-empty for all other operations. | false |
+| **[selectors](#customquotaspecsourcesindexselectorsindex)** | []object | Provide more granular selectors for these sources
The ScopeSelector and NamespaceSelector are always applied
Allowing these selectors to make further selecting on the resulting subset. | false |
-### GlobalTenantResource.spec.resources[index].namespaceSelector
+### CustomQuota.spec.sources[index].selectors[index]
+
-Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
-In case of nil value, all the Tenant Namespaces are targeted.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **fieldSelectors** | []string | Additional boolean JSONPath expressions.
All must evaluate to true for this selector to match. | false |
+| **[matchExpressions](#customquotaspecsourcesindexselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
-### GlobalTenantResource.spec.resources[index].namespaceSelector.matchExpressions[index]
+### CustomQuota.spec.sources[index].selectors[index].matchExpressions[index]
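Review bot: several descriptions in the new CustomQuota section are unfinished placeholders or copy-paste leftovers: `CustomQuotaSpec.` is the entire description of `spec`, and `status` is described as "the observed state of GlobalResourceQuota", a type that appears nowhere else in this document. `options` is marked Required although it has a default, and `path` is marked not required while its text says "Required and non-empty for all other operations" (everything except `count`); stating the op-dependent rule once in the `op` row would stop the Required column from misleading. Also note that the GlobalTenantResource material removed in this hunk is re-added later in the same patch, so this is a relocation, not a deletion; a line in the PR description would save reviewers reading this hunk on its own from assuming the type was dropped.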
@@ -396,103 +772,915 @@ relates the key and values.
| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
-### GlobalTenantResource.spec.resources[index].namespacedItems[index]
+### CustomQuota.spec.scopeSelectors[index]
+
+
+
+A label selector is a label query over a set of resources. The result of matchLabels and
+matchExpressions are ANDed. An empty label selector matches all objects. A null
+label selector matches no objects.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#customquotaspecscopeselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+### CustomQuota.spec.scopeSelectors[index].matchExpressions[index]
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
-| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true |
-| **[selector](#globaltenantresourcespecresourcesindexnamespaceditemsindexselector)** | object | Label selector used to select the given resources in the given Namespace. | true |
-| **apiVersion** | string | API version of the referent. | false |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
-### GlobalTenantResource.spec.resources[index].namespacedItems[index].selector
+### CustomQuota.status
-Label selector used to select the given resources in the given Namespace.
+CustomQuotaStatus defines the observed state of GlobalResourceQuota.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceditemsindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
-| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+| **[conditions](#customquotastatusconditionsindex)** | []object | Conditions | true |
+| **[targets](#customquotastatustargetsindex)** | []object | Targeting GVK | true |
+| **[claims](#customquotastatusclaimsindex)** | []object | Objects regarding this policy | false |
+| **[usage](#customquotastatususage)** | object | Usage measurements | false |
+
+
+### CustomQuota.status.conditions[index]
+
+
+
+Condition contains details for one aspect of the current state of this API Resource.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
+| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false |
+
+
+### CustomQuota.status.targets[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **group** | string | | true |
+| **kind** | string | | true |
+| **version** | string | | true |
+| **op** | enum | Operation used to evaluate usage.
*Enum*: add, sub, count
*Default*: add
| false |
+| **path** | string | Path on GVK where usage is evaluated.
Must be empty when op is "count".
Required and non-empty for all other operations. | false |
+| **scope** | string | Path on GVK where usage is evaluated | false |
+| **[selectors](#customquotastatustargetsindexselectorsindex)** | []object | Provide more granular selectors for these sources
The ScopeSelector and NamespaceSelector are always applied
Allowing these selectors to make further selecting on the resulting subset. | false |
+
+
+### CustomQuota.status.targets[index].selectors[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **fieldSelectors** | []string | Additional boolean JSONPath expressions.
All must evaluate to true for this selector to match. | false |
+| **[matchExpressions](#customquotastatustargetsindexselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### CustomQuota.status.targets[index].selectors[index].matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### CustomQuota.status.claims[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **group** | string | | true |
+| **kind** | string | | true |
+| **name** | string | Name of the referent. | true |
+| **uid** | string | UID of the tracked Tenant to pin point tracking | true |
+| **usage** | int or string | Resource Quantity for given item | true |
+| **version** | string | | true |
+| **namespace** | string | Namespace of the referent, when not specified it acts as LocalObjectReference. | false |
+
+
+### CustomQuota.status.usage
+
+
+
+Usage measurements
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **available** | int or string | Used is the current observed total available of the resource (limit - used). | false |
+| **used** | int or string | Used is the current observed total usage of the resource. | false |
+
+## GlobalCustomQuota
+
+
+
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | capsule.clastix.io/v1beta2 | true |
+| **kind** | string | GlobalCustomQuota | true |
+| **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
+| **[spec](#globalcustomquotaspec)** | object | ClusterCustomQuotaSpec. | true |
+| **[status](#globalcustomquotastatus)** | object | CustomQuotaStatus defines the observed state of GlobalResourceQuota. | false |
+
+
+### GlobalCustomQuota.spec
+
+
+
+ClusterCustomQuotaSpec.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **limit** | int or string | Resource Quantity as limit | true |
+| **[options](#globalcustomquotaspecoptions)** | object | Additional Options for the CustomQuotaSpecification
*Default*: map[emitMetricPerClaimUsage:false]
| true |
+| **[sources](#globalcustomquotaspecsourcesindex)** | []object | Target resource | true |
+| **[namespaceSelectors](#globalcustomquotaspecnamespaceselectorsindex)** | []object | Select specifc namespaces where this Quota selects items. | false |
+| **[scopeSelectors](#globalcustomquotaspecscopeselectorsindex)** | []object | Select items governed by this quota | false |
+
+
+### GlobalCustomQuota.spec.options
+
+
+
+Additional Options for the CustomQuotaSpecification
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **emitMetricPerClaimUsage** | boolean | Additionally expose usage metrics for each claim contributing to the quota.
This is disabled by default to avoid high cardinality in the metrics, but can be enabled for more granular monitoring and alerting.
*Default*: false
| false |
+
+
+### GlobalCustomQuota.spec.sources[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | API version of the referent. | true |
+| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
+| **op** | enum | Operation used to evaluate usage.
*Enum*: add, sub, count
*Default*: add
| false |
+| **path** | string | Path on GVK where usage is evaluated.
Must be empty when op is "count".
Required and non-empty for all other operations. | false |
+| **[selectors](#globalcustomquotaspecsourcesindexselectorsindex)** | []object | Provide more granular selectors for these sources
The ScopeSelector and NamespaceSelector are always applied
Allowing these selectors to make further selecting on the resulting subset. | false |
+
+
+### GlobalCustomQuota.spec.sources[index].selectors[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **fieldSelectors** | []string | Additional boolean JSONPath expressions.
All must evaluate to true for this selector to match. | false |
+| **[matchExpressions](#globalcustomquotaspecsourcesindexselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalCustomQuota.spec.sources[index].selectors[index].matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalCustomQuota.spec.namespaceSelectors[index]
+
+
+
+Selector for resources and their labels or selecting origin namespaces
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#globalcustomquotaspecnamespaceselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalCustomQuota.spec.namespaceSelectors[index].matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalCustomQuota.spec.scopeSelectors[index]
+
+
+
+A label selector is a label query over a set of resources. The result of matchLabels and
+matchExpressions are ANDed. An empty label selector matches all objects. A null
+label selector matches no objects.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#globalcustomquotaspecscopeselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalCustomQuota.spec.scopeSelectors[index].matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalCustomQuota.status
+
+
+
+CustomQuotaStatus defines the observed state of GlobalResourceQuota.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[conditions](#globalcustomquotastatusconditionsindex)** | []object | Conditions | true |
+| **[targets](#globalcustomquotastatustargetsindex)** | []object | Targeting GVK | true |
+| **[claims](#globalcustomquotastatusclaimsindex)** | []object | Objects regarding this policy | false |
+| **namespaces** | []string | Observed Namespaces | false |
+| **[usage](#globalcustomquotastatususage)** | object | Usage measurements | false |
+
+
+### GlobalCustomQuota.status.conditions[index]
+
+
+
+Condition contains details for one aspect of the current state of this API Resource.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
+| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false |
+
+
+### GlobalCustomQuota.status.targets[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **group** | string | | true |
+| **kind** | string | | true |
+| **version** | string | | true |
+| **op** | enum | Operation used to evaluate usage.
*Enum*: add, sub, count
*Default*: add
| false |
+| **path** | string | Path on GVK where usage is evaluated.
Must be empty when op is "count".
Required and non-empty for all other operations. | false |
+| **scope** | string | Path on GVK where usage is evaluated | false |
+| **[selectors](#globalcustomquotastatustargetsindexselectorsindex)** | []object | Provide more granular selectors for these sources
The ScopeSelector and NamespaceSelector are always applied
Allowing these selectors to make further selecting on the resulting subset. | false |
+
+
+### GlobalCustomQuota.status.targets[index].selectors[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **fieldSelectors** | []string | Additional boolean JSONPath expressions.
All must evaluate to true for this selector to match. | false |
+| **[matchExpressions](#globalcustomquotastatustargetsindexselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalCustomQuota.status.targets[index].selectors[index].matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalCustomQuota.status.claims[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **group** | string | | true |
+| **kind** | string | | true |
+| **name** | string | Name of the referent. | true |
+| **uid** | string | UID of the tracked Tenant to pin point tracking | true |
+| **usage** | int or string | Resource Quantity for given item | true |
+| **version** | string | | true |
+| **namespace** | string | Namespace of the referent, when not specified it acts as LocalObjectReference. | false |
+
+
+### GlobalCustomQuota.status.usage
+
+
+
+Usage measurements
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **available** | int or string | Used is the current observed total available of the resource (limit - used). | false |
+| **used** | int or string | Used is the current observed total usage of the resource. | false |
+
+## GlobalTenantResource
+
+
+
+
+
+
+GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | capsule.clastix.io/v1beta2 | true |
+| **kind** | string | GlobalTenantResource | true |
+| **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
+| **[spec](#globaltenantresourcespec)** | object | GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. | true |
+| **[status](#globaltenantresourcestatus)** | object | GlobalTenantResourceStatus defines the observed state of GlobalTenantResource. | false |
+
+
+### GlobalTenantResource.spec
+
+
+
+GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[resources](#globaltenantresourcespecresourcesindex)** | []object | Defines the rules to select targeting Namespace, along with the objects that must be replicated. | true |
+| **resyncPeriod** | string | Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
*Default*: 60s
| true |
+| **[settings](#globaltenantresourcespecsettings)** | object | Provide additional settings
*Default*: map[]
| true |
+| **cordoned** | boolean | When cordoning a replication it will no longer execute any applies or deletions (paused).
This is useful for maintenances
*Default*: false
| false |
+| **[dependsOn](#globaltenantresourcespecdependsonindex)** | []object | DependsOn may contain a meta.NamespacedObjectReference slice
with references to TenantResource resources that must be ready before this
TenantResource can be reconciled. | false |
+| **pruningOnDelete** | boolean | When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
*Default*: true
| false |
+| **scope** | enum | Resource Scope, Can either be
- Tenant: Create Resources for each tenant in selected Tenants
- Namespace: Create Resources for each namespace in selected Tenants
*Enum*: Namespace, Tenant, None
*Default*: Namespace
| false |
+| **[serviceAccount](#globaltenantresourcespecserviceaccount)** | object | Local ServiceAccount which will perform all the actions defined in the TenantResource
You must provide permissions accordingly to that ServiceAccount | false |
+| **[tenantSelector](#globaltenantresourcespectenantselector)** | object | Defines the Tenant selector used target the tenants on which resources must be propagated. | false |
+
+
+### GlobalTenantResource.spec.resources[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[additionalMetadata](#globaltenantresourcespecresourcesindexadditionalmetadata)** | object | Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources. | false |
+| **[context](#globaltenantresourcespecresourcesindexcontext)** | object | Provide additional template context, which can be used throughout all
the declared items for the replication | false |
+| **[generators](#globaltenantresourcespecresourcesindexgeneratorsindex)** | []object | Templates for advanced use cases | false |
+| **[namespaceSelector](#globaltenantresourcespecresourcesindexnamespaceselector)** | object | Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted. | false |
+| **[namespacedItems](#globaltenantresourcespecresourcesindexnamespaceditemsindex)** | []object | List of the resources already existing in other Namespaces that must be replicated. | false |
+| **rawItems** | []object | List of raw resources that must be replicated. | false |
+
+
+### GlobalTenantResource.spec.resources[index].additionalMetadata
+
+
+
+Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
+added to the replicated resources.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **annotations** | map[string]string | | false |
+| **labels** | map[string]string | | false |
+
+
+### GlobalTenantResource.spec.resources[index].context
+
+
+
+Provide additional template context, which can be used throughout all
+the declared items for the replication
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[resources](#globaltenantresourcespecresourcesindexcontextresourcesindex)** | []object | | false |
+
+
+### GlobalTenantResource.spec.resources[index].context.resources[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | API version of the referent. | true |
+| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
+| **index** | string | Index to mount the resource in the template context | false |
+| **name** | string | Name of the values referent. This is useful
when you traying to get a specific resource | false |
+| **namespace** | string | Namespace of the values referent. | false |
+| **optional** | boolean | Only relevant if name is set. If an item is not optional, there will be an error thrown when it does not exist
*Default*: true
| false |
+| **[selector](#globaltenantresourcespecresourcesindexcontextresourcesindexselector)** | object | Selector which allows to get any amount of these resources based on labels | false |
+
+
+### GlobalTenantResource.spec.resources[index].context.resources[index].selector
+
+
+
+Selector which allows to get any amount of these resources based on labels
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#globaltenantresourcespecresourcesindexcontextresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalTenantResource.spec.resources[index].context.resources[index].selector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalTenantResource.spec.resources[index].generators[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **missingKey** | enum | Missing Key Option for templating
*Enum*: invalid, zero, error
*Default*: zero
| false |
+| **template** | string | Template contains any amount of yaml which is applied to Kubernetes.
This can be a single resource or multiple resources | false |
+
+
+### GlobalTenantResource.spec.resources[index].namespaceSelector
+
+
+
+Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
+In case of nil value, all the Tenant Namespaces are targeted.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalTenantResource.spec.resources[index].namespaceSelector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalTenantResource.spec.resources[index].namespacedItems[index]
+
+
+
+Reference
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | API version of the referent. | true |
+| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
+| **name** | string | Name of the values referent. This is useful
when you traying to get a specific resource | false |
+| **namespace** | string | Namespace of the values referent. | false |
+| **optional** | boolean | Only relevant if name is set. If an item is not optional, there will be an error thrown when it does not exist
*Default*: true
| false |
+| **[selector](#globaltenantresourcespecresourcesindexnamespaceditemsindexselector)** | object | Selector which allows to get any amount of these resources based on labels | false |
+
+
+### GlobalTenantResource.spec.resources[index].namespacedItems[index].selector
+
+
+
+Selector which allows to get any amount of these resources based on labels
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceditemsindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalTenantResource.spec.resources[index].namespacedItems[index].selector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalTenantResource.spec.settings
+
+
+
+Provide additional settings
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **adopt** | boolean | Enabling this allows TenanResources to interact with objects which were not created by a TenantResource. In this case on prune no deletion of the entire object is made.
*Default*: false
| false |
+| **force** | boolean | Force indicates that in case of conflicts with server-side apply, the client should acquire ownership of the conflicting field.
You may create collisions with this.
*Default*: false
| false |
+
+
+### GlobalTenantResource.spec.dependsOn[index]
+
+
+
+LocalObjectReference contains enough information to locate the referenced Kubernetes resource object.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **name** | string | Name of the referent. | true |
+
+
+### GlobalTenantResource.spec.serviceAccount
+
+
+
+Local ServiceAccount which will perform all the actions defined in the TenantResource
+You must provide permissions accordingly to that ServiceAccount
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **name** | string | Name of the referent. | true |
+| **namespace** | string | Namespace of the referent. | true |
+
+
+### GlobalTenantResource.spec.tenantSelector
+
+
+
+Defines the Tenant selector used target the tenants on which resources must be propagated.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#globaltenantresourcespectenantselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### GlobalTenantResource.spec.tenantSelector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### GlobalTenantResource.status
+
+
+
+GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **size** | integer | How many items are being replicated by the TenantResource. | true |
+| **[conditions](#globaltenantresourcestatusconditionsindex)** | []object | Condition of the GlobalTenantResource. | false |
+| **[processedItems](#globaltenantresourcestatusprocesseditemsindex)** | []object | List of the replicated resources for the given TenantResource. | false |
+| **selectedTenants** | []string | List of Tenants addressed by the GlobalTenantResource. | false |
+| **[serviceAccount](#globaltenantresourcestatusserviceaccount)** | object | Serviceaccount used for impersonation | false |
+
+
+### GlobalTenantResource.status.conditions[index]
+
+
+
+Condition contains details for one aspect of the current state of this API Resource.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
+| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false |
+
+
+### GlobalTenantResource.status.processedItems[index]
+
+
+
+Advanced Status Item for pin pointing items in tenants/namespaces.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **group** | string | | false |
+| **kind** | string | | false |
+| **name** | string | | false |
+| **namespace** | string | | false |
+| **origin** | string | | false |
+| **[status](#globaltenantresourcestatusprocesseditemsindexstatus)** | object | | false |
+| **tenant** | string | | false |
+| **version** | string | | false |
+
+
+### GlobalTenantResource.status.processedItems[index].status
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **created** | boolean | Indicates wether the resource was created or adopted | false |
+| **lastApply** | string | An opaque value that represents the internal version of this object that can
be used by clients to determine when objects have changed. May be used for optimistic
concurrency, change detection, and the watch operation on a resource or set of resources.
Clients must treat these values as opaque and passed unmodified back to the server.
They may only be valid for a particular resource or set of resources.
Populated by the system.
Read-only.
Value must be treated as opaque by clients and .
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
*Format*: date-time
| false |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | false |
+
+
+### GlobalTenantResource.status.serviceAccount
+
+
+
+Serviceaccount used for impersonation
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **name** | string | Name of the referent. | true |
+| **namespace** | string | Namespace of the referent. | true |
+
+## QuantityLedger
+
+
+
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | capsule.clastix.io/v1beta2 | true |
+| **kind** | string | QuantityLedger | true |
+| **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
+| **[spec](#quantityledgerspec)** | object | QuotaLedgerSpec contains the immutable target reference. | false |
+| **[status](#quantityledgerstatus)** | object | QuantityLedgerStatus contains the mutable coordination state used by admission
and quota controllers. | false |
+
+
+### QuantityLedger.spec
+
+
+
+QuotaLedgerSpec contains the immutable target reference.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[targetRef](#quantityledgerspectargetref)** | object | TargetRef points to the quota object that this ledger belongs to. | true |
+
+
+### QuantityLedger.spec.targetRef
+
+
+
+TargetRef points to the quota object that this ledger belongs to.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **kind** | string | Kind of the target quota resource, for example "CustomQuota" or "GlobalCustomQuota". | true |
+| **name** | string | Name of the target quota resource. | true |
+| **apiGroup** | string | APIGroup of the target quota resource, for example "capsule.clastix.io". | false |
+| **namespace** | string | Namespace of the target quota resource.
Must be empty for cluster-scoped targets. | false |
+| **uid** | string | UID of the target quota resource.
Optional, but useful for stale reference detection. | false |
+
+
+### QuantityLedger.status
+
+
+
+QuantityLedgerStatus contains the mutable coordination state used by admission
+and quota controllers.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **allocated** | int or string | Allocated is the admission-owned total that has been accepted by the webhook.
It must be updated only through optimistic concurrency on QuantityLedger. | false |
+| **[conditions](#quantityledgerstatusconditionsindex)** | []object | Conditions for the resource claim | false |
+| **[pendingDeletes](#quantityledgerstatuspendingdeletesindex)** | []object | Pending delete hints carried over from admission delete handling. | false |
+| **[reservations](#quantityledgerstatusreservationsindex)** | []object | Active inflight reservations for this quota. | false |
+| **reserved** | int or string | Reserved is the aggregate sum of all active reservations.
Controllers/webhooks should treat this as derived data from Reservations. | false |
-### GlobalTenantResource.spec.resources[index].namespacedItems[index].selector.matchExpressions[index]
+### QuantityLedger.status.conditions[index]
-A label selector requirement is a selector that contains values, a key, and an operator that
-relates the key and values.
+Condition contains details for one aspect of the current state of this API Resource.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **key** | string | key is the label key that the selector applies to. | true |
-| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
-| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
+| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false |
-### GlobalTenantResource.spec.tenantSelector
+### QuantityLedger.status.pendingDeletes[index]
-Defines the Tenant selector used target the tenants on which resources must be propagated.
+QuantityLedgerPendingDelete tracks objects that are expected to disappear from claims
+soon, but may still temporarily appear during rebuild due to propagation delay.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[matchExpressions](#globaltenantresourcespectenantselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
-| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+| **createdAt** | string |
*Format*: date-time
| true |
+| **[objectRef](#quantityledgerstatuspendingdeletesindexobjectref)** | object | QuotaLedgerObjectRef identifies the object for which a reservation exists.
UID may be empty for CREATE admission before the object is persisted. | true |
-### GlobalTenantResource.spec.tenantSelector.matchExpressions[index]
+### QuantityLedger.status.pendingDeletes[index].objectRef
-A label selector requirement is a selector that contains values, a key, and an operator that
-relates the key and values.
+QuotaLedgerObjectRef identifies the object for which a reservation exists.
+UID may be empty for CREATE admission before the object is persisted.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **key** | string | key is the label key that the selector applies to. | true |
-| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
-| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+| **apiVersion** | string | APIVersion of the tracked object, for example "v1". | true |
+| **kind** | string | Kind of the tracked object, for example "Pod". | true |
+| **apiGroup** | string | APIGroup of the tracked object. | false |
+| **name** | string | Name of the tracked object. | false |
+| **namespace** | string | Namespace of the tracked object. | false |
+| **uid** | string | UID of the tracked object. | false |
-### GlobalTenantResource.status
+### QuantityLedger.status.reservations[index]
-GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
+QuantityLedgerReservation represents one active inflight reservation.
+ID should be stable for retries of the same admission request.
+In practice, admission.Request.UID is a good default.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[processedItems](#globaltenantresourcestatusprocesseditemsindex)** | []object | List of the replicated resources for the given TenantResource. | true |
-| **selectedTenants** | []string | List of Tenants addressed by the GlobalTenantResource. | true |
-
+| **createdAt** | string | Time the reservation was first created.
*Format*: date-time
| true |
+| **id** | string | Unique reservation identifier. | true |
+| **[objectRef](#quantityledgerstatusreservationsindexobjectref)** | object | Object that this reservation is intended to create/update. | true |
+| **updatedAt** | string | Time the reservation was last refreshed or updated.
*Format*: date-time
| true |
+| **usage** | int or string | Amount reserved for this request. | true |
+| **expiresAt** | string | Time after which the reservation may be considered stale.
*Format*: date-time
| false |
-### GlobalTenantResource.status.processedItems[index]
+### QuantityLedger.status.reservations[index].objectRef
+Object that this reservation is intended to create/update.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
-| **name** | string | Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | true |
-| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true |
-| **apiVersion** | string | API version of the referent. | false |
+| **apiVersion** | string | APIVersion of the tracked object, for example "v1". | true |
+| **kind** | string | Kind of the tracked object, for example "Pod". | true |
+| **apiGroup** | string | APIGroup of the tracked object. | false |
+| **name** | string | Name of the tracked object. | false |
+| **namespace** | string | Namespace of the tracked object. | false |
+| **uid** | string | UID of the tracked object. | false |
## ResourcePoolClaim
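Review bot: several generated descriptions in the GlobalTenantResource and QuantityLedger sections contradict their own schema, and because this file is generated from the CRD type comments the fixes belong in the Go doc comments, not in this Markdown. `GlobalTenantResource.status.processedItems[index].status.lastApply` carries the `resourceVersion` boilerplate ("An opaque value that represents the internal version of this object ... Value must be treated as opaque by clients and .") but is declared `*Format*: date-time`; the comment was copied from the wrong field and ends mid-sentence. `spec.dependsOn` says it "may contain a meta.NamespacedObjectReference slice with references to TenantResource resources", yet `spec.dependsOn[index]` is a `LocalObjectReference` with only `name`, so for a cluster-scoped object it is unclear whether `name` denotes another GlobalTenantResource or a TenantResource in some namespace; state which. `spec.scope` lists `*Enum*: Namespace, Tenant, None` but documents only Tenant and Namespace; say what `None` does. `resyncPeriod` and `settings` are marked Required `true` although both have defaults (`60s`, `map[]`), which usually means the struct fields lack `omitempty`/`+optional`; `status.size` is likewise required inside an optional status. Two defaults deserve an explicit warning because they fail open: `context.resources[index].optional` defaults to `true` and `generators[index].missingKey` defaults to `zero`, so a referenced context resource that does not exist does not fail the reconcile and any key the template reads from it renders as a zero value; for templated RoleBindings or NetworkPolicies that means an object with empty subjects or selectors is applied silently, so the page should recommend `optional: false` and `missingKey: error` for security-relevant templates. `settings.force` should spell out that acquiring field ownership under server-side apply overwrites fields set by other managers in the tenant namespace, which is more useful than "You may create collisions with this". For QuantityLedger, `spec` is described as `QuotaLedgerSpec` and `pendingDeletes[index].objectRef` as `QuotaLedgerObjectRef` while the kind and status use the `QuantityLedger` prefix; `objectRef` carries both `apiVersion` ("v1") and `apiGroup`, which overlap, so say which is authoritative; `pendingDeletes[index].createdAt` has no description; and since `status.allocated` is "the admission-owned total that has been accepted by the webhook", the page should say who may write QuantityLedger and its status subresource, because if tenant principals can, the total the webhook checks against is under their control. Typos to fix at the source comments: "traying to get" (twice), "TenanResources", "wether", "pin pointing", "used target the tenants", "although the deletion of the replication manifest".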
@@ -815,9 +2003,48 @@ ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
| **apiVersion** | string | capsule.clastix.io/v1beta2 | true |
| **kind** | string | RuleStatus | true |
| **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
+| **[spec](#rulestatusspecindex)** | []object | | false |
| **[status](#rulestatusstatus)** | object | RuleStatus contains the accumulated rules applying to namespace it's deployed in. | false |
+### RuleStatus.spec[index]
+
+
+
+For future inmplementatiosn where users might manage RuleStatus CRs tehmselves
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[enforce](#rulestatusspecindexenforce)** | object | Enforcement for given rule | false |
+
+
+### RuleStatus.spec[index].enforce
+
+
+
+Enforcement for given rule
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[registries](#rulestatusspecindexenforceregistriesindex)** | []object | Define registries which are allowed to be used within this tenant
The rules are aggregated, since you can use Regular Expressions the match registry endpoints | false |
+
+
+### RuleStatus.spec[index].enforce.registries[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **url** | string | OCI Registry endpoint, is treated as regular expression. | true |
+| **policy** | []string | Allowed PullPolicy for the given registry. Supplying no value allows all policies. | false |
+| **validation** | []enum | Requesting Resources
*Enum*: pod/images, pod/volumes
*Default*: [pod/images pod/volumes]
| false |
+
+
### RuleStatus.status
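Review bot: `RuleStatus.spec[index].enforce.registries[index].url` is documented as "OCI Registry endpoint, is treated as regular expression" without saying whether the pattern is anchored; an unanchored `docker.io` also matches `docker.io.evil.example`, and an unescaped dot matches any character, so the text should state how the match is performed (full match or search) and show an anchored, escaped form such as `^docker\.io/`. `RuleStatus.spec[index]` is described as "For future inmplementatiosn where users might manage RuleStatus CRs tehmselves" (typos aside), which leaves it unclear whether the controller reads `spec` today; if it is ignored, say so, and if it is honoured, the page must say who may create or edit RuleStatus objects, because a tenant user able to write `spec.enforce.registries` in their own namespace would be setting their own allow list. Minor: the `validation` default is rendered as the Go slice literal `[pod/images pod/volumes]` rather than a YAML list, and "since you can use Regular Expressions the match registry endpoints" should read "to match".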
@@ -827,9 +2054,27 @@ RuleStatus contains the accumulated rules applying to namespace it's deployed in
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
+| **[conditions](#rulestatusstatusconditionsindex)** | []object | Conditions | true |
| **[rule](#rulestatusstatusrule)** | object | Managed Enforcement properties per Namespace (aggregated from rules) | false |
+### RuleStatus.status.conditions[index]
+
+
+
+Condition contains details for one aspect of the current state of this API Resource.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
+| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false |
+
+
### RuleStatus.status.rule
@@ -839,14 +2084,14 @@ Managed Enforcement properties per Namespace (aggregated from rules)
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[enforce](#rulestatusstatusruleenforce)** | object | Enforcement Rules applied | false |
+| **[enforce](#rulestatusstatusruleenforce)** | object | Enforcement for given rule | false |
### RuleStatus.status.rule.enforce
-Enforcement Rules applied
+Enforcement for given rule
| **Name** | **Type** | **Description** | **Required** |
@@ -932,7 +2177,11 @@ TenantResourceSpec defines the desired state of TenantResource.
| :---- | :---- | :----------- | :-------- |
| **[resources](#tenantresourcespecresourcesindex)** | []object | Defines the rules to select targeting Namespace, along with the objects that must be replicated. | true |
| **resyncPeriod** | string | Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
*Default*: 60s
| true |
+| **[settings](#tenantresourcespecsettings)** | object | Provide additional settings
*Default*: map[]
| true |
+| **cordoned** | boolean | When cordoning a replication it will no longer execute any applies or deletions (paused).
This is useful for maintenances
*Default*: false
| false |
+| **[dependsOn](#tenantresourcespecdependsonindex)** | []object | DependsOn may contain a meta.NamespacedObjectReference slice
with references to TenantResource resources that must be ready before this
TenantResource can be reconciled. | false |
| **pruningOnDelete** | boolean | When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
*Default*: true
| false |
+| **[serviceAccount](#tenantresourcespecserviceaccount)** | object | Local ServiceAccount which will perform all the actions defined in the TenantResource
You must provide permissions accordingly to that ServiceAccount | false |
### TenantResource.spec.resources[index]
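Review bot: the `settings` row is marked Required `true` while also carrying `*Default*: map[]`, which is inconsistent with `cordoned` and `pruningOnDelete` in the same table, where defaulted fields are `false`; either drop the default or mark the field as not required. In the `serviceAccount` row, "You must provide permissions accordingly to that ServiceAccount" should read "You must grant that ServiceAccount the permissions it needs", and since every action in the TenantResource is performed as that account, it is worth adding that the role bound to it should cover only the resource kinds listed under `resources` rather than a broad cluster role. Minor: "useful for maintenances" should be "useful for maintenance".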
@@ -945,9 +2194,11 @@ TenantResourceSpec defines the desired state of TenantResource.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
| **[additionalMetadata](#tenantresourcespecresourcesindexadditionalmetadata)** | object | Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources. | false |
+| **[context](#tenantresourcespecresourcesindexcontext)** | object | Provide additional template context, which can be used throughout all
the declared items for the replication | false |
+| **[generators](#tenantresourcespecresourcesindexgeneratorsindex)** | []object | Templates for advanced use cases | false |
| **[namespaceSelector](#tenantresourcespecresourcesindexnamespaceselector)** | object | Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted. | false |
| **[namespacedItems](#tenantresourcespecresourcesindexnamespaceditemsindex)** | []object | List of the resources already existing in other Namespaces that must be replicated. | false |
-| **rawItems** | []RawExtension | List of raw resources that must be replicated. | false |
+| **rawItems** | []object | List of raw resources that must be replicated. | false |
### TenantResource.spec.resources[index].additionalMetadata
@@ -964,6 +2215,78 @@ added to the replicated resources.
| **labels** | map[string]string | | false |
+### TenantResource.spec.resources[index].context
+
+
+
+Provide additional template context, which can be used throughout all
+the declared items for the replication
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[resources](#tenantresourcespecresourcesindexcontextresourcesindex)** | []object | | false |
+
+
+### TenantResource.spec.resources[index].context.resources[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | API version of the referent. | true |
+| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
+| **index** | string | Index to mount the resource in the template context | false |
+| **name** | string | Name of the values referent. This is useful
when you traying to get a specific resource | false |
+| **namespace** | string | Namespace of the values referent. | false |
+| **optional** | boolean | Only relevant if name is set. If an item is not optional, there will be an error thrown when it does not exist
*Default*: true
| false |
+| **[selector](#tenantresourcespecresourcesindexcontextresourcesindexselector)** | object | Selector which allows to get any amount of these resources based on labels | false |
+
+
+### TenantResource.spec.resources[index].context.resources[index].selector
+
+
+
+Selector which allows to get any amount of these resources based on labels
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#tenantresourcespecresourcesindexcontextresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### TenantResource.spec.resources[index].context.resources[index].selector.matchExpressions[index]
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### TenantResource.spec.resources[index].generators[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **missingKey** | enum | Missing Key Option for templating
*Enum*: invalid, zero, error
*Default*: zero
| false |
+| **template** | string | Template contains any amount of yaml which is applied to Kubernetes.
This can be a single resource or multiple resources | false |
+
+
### TenantResource.spec.resources[index].namespaceSelector
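Review bot: in the `context.resources[index]` table the `name` row has a typo ("traying" should be "trying"), and the combination of `optional` defaulting to `true` with `missingKey` defaulting to `zero` in `generators[index]` means a referenced resource that does not exist renders silently as an empty value instead of failing; the description should state this explicitly and point out that `optional: false` or `missingKey: error` turns a missing reference into a reconcile error, which is the safer setting when the context feeds security-relevant objects such as RBAC or NetworkPolicies. The `generators[index]` section also has no description above its table.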
@@ -997,22 +2320,24 @@ relates the key and values.
-
+Reference
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
+| **apiVersion** | string | API version of the referent. | true |
| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
-| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true |
-| **[selector](#tenantresourcespecresourcesindexnamespaceditemsindexselector)** | object | Label selector used to select the given resources in the given Namespace. | true |
-| **apiVersion** | string | API version of the referent. | false |
+| **name** | string | Name of the values referent. This is useful
when you traying to get a specific resource | false |
+| **namespace** | string | Namespace of the values referent. | false |
+| **optional** | boolean | Only relevant if name is set. If an item is not optional, there will be an error thrown when it does not exist
*Default*: true
| false |
+| **[selector](#tenantresourcespecresourcesindexnamespaceditemsindexselector)** | object | Selector which allows to get any amount of these resources based on labels | false |
### TenantResource.spec.resources[index].namespacedItems[index].selector
-Label selector used to select the given resources in the given Namespace.
+Selector which allows to get any amount of these resources based on labels
| **Name** | **Type** | **Description** | **Required** |
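Review bot: `namespace` and `selector` move from Required `true` to `false` and `apiVersion` becomes required, but the hunk does not say what an omitted `namespace` resolves to (the TenantResource's own namespace, or all namespaces); since an item with only a `selector` could otherwise match objects outside the tenant, the `namespace` description should state the resolution rule. The `name` row repeats the "traying" typo from the context table.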
@@ -1036,6 +2361,44 @@ relates the key and values.
| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+### TenantResource.spec.settings
+
+
+
+Provide additional settings
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **adopt** | boolean | Enabling this allows TenanResources to interact with objects which were not created by a TenantResource. In this case on prune no deletion of the entire object is made.
*Default*: false
| false |
+| **force** | boolean | Force indicates that in case of conflicts with server-side apply, the client should acquire ownership of the conflicting field.
You may create collisions with this.
*Default*: false
| false |
+
+
+### TenantResource.spec.dependsOn[index]
+
+
+
+LocalObjectReference contains enough information to locate the referenced Kubernetes resource object.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **name** | string | Name of the referent. | true |
+
+
+### TenantResource.spec.serviceAccount
+
+
+
+Local ServiceAccount which will perform all the actions defined in the TenantResource
+You must provide permissions accordingly to that ServiceAccount
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **name** | string | Name of the referent. | true |
+
+
### TenantResource.status
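Review bot: the `adopt` row has a typo ("TenanResources" should be "TenantResources") and the sentence "In this case on prune no deletion of the entire object is made" does not say what prune does do to an adopted object; spell that out. The `force` row's "You may create collisions with this" is vague: server-side apply with force takes ownership of fields currently owned by other field managers, so say plainly that enabling it overwrites fields managed by other controllers or users, which is why it defaults to `false`.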
@@ -1045,22 +2408,75 @@ TenantResourceStatus defines the observed state of TenantResource.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[processedItems](#tenantresourcestatusprocesseditemsindex)** | []object | List of the replicated resources for the given TenantResource. | true |
+| **size** | integer | How many items are being replicated by the TenantResource. | true |
+| **[conditions](#tenantresourcestatusconditionsindex)** | []object | Condition of the GlobalTenantResource. | false |
+| **[processedItems](#tenantresourcestatusprocesseditemsindex)** | []object | List of the replicated resources for the given TenantResource. | false |
+| **[serviceAccount](#tenantresourcestatusserviceaccount)** | object | Serviceaccount used for impersonation | false |
+
+
+### TenantResource.status.conditions[index]
+
+
+
+Condition contains details for one aspect of the current state of this API Resource.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
+| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false |
### TenantResource.status.processedItems[index]
+Advanced Status Item for pin pointing items in tenants/namespaces.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **group** | string | | false |
+| **kind** | string | | false |
+| **name** | string | | false |
+| **namespace** | string | | false |
+| **origin** | string | | false |
+| **[status](#tenantresourcestatusprocesseditemsindexstatus)** | object | | false |
+| **tenant** | string | | false |
+| **version** | string | | false |
+
+
+### TenantResource.status.processedItems[index].status
+
+
+
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
-| **name** | string | Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | true |
-| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true |
-| **apiVersion** | string | API version of the referent. | false |
+| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true |
+| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
+| **created** | boolean | Indicates wether the resource was created or adopted | false |
+| **lastApply** | string | An opaque value that represents the internal version of this object that can
be used by clients to determine when objects have changed. May be used for optimistic
concurrency, change detection, and the watch operation on a resource or set of resources.
Clients must treat these values as opaque and passed unmodified back to the server.
They may only be valid for a particular resource or set of resources.
Populated by the system.
Read-only.
Value must be treated as opaque by clients and .
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
*Format*: date-time
| false |
+| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | false |
+
+
+### TenantResource.status.serviceAccount
+
+
+
+Serviceaccount used for impersonation
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **name** | string | Name of the referent. | true |
+| **namespace** | string | Namespace of the referent. | true |
## Tenant
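Review bot: the `conditions` row in `TenantResource.status` says "Condition of the GlobalTenantResource", a copy-paste from the global type; the `created` row has a typo ("wether" should be "whether"); and the `lastApply` description is the `resourceVersion` boilerplate (opaque value, optimistic concurrency, truncated sentence "Value must be treated as opaque by clients and .") while the format is `date-time`, so either it is a timestamp and needs a one-line description, or the format is wrong. Also "Serviceaccount used for impersonation" should be "ServiceAccount used for impersonation".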
@@ -1093,6 +2509,7 @@ TenantSpec defines the desired state of Tenant.
| **[additionalRoleBindings](#tenantspecadditionalrolebindingsindex-1)** | []object | Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional. | false |
| **[containerRegistries](#tenantspeccontainerregistries-1)** | object | Deprecated: Use Enforcement.Registries instead
Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional. | false |
| **cordoned** | boolean | Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
*Default*: false
| false |
+| **data** | JSON | Specify additional data relating to the tenant.
Mainly useable in templating and more accessible than labels/annotations. | false |
| **[deviceClasses](#tenantspecdeviceclasses)** | object | Specifies options for the DeviceClass resources. | false |
| **forceTenantPrefix** | boolean | Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
this is useful to avoid Namespace name collision.
When set to 'false', it allows Namespaces created for this Tenant to be named anything.
Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
Optional | false |
| **[gatewayOptions](#tenantspecgatewayoptions)** | object | Specifies options for the GatewayClass resources. | false |
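Review bot: in the `data` row, "useable" should be "usable", and "Mainly useable in templating" would read better as "Mainly intended for templating, and more accessible than labels/annotations".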
@@ -1802,6 +3219,7 @@ Specify Permissions for the Tenant.
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
+| **allowOwnerPromotion** | boolean | ClusterRoles granted to the promoted ServiceAccounts across the Tenant
*Default*: true
| false |
| **[matchOwners](#tenantspecpermissionsmatchownersindex)** | []object | Matches TenantOwner objects which are promoted to owners of this tenant
The elements are OR operations and independent. You can see the resulting Tenant Owners
in the Status.Owners specification of the Tenant. | false |
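Review bot: the `allowOwnerPromotion` description "ClusterRoles granted to the promoted ServiceAccounts across the Tenant" was copied from the `clusterRoles` field and does not describe a boolean; since it defaults to `true`, say what it gates (presumably whether tenant owners may promote ServiceAccounts) so administrators can decide whether to disable it.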
@@ -1954,20 +3372,21 @@ that relates the scope name and values.
-
+Rules Distributed via Tenants
| **Name** | **Type** | **Description** | **Required** |
| :---- | :---- | :----------- | :-------- |
-| **[enforce](#tenantspecrulesindexenforce)** | object | Enforcement Rules applied | false |
-| **[namespaceSelector](#tenantspecrulesindexnamespaceselector)** | object | Select namespaces which are going to usese | false |
+| **[enforce](#tenantspecrulesindexenforce)** | object | Enforcement for given rule | false |
+| **[namespaceSelector](#tenantspecrulesindexnamespaceselector)** | object | Select namespaces which are going to be targeted with this rule | false |
+| **[permissions](#tenantspecrulesindexpermissions)** | object | Permissions for given rule | false |
### Tenant.spec.rules[index].enforce
-Enforcement Rules applied
+Enforcement for given rule
| **Name** | **Type** | **Description** | **Required** |
@@ -1993,7 +3412,7 @@ Enforcement Rules applied
-Select namespaces which are going to usese
+Select namespaces which are going to be targeted with this rule
| **Name** | **Type** | **Description** | **Required** |
@@ -2006,6 +3425,60 @@ Select namespaces which are going to usese
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **key** | string | key is the label key that the selector applies to. | true |
+| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true |
+| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false |
+
+
+### Tenant.spec.rules[index].permissions
+
+
+
+Permissions for given rule
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[rules](#tenantspecrulesindexpermissionsrulesindex)** | []object | Define Promotion Rules which distributed additional ClusterRoles across the Tenant
for promoted ServiceAccounts. | false |
+
+
+### Tenant.spec.rules[index].permissions.rules[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **clusterRoles** | []string | ClusterRoles granted to the promoted ServiceAccounts across the Tenant
kubebuilder:validation:Minimum=1 | false |
+| **[selector](#tenantspecrulesindexpermissionsrulesindexselector)** | object | Match ServiceAccounts which are promoted which are granted these additional ClusterRoles
across the Tenant | false |
+
+
+### Tenant.spec.rules[index].permissions.rules[index].selector
+
+
+
+Match ServiceAccounts which are promoted which are granted these additional ClusterRoles
+across the Tenant
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **[matchExpressions](#tenantspecrulesindexpermissionsrulesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
+| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+
+
+### Tenant.spec.rules[index].permissions.rules[index].selector.matchExpressions[index]
+
+
+
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
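Review bot: the `clusterRoles` description leaks the marker "kubebuilder:validation:Minimum=1" into user-facing text, and `Minimum` is a numeric validation that does not apply to a `[]string` (a minimum item count would be `MinItems`); check the generated CRD. The `selector` description "Match ServiceAccounts which are promoted which are granted these additional ClusterRoles across the Tenant" should read "Matches promoted ServiceAccounts that are granted these additional ClusterRoles across the Tenant", and the `permissions.rules[index]` section has no description above its table.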
@@ -2176,10 +3649,11 @@ Returns the observed state of the Tenant.
| :---- | :---- | :----------- | :-------- |
| **[conditions](#tenantstatusconditionsindex)** | []object | Tenant Condition | true |
| **size** | integer | How many namespaces are assigned to the Tenant. | true |
-| **state** | enum | The operational state of the Tenant. Possible values are "Active", "Cordoned".
*Enum*: Cordoned, Active
*Default*: Active
| true |
+| **state** | enum | The operational state of the Tenant. Possible values are "Active", "Cordoned" or "Terminating".
*Enum*: Cordoned, Active, Terminating
*Default*: Active
| true |
| **[classes](#tenantstatusclasses)** | object | Available Class Types within Tenant | false |
| **namespaces** | []string | List of namespaces assigned to the Tenant. (Deprecated) | false |
| **[owners](#tenantstatusownersindex)** | []object | Collected owners for this tenant | false |
+| **[promotions](#tenantstatuspromotionsindex)** | []object | Promoted ServiceAccounts across the Tenant | false |
| **[spaces](#tenantstatusspacesindex)** | []object | Tracks state for the namespaces associated with this tenant | false |
@@ -2230,6 +3704,21 @@ Available Class Types within Tenant
| **clusterRoles** | []string | Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
| false |
+### Tenant.status.promotions[index]
+
+
+
+
+
+
+| **Name** | **Type** | **Description** | **Required** |
+| :---- | :---- | :----------- | :-------- |
+| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true |
+| **name** | string | Name of the entity. | true |
+| **clusterRoles** | []string | Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
| false |
+| **targets** | []string | Defines additional cluster-roles for the specific Owner. | false |
+
+
### Tenant.status.spaces[index]
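Review bot: the `targets` row reuses the `clusterRoles` description "Defines additional cluster-roles for the specific Owner.", so a reader cannot tell what `targets` contains (namespaces, ServiceAccount names, or something else); give it its own description. The `clusterRoles` default `[admin capsule-namespace-deleter]` looks copied from the owners table; a default on a status field is unusual, and if promotions really do carry `admin` by default that deserves a sentence in the rules documentation.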
diff --git a/content/en/docs/replications/global.md b/content/en/docs/replications/global.md
index 6cd94f7..ac57de9 100644
--- a/content/en/docs/replications/global.md
+++ b/content/en/docs/replications/global.md
@@ -1449,6 +1449,17 @@ namespace:
phase: Active
```
+### Monitoring
+
+Currently mainly the conditions of `GlobalTenantResources` are exposed as metrics:
+
+```
+# HELP capsule_global_resource_condition The current condition status of a global tenant resource.
+# TYPE capsule_global_resource_condition gauge
+capsule_global_resource_condition{condition="Cordoned",name="templated-forbidden-namespace"} 0
+capsule_global_resource_condition{condition="Ready",name="templated-forbidden-namespace"} 1
+```
+
## Examples
Different use cases for `GlobalTenantResource` objects.
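Review bot: "Currently mainly the conditions of `GlobalTenantResources` are exposed as metrics" needs a comma after "Currently" and reads better as "Currently, mainly the conditions of `GlobalTenantResources` are exposed as metrics". A sentence describing the labels (`condition`, `name`) and how to use the gauge, for example alerting when `condition="Ready"` stays at 0, would make the section actionable; the fence could also carry a language tag like the other code blocks in the docs.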
diff --git a/content/en/docs/replications/tenant.md b/content/en/docs/replications/tenant.md
index 7c2ec10..fdfaff1 100644
--- a/content/en/docs/replications/tenant.md
+++ b/content/en/docs/replications/tenant.md
@@ -1284,3 +1284,15 @@ namespace:
phase: Active
```
+### Monitoring
+
+Currently mainly the conditions of `TenantResources` are exposed as metrics:
+
+```
+# HELP capsule_resource_condition The current condition status of a tenant resource.
+# TYPE capsule_resource_condition gauge
+capsule_resource_condition{condition="Cordoned",name="templated-forbidden-namespace",target_namespace="e2e-tenantresource-ssa-system"} 0
+capsule_resource_condition{condition="Ready",name="templated-forbidden-namespace",target_namespace="e2e-tenantresource-ssa-system"} 1
+```
+
+
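Review bot: the hunk adds two trailing blank lines at end of file; drop them. Otherwise the same remarks as for `global.md` apply: comma after "Currently", and describe the labels, here including `target_namespace`, which is the label an operator would group by when a `Ready` gauge drops to 0 for one tenant namespace.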
diff --git a/content/en/docs/resource-management/customquotas/_index.md b/content/en/docs/resource-management/customquotas/_index.md
index 082e3e1..3b2f349 100644
--- a/content/en/docs/resource-management/customquotas/_index.md
+++ b/content/en/docs/resource-management/customquotas/_index.md
@@ -127,7 +127,7 @@ The following constraints apply to the JSONPath:
* `\r` (carriage return)
* `\t` (tab)
* Values can resolve to array results, which are then summed up. (For example, `.spec.containers[*].resources.limits.cpu` would sum the CPU limits of all containers in a Pod.)
- * Missing fields are treated as zero (`0`). We allow Keys to be missing be default. Meaning if you eg define this JP `.spec.initContainers[*].resources.limits.cpu` on a Pod that has no initContainers, it will simply contribute 0 to the usage instead of causing an error. This is useful for flexibility and to avoid unintended disruptions, but it also means that you need to be careful when defining your JSONPaths to ensure they accurately capture the intended usage.
+ * Missing fields are resulting in an error, as it's assumed that if a path requires calculation it should force the targeted sources to define these paths. Meaning if you eg define this JP `.spec.initContainers[*].resources.limits.cpu` on a Pod that has no initContainers, it will error. If you want to only calculate the path if it exists, you can use a [fielselector](#fieldselectors) to only match objects where the path exists, for example with `.spec.initContainers` as fieldSelector.
### Quota Matches
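Review bot: this rewrites documented behavior (missing fields now error instead of contributing 0), so it should also be called out as a behavior change in the what's-new page, since existing JSONPaths that relied on the old default will start failing. Wording: "Missing fields are resulting in an error" should be "Missing fields result in an error", "if you eg define" should be "if you, for example, define", and "fielselector" should be "fieldSelector". Failing on a missing path is the safer default, as the previous text itself noted that silently contributing 0 masked misconfigured paths.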
diff --git a/content/en/docs/tenants/enforcement.md b/content/en/docs/tenants/enforcement.md
index 2c92513..b696c6f 100644
--- a/content/en/docs/tenants/enforcement.md
+++ b/content/en/docs/tenants/enforcement.md
@@ -516,7 +516,7 @@ With the above configuration, any attempt of Alice to create a `Service` of type
> Note: This feature is offered only by API type `GatewayClass` in group `gateway.networking.k8s.io` version `v1`.
-[GatewayClass](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass) is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of `Gateways` that can be instantiated. [Read More](https://gateway-api.sigs.k8s.io/api-types/gatewayclass/)
+[GatewayClass](https://gateway-api.sigs.k8s.io/docs/concepts/api-overview/#gatewayclass) is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of `Gateways` that can be instantiated. [Read More](https://gateway-api.sigs.k8s.io/docs/concepts/api-overview/#gatewayclass)
Bill can assign a set of dedicated `GatewayClasses` to the `solar` `Tenant` to force the applications in the `solar` `Tenant` to be published only by the assigned Gateway Controller:
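Review bot: the main GatewayClass link and the "Read More" link now point to the same URL, so one of them is redundant; previously they pointed at the spec reference and the concept page respectively. Either drop "Read More" or keep the spec reference link and, if the link checker flags it, add that host to the lychee exclude list like the Red Hat domains in this PR. Also "is cluster-scoped resource" should be "is a cluster-scoped resource".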
@@ -535,7 +535,7 @@ spec:
env: "production"
```
-With the said Tenant specification, Alice can create a [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/) resource if `spec.gatewayClassName` equals to:
+With the said Tenant specification, Alice can create a [Gateway](https://gateway-api.sigs.k8s.io/docs/concepts/api-overview/#gateway) resource if `spec.gatewayClassName` equals to:
* Any `GatewayClass` which has the label `env` with the value `production`
@@ -563,7 +563,7 @@ Any attempt of Alice to use a non-valid `GatewayClass`, or missing it, is denied
> Note: The Default `GatewayClass` must have a label which is allowed within the tenant. This behavior is only implemented this way for the `GatewayClass` default.
-This feature allows specifying a custom default value on a `Tenant` basis. Currently there is no global default feature for a `GatewayClass`. Each [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/) must have a `spec.gatewayClassName` set.
+This feature allows specifying a custom default value on a `Tenant` basis. Currently there is no global default feature for a `GatewayClass`. Each [Gateway](https://gateway-api.sigs.k8s.io/docs/concepts/api-overview/#gateway) must have a `spec.gatewayClassName` set.
```yaml
apiVersion: capsule.clastix.io/v1beta2
diff --git a/content/en/docs/tenants/permissions.md b/content/en/docs/tenants/permissions.md
index 639bcee..63e3b37 100644
--- a/content/en/docs/tenants/permissions.md
+++ b/content/en/docs/tenants/permissions.md
@@ -79,10 +79,10 @@ metadata:
spec:
permissions:
matchOwners:
- - matchLabels:
- team: devops
- - matchLabels:
- customer: x
+ - matchLabels:
+ team: devops
+ - matchLabels:
+ customer: x
```
Since the ownership is now loosely coupled, all `TenantOwners` matching the given labels will be owners of the tenant. We can verify this via the `.status.owners` field of the Tenant resource:
@@ -624,7 +624,7 @@ spec:
## Promotion
-As [Tenant Owner](#ownership) you can perform `ServiceAccount` Promotion.
+As [Tenant Owner](#ownership) you can perform `ServiceAccount` Promotion.
### Owner Promotion
@@ -684,7 +684,7 @@ apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
name: solar
-spec:
+spec:
permissions:
promotions:
allowOwnerPromotion: false
diff --git a/content/en/docs/tenants/quotas.md b/content/en/docs/tenants/quotas.md
index 6b76eab..2c40cd8 100644
--- a/content/en/docs/tenants/quotas.md
+++ b/content/en/docs/tenants/quotas.md
@@ -10,7 +10,7 @@ With help of Capsule, Bill, the cluster admin, can set and enforce resources quo
## Resource Quota
{{% alert title="Deprecated" color="info" %}}
-This feature will be deprecated in a future release of Capsule. Instead use [Resource Pools](/docs/resourcepools/) to handle any cases around distributed ResourceQuotas
+This feature will be deprecated in a future release of Capsule. Instead use [Resource Pools](/docs/resource-management/resourcepools/) or [Custom Quotas](/docs/resource-management/customquotas/) to handle any cases around distributed ResourceQuotas
{{% /alert %}}
With help of Capsule, Bill, the cluster admin, can set and enforce resources quota and limits for Alice's `Tenant`. Set resources quota for each `Namespace` in the Alice's `Tenant` by defining them in the `Tenant` spec:
diff --git a/content/en/docs/whats-new.md b/content/en/docs/whats-new.md
index 802ffac..2ebdb26 100644
--- a/content/en/docs/whats-new.md
+++ b/content/en/docs/whats-new.md
@@ -23,24 +23,35 @@ weight: 1
* Complete Renovation of Replications [Read More](/docs/replications/).
* Introducing new rule approach for tenant enforcement [Read More](/docs/tenants/rules/).
* Added `RequiredMetadata` for `Namespaces` created in a `Tenant` [Read More](/docs/tenants/metadata/#requiredmetadata).
+* [Additional Metadata](/docs/tenants/metadata/#additionalmetadata) is now validated at admission.
* Introducing new OCI Registry enforcement [Read More](/docs/tenants/rules/#registries)
* Added rule-based promotions for `ServiceAccounts` in `Tenants` [Read More](/docs/tenants/rules/#promotions).
* Added Implicit Assignment of `TenantOwner` [Read More](/docs/tenants/permissions/#implicit-tenant-assignment).
* Added Aggregation of `TenantOwner` [Read More](/docs/tenants/permissions/#aggregation).
* Introducing `data` field for `Tenants` [Read More](/docs/operating/templating/#data).
* Added new label `projectcapsule.dev/tenant` which is added for all namespaced resources belonging to a `Tenant` [Read More](/docs/tenants/metadata/#managed).
+* Resources labeled with `projectcapsule.dev/managed-by=controller` can only be created, updated or deleted by the Capsule controller and [administrators](/docs/tenants/permissions/#administrators), and are rejected for all other operations. This prevents deletion of managed resources by users, which are not identified as capsule users (current behavior).
* Added configuration options for managed RBAC [Read More](/docs/operating/setup/configuration/#rbac)
* Added configuration options for Impersonation [Read More](/docs/operating/setup/configuration/#impersonation)
* Added configuration options for Cache invalidation [Read More](/docs/operating/setup/configuration/#cacheinvalidation)
* Added configuration options for Dynamic Admission Webhooks [Read More](/docs/operating/setup/configuration/#admission)
-* Added Built-In Installation for Gangplank with the Capsule Proxy [Read More](/docs/proxy/gangplank/)
+* Migrated event emissions to `events.k8s.io/v1` from legacy `core/v1`.
+* Proxy: Added Built-In Installation for Gangplank [Read More](/docs/proxy/gangplank/)
+* Proxy: Added support for Forwarded Client Certificate Authentication (XFCC) [Read More](/docs/proxy/setup/installation/#forwarded-client-certificate-authentication-xfcc)
+* Proxy: Added trusted source configuration [Read More](/docs/proxy/setup/installation/#trusted-sources)
## Fixes 🐛
-* Fixed `ResourcePool` resource quota calculation when multiple `ResourcePoolClaim`s are present in a namespace but not everything is used. For details, see [ResourcePools bound behavior](/docs/resourcepools/#bound).
+* Fixed `ResourcePool` resource quota calculation when multiple `ResourcePoolClaim`s are present in a namespace but not everything is used. For details, see [ResourcePools bound behavior](/docs/resource-management/resourcepools/#bound).
* Improved `matchConditions` for admission webhooks that intercept all namespaced items, to avoid processing subresource requests and Events, improving performance and reducing log noise.
* `Namespaces` are considered active until all unmanaged namespaced resources are deleted. [Read More](/docs/tenants/namespaces/#termination)
* `PersistentVolumeClaims` support now providing `.spec.selector`. When `.spec.selector` is provided we always aggregate a custom `matchExpressions` for the `PersistentVolumeClaims` to ensure that only the `PersistentVolumeClaims` created in the `Tenant` can mount `PersistentVolumes` provisioned from/for the same `Tenant` [Read More](/docs/resource-management/customquotas/#persistentvolumeclaims)
+* Regex-Selectors were not considered on classes driven Tenant status reconciles.
+* A single Unready namespace could cause the entire Tenant reconcilation to be incomplete. Now unready or terminating namespaces are ignored for further processing ensuring that ready/new namespaces get their required contents.
+* When a Tenant is cordoned, namespaces can no longer be deleted.
+* When classes issue a reconcile for a tenant, only the tenant.status.classes spec is updated instead of the entire tenant.status, to avoid conflicts with other controllers and reduce the risk of losing changes made by other controllers.
+* Our E2E-Testing has been changed to be highly concurrent to simulate large scale setups and uncover potential race conditions or performance issues that may arise in such environments. This has led to the discovery and fixing of several issues related to concurrency and performance, which has improved the overall stability and reliability of Capsule.
+* TLS controller correctly patches all the webhooks with the same CA Bundle, to avoid issues with multiple webhooks and ensure that all webhooks are correctly secured, if enabled. [Read More](/docs/operating/setup/installation/#certificate-management)
## Documentation 📚
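Review bot: the last sentence of the new `projectcapsule.dev/managed-by=controller` bullet is ambiguous: "This prevents deletion of managed resources by users, which are not identified as capsule users (current behavior)." does not say whether "(current behavior)" is what happened before this release or what happens now. Suggest "Previously, users not identified as Capsule users could delete managed resources; such requests are now rejected." since this is an access-control change and release notes are where operators look for it. In the Fixes section, "reconcilation" should read "reconciliation", and "ensuring that" in the same bullet wants a comma before it. The two new Proxy bullets belong together: a forwarded client certificate (XFCC) header is only safe to honour when it arrives from a trusted source, so consider having the XFCC bullet also point at the trusted-sources section, or phrase it as "Added support for XFCC from trusted sources".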
diff --git a/content/en/ecosystem/integrations/teleport.md b/content/en/ecosystem/integrations/teleport.md
index 3a84d07..47f2892 100644
--- a/content/en/ecosystem/integrations/teleport.md
+++ b/content/en/ecosystem/integrations/teleport.md
@@ -15,7 +15,7 @@ If you want to pass requests from teleport users through the capsule-proxy for u
## Prerequisites
-1. [Capsule](/docs/operating/setup/installation/)
+1. [Capsule](/docs/proxy/setup/installation/)
2. [Capsule Proxy](/docs/proxy/)
3. [Teleport Cluster](https://goteleport.com/)
4. [teleport-kube-agent](https://goteleport.com/docs/enroll-resources/kubernetes-access/getting-started/)
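Review bot: prerequisite 1 is labelled "Capsule" but now links to `/docs/proxy/setup/installation/`, the proxy installation page, while prerequisite 2 already covers "Capsule Proxy" via `/docs/proxy/`. This looks like the wrong target; the Capsule operator install is the previous path `/docs/operating/setup/installation/`. Either keep the old link for item 1 or relabel the item so the two prerequisites are not both pointing at the proxy.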
@@ -64,8 +64,7 @@ If you want to test this integration locally, follow these steps.
### References
-
--
--
+- [Proxy Installation](/docs/proxy/setup/installation/)
### Tools
@@ -280,7 +279,7 @@ extraVolumeMounts:
- `kubectl create ns foo-bar` (should fail, since not owner)
- `kubectl create ns oil-bar` (should succeed)
-From here you could enable `ProxyClusterScoped` [feature gate](https://projectcapsule.dev/docs/proxy/options/) to allow listing of cluster scoped resources via [ProxySettings](https://projectcapsule.dev/docs/proxy/proxysettings/).
+From here you could enable `ProxyClusterScoped` [feature gate](/docs/proxy/setup/options/) to allow listing of cluster scoped resources via [ProxySettings](/docs/proxy/proxysettings/).
## Cleanup