chore(deps): update github/codeql-action digest to dcc1a66 (#1522 )

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(deps): update github/codeql-action action to v3.29.2 (#1523 )
2026-02-19 20:39:51 +00:00 · 2025-07-01 11:16:40 +03:00 · 2025-07-01 11:16:22 +03:00 · 2025-06-30 13:41:40 +03:00 · 2025-06-30 11:02:48 +03:00 · 2025-06-30 11:02:30 +03:00
424 changed files with 12814 additions and 43474 deletions
--- a/.github/configs/lintconf.yaml
+++ b/.github/configs/lintconf.yaml
@@ -11,6 +11,7 @@ rules:
    - "false"
    - "on"
    - "off"
+
    check-keys: false
  braces:
    min-spaces-inside: 0
--- a/.github/maintainers.yaml
+++ b/.github/maintainers.yaml
@@ -1,3 +1,4 @@
+maintainers:
 - name: Adriano Pezzuto
  github: https://github.com/bsctl
  company: Clastix
@@ -21,9 +22,16 @@
  company: Peak Scale
  projects:
    - https://github.com/projectcapsule/capsule
+    - https://github.com/projectcapsule/capsule-proxy
 - name: Massimiliano Giovagnoli
  github: https://github.com/maxgio92
  company: Proximus
  projects:
    - https://github.com/projectcapsule/capsule
    - https://github.com/projectcapsule/capsule-proxy
+- name: Hristo Hristov
+  github: https://github.com/Svarrogh1337
+  company: Vaerolabs
+  projects:
+    - https://github.com/projectcapsule/capsule
+    - https://github.com/projectcapsule/capsule-proxy
--- a/.github/workflows/check-actions.yml
+++ b/.github/workflows/check-actions.yml
@@ -17,7 +17,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3.0.23
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@fc87bb5b5a97953d987372e74478de634726b3e5 # v3.0.25
        with:
          # slsa-github-generator requires using a semver tag for reusable workflows.
          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -14,6 +14,28 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  compliance:
+    name: "License Compliance"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: "Checkout Code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Scan"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Test"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          run-tests: true
  sast:
    name: "SAST"
    runs-on: ubuntu-24.04
@@ -26,15 +48,15 @@ jobs:
    steps:
      - name: Checkout Source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: 'go.mod'
      - name: Run Gosec Security Scanner
-        uses: securego/gosec@955a68d0d19f4afb7503068f95059f7d0c529017 # v2.22.3
+        uses: securego/gosec@d2d3ae66bd8d340b78b5142b6fe610691783c2fe # v2.22.5
        with:
          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
+        uses: github/codeql-action/upload-sarif@dcc1a6637b570d406bec5125dce2e2157d914359
        with:
          sarif_file: gosec.sarif
  unit_tests:
@@ -43,7 +65,7 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: 'go.mod'
      - name: Unit Test
@@ -55,7 +77,7 @@ jobs:
          value: ${{ secrets.CODECOV_TOKEN }}
      - name: Upload Report to Codecov
        if: ${{ steps.checksecret.outputs.result == 'true' }}
-        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: projectcapsule/capsule
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -28,7 +28,7 @@ jobs:
      - name: ko build
        run: VERSION=${{ github.sha }} make ko-build-all
      - name: Trivy Scan Image
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
@@ -40,6 +40,6 @@ jobs:
          # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
+        uses: github/codeql-action/upload-sarif@dcc1a6637b570d406bec5125dce2e2157d914359
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -28,7 +28,7 @@ jobs:
        with:
          build-cache-key: publish-images
      - name: Run Trivy vulnerability (Repo)
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
@@ -36,7 +36,7 @@ jobs:
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Install Cosign
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
      - name: Publish Capsule
        id: publish-capsule
        uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
@@ -51,7 +51,7 @@ jobs:
          sbom-name: capsule
          sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
          signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
-          main-path: ./
+          main-path: ./cmd/
        env:
          REPOSITORY: ${{ github.repository }}
  generate-capsule-provenance:
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -23,16 +23,26 @@ concurrency:
 jobs:
  e2e:
    name: E2E Testing
-    runs-on: ubuntu-latest
+    runs-on:
+      labels: ubuntu-latest-8-cores
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: 'go.mod'
      - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
        with:
          version: v3.14.2
-      - name: e2e testing
-        run: make e2e
+      - name: unit tracing
+        run: sudo make trace-unit
+      - name: e2e tracing
+        run: sudo make trace-e2e
+      - name: build seccomp profile
+        run: make seccomp
+      - name: upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: capsule-seccomp
+          path: capsule-seccomp.json
--- a/.github/workflows/helm-publish.yml
+++ b/.github/workflows/helm-publish.yml
@@ -46,7 +46,7 @@ jobs:
      chart-digest: ${{ steps.helm_publish.outputs.digest }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+      - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
      - name: "Extract Version"
        id: extract_version
        run: |
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -18,7 +18,7 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: 'go.mod'
      - name: Generate manifests
@@ -45,7 +45,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: 'go.mod'
      - name: Run golangci-lint
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -11,40 +11,41 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  # seccomp-generation:
-  #  name: Seccomp Generation
-  #  strategy:
-  #    fail-fast: false
-  #    matrix:
-  #      # differently from the e2e workflow
-  #      # we don't need all the versions of kubernetes
-  #      # to generate the seccomp profile.
-  #      k8s-version:
-  #        - "v1.30.0"
-  #  runs-on: ubuntu-latest
-  #  steps:
-  #    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-  #      with:
-  #        fetch-depth: 0
-  #    - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
-  #      with:
-  #        go-version-file: 'go.mod'
-  #    - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
-  #      with:
-  #        version: v3.14.2
-  #    - name: unit tracing
-  #      run: sudo make trace-unit
-  #    - name: e2e tracing
-  #      run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
-  #    - name: build seccomp profile
-  #      run: make seccomp
-  #    - name: upload artifact
-  #      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-  #      with:
-  #        name: capsule-seccomp
-  #        path: capsule-seccomp.json
+  seccomp-generation:
+    name: Seccomp Generation
+    strategy:
+      fail-fast: false
+      matrix:
+        # differently from the e2e workflow
+        # we don't need all the versions of kubernetes
+        # to generate the seccomp profile.
+        k8s-version:
+          - "v1.30.0"
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: 'go.mod'
+      - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
+        with:
+          version: v3.14.2
+      - name: unit tracing
+        run: sudo make trace-unit
+      - name: e2e tracing
+        run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
+      - name: build seccomp profile
+        run: make seccomp
+      - name: upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: capsule-seccomp
+          path: capsule-seccomp.json
+
  create-release:
-    # needs: seccomp-generation
+    needs: seccomp-generation
    runs-on: ubuntu-latest
    permissions:
      contents: write
@@ -55,7 +56,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Install Go
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: 'go.mod'
      - name: Setup caches
@@ -63,14 +64,14 @@ jobs:
        timeout-minutes: 5
        continue-on-error: true
      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-      - uses: anchore/sbom-action/download-syft@9f7302141466aa6482940f15371237e9d9f4c34a
+      - uses: anchore/sbom-action/download-syft@9246b90769f852b3a8921f330c59e0b3f439d6e9
      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-      # - name: download artifact
-      #  uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
-      #  with:
-      #    name: capsule-seccomp
-      #    path: ./capsule-seccomp.json
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+      - name: download artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: capsule-seccomp
+          path: ./capsule-seccomp.json
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -24,7 +24,7 @@ jobs:
        with:
          persist-credentials: false
      - name: Run analysis
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
        with:
          results_file: results.sarif
          results_format: sarif
@@ -37,6 +37,6 @@ jobs:
          path: results.sarif
          retention-days: 5
      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
        with:
          sarif_file: results.sarif
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,26 @@
+name: Stale-Bot
+permissions: {}
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run every day at midnight
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write # only for delete-branch option
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Close stale pull requests
+        uses: actions/stale@f78de9780efb7a789cf4745957fa3374cbb94fd5
+        with:
+          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
+          stale-pr-message: 'This pull request has been marked as stale because it has been inactive for more than 30 days. Please update this pull request or it will be automatically closed in 30 days.'
+          days-before-issue-stale: 60
+          days-before-pr-stale: 30
+          days-before-issue-close: 30
+          days-before-pr-close: 30
+          stale-pr-label: stale
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 *.dylib
 bin
 dist/
+config/

 # Test binary, build with `go test -c`
 *.test
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,89 @@
+version: "2"
+run:
+  tests: false
+  allow-parallel-runners: true
+linters:
+  default: all
+  disable:
+    - depguard
+    - err113
+    - exhaustruct
+    - funlen
+    - gochecknoglobals
+    - gochecknoinits
+    - ireturn
+    - lll
+    - mnd
+    - nilnil
+    - nonamedreturns
+    - paralleltest
+    - perfsprint
+    - recvcheck
+    - testpackage
+    - unparam
+    - varnamelen
+    - wrapcheck
+    - noinlineerr
+    - revive
+  settings:
+    cyclop:
+      max-complexity: 27
+    dupl:
+      threshold: 100
+    gocognit:
+      min-complexity: 50
+    goconst:
+      min-len: 2
+      min-occurrences: 2
+    goheader:
+      template: |-
+        Copyright 2020-2025 Project Capsule Authors
+        SPDX-License-Identifier: Apache-2.0
+    inamedparam:
+      skip-single-param: true
+    nakedret:
+      max-func-lines: 50
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - zz_.*\.go$
+      - .+\.generated.go
+      - .+_test.go
+      - .+_test_.+.go
+      - third_party$
+      - builtin$
+      - examples$
+    rules:
+    - path: pkg/meta/
+      linters:
+      - dupl
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/projectcapsule/capsule)
+    gofumpt:
+      module-path: github.com/projectcapsule/capsule
+      extra-rules: false
+  exclusions:
+    generated: lax
+    paths:
+      - zz_.*\.go$
+      - .+\.generated.go
+      - .+_test.go
+      - .+_test_.+.go
+      - third_party$
+      - builtin$
+      - examples$
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,60 +0,0 @@
-linters-settings:
-  dupl:
-    threshold: 100
-  goconst:
-    min-len: 2
-    min-occurrences: 2
-  cyclop:
-    max-complexity: 27
-  gocognit:
-    min-complexity: 50
-  gci:
-    sections:
-      - standard
-      - default
-      - prefix(github.com/projectcapsule/capsule)
-  goheader:
-    template: |-
-      Copyright 2020-2023 Project Capsule Authors.
-      SPDX-License-Identifier: Apache-2.0
-  gofumpt:
-    module-path: github.com/projectcapsule/capsule
-    extra-rules: false
-  inamedparam:
-    # Skips check for interface methods with only a single parameter.
-    # Default: false
-    skip-single-param: true
-  nakedret:
-    # Make an issue if func has more lines of code than this setting, and it has naked returns.
-    max-func-lines: 50
-linters:
-  enable-all: true
-  disable:
-    - err113
-    - depguard
-    - perfsprint
-    - funlen
-    - gochecknoinits
-    - lll
-    - gochecknoglobals
-    - mnd
-    - nilnil
-    - recvcheck
-    - unparam
-    - paralleltest
-    - ireturn
-    - testpackage
-    - varnamelen
-    - wrapcheck
-    - exhaustruct
-    - nonamedreturns
-issues:
-  exclude-files:
-    - "zz_.*\\.go$"
-    - ".+\\.generated.go"
-    - ".+_test.go"
-    - ".+_test_.+.go"
-run:
-  timeout: 3m
-  allow-parallel-runners: true
-  tests: false
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -8,7 +8,8 @@ before:
 gomod:
  proxy: false
 builds:
-  - main: .
+  - id: "{{ .ProjectName }}"
+    main: ./cmd/
    binary: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
    env:
      - CGO_ENABLED=0
@@ -28,6 +29,26 @@ builds:
          -X main.GitDirty={{ .Date }}
          -X main.BuildTime={{ .Date }}
          -X main.GitRepo={{ .ProjectName }}
+  # - id: "{{ .ProjectName }}-wasm"
+  #   main: ./cmd/
+  #   binary: "{{ .ProjectName }}.wasm"
+  #   env:
+  #     - CGO_ENABLED=0
+  #   goos:
+  #   - js
+  #   goarch:
+  #   - wasm
+  #   flags:
+  #     - -trimpath
+  #   mod_timestamp: '{{ .CommitTimestamp }}'
+  #   ldflags:
+  #     - >-
+  #         -X main.Version={{ .Tag }}
+  #         -X main.GitCommit={{ .Commit }}
+  #         -X main.GitTag={{ .Tag }}
+  #         -X main.GitDirty={{ .Date }}
+  #         -X main.BuildTime={{ .Date }}
+  #         -X main.GitRepo={{ .ProjectName }}
 release:
  prerelease: auto
  footer: |
@@ -44,20 +65,20 @@ release:

    [Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes)

-    **Kubernetes compatibility**
-
-    [!IMPORTANT]
-    Note that the Capsule project offers support only for the latest minor version of Kubernetes.
-    Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).
-
-    | Kubernetes version | Minimum required |
-    |--------------------|------------------|
-    | `v1.31`            | `>= 1.31.0`      |
+    > [!IMPORTANT]
+    > **Kubernetes compatibility**
+    >
+    > Note that the Capsule project offers support only for the latest minor version of Kubernetes.
+    > Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).
+    >
+    > | Kubernetes version | Minimum required |
+    > |--------------------|------------------|
+    > | `v1.33`            | `>= 1.33.0`      |


    Thanks to all the contributors! 🚀 🦄
-  # extra_files:
-  #  - glob: ./capsule-seccomp.json
+  extra_files:
+    - glob: ./capsule-seccomp.json
 checksum:
  name_template: 'checksums.txt'
 changelog:
@@ -74,26 +95,27 @@ changelog:
    - Merge branch
  groups:
    # https://github.com/conventional-changelog/commitlint/tree/master/%40commitlint/config-conventional
-    - title: '🛠 Dependency updates'
-      regexp: '^.*?(feat|fix)\(deps\)!?:.+$'
-      order: 300
-    - title: '✨ New Features'
-      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
-      order: 100
-    - title: '🐛 Bug fixes'
-      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
-      order: 200
-    - title: '📖 Documentation updates'
-      regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$
-      order: 400
-    - title: '🛡️ Security updates'
-      regexp: ^.*?(sec)(\([[:word:]]+\))??!?:.+$
-      order: 500
-    - title: '🚀 Build process updates'
-      regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$
-      order: 600
-    - title: '📦 Other work'
-      order: 9999
+  - title: '🛠 Dependency updates'
+    regexp: '^fix\(deps\):|^feat\(deps\):'
+    order: 300
+  - title: '✨ New Features'
+    regexp: '^feat(\([^)]*\))?:'
+    order: 100
+  - title: '🐛 Bug fixes'
+    regexp: '^fix(\([^)]*\))?:'
+    order: 200
+  - title: '📖 Documentation updates'
+    regexp: '^docs(\([^)]*\))?:'
+    order: 400
+  - title: '🛡️ Security updates'
+    regexp: '^sec(\([^)]*\))?:'
+    order: 500
+  - title: '🚀 Build process updates'
+    regexp: '^(build|ci)(\([^)]*\))?:'
+    order: 600
+  - title: '📦 Other work'
+    regexp: '^chore(\([^)]*\))?:|^chore:'
+    order: 9999
 sboms:
  - artifacts: archive
 signs:
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -4,6 +4,6 @@ defaultPlatforms:
 - linux/arm
 builds:
 - id: capsule
-  main: ./
+  main: ./cmd/
  ldflags:
  - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
--- a/.nwa-config
+++ b/.nwa-config
@@ -0,0 +1,14 @@
+nwa:
+  cmd: "update"
+  holder: "Project Capsule Authors"
+  year: "2020-2025"
+  spdxids: "Apache-2.0"
+  path:
+    - "pkg/**/*.go"
+    - "cmd/**/*.go"
+    - "api/**/*.go"
+    - "controllers/**/*.go"
+    - "main.go"
+  mute: false
+  verbose: true
+  fuzzy: true
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,12 +9,11 @@ repos:
  rev: v5.0.0
  hooks:
  - id: check-executables-have-shebangs
-  - id: check-yaml
  - id: double-quote-string-fixer
  - id: end-of-file-fixer
  - id: trailing-whitespace
 - repo: https://github.com/adrienverge/yamllint
-  rev: v1.37.0
+  rev: v1.37.1
  hooks:
  - id: yamllint
    args: [-c=.github/configs/lintconf.yaml]
@@ -40,3 +39,8 @@ repos:
    entry: make golint
    language: system
    files: \.go$
+  - id: go-test
+    name: Execute go test
+    entry: make test
+    language: system
+    files: \.go$
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -2,14 +2,13 @@

 This is a list of companies that have adopted Capsule, feel free to open a Pull-Request to get yours listed.

+[See all on the website](https://projectcapsule.dev/adopters/)
+
 ## Adopters list (alphabetically)

 ### [Bedag Informatik AG](https://www.bedag.ch/)
 ![Bedag](https://www.bedag.ch/wGlobal/wGlobal/layout/images/logo.svg)

-### [Begasoft AG](https://www.begasoft.ch)
-![Begasoft](./assets/adopters/begasoft.png)
-
 ### [Department of Defense](https://www.defense.gov/)
 ![United States Department of Defense](https://www.access-board.gov/images/dod-seal.png)

--- a/Dockerfile.tracing
+++ b/Dockerfile.tracing
@@ -5,7 +5,7 @@ FROM ${TARGET_IMAGE} AS target
 # Inject Harpoon Image
 FROM ghcr.io/alegrey91/harpoon:latest
 WORKDIR /
-COPY --from=target /ko-app/capsule ./manager
+COPY --from=target /ko-app/cmd ./manager
 RUN chmod +x ./harpoon
 ENTRYPOINT ["/harpoon", \
 		"capture", \
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -6,6 +6,7 @@ The current Maintainers Group for the [TODO: Projectname] Project consists of:
 |  Dario Tranchitella       | Clastix     |  Maintainer      |
 |  Maksim Fedotov           | Wargaming   |  Maintainer      |
 |  Oliver Bähler            | Peak Scale  |  Maintainer      |
+|  Hristo Hristov           | Vaerolabs   |  Maintainer      |
 |  Massimiliano Giovagnoli  | Proximus    |  Maintainer      |

 This list must be kept in sync with the [CNCF Project Maintainers list](https://github.com/cncf/foundation/blob/master/project-maintainers.csv).
--- a/52
+++ b/52
@@ -19,7 +19,7 @@ CAPSULE_IMG     ?= $(REGISTRY)/$(IMG_BASE)
 CLUSTER_NAME    ?= capsule

 ## Kubernetes Version Support
-KUBERNETES_SUPPORTED_VERSION ?= "v1.31.0"
+KUBERNETES_SUPPORTED_VERSION ?= "v1.33.0"

 ## Tool Binaries
 KUBECTL ?= kubectl
@@ -46,7 +46,7 @@ all: manager
 # Run tests
 .PHONY: test
 test: test-clean generate manifests test-clean
-	@GO111MODULE=on go test -v ./... -coverprofile coverage.out
+	@GO111MODULE=on go test -v $(shell go list ./... | grep -v "e2e") -coverprofile coverage.out

 .PHONY: test-clean
 test-clean: ## Clean tests cache
@@ -68,6 +68,11 @@ manifests: generate
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."

+
+# Generate License Header
+license-headers: nwa
+	$(NWA) config
+
 # Helm
 SRC_ROOT = $(shell git rev-parse --show-toplevel)

@@ -82,7 +87,7 @@ helm-lint: ct
 	@$(CT) lint --config .github/configs/ct.yaml --validate-yaml=false --all --debug

 helm-schema: helm-plugin-schema
-	cd charts/capsule && $(HELM) schema -output values.schema.json
+	cd charts/capsule && $(HELM) schema --use-helm-docs

 helm-test: HELM_KIND_CONFIG ?= ""
 helm-test: kind
@@ -96,6 +101,7 @@ helm-test-exec: ct helm-controller-version ko-build-all
 	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
 	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
 	@$(KUBECTL) create ns capsule-system || true
+	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/v5.18.0/crds.yaml
 	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
 	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
 	@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
@@ -178,7 +184,7 @@ LD_FLAGS        := "-X main.Version=$(VERSION) \
 ko-build-capsule: ko
 	@echo Building Capsule $(KO_TAGS) for $(KO_PLATFORM) >&2
 	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
-		$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
+		$(KO) build ./cmd/ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)

 .PHONY: ko-build-all
 ko-build-all: ko-build-capsule
@@ -204,7 +210,7 @@ ko-login: ko
 .PHONY: ko-publish-capsule
 ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
 	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
-		$(KO) build ./ --bare --tags=$(KO_TAGS)
+		$(KO) build ./cmd/ --bare --tags=$(KO_TAGS)

 .PHONY: ko-publish-all
 ko-publish-all: ko-publish-capsule
@@ -217,15 +223,27 @@ goimports:
 # Linting code as PR is expecting
 .PHONY: golint
 golint: golangci-lint
-	$(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
+	$(GOLANGCI_LINT) run -c .golangci.yaml --verbose
+
+.PHONY: golint-fix
+golint-fix: golangci-lint
+	$(GOLANGCI_LINT) run -c .golangci.yaml --verbose --fix
+

 # Running e2e tests in a KinD instance
 .PHONY: e2e
 e2e: ginkgo
 	$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy

+API_GW         := none
+API_GW_VERSION := v1.3.0
+API_GW_LOOKUP  := kubernetes-sigs/gateway-api/
+e2e-install-deps:
+	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
+
 e2e-build: kind
 	$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
+	$(MAKE) e2e-install-deps
 	$(MAKE) e2e-install

 .PHONY: e2e-install
@@ -266,6 +284,7 @@ trace-e2e: kind
 	$(KIND) create cluster --wait=60s --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config hack/kind-cluster.yml
 	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-tracing IMAGE=$(CAPSULE_IMG) VERSION=tracing
 	$(MAKE) trace-install
+	$(MAKE) e2e-install-deps
 	$(MAKE) e2e-exec
 	$(KIND) delete cluster --name capsule-tracing

@@ -325,7 +344,7 @@ helm-doc:
 # -- Tools
 ####################
 CONTROLLER_GEN         := $(LOCALBIN)/controller-gen
-CONTROLLER_GEN_VERSION ?= v0.17.3
+CONTROLLER_GEN_VERSION ?= v0.18.0
 CONTROLLER_GEN_LOOKUP  := kubernetes-sigs/controller-tools
 controller-gen:
 	@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
@@ -336,32 +355,39 @@ ginkgo:
 	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)

 CT         := $(LOCALBIN)/ct
-CT_VERSION := v3.12.0
+CT_VERSION := v3.13.0
 CT_LOOKUP  := helm/chart-testing
 ct:
 	@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
 	$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))

 KIND         := $(LOCALBIN)/kind
-KIND_VERSION := v0.27.0
+KIND_VERSION := v0.29.0
 KIND_LOOKUP  := kubernetes-sigs/kind
 kind:
 	@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
 	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))

 KO           := $(LOCALBIN)/ko
-KO_VERSION   := v0.17.1
+KO_VERSION   := v0.18.0
 KO_LOOKUP    := google/ko
 ko:
 	@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
 	$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))

+NWA           := $(LOCALBIN)/nwa
+NWA_VERSION   := v0.7.4
+NWA_LOOKUP    := B1NARY-GR0UP/nwa
+nwa:
+	@test -s $(NWA) && $(NWA) -h | grep -q $(NWA_VERSION) || \
+	$(call go-install-tool,$(NWA),github.com/$(NWA_LOOKUP)@$(NWA_VERSION))
+
 GOLANGCI_LINT          := $(LOCALBIN)/golangci-lint
-GOLANGCI_LINT_VERSION  := v1.64.5
+GOLANGCI_LINT_VERSION  := v2.2.1
 GOLANGCI_LINT_LOOKUP   := golangci/golangci-lint
 golangci-lint: ## Download golangci-lint locally if necessary.
 	@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))

 APIDOCS_GEN         := $(LOCALBIN)/crdoc
 APIDOCS_GEN_VERSION := v0.6.4
@@ -371,7 +397,7 @@ apidocs-gen: ## Download crdoc locally if necessary.
 	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))

 HARPOON         := $(LOCALBIN)/harpoon
-HARPOON_VERSION := v0.9.6
+HARPOON_VERSION := v0.10.2
 HARPOON_LOOKUP  := alegrey91/harpoon
 harpoon:
 	@mkdir $(LOCALBIN)
--- a/22
+++ b/22
@@ -1,6 +1,10 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: clastix.io
 layout:
- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 plugins:
  manifests.sdk.operatorframework.io/v2: {}
  scorecard.sdk.operatorframework.io/v2: {}
@@ -44,4 +48,20 @@ resources:
  kind: GlobalTenantResource
  path: github.com/projectcapsule/capsule/api/v1beta2
  version: v1beta2
+- api:
+    crdVersion: v1
+  domain: clastix.io
+  group: capsule
+  kind: ResourcePool
+  path: github.com/projectcapsule/capsule/api/v1beta2
+  version: v1beta2
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: clastix.io
+  group: capsule
+  kind: ResourcePoolClaim
+  path: github.com/projectcapsule/capsule/api/v1beta2
+  version: v1beta2
 version: "3"
--- a/api/v1beta1/custom_resource_quota.go
+++ b/api/v1beta1/custom_resource_quota.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/deny_wildcard.go
+++ b/api/v1beta1/deny_wildcard.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/groupversion_info.go
+++ b/api/v1beta1/groupversion_info.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 // Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group
--- a/api/v1beta1/ingress_options.go
+++ b/api/v1beta1/ingress_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/namespace_options.go
+++ b/api/v1beta1/namespace_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner.go
+++ b/api/v1beta1/owner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_list.go
+++ b/api/v1beta1/owner_list.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_list_test.go
+++ b/api/v1beta1/owner_list_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_role.go
+++ b/api/v1beta1/owner_role.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/service_allowed_types.go
+++ b/api/v1beta1/service_allowed_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/service_options.go
+++ b/api/v1beta1/service_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_func.go
+++ b/api/v1beta1/tenant_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_status.go
+++ b/api/v1beta1/tenant_status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_types.go
+++ b/api/v1beta1/tenant_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
@@ -65,7 +65,8 @@ func (in *Tenant) Hub() {}
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Tenant `json:"items"`
+
+	Items []Tenant `json:"items"`
 }

 func init() {
--- a/api/v1beta1/tenant_webhook.go
+++ b/api/v1beta1/tenant_webhook.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta2/additional_role_bindings.go
+++ b/api/v1beta2/additional_role_bindings.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/capsuleconfiguration_types.go
+++ b/api/v1beta2/capsuleconfiguration_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -71,7 +71,8 @@ type CapsuleConfiguration struct {
 type CapsuleConfigurationList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []CapsuleConfiguration `json:"items"`
+
+	Items []CapsuleConfiguration `json:"items"`
 }

 func init() {
--- a/api/v1beta2/custom_resource_quota.go
+++ b/api/v1beta2/custom_resource_quota.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/gateway_options.go
+++ b/api/v1beta2/gateway_options.go
@@ -0,0 +1,12 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+type GatewayOptions struct {
+	AllowedClasses *api.SelectionListWithDefaultSpec `json:"allowedClasses,omitempty"`
+}
--- a/api/v1beta2/groupversion_info.go
+++ b/api/v1beta2/groupversion_info.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 // Package v1beta2 contains API Schema definitions for the capsule v1beta2 API group
--- a/api/v1beta2/ingress_options.go
+++ b/api/v1beta2/ingress_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/namespace_options.go
+++ b/api/v1beta2/namespace_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -13,6 +13,8 @@ type NamespaceOptions struct {
 	Quota *int32 `json:"quota,omitempty"`
 	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
 	AdditionalMetadata *api.AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
+	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional.
+	AdditionalMetadataList []api.AdditionalMetadataSelectorSpec `json:"additionalMetadataList,omitempty"`
 	// Define the labels that a Tenant Owner cannot set for their Namespace resources.
 	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitempty"`
 	// Define the annotations that a Tenant Owner cannot set for their Namespace resources.
--- a/api/v1beta2/owner.go
+++ b/api/v1beta2/owner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/owner_list.go
+++ b/api/v1beta2/owner_list.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/owner_list_test.go
+++ b/api/v1beta2/owner_list_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/resourcepool_func.go
+++ b/api/v1beta2/resourcepool_func.go
@@ -0,0 +1,276 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"errors"
+	"sort"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+func (r *ResourcePool) AssignNamespaces(namespaces []corev1.Namespace) {
+	var l []string
+
+	for _, ns := range namespaces {
+		if ns.Status.Phase == corev1.NamespaceActive && ns.DeletionTimestamp == nil {
+			l = append(l, ns.GetName())
+		}
+	}
+
+	sort.Strings(l)
+
+	r.Status.NamespaceSize = uint(len(l))
+	r.Status.Namespaces = l
+}
+
+func (r *ResourcePool) AssignClaims() {
+	var size uint
+
+	for _, claims := range r.Status.Claims {
+		for range claims {
+			size++
+		}
+	}
+
+	r.Status.ClaimSize = size
+}
+
+func (r *ResourcePool) GetClaimFromStatus(cl *ResourcePoolClaim) *ResourcePoolClaimsItem {
+	ns := cl.Namespace
+
+	claims := r.Status.Claims[ns]
+	if claims == nil {
+		return nil
+	}
+
+	for _, claim := range claims {
+		if claim.UID == cl.UID {
+			return claim
+		}
+	}
+
+	return nil
+}
+
+func (r *ResourcePool) AddClaimToStatus(claim *ResourcePoolClaim) {
+	ns := claim.Namespace
+
+	if r.Status.Claims == nil {
+		r.Status.Claims = ResourcePoolNamespaceClaimsStatus{}
+	}
+
+	if r.Status.Allocation.Claimed == nil {
+		r.Status.Allocation.Claimed = corev1.ResourceList{}
+	}
+
+	claims := r.Status.Claims[ns]
+	if claims == nil {
+		claims = ResourcePoolClaimsList{}
+	}
+
+	scl := &ResourcePoolClaimsItem{
+		StatusNameUID: api.StatusNameUID{
+			UID:  claim.UID,
+			Name: api.Name(claim.Name),
+		},
+		Claims: claim.Spec.ResourceClaims,
+	}
+
+	// Try to update existing entry if UID matches
+	exists := false
+
+	for i, cl := range claims {
+		if cl.UID == claim.UID {
+			claims[i] = scl
+
+			exists = true
+
+			break
+		}
+	}
+
+	if !exists {
+		claims = append(claims, scl)
+	}
+
+	r.Status.Claims[ns] = claims
+
+	r.CalculateClaimedResources()
+}
+
+func (r *ResourcePool) RemoveClaimFromStatus(claim *ResourcePoolClaim) {
+	newClaims := ResourcePoolClaimsList{}
+
+	claims, ok := r.Status.Claims[claim.Namespace]
+	if !ok {
+		return
+	}
+
+	for _, cl := range claims {
+		if cl.UID != claim.UID {
+			newClaims = append(newClaims, cl)
+		}
+	}
+
+	r.Status.Claims[claim.Namespace] = newClaims
+
+	if len(newClaims) == 0 {
+		delete(r.Status.Claims, claim.Namespace)
+	}
+}
+
+func (r *ResourcePool) CalculateClaimedResources() {
+	usage := corev1.ResourceList{}
+
+	for res := range r.Status.Allocation.Hard {
+		usage[res] = resource.MustParse("0")
+	}
+
+	for _, claims := range r.Status.Claims {
+		for _, claim := range claims {
+			for resourceName, qt := range claim.Claims {
+				amount, exists := usage[resourceName]
+				if !exists {
+					amount = resource.MustParse("0")
+				}
+
+				amount.Add(qt)
+				usage[resourceName] = amount
+			}
+		}
+	}
+
+	r.Status.Allocation.Claimed = usage
+
+	r.CalculateAvailableResources()
+}
+
+func (r *ResourcePool) CalculateAvailableResources() {
+	available := corev1.ResourceList{}
+
+	for res, qt := range r.Status.Allocation.Hard {
+		amount, exists := r.Status.Allocation.Claimed[res]
+		if exists {
+			qt.Sub(amount)
+		}
+
+		available[res] = qt
+	}
+
+	r.Status.Allocation.Available = available
+}
+
+func (r *ResourcePool) CanClaimFromPool(claim corev1.ResourceList) []error {
+	claimable := r.GetAvailableClaimableResources()
+	errs := []error{}
+
+	for resourceName, req := range claim {
+		available, exists := claimable[resourceName]
+		if !exists || available.IsZero() || available.Cmp(req) < 0 {
+			errs = append(errs, errors.New("not enough resources"+string(resourceName)+"available"))
+		}
+	}
+
+	return errs
+}
+
+func (r *ResourcePool) GetAvailableClaimableResources() corev1.ResourceList {
+	hard := r.Status.Allocation.Hard.DeepCopy()
+
+	for resourceName, qt := range hard {
+		claimed, exists := r.Status.Allocation.Claimed[resourceName]
+		if !exists {
+			claimed = resource.MustParse("0")
+		}
+
+		qt.Sub(claimed)
+
+		hard[resourceName] = qt
+	}
+
+	return hard
+}
+
+// Gets the Hard specification for the resourcequotas
+// This takes into account the default resources being used. However they don't count towards the claim usage
+// This can be changed in the future, the default is not calculated as usage because this might interrupt the namespace management
+// As we would need to verify if a new namespace with it's defaults still has place in the Pool. Same with attempting to join existing namespaces.
+func (r *ResourcePool) GetResourceQuotaHardResources(namespace string) corev1.ResourceList {
+	_, claimed := r.GetNamespaceClaims(namespace)
+
+	for resourceName, amount := range claimed {
+		if amount.IsZero() {
+			delete(claimed, resourceName)
+		}
+	}
+
+	// Only Consider Default, when enabled
+	for resourceName, amount := range r.Spec.Defaults {
+		usedValue := claimed[resourceName]
+		usedValue.Add(amount)
+
+		claimed[resourceName] = usedValue
+	}
+
+	return claimed
+}
+
+// Gets the total amount of claimed resources for a namespace.
+func (r *ResourcePool) GetNamespaceClaims(namespace string) (claims map[string]*ResourcePoolClaimsItem, claimedResources corev1.ResourceList) {
+	claimedResources = corev1.ResourceList{}
+	claims = map[string]*ResourcePoolClaimsItem{}
+
+	// First, check if quota exists in the status
+	for ns, cl := range r.Status.Claims {
+		if ns != namespace {
+			continue
+		}
+
+		for _, claim := range cl {
+			for resourceName, claimed := range claim.Claims {
+				usedValue, usedExists := claimedResources[resourceName]
+				if !usedExists {
+					usedValue = resource.MustParse("0") // Default to zero if no used value is found
+				}
+
+				// Combine with claim
+				usedValue.Add(claimed)
+				claimedResources[resourceName] = usedValue
+			}
+
+			claims[string(claim.UID)] = claim
+		}
+	}
+
+	return
+}
+
+// Calculate usage for each namespace.
+func (r *ResourcePool) GetClaimedByNamespaceClaims() (claims map[string]corev1.ResourceList) {
+	claims = map[string]corev1.ResourceList{}
+
+	// First, check if quota exists in the status
+	for ns, cl := range r.Status.Claims {
+		claims[ns] = corev1.ResourceList{}
+		nsScope := claims[ns]
+
+		for _, claim := range cl {
+			for resourceName, claimed := range claim.Claims {
+				usedValue, usedExists := nsScope[resourceName]
+				if !usedExists {
+					usedValue = resource.MustParse("0")
+				}
+
+				usedValue.Add(claimed)
+				nsScope[resourceName] = usedValue
+			}
+		}
+	}
+
+	return
+}
--- a/api/v1beta2/resourcepool_func_test.go
+++ b/api/v1beta2/resourcepool_func_test.go
@@ -0,0 +1,295 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/meta"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetClaimFromStatus(t *testing.T) {
+	ns := "test-namespace"
+	testUID := types.UID("test-uid")
+	otherUID := types.UID("wrong-uid")
+
+	claim := &ResourcePoolClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "claim-a",
+			Namespace: ns,
+			UID:       testUID,
+		},
+	}
+
+	pool := &ResourcePool{
+		Status: ResourcePoolStatus{
+			Claims: ResourcePoolNamespaceClaimsStatus{
+				ns: {
+					&ResourcePoolClaimsItem{
+						StatusNameUID: api.StatusNameUID{
+							UID: testUID,
+						},
+						Claims: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("500m"),
+							corev1.ResourceMemory: resource.MustParse("256Mi"),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	t.Run("returns matching claim", func(t *testing.T) {
+		found := pool.GetClaimFromStatus(claim)
+		assert.NotNil(t, found)
+		assert.Equal(t, testUID, found.UID)
+	})
+
+	t.Run("returns nil if UID doesn't match", func(t *testing.T) {
+		claimWrongUID := *claim
+		claimWrongUID.UID = otherUID
+
+		found := pool.GetClaimFromStatus(&claimWrongUID)
+		assert.Nil(t, found)
+	})
+
+	t.Run("returns nil if namespace has no claims", func(t *testing.T) {
+		claimWrongNS := *claim
+		claimWrongNS.Namespace = "other-ns"
+
+		found := pool.GetClaimFromStatus(&claimWrongNS)
+		assert.Nil(t, found)
+	})
+}
+
+func makeResourceList(cpu, memory string) corev1.ResourceList {
+	return corev1.ResourceList{
+		corev1.ResourceLimitsCPU:    resource.MustParse(cpu),
+		corev1.ResourceLimitsMemory: resource.MustParse(memory),
+	}
+}
+
+func makeClaim(name, ns string, uid types.UID, res corev1.ResourceList) *ResourcePoolClaim {
+	return &ResourcePoolClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+			UID:       uid,
+		},
+		Spec: ResourcePoolClaimSpec{
+			ResourceClaims: res,
+		},
+	}
+}
+
+func TestAssignNamespaces(t *testing.T) {
+	pool := &ResourcePool{}
+
+	namespaces := []corev1.Namespace{
+		{ObjectMeta: metav1.ObjectMeta{Name: "active-ns"}, Status: corev1.NamespaceStatus{Phase: corev1.NamespaceActive}},
+		{ObjectMeta: metav1.ObjectMeta{Name: "terminating-ns", DeletionTimestamp: &metav1.Time{}}, Status: corev1.NamespaceStatus{Phase: corev1.NamespaceTerminating}},
+	}
+
+	pool.AssignNamespaces(namespaces)
+
+	assert.Equal(t, uint(1), pool.Status.NamespaceSize)
+	assert.Equal(t, []string{"active-ns"}, pool.Status.Namespaces)
+}
+
+func TestAssignClaims(t *testing.T) {
+	pool := &ResourcePool{
+		Status: ResourcePoolStatus{
+			Claims: ResourcePoolNamespaceClaimsStatus{
+				"ns": {
+					&ResourcePoolClaimsItem{},
+					&ResourcePoolClaimsItem{},
+				},
+			},
+		},
+	}
+	pool.AssignClaims()
+
+	assert.Equal(t, uint(2), pool.Status.ClaimSize)
+}
+
+func TestAddRemoveClaimToStatus(t *testing.T) {
+	pool := &ResourcePool{}
+
+	claim := makeClaim("claim-1", "ns", "uid-1", makeResourceList("1", "1Gi"))
+	pool.AddClaimToStatus(claim)
+
+	stored := pool.GetClaimFromStatus(claim)
+	assert.NotNil(t, stored)
+	assert.Equal(t, api.Name("claim-1"), stored.Name)
+
+	pool.RemoveClaimFromStatus(claim)
+	assert.Nil(t, pool.GetClaimFromStatus(claim))
+}
+
+func TestCalculateResources(t *testing.T) {
+	pool := &ResourcePool{
+		Status: ResourcePoolStatus{
+			Allocation: ResourcePoolQuotaStatus{
+				Hard: corev1.ResourceList{
+					corev1.ResourceLimitsCPU: resource.MustParse("2"),
+				},
+			},
+			Claims: ResourcePoolNamespaceClaimsStatus{
+				"ns": {
+					&ResourcePoolClaimsItem{
+						Claims: corev1.ResourceList{
+							corev1.ResourceLimitsCPU: resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	pool.CalculateClaimedResources()
+
+	actualClaimed := pool.Status.Allocation.Claimed[corev1.ResourceLimitsCPU]
+	actualAvailable := pool.Status.Allocation.Available[corev1.ResourceLimitsCPU]
+
+	assert.Equal(t, 0, (&actualClaimed).Cmp(resource.MustParse("1")))
+	assert.Equal(t, 0, (&actualAvailable).Cmp(resource.MustParse("1")))
+}
+
+func TestCanClaimFromPool(t *testing.T) {
+	pool := &ResourcePool{
+		Status: ResourcePoolStatus{
+			Allocation: ResourcePoolQuotaStatus{
+				Hard: corev1.ResourceList{
+					corev1.ResourceLimitsMemory: resource.MustParse("1Gi"),
+				},
+				Claimed: corev1.ResourceList{
+					corev1.ResourceLimitsMemory: resource.MustParse("512Mi"),
+				},
+			},
+		},
+	}
+
+	errs := pool.CanClaimFromPool(corev1.ResourceList{
+		corev1.ResourceLimitsMemory: resource.MustParse("1Gi"),
+	})
+	assert.Len(t, errs, 1)
+
+	errs = pool.CanClaimFromPool(corev1.ResourceList{
+		corev1.ResourceLimitsMemory: resource.MustParse("500Mi"),
+	})
+	assert.Len(t, errs, 0)
+}
+
+func TestGetResourceQuotaHardResources(t *testing.T) {
+	pool := &ResourcePool{
+		Spec: ResourcePoolSpec{
+			Defaults: corev1.ResourceList{
+				corev1.ResourceLimitsCPU: resource.MustParse("1"),
+			},
+		},
+		Status: ResourcePoolStatus{
+			Claims: ResourcePoolNamespaceClaimsStatus{
+				"ns": {
+					&ResourcePoolClaimsItem{
+						Claims: corev1.ResourceList{
+							corev1.ResourceLimitsCPU: resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	res := pool.GetResourceQuotaHardResources("ns")
+	actual := res[corev1.ResourceLimitsCPU]
+	assert.Equal(t, 0, (&actual).Cmp(resource.MustParse("2")))
+}
+
+func TestGetNamespaceClaims(t *testing.T) {
+	pool := &ResourcePool{
+		Status: ResourcePoolStatus{
+			Claims: ResourcePoolNamespaceClaimsStatus{
+				"ns": {
+					&ResourcePoolClaimsItem{
+						StatusNameUID: api.StatusNameUID{UID: "uid1"},
+						Claims: corev1.ResourceList{
+							corev1.ResourceLimitsCPU: resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	claims, res := pool.GetNamespaceClaims("ns")
+	assert.Contains(t, claims, "uid1")
+	actual := res[corev1.ResourceLimitsCPU]
+	assert.Equal(t, 0, (&actual).Cmp(resource.MustParse("1")))
+}
+
+func TestGetClaimedByNamespaceClaims(t *testing.T) {
+	pool := &ResourcePool{
+		Status: ResourcePoolStatus{
+			Claims: ResourcePoolNamespaceClaimsStatus{
+				"ns1": {
+					&ResourcePoolClaimsItem{
+						Claims: makeResourceList("1", "1Gi"),
+					},
+				},
+			},
+		},
+	}
+
+	result := pool.GetClaimedByNamespaceClaims()
+	actualCPU := result["ns1"][corev1.ResourceLimitsCPU]
+	actualMem := result["ns1"][corev1.ResourceLimitsMemory]
+
+	assert.Equal(t, 0, (&actualCPU).Cmp(resource.MustParse("1")))
+	assert.Equal(t, 0, (&actualMem).Cmp(resource.MustParse("1Gi")))
+}
+
+func TestIsBoundToResourcePool_2(t *testing.T) {
+	t.Run("bound to resource pool (Assigned=True)", func(t *testing.T) {
+		claim := &ResourcePoolClaim{
+			Status: ResourcePoolClaimStatus{
+				Condition: metav1.Condition{
+					Type:   meta.BoundCondition,
+					Status: metav1.ConditionTrue,
+				},
+			},
+		}
+		assert.Equal(t, true, claim.IsBoundToResourcePool())
+	})
+
+	t.Run("not bound - wrong condition type", func(t *testing.T) {
+		claim := &ResourcePoolClaim{
+			Status: ResourcePoolClaimStatus{
+				Condition: metav1.Condition{
+					Type:   "Other",
+					Status: metav1.ConditionTrue,
+				},
+			},
+		}
+		assert.Equal(t, false, claim.IsBoundToResourcePool())
+	})
+
+	t.Run("not bound - condition not true", func(t *testing.T) {
+		claim := &ResourcePoolClaim{
+			Status: ResourcePoolClaimStatus{
+				Condition: metav1.Condition{
+					Type:   meta.BoundCondition,
+					Status: metav1.ConditionFalse,
+				},
+			},
+		}
+		assert.Equal(t, false, claim.IsBoundToResourcePool())
+	})
+}
--- a/api/v1beta2/resourcepool_status.go
+++ b/api/v1beta2/resourcepool_status.go
@@ -0,0 +1,65 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+// GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.
+type ResourcePoolStatus struct {
+	// How many namespaces are considered
+	// +kubebuilder:default=0
+	NamespaceSize uint `json:"namespaceCount,omitempty"`
+	// Amount of claims
+	// +kubebuilder:default=0
+	ClaimSize uint `json:"claimCount,omitempty"`
+	// Namespaces which are considered for claims
+	Namespaces []string `json:"namespaces,omitempty"`
+	// Tracks the quotas for the Resource.
+	Claims ResourcePoolNamespaceClaimsStatus `json:"claims,omitempty"`
+	// Tracks the Usage from Claimed against what has been granted from the pool
+	Allocation ResourcePoolQuotaStatus `json:"allocation,omitempty"`
+	// Exhaustions from claims associated with the pool
+	Exhaustions map[string]api.PoolExhaustionResource `json:"exhaustions,omitempty"`
+}
+
+type ResourcePoolNamespaceClaimsStatus map[string]ResourcePoolClaimsList
+
+type ResourcePoolQuotaStatus struct {
+	// Hard is the set of enforced hard limits for each named resource.
+	// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
+	// +optional
+	Hard corev1.ResourceList `json:"hard,omitempty" protobuf:"bytes,1,rep,name=hard,casttype=ResourceList,castkey=ResourceName"`
+	// Used is the current observed total usage of the resource in the namespace.
+	// +optional
+	Claimed corev1.ResourceList `json:"used,omitempty" protobuf:"bytes,2,rep,name=used,casttype=ResourceList,castkey=ResourceName"`
+	// Used to track the usage of the resource in the pool (diff hard - claimed). May be used for further automation
+	// +optional
+	Available corev1.ResourceList `json:"available,omitempty" protobuf:"bytes,2,rep,name=available,casttype=ResourceList,castkey=ResourceName"`
+}
+
+type ResourcePoolClaimsList []*ResourcePoolClaimsItem
+
+func (r *ResourcePoolClaimsList) GetClaimByUID(uid types.UID) *ResourcePoolClaimsItem {
+	for _, claim := range *r {
+		if claim.UID == uid {
+			return claim
+		}
+	}
+
+	return nil
+}
+
+// ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
+type ResourcePoolClaimsItem struct {
+	// Reference to the GlobalQuota being claimed from
+	api.StatusNameUID `json:",inline"`
+
+	// Claimed resources
+	Claims corev1.ResourceList `json:"claims,omitempty"`
+}
--- a/api/v1beta2/resourcepool_types.go
+++ b/api/v1beta2/resourcepool_types.go
@@ -0,0 +1,77 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+// ResourcePoolSpec.
+type ResourcePoolSpec struct {
+	// Selector to match the namespaces that should be managed by the GlobalResourceQuota
+	Selectors []api.NamespaceSelector `json:"selectors,omitempty"`
+	// Define the resourcequota served by this resourcepool.
+	Quota corev1.ResourceQuotaSpec `json:"quota"`
+	// The Defaults given for each namespace, the default is not counted towards the total allocation
+	// When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources
+	Defaults corev1.ResourceList `json:"defaults,omitempty"`
+	// Additional Configuration
+	//+kubebuilder:default:={}
+	Config ResourcePoolSpecConfiguration `json:"config,omitempty"`
+}
+
+type ResourcePoolSpecConfiguration struct {
+	// With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
+	// +kubebuilder:default=false
+	DefaultsAssignZero *bool `json:"defaultsZero,omitempty"`
+	// Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
+	// creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
+	// but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
+	// it's priority was lower
+	// Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
+	// other claim can claim the same resources with lower priority.
+	// +kubebuilder:default=false
+	OrderedQueue *bool `json:"orderedQueue,omitempty"`
+	// When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
+	// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
+	// +kubebuilder:default=false
+	DeleteBoundResources *bool `json:"deleteBoundResources,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,shortName=quotapool
+// +kubebuilder:printcolumn:name="Claims",type="integer",JSONPath=".status.claimCount",description="The total amount of Claims bound"
+// +kubebuilder:printcolumn:name="Namespaces",type="integer",JSONPath=".status.namespaceCount",description="The total amount of Namespaces considered"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
+
+// Resourcepools allows you to define a set of resources as known from ResoureQuotas. The Resourcepools are defined at cluster-scope an should
+// be administrated by cluster-administrators. However they create an interface, where cluster-administrators can define
+// from which namespaces resources from a Resourcepool can be claimed. The claiming is done via a namespaced CRD called ResourcePoolClaim. Then
+// it's up the group of users within these namespaces, to manage the resources they consume per namespace. Each Resourcepool provisions a ResourceQuotainto all the selected namespaces. Then essentially the ResourcePoolClaims, when they can be assigned to the ResourcePool stack resources on top of that
+// ResourceQuota based on the namspace, where the ResourcePoolClaim was made from.
+type ResourcePool struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ResourcePoolSpec   `json:"spec,omitempty"`
+	Status ResourcePoolStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ResourcePoolList contains a list of ResourcePool.
+type ResourcePoolList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ResourcePool `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ResourcePool{}, &ResourcePoolList{})
+}
--- a/api/v1beta2/resourcepoolclaim_func.go
+++ b/api/v1beta2/resourcepoolclaim_func.go
@@ -0,0 +1,20 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/meta"
+)
+
+// Indicate the claim is bound to a resource pool.
+func (r *ResourcePoolClaim) IsBoundToResourcePool() bool {
+	if r.Status.Condition.Type == meta.BoundCondition &&
+		r.Status.Condition.Status == metav1.ConditionTrue {
+		return true
+	}
+
+	return false
+}
--- a/api/v1beta2/resourcepoolclaim_func_test.go
+++ b/api/v1beta2/resourcepoolclaim_func_test.go
@@ -0,0 +1,71 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"testing"
+
+	"github.com/projectcapsule/capsule/pkg/meta"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestIsBoundToResourcePool(t *testing.T) {
+	tests := []struct {
+		name     string
+		claim    ResourcePoolClaim
+		expected bool
+	}{
+		{
+			name: "bound to resource pool (Assigned=True)",
+			claim: ResourcePoolClaim{
+				Status: ResourcePoolClaimStatus{
+					Condition: metav1.Condition{
+						Type:   meta.BoundCondition,
+						Status: metav1.ConditionTrue,
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "not bound - wrong condition type",
+			claim: ResourcePoolClaim{
+				Status: ResourcePoolClaimStatus{
+					Condition: metav1.Condition{
+						Type:   "SomethingElse",
+						Status: metav1.ConditionTrue,
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "not bound - status not true",
+			claim: ResourcePoolClaim{
+				Status: ResourcePoolClaimStatus{
+					Condition: metav1.Condition{
+						Type:   meta.BoundCondition,
+						Status: metav1.ConditionFalse,
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "not bound - empty condition",
+			claim: ResourcePoolClaim{
+				Status: ResourcePoolClaimStatus{},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := tt.claim.IsBoundToResourcePool()
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
--- a/api/v1beta2/resourcepoolclaim_types.go
+++ b/api/v1beta2/resourcepoolclaim_types.go
@@ -0,0 +1,59 @@
+// Copyright 2020-2025 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+type ResourcePoolClaimSpec struct {
+	// If there's the possability to claim from multiple global Quotas
+	// You must be specific about which one you want to claim resources from
+	// Once bound to a ResourcePool, this field is immutable
+	Pool string `json:"pool"`
+	// Amount which should be claimed for the resourcequota
+	ResourceClaims corev1.ResourceList `json:"claim"`
+}
+
+// ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
+type ResourcePoolClaimStatus struct {
+	// Reference to the GlobalQuota being claimed from
+	Pool api.StatusNameUID `json:"pool,omitempty"`
+	// Condtion for this resource claim
+	Condition metav1.Condition `json:"condition,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Pool",type="string",JSONPath=".status.pool.name",description="The ResourcePool being claimed from"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.condition.type",description="Status for claim"
+// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.condition.reason",description="Reason for status"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.condition.message",description="Condition Message"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+
+// ResourcePoolClaim is the Schema for the resourcepoolclaims API.
+type ResourcePoolClaim struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ResourcePoolClaimSpec   `json:"spec,omitempty"`
+	Status ResourcePoolClaimStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ResourceQuotaClaimList contains a list of ResourceQuotaClaim.
+type ResourcePoolClaimList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ResourcePoolClaim `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ResourcePoolClaim{}, &ResourcePoolClaimList{})
+}
--- a/api/v1beta2/tenant_annotations.go
+++ b/api/v1beta2/tenant_annotations.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_conversion_hub.go
+++ b/api/v1beta2/tenant_conversion_hub.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_func.go
+++ b/api/v1beta2/tenant_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_func_test.go
+++ b/api/v1beta2/tenant_func_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_labels.go
+++ b/api/v1beta2/tenant_labels.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_status.go
+++ b/api/v1beta2/tenant_status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_types.go
+++ b/api/v1beta2/tenant_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -49,6 +49,8 @@ type TenantSpec struct {
 	// A default value can be specified, and all the Pod resources created will inherit the declared class.
 	// Optional.
 	PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
+	// Specifies options for the GatewayClass resources.
+	GatewayOptions GatewayOptions `json:"gatewayOptions,omitempty"`
 	// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
 	//+kubebuilder:default:=false
 	Cordoned bool `json:"cordoned,omitempty"`
@@ -100,7 +102,8 @@ func (in *Tenant) GetNamespaces() (res []string) {
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Tenant `json:"items"`
+
+	Items []Tenant `json:"items"`
 }

 func init() {
--- a/api/v1beta2/tenantresource_global.go
+++ b/api/v1beta2/tenantresource_global.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -10,9 +10,10 @@ import (

 // GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
 type GlobalTenantResourceSpec struct {
-	// Defines the Tenant selector used target the tenants on which resources must be propagated.
-	TenantSelector     metav1.LabelSelector `json:"tenantSelector,omitempty"`
 	TenantResourceSpec `json:",inline"`
+
+	// Defines the Tenant selector used target the tenants on which resources must be propagated.
+	TenantSelector metav1.LabelSelector `json:"tenantSelector,omitempty"`
 }

 // GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
@@ -54,7 +55,8 @@ type GlobalTenantResource struct {
 type GlobalTenantResourceList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []GlobalTenantResource `json:"items"`
+
+	Items []GlobalTenantResource `json:"items"`
 }

 func init() {
--- a/api/v1beta2/tenantresource_namespaced.go
+++ b/api/v1beta2/tenantresource_namespaced.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -69,7 +69,8 @@ type TenantResource struct {
 type TenantResourceList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []TenantResource `json:"items"`
+
+	Items []TenantResource `json:"items"`
 }

 func init() {
--- a/api/v1beta2/tenantresource_types.go
+++ b/api/v1beta2/tenantresource_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -23,6 +23,7 @@ type ObjectReferenceAbstract struct {

 type ObjectReferenceStatus struct {
 	ObjectReferenceAbstract `json:",inline"`
+
 	// Name of the referent.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 	Name string `json:"name"`
@@ -30,6 +31,7 @@ type ObjectReferenceStatus struct {

 type ObjectReference struct {
 	ObjectReferenceAbstract `json:",inline"`
+
 	// Label selector used to select the given resources in the given Namespace.
 	Selector metav1.LabelSelector `json:"selector"`
 }
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@@ -9,6 +9,7 @@ package v1beta2

 import (
 	"github.com/projectcapsule/capsule/pkg/api"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -154,6 +155,26 @@ func (in *CapsuleResources) DeepCopy() *CapsuleResources {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GatewayOptions) DeepCopyInto(out *GatewayOptions) {
+	*out = *in
+	if in.AllowedClasses != nil {
+		in, out := &in.AllowedClasses, &out.AllowedClasses
+		*out = new(api.SelectionListWithDefaultSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayOptions.
+func (in *GatewayOptions) DeepCopy() *GatewayOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(GatewayOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GlobalTenantResource) DeepCopyInto(out *GlobalTenantResource) {
 	*out = *in
@@ -216,8 +237,8 @@ func (in *GlobalTenantResourceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GlobalTenantResourceSpec) DeepCopyInto(out *GlobalTenantResourceSpec) {
 	*out = *in
-	in.TenantSelector.DeepCopyInto(&out.TenantSelector)
 	in.TenantResourceSpec.DeepCopyInto(&out.TenantResourceSpec)
+	in.TenantSelector.DeepCopyInto(&out.TenantSelector)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalTenantResourceSpec.
@@ -293,6 +314,13 @@ func (in *NamespaceOptions) DeepCopyInto(out *NamespaceOptions) {
 		*out = new(api.AdditionalMetadataSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.AdditionalMetadataList != nil {
+		in, out := &in.AdditionalMetadataList, &out.AdditionalMetadataList
+		*out = make([]api.AdditionalMetadataSelectorSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	in.ForbiddenLabels.DeepCopyInto(&out.ForbiddenLabels)
 	in.ForbiddenAnnotations.DeepCopyInto(&out.ForbiddenAnnotations)
 }
@@ -490,6 +518,394 @@ func (in *RawExtension) DeepCopy() *RawExtension {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePool) DeepCopyInto(out *ResourcePool) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePool.
+func (in *ResourcePool) DeepCopy() *ResourcePool {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePool)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ResourcePool) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolClaim) DeepCopyInto(out *ResourcePoolClaim) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaim.
+func (in *ResourcePoolClaim) DeepCopy() *ResourcePoolClaim {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolClaim)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ResourcePoolClaim) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolClaimList) DeepCopyInto(out *ResourcePoolClaimList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ResourcePoolClaim, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimList.
+func (in *ResourcePoolClaimList) DeepCopy() *ResourcePoolClaimList {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolClaimList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ResourcePoolClaimList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolClaimSpec) DeepCopyInto(out *ResourcePoolClaimSpec) {
+	*out = *in
+	if in.ResourceClaims != nil {
+		in, out := &in.ResourceClaims, &out.ResourceClaims
+		*out = make(corev1.ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimSpec.
+func (in *ResourcePoolClaimSpec) DeepCopy() *ResourcePoolClaimSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolClaimSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolClaimStatus) DeepCopyInto(out *ResourcePoolClaimStatus) {
+	*out = *in
+	out.Pool = in.Pool
+	in.Condition.DeepCopyInto(&out.Condition)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimStatus.
+func (in *ResourcePoolClaimStatus) DeepCopy() *ResourcePoolClaimStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolClaimStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolClaimsItem) DeepCopyInto(out *ResourcePoolClaimsItem) {
+	*out = *in
+	out.StatusNameUID = in.StatusNameUID
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make(corev1.ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimsItem.
+func (in *ResourcePoolClaimsItem) DeepCopy() *ResourcePoolClaimsItem {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolClaimsItem)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in ResourcePoolClaimsList) DeepCopyInto(out *ResourcePoolClaimsList) {
+	{
+		in := &in
+		*out = make(ResourcePoolClaimsList, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(ResourcePoolClaimsItem)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimsList.
+func (in ResourcePoolClaimsList) DeepCopy() ResourcePoolClaimsList {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolClaimsList)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolList) DeepCopyInto(out *ResourcePoolList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ResourcePool, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolList.
+func (in *ResourcePoolList) DeepCopy() *ResourcePoolList {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ResourcePoolList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in ResourcePoolNamespaceClaimsStatus) DeepCopyInto(out *ResourcePoolNamespaceClaimsStatus) {
+	{
+		in := &in
+		*out = make(ResourcePoolNamespaceClaimsStatus, len(*in))
+		for key, val := range *in {
+			var outVal []*ResourcePoolClaimsItem
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = make(ResourcePoolClaimsList, len(*in))
+				for i := range *in {
+					if (*in)[i] != nil {
+						in, out := &(*in)[i], &(*out)[i]
+						*out = new(ResourcePoolClaimsItem)
+						(*in).DeepCopyInto(*out)
+					}
+				}
+			}
+			(*out)[key] = outVal
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolNamespaceClaimsStatus.
+func (in ResourcePoolNamespaceClaimsStatus) DeepCopy() ResourcePoolNamespaceClaimsStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolNamespaceClaimsStatus)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolQuotaStatus) DeepCopyInto(out *ResourcePoolQuotaStatus) {
+	*out = *in
+	if in.Hard != nil {
+		in, out := &in.Hard, &out.Hard
+		*out = make(corev1.ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Claimed != nil {
+		in, out := &in.Claimed, &out.Claimed
+		*out = make(corev1.ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Available != nil {
+		in, out := &in.Available, &out.Available
+		*out = make(corev1.ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolQuotaStatus.
+func (in *ResourcePoolQuotaStatus) DeepCopy() *ResourcePoolQuotaStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolQuotaStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolSpec) DeepCopyInto(out *ResourcePoolSpec) {
+	*out = *in
+	if in.Selectors != nil {
+		in, out := &in.Selectors, &out.Selectors
+		*out = make([]api.NamespaceSelector, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.Quota.DeepCopyInto(&out.Quota)
+	if in.Defaults != nil {
+		in, out := &in.Defaults, &out.Defaults
+		*out = make(corev1.ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	in.Config.DeepCopyInto(&out.Config)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolSpec.
+func (in *ResourcePoolSpec) DeepCopy() *ResourcePoolSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolSpecConfiguration) DeepCopyInto(out *ResourcePoolSpecConfiguration) {
+	*out = *in
+	if in.DefaultsAssignZero != nil {
+		in, out := &in.DefaultsAssignZero, &out.DefaultsAssignZero
+		*out = new(bool)
+		**out = **in
+	}
+	if in.OrderedQueue != nil {
+		in, out := &in.OrderedQueue, &out.OrderedQueue
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeleteBoundResources != nil {
+		in, out := &in.DeleteBoundResources, &out.DeleteBoundResources
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolSpecConfiguration.
+func (in *ResourcePoolSpecConfiguration) DeepCopy() *ResourcePoolSpecConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolSpecConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePoolStatus) DeepCopyInto(out *ResourcePoolStatus) {
+	*out = *in
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make(ResourcePoolNamespaceClaimsStatus, len(*in))
+		for key, val := range *in {
+			var outVal []*ResourcePoolClaimsItem
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = make(ResourcePoolClaimsList, len(*in))
+				for i := range *in {
+					if (*in)[i] != nil {
+						in, out := &(*in)[i], &(*out)[i]
+						*out = new(ResourcePoolClaimsItem)
+						(*in).DeepCopyInto(*out)
+					}
+				}
+			}
+			(*out)[key] = outVal
+		}
+	}
+	in.Allocation.DeepCopyInto(&out.Allocation)
+	if in.Exhaustions != nil {
+		in, out := &in.Exhaustions, &out.Exhaustions
+		*out = make(map[string]api.PoolExhaustionResource, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolStatus.
+func (in *ResourcePoolStatus) DeepCopy() *ResourcePoolStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePoolStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec) {
 	*out = *in
@@ -763,6 +1179,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(api.DefaultAllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	in.GatewayOptions.DeepCopyInto(&out.GatewayOptions)
 	if in.ForceTenantPrefix != nil {
 		in, out := &in.ForceTenantPrefix, &out.ForceTenantPrefix
 		*out = new(bool)
--- a/assets/adopters/begasoft.png
+++ b/assets/adopters/begasoft.png
--- a/charts/capsule/Chart.lock
+++ b/charts/capsule/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: capsule-proxy
  repository: oci://ghcr.io/projectcapsule/charts
-  version: 0.9.3
-digest: sha256:057afc3b971a7ffe5ada7d358d759ab3383ffca61aed07e224f3f6c4338568ee
-generated: "2025-04-26T05:29:13.486605681Z"
+  version: 0.9.8
+digest: sha256:95e04d5bd4b131bdd65a58cf4e10fd3dc75ec8e6862f872ca52991a5f586ef57
+generated: "2025-06-13T10:12:25.24140194Z"
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -6,7 +6,7 @@ home: https://github.com/projectcapsule/capsule
 icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
 dependencies:
  - name: capsule-proxy
-    version: 0.9.3
+    version: 0.9.8
    repository: "oci://ghcr.io/projectcapsule/charts"
    condition: proxy.enabled
    alias: proxy
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -134,6 +134,10 @@ Here the values you can override:
 | ports | list | `[]` | Set additional ports for the deployment |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
 | proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
+| rbac.resourcepoolclaims.create | bool | `false` |  |
+| rbac.resourcepoolclaims.labels."rbac.authorization.k8s.io/aggregate-to-admin" | string | `"true"` |  |
+| rbac.resources.create | bool | `false` |  |
+| rbac.resources.labels."rbac.authorization.k8s.io/aggregate-to-admin" | string | `"true"` |  |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
@@ -174,20 +178,29 @@ Here the values you can override:
 | manager.volumes | list | `[]` | Set the additional volumes needed for the Capsule manager container |
 | manager.webhookPort | int | `9443` | Set an alternative to the default container port.  Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |

-### ServiceMonitor Parameters
+### Monitoring Parameters

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| serviceMonitor.annotations | object | `{}` | Assign additional Annotations |
-| serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
-| serviceMonitor.endpoint.interval | string | `"15s"` | Set the scrape interval for the endpoint of the serviceMonitor |
-| serviceMonitor.endpoint.metricRelabelings | list | `[]` | Set metricRelabelings for the endpoint of the serviceMonitor |
-| serviceMonitor.endpoint.relabelings | list | `[]` | Set relabelings for the endpoint of the serviceMonitor |
-| serviceMonitor.endpoint.scrapeTimeout | string | `""` | Set the scrape timeout for the endpoint of the serviceMonitor |
-| serviceMonitor.labels | object | `{}` | Assign additional labels according to Prometheus' serviceMonitorSelector matching labels |
-| serviceMonitor.matchLabels | object | `{}` | Change matching labels |
-| serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
-| serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
+| monitoring.dashboards.annotations | object | `{}` | Annotations for dashboard configmaps |
+| monitoring.dashboards.enabled | bool | `false` | Enable Dashboards to be deployed |
+| monitoring.dashboards.labels | object | `{}` | Labels for dashboard configmaps |
+| monitoring.dashboards.namespace | string | `""` | Custom namespace for dashboard configmaps |
+| monitoring.dashboards.operator.allowCrossNamespaceImport | bool | `true` | Allow the Operator to match this resource with Grafanas outside the current namespace |
+| monitoring.dashboards.operator.enabled | bool | `true` | Enable Operator Resources (GrafanaDashboard) |
+| monitoring.dashboards.operator.folder | string | `""` | folder assignment for dashboard |
+| monitoring.dashboards.operator.instanceSelector | object | `{}` | Selects Grafana instances for import |
+| monitoring.dashboards.operator.resyncPeriod | string | `"10m"` | How often the resource is synced, defaults to 10m0s if not set |
+| monitoring.serviceMonitor.annotations | object | `{}` | Assign additional Annotations |
+| monitoring.serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
+| monitoring.serviceMonitor.endpoint.interval | string | `"15s"` | Set the scrape interval for the endpoint of the serviceMonitor |
+| monitoring.serviceMonitor.endpoint.metricRelabelings | list | `[]` | Set metricRelabelings for the endpoint of the serviceMonitor |
+| monitoring.serviceMonitor.endpoint.relabelings | list | `[]` | Set relabelings for the endpoint of the serviceMonitor |
+| monitoring.serviceMonitor.endpoint.scrapeTimeout | string | `""` | Set the scrape timeout for the endpoint of the serviceMonitor |
+| monitoring.serviceMonitor.labels | object | `{}` | Assign additional labels according to Prometheus' serviceMonitorSelector matching labels |
+| monitoring.serviceMonitor.matchLabels | object | `{}` | Change matching labels |
+| monitoring.serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
+| monitoring.serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |

 ### Webhooks Parameters

@@ -197,6 +210,12 @@ Here the values you can override:
 | webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
 | webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[1].key | string | `"projectcapsule.dev/cordoned"` |  |
+| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[1].operator | string | `"Exists"` |  |
+| webhooks.hooks.customresources.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.customresources.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.customresources.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.customresources.objectSelector | object | `{}` |  |
 | webhooks.hooks.defaults.ingress.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
 | webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
@@ -206,9 +225,16 @@ Here the values you can override:
 | webhooks.hooks.defaults.pvc.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
 | webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.gateways.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.gateways.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.gateways.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
 | webhooks.hooks.ingresses.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
 | webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.namespace.mutation.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.namespace.mutation.namespaceSelector | object | `{}` |  |
+| webhooks.hooks.namespace.mutation.objectSelector | object | `{}` |  |
+| webhooks.hooks.namespace.validation.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` |  |
@@ -221,6 +247,16 @@ Here the values you can override:
 | webhooks.hooks.pods.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
 | webhooks.hooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.resourcepools.claims.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.resourcepools.claims.matchPolicy | string | `"Equivalent"` |  |
+| webhooks.hooks.resourcepools.claims.namespaceSelector | object | `{}` |  |
+| webhooks.hooks.resourcepools.claims.objectSelector | object | `{}` |  |
+| webhooks.hooks.resourcepools.claims.reinvocationPolicy | string | `"Never"` |  |
+| webhooks.hooks.resourcepools.pools.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.resourcepools.pools.matchPolicy | string | `"Equivalent"` |  |
+| webhooks.hooks.resourcepools.pools.namespaceSelector | object | `{}` |  |
+| webhooks.hooks.resourcepools.pools.objectSelector | object | `{}` |  |
+| webhooks.hooks.resourcepools.pools.reinvocationPolicy | string | `"Never"` |  |
 | webhooks.hooks.services.failurePolicy | string | `"Fail"` |  |
 | webhooks.hooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
 | webhooks.hooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
--- a/charts/capsule/README.md.gotmpl
+++ b/charts/capsule/README.md.gotmpl
@@ -112,7 +112,7 @@ Here the values you can override:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
+  {{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "monitoring" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
  {{- end }}
 {{- end }}
@@ -127,12 +127,12 @@ Here the values you can override:
  {{- end }}
 {{- end }}

-### ServiceMonitor Parameters
+### Monitoring Parameters

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if hasPrefix "serviceMonitor" .Key }}
+  {{- if hasPrefix "monitoring" .Key }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
  {{- end }}
 {{- end }}
--- a/charts/capsule/ci/monitoring-values.yaml
+++ b/charts/capsule/ci/monitoring-values.yaml
@@ -0,0 +1,9 @@
+monitoring:
+  dashboards:
+    enabled: true
+    annotations:
+      k8s-sidecar-target-directory: /tmp/dashboards/Capsule
+    labels:
+      grafana_dashboard: "1"
+    operator:
+      enabled: true
--- a/charts/capsule/ci/tracing-values.yaml
+++ b/charts/capsule/ci/tracing-values.yaml
--- a/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.18.0
  name: capsuleconfigurations.capsule.clastix.io
 spec:
  group: capsule.clastix.io
--- a/charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.18.0
  name: globaltenantresources.capsule.clastix.io
 spec:
  group: capsule.clastix.io
--- a/charts/capsule/crds/capsule.clastix.io_resourcepoolclaims.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_resourcepoolclaims.yaml
@@ -0,0 +1,158 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: resourcepoolclaims.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: ResourcePoolClaim
+    listKind: ResourcePoolClaimList
+    plural: resourcepoolclaims
+    singular: resourcepoolclaim
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The ResourcePool being claimed from
+      jsonPath: .status.pool.name
+      name: Pool
+      type: string
+    - description: Status for claim
+      jsonPath: .status.condition.type
+      name: Status
+      type: string
+    - description: Reason for status
+      jsonPath: .status.condition.reason
+      name: Reason
+      type: string
+    - description: Condition Message
+      jsonPath: .status.condition.message
+      name: Message
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: ResourcePoolClaim is the Schema for the resourcepoolclaims API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              claim:
+                additionalProperties:
+                  anyOf:
+                  - type: integer
+                  - type: string
+                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                  x-kubernetes-int-or-string: true
+                description: Amount which should be claimed for the resourcequota
+                type: object
+              pool:
+                description: |-
+                  If there's the possability to claim from multiple global Quotas
+                  You must be specific about which one you want to claim resources from
+                  Once bound to a ResourcePool, this field is immutable
+                type: string
+            required:
+            - claim
+            - pool
+            type: object
+          status:
+            description: ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
+            properties:
+              condition:
+                description: Condtion for this resource claim
+                properties:
+                  lastTransitionTime:
+                    description: |-
+                      lastTransitionTime is the last time the condition transitioned from one status to another.
+                      This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                    format: date-time
+                    type: string
+                  message:
+                    description: |-
+                      message is a human readable message indicating details about the transition.
+                      This may be an empty string.
+                    maxLength: 32768
+                    type: string
+                  observedGeneration:
+                    description: |-
+                      observedGeneration represents the .metadata.generation that the condition was set based upon.
+                      For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                      with respect to the current state of the instance.
+                    format: int64
+                    minimum: 0
+                    type: integer
+                  reason:
+                    description: |-
+                      reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                      Producers of specific condition types may define expected values and meanings for this field,
+                      and whether the values are considered a guaranteed API.
+                      The value should be a CamelCase string.
+                      This field may not be empty.
+                    maxLength: 1024
+                    minLength: 1
+                    pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                    type: string
+                  status:
+                    description: status of the condition, one of True, False, Unknown.
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                    type: string
+                  type:
+                    description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                    maxLength: 316
+                    pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                    type: string
+                required:
+                - lastTransitionTime
+                - message
+                - reason
+                - status
+                - type
+                type: object
+              pool:
+                description: Reference to the GlobalQuota being claimed from
+                properties:
+                  name:
+                    description: Name
+                    maxLength: 253
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                  namespace:
+                    description: Namespace
+                    maxLength: 253
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                  uid:
+                    description: UID of the tracked Tenant to pin point tracking
+                    type: string
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
--- a/charts/capsule/crds/capsule.clastix.io_resourcepools.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_resourcepools.yaml
@@ -0,0 +1,328 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: resourcepools.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: ResourcePool
+    listKind: ResourcePoolList
+    plural: resourcepools
+    shortNames:
+    - quotapool
+    singular: resourcepool
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: The total amount of Claims bound
+      jsonPath: .status.claimCount
+      name: Claims
+      type: integer
+    - description: The total amount of Namespaces considered
+      jsonPath: .status.namespaceCount
+      name: Namespaces
+      type: integer
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          Resourcepools allows you to define a set of resources as known from ResoureQuotas. The Resourcepools are defined at cluster-scope an should
+          be administrated by cluster-administrators. However they create an interface, where cluster-administrators can define
+          from which namespaces resources from a Resourcepool can be claimed. The claiming is done via a namespaced CRD called ResourcePoolClaim. Then
+          it's up the group of users within these namespaces, to manage the resources they consume per namespace. Each Resourcepool provisions a ResourceQuotainto all the selected namespaces. Then essentially the ResourcePoolClaims, when they can be assigned to the ResourcePool stack resources on top of that
+          ResourceQuota based on the namspace, where the ResourcePoolClaim was made from.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ResourcePoolSpec.
+            properties:
+              config:
+                default: {}
+                description: Additional Configuration
+                properties:
+                  defaultsZero:
+                    default: false
+                    description: With this option all resources which can be allocated
+                      are set to 0 for the resourcequota defaults.
+                    type: boolean
+                  deleteBoundResources:
+                    default: false
+                    description: |-
+                      When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
+                      By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
+                    type: boolean
+                  orderedQueue:
+                    default: false
+                    description: |-
+                      Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
+                      creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
+                      but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
+                      it's priority was lower
+                      Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
+                      other claim can claim the same resources with lower priority.
+                    type: boolean
+                type: object
+              defaults:
+                additionalProperties:
+                  anyOf:
+                  - type: integer
+                  - type: string
+                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                  x-kubernetes-int-or-string: true
+                description: |-
+                  The Defaults given for each namespace, the default is not counted towards the total allocation
+                  When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources
+                type: object
+              quota:
+                description: Define the resourcequota served by this resourcepool.
+                properties:
+                  hard:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: |-
+                      hard is the set of desired hard limits for each named resource.
+                      More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
+                    type: object
+                  scopeSelector:
+                    description: |-
+                      scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
+                      but expressed using ScopeSelectorOperator in combination with possible values.
+                      For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
+                    properties:
+                      matchExpressions:
+                        description: A list of scope selector requirements by scope
+                          of the resources.
+                        items:
+                          description: |-
+                            A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator
+                            that relates the scope name and values.
+                          properties:
+                            operator:
+                              description: |-
+                                Represents a scope's relationship to a set of values.
+                                Valid operators are In, NotIn, Exists, DoesNotExist.
+                              type: string
+                            scopeName:
+                              description: The name of the scope that the selector
+                                applies to.
+                              type: string
+                            values:
+                              description: |-
+                                An array of string values. If the operator is In or NotIn,
+                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty.
+                                This array is replaced during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: atomic
+                          required:
+                          - operator
+                          - scopeName
+                          type: object
+                        type: array
+                        x-kubernetes-list-type: atomic
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  scopes:
+                    description: |-
+                      A collection of filters that must match each object tracked by a quota.
+                      If not specified, the quota matches all objects.
+                    items:
+                      description: A ResourceQuotaScope defines a filter that must
+                        match each object tracked by a quota
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                type: object
+              selectors:
+                description: Selector to match the namespaces that should be managed
+                  by the GlobalResourceQuota
+                items:
+                  description: Selector for resources and their labels or selecting
+                    origin namespaces
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: |-
+                          A label selector requirement is a selector that contains values, a key, and an operator that
+                          relates the key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: |-
+                              operator represents a key's relationship to a set of values.
+                              Valid operators are In, NotIn, Exists and DoesNotExist.
+                            type: string
+                          values:
+                            description: |-
+                              values is an array of string values. If the operator is In or NotIn,
+                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                              the values array must be empty. This array is replaced during a strategic
+                              merge patch.
+                            items:
+                              type: string
+                            type: array
+                            x-kubernetes-list-type: atomic
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: |-
+                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                        map is equivalent to an element of matchExpressions, whose key field is "key", the
+                        operator is "In", and the values array contains only "value". The requirements are ANDed.
+                      type: object
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
+            required:
+            - quota
+            type: object
+          status:
+            description: GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.
+            properties:
+              allocation:
+                description: Tracks the Usage from Claimed against what has been granted
+                  from the pool
+                properties:
+                  available:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: Used to track the usage of the resource in the pool
+                      (diff hard - claimed). May be used for further automation
+                    type: object
+                  hard:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: |-
+                      Hard is the set of enforced hard limits for each named resource.
+                      More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
+                    type: object
+                  used:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: Used is the current observed total usage of the resource
+                      in the namespace.
+                    type: object
+                type: object
+              claimCount:
+                default: 0
+                description: Amount of claims
+                type: integer
+              claims:
+                additionalProperties:
+                  items:
+                    description: ResourceQuotaClaimStatus defines the observed state
+                      of ResourceQuotaClaim.
+                    properties:
+                      claims:
+                        additionalProperties:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                          x-kubernetes-int-or-string: true
+                        description: Claimed resources
+                        type: object
+                      name:
+                        description: Name
+                        maxLength: 253
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                      namespace:
+                        description: Namespace
+                        maxLength: 253
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                      uid:
+                        description: UID of the tracked Tenant to pin point tracking
+                        type: string
+                    type: object
+                  type: array
+                description: Tracks the quotas for the Resource.
+                type: object
+              exhaustions:
+                additionalProperties:
+                  properties:
+                    available:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Available Resources to be claimed
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    requesting:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Requesting Resources
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                  type: object
+                description: Exhaustions from claims associated with the pool
+                type: object
+              namespaceCount:
+                default: 0
+                description: How many namespaces are considered
+                type: integer
+              namespaces:
+                description: Namespaces which are considered for claims
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
--- a/charts/capsule/crds/capsule.clastix.io_tenantresources.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_tenantresources.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.18.0
  name: tenantresources.capsule.clastix.io
 spec:
  group: capsule.clastix.io
--- a/charts/capsule/crds/capsule.clastix.io_tenants.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_tenants.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.18.0
  name: tenants.capsule.clastix.io
 spec:
  group: capsule.clastix.io
@@ -1160,6 +1160,57 @@ spec:
                  If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
                  Optional
                type: boolean
+              gatewayOptions:
+                description: Specifies options for the GatewayClass resources.
+                properties:
+                  allowedClasses:
+                    properties:
+                      default:
+                        type: string
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: |-
+                            A label selector requirement is a selector that contains values, a key, and an operator that
+                            relates the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: |-
+                                operator represents a key's relationship to a set of values.
+                                Valid operators are In, NotIn, Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: |-
+                                values is an array of string values. If the operator is In or NotIn,
+                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced during a strategic
+                                merge patch.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: atomic
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                          map is equivalent to an element of matchExpressions, whose key field is "key", the
+                          operator is "In", and the values array contains only "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
              imagePullPolicies:
                description: Specify the allowed values for the imagePullPolicies
                  option in Pod resources. Capsule assures that all Pod resources
@@ -1373,6 +1424,71 @@ spec:
                          type: string
                        type: object
                    type: object
+                  additionalMetadataList:
+                    description: Specifies additional labels and annotations the Capsule
+                      operator places on any Namespace resource in the Tenant via
+                      a list. Optional.
+                    items:
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        namespaceSelector:
+                          description: |-
+                            A label selector is a label query over a set of resources. The result of matchLabels and
+                            matchExpressions are ANDed. An empty label selector matches all objects. A null
+                            label selector matches no objects.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                      type: object
+                    type: array
                  forbiddenAnnotations:
                    description: Define the annotations that a Tenant Owner cannot
                      set for their Namespace resources.
--- a/charts/capsule/dashboards/resourcepools-dashboard.json
+++ b/charts/capsule/dashboards/resourcepools-dashboard.json
--- a/charts/capsule/templates/crd-lifecycle/job.yaml
+++ b/charts/capsule/templates/crd-lifecycle/job.yaml
@@ -19,9 +19,7 @@ metadata:
    {{- include "capsule.labels" . | nindent 4 }}
 spec:
  backoffLimit: {{ $Values.backoffLimit }}
-  {{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
  ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
-  {{- end }}
  template:
    metadata:
      name: "{{ include "capsule.crds.name" . }}"
--- a/charts/capsule/templates/daemonset.yaml
+++ b/charts/capsule/templates/daemonset.yaml
@@ -58,8 +58,6 @@ spec:
            secretName: {{ include "capsule.secretTlsName" . }}
      containers:
        - name: manager
-          command:
-          - /manager
          args:
          - --webhook-port={{ .Values.manager.webhookPort }}
          - --enable-leader-election
--- a/charts/capsule/templates/dashboards.yaml
+++ b/charts/capsule/templates/dashboards.yaml
@@ -0,0 +1,51 @@
+
+{{- if $.Values.monitoring.dashboards.enabled }}
+  {{ range $path, $_ :=  .Files.Glob "dashboards/**-dashboard.json" }}
+    {{- with $ }}
+      {{- $content := (.Files.Get $path) }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "capsule.fullname" . }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$"  }}-dashboard
+  namespace: {{ default $.Release.Namespace $.Values.monitoring.dashboards.namespace | quote }}
+  annotations:
+    {{- with $.Values.monitoring.dashboards.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+    {{- with $.Values.monitoring.dashboards.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  {{ base $path }}: |-
+    {{- $content | nindent 4 }}
+
+  {{- if $.Values.monitoring.dashboards.operator.enabled }}
+---
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: {{ include "capsule.fullname" . }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$"  }}
+  namespace: {{ default $.Release.Namespace $.Values.monitoring.dashboards.namespace | quote }}
+  annotations:
+    {{- with $.Values.monitoring.dashboards.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+    {{- with $.Values.monitoring.dashboards.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  configMapRef:
+    name: {{ include "capsule.fullname" . }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$"  }}-dashboard
+    key: {{ base $path }}
+    {{- with (omit $.Values.monitoring.dashboards.operator "enabled") }}
+      {{- toYaml . | nindent 2 }}
+    {{- end }}
+  {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/charts/capsule/templates/mutatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/mutatingwebhookconfiguration.yaml
@@ -81,30 +81,111 @@ webhooks:
  sideEffects: None
  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{- with .Values.webhooks.hooks.namespaceOwnerReference }}
+{{- with .Values.webhooks.hooks.gateways }}
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  name: gateway.defaults.projectcapsule.dev
+  rules:
+  - apiGroups:
+    - gateway.networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - gateways
+    scope: "Namespaced"
+  namespaceSelector:
+  {{- toYaml .namespaceSelector | nindent 4}}
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with (mergeOverwrite .Values.webhooks.hooks.namespace.mutation .Values.webhooks.hooks.namespaceOwnerReference) }}
 - admissionReviewVersions:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespace-patch" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: Equivalent
-  name: owner.namespace.projectcapsule.dev
-  namespaceSelector: {}
-  objectSelector: {}
+  name: namespace-patching.tenants.projectcapsule.dev
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
  reinvocationPolicy: Never
  rules:
    - apiGroups:
-      - ""
+        - ""
      apiVersions:
-      - v1
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - namespaces
+      scope: '*'
+  sideEffects: NoneOnDryRun
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+  {{- end }}
+  {{- with .Values.webhooks.hooks.resourcepools.pools }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/mutating" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  name: resourcepools.projectcapsule.dev
+  namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
+  objectSelector: {{ toYaml .objectSelector | nindent 4 }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
+  rules:
+    - apiGroups:
+      - "capsule.clastix.io"
+      apiVersions:
+      - "*"
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+      - resourcepools
+      scope: '*'
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+  {{- end }}
+  {{- with .Values.webhooks.hooks.resourcepools.claims }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/mutating" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  name: resourcepoolclaims.projectcapsule.dev
+  namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
+  objectSelector: {{ toYaml .objectSelector | nindent 4 }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
+  rules:
+    - apiGroups:
+      - "capsule.clastix.io"
+      apiVersions:
+      - "*"
      operations:
      - CREATE
      - UPDATE
      resources:
-      - namespaces
+      - resourcepoolclaims
      scope: '*'
-  sideEffects: NoneOnDryRun
+  sideEffects: None
  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
-{{- end }}
+  {{- end }}
 {{- end }}
--- a/charts/capsule/templates/post-install/job.yaml
+++ b/charts/capsule/templates/post-install/job.yaml
@@ -17,9 +17,7 @@ metadata:
    {{- end }}
 spec:
  backoffLimit: {{ $Values.backoffLimit }}
-  {{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
  ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
-  {{- end }}
  template:
    metadata:
      labels:
--- a/charts/capsule/templates/pre-delete/job.yaml
+++ b/charts/capsule/templates/pre-delete/job.yaml
@@ -17,9 +17,7 @@ metadata:
    {{- end }}
 spec:
  backoffLimit: {{ $Values.backoffLimit }}
-  {{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
  ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
-  {{- end }}
  template:
    metadata:
      labels:
--- a/charts/capsule/templates/rbac-tenants.yaml
+++ b/charts/capsule/templates/rbac-tenants.yaml
@@ -0,0 +1,24 @@
+{{- if $.Values.rbac.resourcepoolclaims.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "capsule.fullname" $ }}-resourcepoolclaims
+  labels:
+    {{- toYaml $.Values.rbac.resourcepoolclaims.labels | nindent 4 }}
+rules:
+- apiGroups: ["capsule.clastix.io"]
+  resources: ["resourcepoolclaims"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end }}
+{{- if $.Values.rbac.resources.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "capsule.fullname" $ }}-resources
+  labels:
+    {{- toYaml $.Values.rbac.resources.labels | nindent 4 }}
+rules:
+- apiGroups: ["capsule.clastix.io"]
+  resources: ["tenantresources"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end }}
--- a/charts/capsule/templates/servicemonitor.yaml
+++ b/charts/capsule/templates/servicemonitor.yaml
@@ -1,22 +1,23 @@
 {{- if not $.Values.crds.exclusive }}
-  {{- if .Values.serviceMonitor.enabled }}
+  {{- with (mergeOverwrite .Values.monitoring.serviceMonitor (default dict .Values.serviceMonitor)) -}}
+    {{- if .enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: {{ include "capsule.fullname" . }}-monitor
-  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
+  name: {{ include "capsule.fullname" $ }}
+  namespace: {{ .namespace | default $.Release.Namespace }}
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
-    {{- with .Values.serviceMonitor.labels }}
+    {{- with .labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
-  {{- with .Values.serviceMonitor.annotations }}
+  {{- with .annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  endpoints:
-  {{- with .Values.serviceMonitor.endpoint }}
+  {{- with .endpoint }}
  - interval: {{ .interval }}
    port: metrics
    path: /metrics
@@ -31,18 +32,19 @@ spec:
    {{- end }}
  {{- end }}
  jobLabel: app.kubernetes.io/name
-  {{- with .Values.serviceMonitor.targetLabels }}
+  {{- with .targetLabels }}
  targetLabels: {{- toYaml . | nindent 4 }}
  {{- end }}
  selector:
    matchLabels:
-    {{- if .Values.serviceMonitor.matchLabels }}
-      {{- toYaml .Values.serviceMonitor.matchLabels | nindent 6 }}
+    {{- if .matchLabels }}
+      {{- toYaml .matchLabels | nindent 6 }}
    {{- else }}
-      {{- include "capsule.labels" . | nindent 6 }}
+      {{- include "capsule.selectorLabels" $ | nindent 6 }}
    {{- end }}
  namespaceSelector:
    matchNames:
-      - {{ .Release.Namespace }}
+      - {{ $.Release.Namespace }}
+    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/capsule/templates/validatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/validatingwebhookconfiguration.yaml
@@ -40,6 +40,32 @@ webhooks:
  sideEffects: None
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
 {{- end }}
+{{- with .Values.webhooks.hooks.gateways }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/gateways" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  matchPolicy: Equivalent
+  name: gateway.projectcapsule.dev
+  namespaceSelector:
+  {{- toYaml .namespaceSelector | nindent 4}}
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - gateway.networking.k8s.io
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - gateways
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
 {{- with .Values.webhooks.hooks.ingresses }}
 - admissionReviewVersions:
    - v1
@@ -248,7 +274,7 @@ webhooks:
  sideEffects: None
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{- with .Values.webhooks.hooks.tenants }}
+  {{- with .Values.webhooks.hooks.tenants }}
 - admissionReviewVersions:
    - v1
    - v1beta1
@@ -273,5 +299,87 @@ webhooks:
      scope: '*'
  sideEffects: None
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+  {{- end }}
+  {{- with .Values.webhooks.hooks.resourcepools.pools }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/validating" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  name: resourcepools.projectcapsule.dev
+  namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
+  objectSelector: {{ toYaml .objectSelector | nindent 4 }}
+  rules:
+    - apiGroups:
+      - "capsule.clastix.io"
+      apiVersions:
+      - "*"
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - resourcepools
+      scope: '*'
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+  {{- end }}
+  {{- with .Values.webhooks.hooks.resourcepools.pools }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/validating" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  name: resourcepoolclaims.projectcapsule.dev
+  namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
+  objectSelector: {{ toYaml .objectSelector | nindent 4 }}
+  rules:
+    - apiGroups:
+      - "capsule.clastix.io"
+      apiVersions:
+      - "*"
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - resourcepoolclaims
+      scope: '*'
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+  {{- end }}
+{{- with .Values.webhooks.hooks.customresources }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/customresources" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  matchPolicy: Equivalent
+  name: customresources.tenant.projectcapsule.dev
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  rules:
+    - apiGroups:
+        - '*'
+      apiVersions:
+        - '*'
+      operations:
+        - CREATE
+        - UPDATE
+        - DELETE
+      resources:
+        - '*'
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
 {{- end }}
 {{- end }}
--- a/charts/capsule/values.schema.json
+++ b/charts/capsule/values.schema.json
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -76,6 +76,17 @@ proxy:
  # -- Enable Installation of Capsule Proxy
  enabled: false

+# These are ClusterRoles which grant permissions for Capsule CRDs to Tenant Owners
+rbac:
+  resources:
+    create: false
+    labels:
+      rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  resourcepoolclaims:
+    create: false
+    labels:
+      rbac.authorization.k8s.io/aggregate-to-admin: "true"
+
 # Manager Options
 manager:

@@ -265,9 +276,44 @@ webhooks:

  # Hook Configuration
  hooks:
+    resourcepools:
+      pools:
+        namespaceSelector: {}
+        objectSelector: {}
+        reinvocationPolicy: Never
+        matchPolicy: Equivalent
+        failurePolicy: Fail
+      claims:
+        namespaceSelector: {}
+        objectSelector: {}
+        reinvocationPolicy: Never
+        matchPolicy: Equivalent
+        failurePolicy: Fail
    namespaceOwnerReference:
      failurePolicy: Fail
+    customresources:
+      failurePolicy: Fail
+      namespaceSelector:
+        matchExpressions:
+          - key: capsule.clastix.io/tenant
+            operator: Exists
+      objectSelector: {}
+    namespace:
+      validation:
+        failurePolicy: Fail
+      mutation:
+        failurePolicy: Fail
+        namespaceSelector: {}
+        objectSelector: {}
    cordoning:
+      failurePolicy: Fail
+      namespaceSelector:
+        matchExpressions:
+          - key: capsule.clastix.io/tenant
+            operator: Exists
+          - key: projectcapsule.dev/cordoned
+            operator: Exists
+    gateways:
      failurePolicy: Fail
      namespaceSelector:
        matchExpressions:
@@ -331,26 +377,52 @@ webhooks:
            - key: capsule.clastix.io/tenant
              operator: Exists

-# ServiceMonitor
-serviceMonitor:
-  # -- Enable ServiceMonitor
-  enabled: false
-  # -- Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
-  namespace: ''
-  # -- Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
-  labels: {}
-  # -- Assign additional Annotations
-  annotations: {}
-  # -- Change matching labels
-  matchLabels: {}
-  # -- Set targetLabels for the serviceMonitor
-  targetLabels: []
-  endpoint:
-    # -- Set the scrape interval for the endpoint of the serviceMonitor
-    interval: "15s"
-    # -- Set the scrape timeout for the endpoint of the serviceMonitor
-    scrapeTimeout: ""
-    # -- Set metricRelabelings for the endpoint of the serviceMonitor
-    metricRelabelings: []
-    # -- Set relabelings for the endpoint of the serviceMonitor
-    relabelings: []
+# Monitoring Settings
+monitoring:
+
+  dashboards:
+    # -- Enable Dashboards to be deployed
+    enabled: false
+    # -- Annotations for dashboard configmaps
+    annotations: {}
+    # -- Labels for dashboard configmaps
+    labels: {}
+    # grafana_dashboard: "1"
+    # -- Custom namespace for dashboard configmaps
+    namespace: ""
+    # Grafana Operator
+    operator:
+      # -- Enable Operator Resources (GrafanaDashboard)
+      enabled: true
+      # -- Allow the Operator to match this resource with Grafanas outside the current namespace
+      allowCrossNamespaceImport: true
+      # -- How often the resource is synced, defaults to 10m0s if not set
+      resyncPeriod: "10m"
+      # -- Selects Grafana instances for import
+      instanceSelector: {}
+      # -- folder assignment for dashboard
+      folder: ""
+
+  # ServiceMonitor
+  serviceMonitor:
+    # -- Enable ServiceMonitor
+    enabled: false
+    # -- Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
+    namespace: ''
+    # -- Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
+    labels: {}
+    # -- Assign additional Annotations
+    annotations: {}
+    # -- Change matching labels
+    matchLabels: {}
+    # -- Set targetLabels for the serviceMonitor
+    targetLabels: []
+    endpoint:
+      # -- Set the scrape interval for the endpoint of the serviceMonitor
+      interval: "15s"
+      # -- Set the scrape timeout for the endpoint of the serviceMonitor
+      scrapeTimeout: ""
+      # -- Set metricRelabelings for the endpoint of the serviceMonitor
+      metricRelabelings: []
+      # -- Set relabelings for the endpoint of the serviceMonitor
+      relabelings: []
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package main
@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"

 	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
@@ -34,21 +35,25 @@ import (
 	podlabelscontroller "github.com/projectcapsule/capsule/controllers/pod"
 	"github.com/projectcapsule/capsule/controllers/pv"
 	rbaccontroller "github.com/projectcapsule/capsule/controllers/rbac"
+	"github.com/projectcapsule/capsule/controllers/resourcepools"
 	"github.com/projectcapsule/capsule/controllers/resources"
 	servicelabelscontroller "github.com/projectcapsule/capsule/controllers/servicelabels"
 	tenantcontroller "github.com/projectcapsule/capsule/controllers/tenant"
 	tlscontroller "github.com/projectcapsule/capsule/controllers/tls"
 	"github.com/projectcapsule/capsule/pkg/configuration"
 	"github.com/projectcapsule/capsule/pkg/indexer"
+	"github.com/projectcapsule/capsule/pkg/metrics"
 	"github.com/projectcapsule/capsule/pkg/webhook"
 	"github.com/projectcapsule/capsule/pkg/webhook/defaults"
+	"github.com/projectcapsule/capsule/pkg/webhook/gateway"
 	"github.com/projectcapsule/capsule/pkg/webhook/ingress"
-	namespacewebhook "github.com/projectcapsule/capsule/pkg/webhook/namespace"
+	namespacemutation "github.com/projectcapsule/capsule/pkg/webhook/namespace/mutation"
+	namespacevalidation "github.com/projectcapsule/capsule/pkg/webhook/namespace/validation"
 	"github.com/projectcapsule/capsule/pkg/webhook/networkpolicy"
 	"github.com/projectcapsule/capsule/pkg/webhook/node"
-	"github.com/projectcapsule/capsule/pkg/webhook/ownerreference"
 	"github.com/projectcapsule/capsule/pkg/webhook/pod"
 	"github.com/projectcapsule/capsule/pkg/webhook/pvc"
+	"github.com/projectcapsule/capsule/pkg/webhook/resourcepool"
 	"github.com/projectcapsule/capsule/pkg/webhook/route"
 	"github.com/projectcapsule/capsule/pkg/webhook/service"
 	"github.com/projectcapsule/capsule/pkg/webhook/tenant"
@@ -67,6 +72,7 @@ func init() {
 	utilruntime.Must(capsulev1beta1.AddToScheme(scheme))
 	utilruntime.Must(capsulev1beta2.AddToScheme(scheme))
 	utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
+	utilruntime.Must(gatewayv1.Install(scheme))
 }

 func printVersion() {
@@ -192,6 +198,7 @@ func main() {
 	if err = (&tenantcontroller.Manager{
 		RESTConfig: manager.GetConfig(),
 		Client:     manager.GetClient(),
+		Metrics:    metrics.MustMakeTenantRecorder(),
 		Log:        ctrl.Log.WithName("controllers").WithName("Tenant"),
 		Recorder:   manager.GetEventRecorderFor("tenant-controller"),
 	}).SetupWithManager(manager); err != nil {
@@ -220,17 +227,23 @@ func main() {
 	webhooksList := append(
 		make([]webhook.Webhook, 0),
 		route.Pod(pod.ImagePullPolicy(), pod.ContainerRegistry(), pod.PriorityClass(), pod.RuntimeClass()),
-		route.Namespace(utils.InCapsuleGroups(cfg, namespacewebhook.PatchHandler(), namespacewebhook.QuotaHandler(), namespacewebhook.FreezeHandler(cfg), namespacewebhook.PrefixHandler(cfg), namespacewebhook.UserMetadataHandler())),
+		route.Namespace(utils.InCapsuleGroups(cfg, namespacevalidation.PatchHandler(), namespacevalidation.QuotaHandler(), namespacevalidation.FreezeHandler(cfg), namespacevalidation.PrefixHandler(cfg), namespacevalidation.UserMetadataHandler())),
 		route.Ingress(ingress.Class(cfg, kubeVersion), ingress.Hostnames(cfg), ingress.Collision(cfg), ingress.Wildcard()),
 		route.PVC(pvc.Validating(), pvc.PersistentVolumeReuse()),
 		route.Service(service.Handler()),
 		route.TenantResourceObjects(utils.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())),
 		route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())),
 		route.Tenant(tenant.NameHandler(), tenant.RoleBindingRegexHandler(), tenant.IngressClassRegexHandler(), tenant.StorageClassRegexHandler(), tenant.ContainerRegistryRegexHandler(), tenant.HostnameRegexHandler(), tenant.FreezedEmitter(), tenant.ServiceAccountNameHandler(), tenant.ForbiddenAnnotationsRegexHandler(), tenant.ProtectedHandler(), tenant.MetaHandler()),
-		route.OwnerReference(utils.InCapsuleGroups(cfg, ownerreference.Handler(cfg))),
-		route.Cordoning(tenant.CordoningHandler(cfg), tenant.ResourceCounterHandler(manager.GetClient())),
+		route.Cordoning(tenant.CordoningHandler(cfg)),
 		route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
+		route.NamespacePatch(utils.InCapsuleGroups(cfg, namespacemutation.CordoningLabelHandler(cfg), namespacemutation.OwnerReferenceHandler(cfg), namespacemutation.MetadataHandler(cfg))),
+		route.CustomResources(tenant.ResourceCounterHandler(manager.GetClient())),
+		route.Gateway(gateway.Class(cfg)),
 		route.Defaults(defaults.Handler(cfg, kubeVersion)),
+		route.ResourcePoolMutation((resourcepool.PoolMutationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepool")))),
+		route.ResourcePoolValidation((resourcepool.PoolValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepool")))),
+		route.ResourcePoolClaimMutation((resourcepool.ClaimMutationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
+		route.ResourcePoolClaimValidation((resourcepool.ClaimValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
 	)

 	nodeWebhookSupported, _ := utils.NodeWebhookSupported(kubeVersion)
@@ -266,17 +279,8 @@ func main() {
 		os.Exit(1)
 	}

-	if err = (&servicelabelscontroller.EndpointsLabelsReconciler{
-		Log: ctrl.Log.WithName("controllers").WithName("EndpointLabels"),
-	}).SetupWithManager(ctx, manager); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "EndpointLabels")
-		os.Exit(1)
-	}
-
 	if err = (&servicelabelscontroller.EndpointSlicesLabelsReconciler{
-		Log:          ctrl.Log.WithName("controllers").WithName("EndpointSliceLabels"),
-		VersionMinor: kubeVersion.Minor(),
-		VersionMajor: kubeVersion.Major(),
+		Log: ctrl.Log.WithName("controllers").WithName("EndpointSliceLabels"),
 	}).SetupWithManager(ctx, manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "EndpointSliceLabels")
 	}
@@ -308,6 +312,15 @@ func main() {
 		os.Exit(1)
 	}

+	if err := resourcepools.Add(
+		ctrl.Log.WithName("controllers").WithName("ResourcePools"),
+		manager,
+		manager.GetEventRecorderFor("pools-ctrl"),
+	); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "resourcepools")
+		os.Exit(1)
+	}
+
 	setupLog.Info("starting manager")

 	if err = manager.Start(ctx); err != nil {
--- a/cmd/version.go
+++ b/cmd/version.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package main
--- a/controllers/config/manager.go
+++ b/controllers/config/manager.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package config
--- a/controllers/pod/errors.go
+++ b/controllers/pod/errors.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package pod
--- a/controllers/pod/metadata.go
+++ b/controllers/pod/metadata.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package pod
@@ -28,6 +28,12 @@ type MetadataReconciler struct {
 	Client client.Client
 }

+func (m *MetadataReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.Pod{}, m.forOptionPerInstanceName(ctx)).
+		Complete(m)
+}
+
 func (m *MetadataReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 	var pod corev1.Pod

@@ -36,8 +42,8 @@ func (m *MetadataReconciler) Reconcile(ctx context.Context, request ctrl.Request
 	tenant, err := m.getTenant(ctx, request.NamespacedName, m.Client)
 	if err != nil {
 		noTenantObjError := &NonTenantObjectError{}
-		noPodMetaError := &NoPodMetadataError{}

+		noPodMetaError := &NoPodMetadataError{}
 		if errors.As(err, &noTenantObjError) || errors.As(err, &noPodMetaError) {
 			return reconcile.Result{}, nil
 		}
@@ -122,9 +128,3 @@ func (m *MetadataReconciler) isNamespaceInTenant(ctx context.Context, namespace

 	return len(tl.Items) > 0
 }
-
-func (m *MetadataReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Pod{}, m.forOptionPerInstanceName(ctx)).
-		Complete(m)
-}
--- a/controllers/pv/controller.go
+++ b/controllers/pv/controller.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package pv
--- a/controllers/rbac/const.go
+++ b/controllers/rbac/const.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package rbac
--- a/controllers/rbac/manager.go
+++ b/controllers/rbac/manager.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2025 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package rbac
@@ -53,7 +53,6 @@ func (r *Manager) SetupWithManager(ctx context.Context, mgr ctrl.Manager, config
 				}
 			},
 		}).Complete(r)
-
 	if crbErr != nil {
 		err = errors.Join(err, crbErr)
 	}
--- a/Show More
+++ b/Show More