feat: add ruleset api(#1844)

* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(config): remove usergroups default

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(config): remove usergroups default

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* sec(ghsa-2ww6-hf35-mfjm): intercept namespace subresource

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: conflicts

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

api/v1beta1/owner_list_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/tenant_webhook.go

@@ -15,7 +15,6 @@ func (in *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		return nil
 	}
 
-	return ctrl.NewWebhookManagedBy(mgr).
-		For(in).
+	return ctrl.NewWebhookManagedBy(mgr, in).
 		Complete()
 }

api/v1beta2/capsuleconfiguration_status.go

@@ -4,11 +4,16 @@
 package v1beta2
 
 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 // CapsuleConfigurationStatus defines the Capsule configuration status.
 type CapsuleConfigurationStatus struct {
+	// Last time all caches were invalided
+	LastCacheInvalidation metav1.Time `json:"lastCacheInvalidation,omitempty"`
+
 	// Users which are considered Capsule Users and are bound to the Capsule Tenant construct.
 	Users api.UserListSpec `json:"users,omitempty"`
 }

api/v1beta2/capsuleconfiguration_types.go

@@ -4,6 +4,7 @@
 package v1beta2
 
 import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/projectcapsule/capsule/pkg/api"
@@ -53,6 +54,50 @@ type CapsuleConfigurationSpec struct {
 	// for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
 	// be ignored by capsule.
 	Administrators api.UserListSpec `json:"administrators,omitempty"`
+	// Configuration for dynamic Validating and Mutating Admission webhooks managed by Capsule.
+	Admission DynamicAdmission `json:"admission,omitempty"`
+	// Define Properties for managed ClusterRoles by Capsule
+	// +kubebuilder:default={}
+	RBAC *RBACConfiguration `json:"rbac"`
+	// Define the period of time upon a cache invalidation is executed for all caches.
+	// +kubebuilder:default="24h"
+	CacheInvalidation metav1.Duration `json:"cacheInvalidation"`
+}
+
+type RBACConfiguration struct {
+	// The ClusterRoles applied for Administrators
+	// +kubebuilder:default={capsule-namespace-deleter}
+	AdministrationClusterRoles []string `json:"administrationClusterRoles,omitempty"`
+	// The ClusterRoles applied for ServiceAccounts which had owner Promotion
+	// +kubebuilder:default={capsule-namespace-provisioner,capsule-namespace-deleter}
+	PromotionClusterRoles []string `json:"promotionClusterRoles,omitempty"`
+	// Name for the ClusterRole required to grant Namespace Deletion permissions.
+	// +kubebuilder:default=capsule-namespace-deleter
+	DeleterClusterRole string `json:"deleter,omitempty"`
+	// Name for the ClusterRole required to grant Namespace Provision permissions.
+	// +kubebuilder:default=capsule-namespace-provisioner
+	ProvisionerClusterRole string `json:"provisioner,omitempty"`
+}
+
+type DynamicAdmission struct {
+	// Configure dynamic Mutating Admission for Capsule
+	Mutating DynamicAdmissionConfig `json:"mutating,omitempty"`
+
+	// Configure dynamic Validating Admission for Capsule
+	Validating DynamicAdmissionConfig `json:"validating,omitempty"`
+}
+
+type DynamicAdmissionConfig struct {
+	// Name the Admission Webhook
+	Name api.Name `json:"name,omitempty"`
+	// Labels added to the Admission Webhook
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations added to the Admission Webhook
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// From the upstram struct
+	Client admissionregistrationv1.WebhookClientConfig `json:"client"`
 }
 
 type NodeMetadata struct {

api/v1beta2/namespace_rule_type.go

@@ -0,0 +1,33 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+// +kubebuilder:object:generate=true
+type NamespaceRule struct {
+	// Enforce these properties via Rules
+	NamespaceRuleBody `json:",inline"`
+
+	// Select namespaces which are going to usese
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type NamespaceRuleBody struct {
+	// Enforcement Rules applied
+	//+optional
+	Enforce NamespaceRuleEnforceBody `json:"enforce,omitzero"`
+}
+
+// +kubebuilder:object:generate=true
+type NamespaceRuleEnforceBody struct {
+	// Define registries which are allowed to be used within this tenant
+	// The rules are aggregated, since you can use Regular Expressions the match registry endpoints
+	Registries []api.OCIRegistry `json:"registries,omitempty"`
+}

api/v1beta2/resourcepool_func_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/resourcepoolclaim_func_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/rule_status_type.go

@@ -0,0 +1,44 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
+type RuleStatus struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// +optional
+	Status RuleStatusSpec `json:"status,omitzero"`
+}
+
+// +kubebuilder:object:root=true
+
+// RuleStatusList contains a list of RuleStatus.
+type RuleStatusList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitzero"`
+
+	Items []RuleStatus `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&RuleStatus{}, &RuleStatusList{})
+}
+
+// RuleStatus contains the accumulated rules applying to namespace it's deployed in.
+// +kubebuilder:object:generate=true
+type RuleStatusSpec struct {
+	// Managed Enforcement properties per Namespace (aggregated from rules)
+	//+optional
+	Rule NamespaceRuleBody `json:"rule,omitzero"`
+}

api/v1beta2/tenant_func.go

@@ -4,78 +4,17 @@
 package v1beta2
 
 import (
-	"context"
 	"slices"
 	"sort"
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apiserver/pkg/authentication/serviceaccount"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/projectcapsule/capsule/pkg/api"
-	"github.com/projectcapsule/capsule/pkg/api/meta"
 )
 
-func (in *Tenant) CollectOwners(ctx context.Context, c client.Client, allowPromotion bool, admins api.UserListSpec) (api.OwnerStatusListSpec, error) {
-	owners := in.Spec.Owners.ToStatusOwners()
-
-	// Promoted ServiceAccounts
-	if allowPromotion && len(in.Status.Namespaces) > 0 {
-		saList := &corev1.ServiceAccountList{}
-		if err := c.List(ctx, saList,
-			client.MatchingLabels{
-				meta.OwnerPromotionLabel: meta.OwnerPromotionLabelTrigger,
-			},
-		); err != nil {
-			return nil, err
-		}
-
-		for _, sa := range saList.Items {
-			for _, ns := range in.Status.Namespaces {
-				if sa.GetNamespace() != ns {
-					continue
-				}
-
-				owners.Upsert(api.CoreOwnerSpec{
-					UserSpec: api.UserSpec{
-						Kind: api.ServiceAccountOwner,
-						Name: serviceaccount.ServiceAccountUsernamePrefix + sa.Namespace + ":" + sa.Name,
-					},
-					ClusterRoles: []string{
-						api.ProvisionerRoleName,
-						api.DeleterRoleName,
-					},
-				})
-			}
-		}
-	}
-
-	// Administrators
-	for _, a := range admins {
-		owners.Upsert(api.CoreOwnerSpec{
-			UserSpec: a,
-			ClusterRoles: []string{
-				api.DeleterRoleName,
-			},
-		})
-	}
-
-	// Dedicated Owner Objects
-	listed, err := in.Spec.Permissions.ListMatchingOwners(ctx, c, in.GetName())
-	if err != nil {
-		return nil, err
-	}
-
-	for _, o := range listed {
-		owners.Upsert(o.Spec.CoreOwnerSpec)
-	}
-
-	return owners, nil
-}
-
 func (in *Tenant) GetRoleBindings() []api.AdditionalRoleBindingsSpec {
-	roleBindings := make([]api.AdditionalRoleBindingsSpec, 0) //nolint:prealloc
+	roleBindings := make([]api.AdditionalRoleBindingsSpec, 0, len(in.Spec.AdditionalRoleBindings))
 
 	for _, owner := range in.Status.Owners {
 		roleBindings = append(roleBindings, owner.ToAdditionalRolebindings()...)

api/v1beta2/tenant_func_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/tenant_status.go

@@ -47,6 +47,14 @@ type TenantStatusNamespaceItem struct {
 	UID k8stypes.UID `json:"uid,omitempty"`
 	// Managed Metadata
 	Metadata *TenantStatusNamespaceMetadata `json:"metadata,omitempty"`
+	// Managed Metadata
+	//+optional
+	Enforce TenantStatusNamespaceEnforcement `json:"enforce,omitzero"`
+}
+
+type TenantStatusNamespaceEnforcement struct {
+	// Registries which are allowed within this namespace
+	Registries []api.OCIRegistry `json:"registry,omitempty"`
 }
 
 type TenantStatusNamespaceMetadata struct {

api/v1beta2/tenant_types.go

@@ -19,6 +19,14 @@ type TenantSpec struct {
 	// Specify Permissions for the Tenant.
 	// +optional
 	Permissions Permissions `json:"permissions,omitzero"`
+	// Specify enforcement specifications for the scope of the Tenant.
+	//  We are moving all configuration enforcement. per namespace into a rule construct.
+	//  It's currently not final.
+	//
+	// Read More: https://projectcapsule.dev/docs/tenants/rules/
+	//+optional
+	Rules []*NamespaceRule `json:"rules,omitzero"`
+
 	// Specifies the owners of the Tenant.
 	// Optional
 	Owners api.OwnerListSpec `json:"owners,omitempty"`
@@ -36,27 +44,13 @@ type TenantSpec struct {
 	// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
 	// +optional
 	IngressOptions IngressOptions `json:"ingressOptions,omitzero"`
-	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
-	ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
 	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
-	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
-	//
-	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-	// +optional
-	NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitzero"`
-	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
-	//
-	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
-	// +optional
-	LimitRanges api.LimitRangesSpec `json:"limitRanges,omitzero"`
 	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
 	// +optional
 	ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitzero"`
 	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
 	AdditionalRoleBindings []api.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
-	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
-	ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
 	// Specifies the allowed RuntimeClasses assigned to the Tenant.
 	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
 	// Optional.
@@ -87,6 +81,26 @@ type TenantSpec struct {
 	// If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
 	// Optional
 	ForceTenantPrefix *bool `json:"forceTenantPrefix,omitempty"`
+
+	// Deprecated: Use Enforcement.Registries instead
+	//
+	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
+	ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
+	// Deprecated: Use Enforcement.Registries instead
+	//
+	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
+	ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
+
+	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
+	//
+	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+	// +optional
+	NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitzero"`
+	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
+	//
+	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
+	// +optional
+	LimitRanges api.LimitRangesSpec `json:"limitRanges,omitzero"`
 }
 
 type Permissions struct {
@@ -129,7 +143,8 @@ type Tenant struct {
 	// +optional
 	metav1.ObjectMeta `json:"metadata,omitzero"`
 
-	Spec TenantSpec `json:"spec"`
+	// +optional
+	Spec TenantSpec `json:"spec,omitzero"`
 
 	// +optional
 	Status TenantStatus `json:"status,omitzero"`

api/v1beta2/zz_generated.deepcopy.go

@@ -130,6 +130,13 @@ func (in *CapsuleConfigurationSpec) DeepCopyInto(out *CapsuleConfigurationSpec)
 		*out = make(api.UserListSpec, len(*in))
 		copy(*out, *in)
 	}
+	in.Admission.DeepCopyInto(&out.Admission)
+	if in.RBAC != nil {
+		in, out := &in.RBAC, &out.RBAC
+		*out = new(RBACConfiguration)
+		(*in).DeepCopyInto(*out)
+	}
+	out.CacheInvalidation = in.CacheInvalidation
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationSpec.
@@ -145,6 +152,7 @@ func (in *CapsuleConfigurationSpec) DeepCopy() *CapsuleConfigurationSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapsuleConfigurationStatus) DeepCopyInto(out *CapsuleConfigurationStatus) {
 	*out = *in
+	in.LastCacheInvalidation.DeepCopyInto(&out.LastCacheInvalidation)
 	if in.Users != nil {
 		in, out := &in.Users, &out.Users
 		*out = make(api.UserListSpec, len(*in))
@@ -177,6 +185,53 @@ func (in *CapsuleResources) DeepCopy() *CapsuleResources {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DynamicAdmission) DeepCopyInto(out *DynamicAdmission) {
+	*out = *in
+	in.Mutating.DeepCopyInto(&out.Mutating)
+	in.Validating.DeepCopyInto(&out.Validating)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAdmission.
+func (in *DynamicAdmission) DeepCopy() *DynamicAdmission {
+	if in == nil {
+		return nil
+	}
+	out := new(DynamicAdmission)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DynamicAdmissionConfig) DeepCopyInto(out *DynamicAdmissionConfig) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	in.Client.DeepCopyInto(&out.Client)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAdmissionConfig.
+func (in *DynamicAdmissionConfig) DeepCopy() *DynamicAdmissionConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(DynamicAdmissionConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayOptions) DeepCopyInto(out *GatewayOptions) {
 	*out = *in
@@ -357,6 +412,65 @@ func (in *NamespaceOptions) DeepCopy() *NamespaceOptions {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceRule) DeepCopyInto(out *NamespaceRule) {
+	*out = *in
+	in.NamespaceRuleBody.DeepCopyInto(&out.NamespaceRuleBody)
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRule.
+func (in *NamespaceRule) DeepCopy() *NamespaceRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceRuleBody) DeepCopyInto(out *NamespaceRuleBody) {
+	*out = *in
+	in.Enforce.DeepCopyInto(&out.Enforce)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRuleBody.
+func (in *NamespaceRuleBody) DeepCopy() *NamespaceRuleBody {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceRuleBody)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceRuleEnforceBody) DeepCopyInto(out *NamespaceRuleEnforceBody) {
+	*out = *in
+	if in.Registries != nil {
+		in, out := &in.Registries, &out.Registries
+		*out = make([]api.OCIRegistry, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRuleEnforceBody.
+func (in *NamespaceRuleEnforceBody) DeepCopy() *NamespaceRuleEnforceBody {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceRuleEnforceBody)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeMetadata) DeepCopyInto(out *NodeMetadata) {
 	*out = *in
@@ -482,6 +596,31 @@ func (in ProcessedItems) DeepCopy() ProcessedItems {
 	return *out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RBACConfiguration) DeepCopyInto(out *RBACConfiguration) {
+	*out = *in
+	if in.AdministrationClusterRoles != nil {
+		in, out := &in.AdministrationClusterRoles, &out.AdministrationClusterRoles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.PromotionClusterRoles != nil {
+		in, out := &in.PromotionClusterRoles, &out.PromotionClusterRoles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBACConfiguration.
+func (in *RBACConfiguration) DeepCopy() *RBACConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(RBACConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RawExtension) DeepCopyInto(out *RawExtension) {
 	*out = *in
@@ -925,6 +1064,80 @@ func (in *ResourceSpec) DeepCopy() *ResourceSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleStatus) DeepCopyInto(out *RuleStatus) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatus.
+func (in *RuleStatus) DeepCopy() *RuleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuleStatus) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleStatusList) DeepCopyInto(out *RuleStatusList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RuleStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatusList.
+func (in *RuleStatusList) DeepCopy() *RuleStatusList {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleStatusList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuleStatusList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleStatusSpec) DeepCopyInto(out *RuleStatusSpec) {
+	*out = *in
+	in.Rule.DeepCopyInto(&out.Rule)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatusSpec.
+func (in *RuleStatusSpec) DeepCopy() *RuleStatusSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleStatusSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Tenant) DeepCopyInto(out *Tenant) {
 	*out = *in
@@ -1241,6 +1454,17 @@ func (in *TenantResourceStatus) DeepCopy() *TenantResourceStatus {
 func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 	*out = *in
 	in.Permissions.DeepCopyInto(&out.Permissions)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]*NamespaceRule, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(NamespaceRule)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
 	if in.Owners != nil {
 		in, out := &in.Owners, &out.Owners
 		*out = make(api.OwnerListSpec, len(*in))
@@ -1269,11 +1493,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		(*in).DeepCopyInto(*out)
 	}
 	in.IngressOptions.DeepCopyInto(&out.IngressOptions)
-	if in.ContainerRegistries != nil {
-		in, out := &in.ContainerRegistries, &out.ContainerRegistries
-		*out = new(api.AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.NodeSelector != nil {
 		in, out := &in.NodeSelector, &out.NodeSelector
 		*out = make(map[string]string, len(*in))
@@ -1281,8 +1500,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*out)[key] = val
 		}
 	}
-	in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
-	in.LimitRanges.DeepCopyInto(&out.LimitRanges)
 	in.ResourceQuota.DeepCopyInto(&out.ResourceQuota)
 	if in.AdditionalRoleBindings != nil {
 		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
@@ -1291,11 +1508,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.ImagePullPolicies != nil {
-		in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
-		*out = make([]api.ImagePullPolicySpec, len(*in))
-		copy(*out, *in)
-	}
 	if in.RuntimeClasses != nil {
 		in, out := &in.RuntimeClasses, &out.RuntimeClasses
 		*out = new(api.DefaultAllowedListSpec)
@@ -1317,6 +1529,18 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.ContainerRegistries != nil {
+		in, out := &in.ContainerRegistries, &out.ContainerRegistries
+		*out = new(api.AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ImagePullPolicies != nil {
+		in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
+		*out = make([]api.ImagePullPolicySpec, len(*in))
+		copy(*out, *in)
+	}
+	in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
+	in.LimitRanges.DeepCopyInto(&out.LimitRanges)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.
@@ -1375,6 +1599,28 @@ func (in *TenantStatus) DeepCopy() *TenantStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantStatusNamespaceEnforcement) DeepCopyInto(out *TenantStatusNamespaceEnforcement) {
+	*out = *in
+	if in.Registries != nil {
+		in, out := &in.Registries, &out.Registries
+		*out = make([]api.OCIRegistry, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatusNamespaceEnforcement.
+func (in *TenantStatusNamespaceEnforcement) DeepCopy() *TenantStatusNamespaceEnforcement {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantStatusNamespaceEnforcement)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantStatusNamespaceItem) DeepCopyInto(out *TenantStatusNamespaceItem) {
 	*out = *in
@@ -1390,6 +1636,7 @@ func (in *TenantStatusNamespaceItem) DeepCopyInto(out *TenantStatusNamespaceItem
 		*out = new(TenantStatusNamespaceMetadata)
 		(*in).DeepCopyInto(*out)
 	}
+	in.Enforce.DeepCopyInto(&out.Enforce)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatusNamespaceItem.