github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-02-19 20:39:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:main
Branches Tags
github:main github:renovate/kubernetes-go github:renovate/anchore-sbom-action-digest github:renovate/all-ci-updates github:renovate/github-codeql-action-digest github:renovate/major-all-ci-updates github:renovate/golangci-golangci-lint-2.x github:renovate/sigs.k8s.io-cluster-api-1.x github:renovate/kubernetes-sigs-controller-tools-0.x github:renovate/amannn-action-semantic-pull-request-digest github:renovate/norwoodj-helm-docs-1.x github:renovate/github.com-onsi-ginkgo-v2-2.x github:renovate/prometheus-operator-prometheus-operator-0.x github:renovate/norwoodj-helm-docs-0.x github:renovate/grafana-grafana-operator-5.x github:renovate/sigs.k8s.io-controller-runtime-0.x github:renovate/github.com-onsi-gomega-1.x github:renovate/capsule-proxy-0.x github:renovate/k8s.io-utils-digest github:issues/1628 github:fix/remove-harpoon github:backports/v0.2.2 github:maxgio92/feat/gitops-ready-rbac github:issues/451
github:v0.12.4 github:v0.12.3 github:v0.12.2 github:v0.12.1 github:v0.12.0 github:v0.11.1 github:v0.11.2 github:v0.11.0 github:v0.10.9 github:v0.10.8 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.0 github:v0.8.1 github:v0.8.0 github:v0.7.4 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.7.0-rc.1 github:v0.6.2 github:v0.6.1 github:v0.6.0 github:v0.6.0-rc0 github:helm-v0.6.0 github:v0.5.0 github:v0.4.2 github:helm-v0.5.3 github:helm-v0.5.2 github:v0.4.1 github:helm-v0.5.1 github:helm-v0.4.7 github:v0.4.0 github:v0.4.0-rc.3 github:helm-v0.5.0 github:v0.4.0-rc.2 github:v0.4.0-rc.1 github:helm-v0.4.8 github:helm-v0.4.6 github:v0.3.3 github:helm-v0.4.5 github:helm-v0.4.4 github:helm-v0.4.3 github:v0.3.2 github:helm-v0.4.2 github:helm-v0.4.1 github:v0.3.1 github:helm-v0.4.0 github:v0.3.0 github:helm-v0.3.6 github:v0.2.2 github:helm-v0.3.5 github:helm-v0.3.4 github:helm-v0.3.3 github:helm-v0.3.2 github:v0.2.1 github:helm-v0.3.1 github:v0.2.0 github:helm-v0.3.0 github:helm-v0.2.0 github:v0.1.3 github:helm-v0.1.12 github:helm-v0.1.11 github:v0.1.2 github:helm-v0.1.10 github:v0.1.2-rc1 github:v0.1.2-rc0 github:helm-v0.1.8 github:helm-v0.1.7 github:helm-v0.1.6 github:v0.1.1 github:helm-v0.1.5 github:helm-v0.1.4 github:v0.1.1-rc1 github:helm-v0.1.3 github:helm-v0.1.2 github:helm-v0.1.1 github:helm-v0.1.1-rc0 github:v0.1.1-rc0 github:v0.1.0 github:helm-v0.1.0 github:v0.1.0-rc6 github:v0.1.0-rc5 github:v0.1.0-rc4 github:v0.1.0-rc3 github:v0.1.0-rc2 github:v0.1.0-rc1 github:v0.0.5 github:v0.0.5-rc2 github:v0.0.5-rc1 github:v0.0.4 github:v0.0.3 github:0.2.0-rc1 github:v0.0.2 github:0.0.1 github:v0.0.1
..
compare: github:issues/1628
Branches Tags
github:renovate/kubernetes-go github:renovate/anchore-sbom-action-digest github:renovate/all-ci-updates github:renovate/github-codeql-action-digest github:renovate/major-all-ci-updates github:renovate/golangci-golangci-lint-2.x github:renovate/sigs.k8s.io-cluster-api-1.x github:renovate/kubernetes-sigs-controller-tools-0.x github:renovate/amannn-action-semantic-pull-request-digest github:main github:renovate/norwoodj-helm-docs-1.x github:renovate/github.com-onsi-ginkgo-v2-2.x github:renovate/prometheus-operator-prometheus-operator-0.x github:renovate/norwoodj-helm-docs-0.x github:renovate/grafana-grafana-operator-5.x github:renovate/sigs.k8s.io-controller-runtime-0.x github:renovate/github.com-onsi-gomega-1.x github:renovate/capsule-proxy-0.x github:renovate/k8s.io-utils-digest github:issues/1628 github:fix/remove-harpoon github:backports/v0.2.2 github:maxgio92/feat/gitops-ready-rbac github:issues/451
github:v0.12.4 github:v0.12.3 github:v0.12.2 github:v0.12.1 github:v0.12.0 github:v0.11.1 github:v0.11.2 github:v0.11.0 github:v0.10.9 github:v0.10.8 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.0 github:v0.8.1 github:v0.8.0 github:v0.7.4 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.7.0-rc.1 github:v0.6.2 github:v0.6.1 github:v0.6.0 github:v0.6.0-rc0 github:helm-v0.6.0 github:v0.5.0 github:v0.4.2 github:helm-v0.5.3 github:helm-v0.5.2 github:v0.4.1 github:helm-v0.5.1 github:helm-v0.4.7 github:v0.4.0 github:v0.4.0-rc.3 github:helm-v0.5.0 github:v0.4.0-rc.2 github:v0.4.0-rc.1 github:helm-v0.4.8 github:helm-v0.4.6 github:v0.3.3 github:helm-v0.4.5 github:helm-v0.4.4 github:helm-v0.4.3 github:v0.3.2 github:helm-v0.4.2 github:helm-v0.4.1 github:v0.3.1 github:helm-v0.4.0 github:v0.3.0 github:helm-v0.3.6 github:v0.2.2 github:helm-v0.3.5 github:helm-v0.3.4 github:helm-v0.3.3 github:helm-v0.3.2 github:v0.2.1 github:helm-v0.3.1 github:v0.2.0 github:helm-v0.3.0 github:helm-v0.2.0 github:v0.1.3 github:helm-v0.1.12 github:helm-v0.1.11 github:v0.1.2 github:helm-v0.1.10 github:v0.1.2-rc1 github:v0.1.2-rc0 github:helm-v0.1.8 github:helm-v0.1.7 github:helm-v0.1.6 github:v0.1.1 github:helm-v0.1.5 github:helm-v0.1.4 github:v0.1.1-rc1 github:helm-v0.1.3 github:helm-v0.1.2 github:helm-v0.1.1 github:helm-v0.1.1-rc0 github:v0.1.1-rc0 github:v0.1.0 github:helm-v0.1.0 github:v0.1.0-rc6 github:v0.1.0-rc5 github:v0.1.0-rc4 github:v0.1.0-rc3 github:v0.1.0-rc2 github:v0.1.0-rc1 github:v0.0.5 github:v0.0.5-rc2 github:v0.0.5-rc1 github:v0.0.4 github:v0.0.3 github:0.2.0-rc1 github:v0.0.2 github:0.0.1 github:v0.0.1

2 Commits
main ... issues/162

Author SHA1 Message Date
Dario Tranchitella
80b92a93a7 fix: avoid nil pointer dereference upon deepValueEqual in apimachinery 
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
 2026-02-03 09:49:51 +01:00
Dario Tranchitella
00a268f6c3 fix: avoid nil pointer dereference upon resourceQuotasUpdate 
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
 2026-01-06 14:15:54 +01:00
555 changed files with 8029 additions and 38333 deletions
Expand all files Collapse all files

4
.github/actions/setup-caches/action.yaml vendored
View File

@@ -9,11 +9,11 @@ inputs:
runs:
using: composite
steps:
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
if: ${{ inputs.build-cache-key }}
with:
path: ~/.cache/go-build

4
.github/workflows/check-actions.yml vendored
View File

@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@d5d20e15f2736816ee0e001ba8b24b54d9ffcff4 # v5.0.0
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0
with:
# slsa-github-generator requires using a semver tag for reusable workflows.
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators

2
.github/workflows/check-commit.yml vendored
View File

@@ -16,7 +16,7 @@ jobs:
commit_lint:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1

2
.github/workflows/check-pr.yml vendored
View File

@@ -15,7 +15,7 @@ jobs:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@b439535a8eb2122b748ed2b45d1693aaabe5b0aa
- uses: amannn/action-semantic-pull-request@e49f57ce06c1747542fce2243c7a98682384bc0e
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:

16
.github/workflows/coverage.yml vendored
View File

@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: "Checkout Code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
@@ -47,16 +47,16 @@ jobs:
contents: read
steps:
- name: Checkout Source
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: 'go.mod'
- name: Run Gosec Security Scanner
uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f # v2.22.11
uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@8aac4e47ac8ace7d9e0e0b4ef7407aff0ceb5e87
uses: github/codeql-action/upload-sarif@ae78991f558bb4195cb8a727cb6679c362b9cf24
with:
sarif_file: gosec.sarif
unit_tests:
@@ -64,8 +64,8 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: 'go.mod'
- name: Unit Test
@@ -77,7 +77,7 @@ jobs:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Upload Report to Codecov
if: ${{ steps.checksecret.outputs.result == 'true' }}
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: projectcapsule/capsule

4
.github/workflows/docker-build.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: ko build
run: VERSION=${{ github.sha }} make ko-build-all
- name: Trivy Scan Image
@@ -40,6 +40,6 @@ jobs:
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@8aac4e47ac8ace7d9e0e0b4ef7407aff0ceb5e87
uses: github/codeql-action/upload-sarif@ae78991f558bb4195cb8a727cb6679c362b9cf24
with:
sarif_file: 'trivy-results.sarif'

2
.github/workflows/docker-publish.yml vendored
View File

@@ -20,7 +20,7 @@ jobs:
capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5

38
.github/workflows/e2e.yml vendored
View File

@@ -9,7 +9,6 @@ on:
- '.github/workflows/e2e.yml'
- 'api/**'
- 'controllers/**'
- 'internal/**'
- 'pkg/**'
- 'e2e/*'
- 'Dockerfile'
@@ -23,45 +22,18 @@ concurrency:
jobs:
e2e:
name: E2E Testing (CE)
name: E2E Testing
runs-on:
labels: ubuntu-latest-8-cores
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: 'go.mod'
- uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
with:
version: v3.14.2
- name: e2e
run: sudo make e2e
run-e2e:
name: E2E Testing
strategy:
fail-fast: false
matrix:
k8s-version:
- 'v1.31.0'
- 'v1.32.0'
- 'v1.33.0'
- 'v1.34.0'
runs-on:
labels: ubuntu-latest-8-cores
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: ${{ github.event.client_payload.repo }}
ref: ${{ github.event.client_payload.sha }}
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: 'go.mod'
- uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
- name: e2e (Enterprise)
run: sudo KUBERNETES_SUPPORTED_VERSION=${{ matrix.k8s-version }} make e2e

4
.github/workflows/helm-publish.yml vendored
View File

@@ -16,7 +16,7 @@ jobs:
if: github.repository_owner == 'projectcapsule'
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: "Extract Version"
id: extract_version
run: |
@@ -45,7 +45,7 @@ jobs:
outputs:
chart-digest: ${{ steps.helm_publish.outputs.digest }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- name: "Extract Version"
id: extract_version

4
.github/workflows/helm-test.yml vendored
View File

@@ -23,14 +23,14 @@ jobs:
options: --user root
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run ah lint
working-directory: ./charts/
run: ah lint
lint:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4

11
.github/workflows/lint.yml vendored
View File

@@ -15,15 +15,14 @@ jobs:
name: diff
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: 'go.mod'
- name: Generate manifests
run: |
make generate
make manifests
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mManifests outdated! (Run make manifests locally and commit)\033[0m ❌'
@@ -36,7 +35,7 @@ jobs:
name: yamllint
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install yamllint
run: pip install yamllint
- name: Lint YAML files
@@ -45,8 +44,8 @@ jobs:
name: lint
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: 'go.mod'
- name: Run golangci-lint

6
.github/workflows/releaser.yml vendored
View File

@@ -18,11 +18,11 @@ jobs:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: 'go.mod'
- name: Setup caches
@@ -30,7 +30,7 @@ jobs:
timeout-minutes: 5
continue-on-error: true
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- uses: anchore/sbom-action/download-syft@5620efe7f17de3b70cbc020fc49ce9048f1bbacf
- uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84
- name: Install Cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- name: Run GoReleaser

6
.github/workflows/scorecard.yml vendored
View File

@@ -20,7 +20,7 @@ jobs:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Run analysis
@@ -31,12 +31,12 @@ jobs:
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
publish_results: true
- name: Upload artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
sarif_file: results.sarif

2
.github/workflows/stale.yml vendored
View File

@@ -15,7 +15,7 @@ jobs:
pull-requests: write
steps:
- name: Close stale pull requests
uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
uses: actions/stale@e46bbabb3ede15841d25946157759558dd16306e
with:
stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
stale-pr-message: 'This pull request has been marked as stale because it has been inactive for more than 30 days. Please update this pull request or it will be automatically closed in 30 days.'

1
.gitignore vendored
View File

@@ -8,7 +8,6 @@
bin
dist/
config/
builds/
# Test binary, build with `go test -c`
*.test

2
.golangci.yaml
View File

@@ -39,7 +39,7 @@ linters:
min-occurrences: 2
goheader:
template: |-
Copyright 2020-2026 Project Capsule Authors
Copyright 2020-2025 Project Capsule Authors
SPDX-License-Identifier: Apache-2.0
inamedparam:
skip-single-param: true

4
.goreleaser.yml
View File

@@ -54,8 +54,6 @@ release:
footer: |
**Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
[Check out what's new in this release](https://projectcapsule.dev/docs/whats-new/)
**Docker Images**
- `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Version }}`
- `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
@@ -75,7 +73,7 @@ release:
>
> | Kubernetes version | Minimum required |
> |--------------------|------------------|
> | `v1.35` | `>= 1.35.0` |
> | `v1.34` | `>= 1.34.0` |
Thanks to all the contributors! 🚀 🦄

3
.nwa-config
View File

@@ -1,13 +1,12 @@
nwa:
cmd: "update"
holder: "Project Capsule Authors"
year: "2020-2026"
year: "2020-2025"
spdxids: "Apache-2.0"
path:
- "pkg/**/*.go"
- "cmd/**/*.go"
- "api/**/*.go"
- "internal/**/*.go"
- "controllers/**/*.go"
- "main.go"
mute: false

4
.pre-commit-config.yaml
View File

@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
rev: v9.24.0
rev: v9.23.0
hooks:
- id: commitlint
stages: [commit-msg]
@@ -13,7 +13,7 @@ repos:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/adrienverge/yamllint
rev: v1.38.0
rev: v1.37.1
hooks:
- id: yamllint
args: [-c=.github/configs/lintconf.yaml]

11
DEVELOPMENT.md
View File

@@ -63,19 +63,16 @@ So the TL;DR answer is:
**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup.
```bash
# Create a KinD cluster if not already created
$ make dev-cluster
# If you haven't installed or run `make deploy` before, do it first
# Note: please retry if you saw errors
$ make deploy
# To retrieve your laptop's IP and execute `make dev-setup` to setup dev env
# For example: LAPTOP_HOST_IP=192.168.10.101 make dev-setup
$ LAPTOP_HOST_IP="<YOUR_LAPTOP_IP>" make dev-setup
# Monitoring Setup (Grafana/Prometheus/Pyroscope)
$ LAPTOP_HOST_IP="<YOUR_LAPTOP_IP>" make dev-setup-monitoring
```
### Setup
### Explenation
We recommend to setup the development environment with the make `dev-setup` target. However here is a step by step guide to setup the development environment for understanding.

163
Makefile
View File

@@ -19,7 +19,7 @@ CAPSULE_IMG ?= $(REGISTRY)/$(IMG_BASE)
CLUSTER_NAME ?= capsule
## Kubernetes Version Support
KUBERNETES_SUPPORTED_VERSION ?= "v1.35.0"
KUBERNETES_SUPPORTED_VERSION ?= "v1.34.0"
## Tool Binaries
KUBECTL ?= kubectl
@@ -46,7 +46,7 @@ all: manager
# Run tests
.PHONY: test
test: test-clean generate manifests test-clean
@GO111MODULE=on go test -race -v $(shell go list ./... | grep -v "e2e") -coverprofile coverage.out
@GO111MODULE=on go test -v $(shell go list ./... | grep -v "e2e") -coverprofile coverage.out
.PHONY: test-clean
test-clean: ## Clean tests cache
@@ -92,47 +92,21 @@ helm-schema: helm-plugin-schema
helm-test: HELM_KIND_CONFIG ?= ""
helm-test: kind
@mkdir -p /tmp/results || true
@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config ./hack/kind-cluster.yaml
@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config $(HELM_KIND_CONFIG)
@make helm-test-exec
@$(KIND) delete cluster --name capsule-charts
helm-test-exec: ct helm-controller-version ko-build-all
$(MAKE) docker-build-capsule-trace
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
@$(KUBECTL) create ns capsule-system || true
$(MAKE) dev-install-deps
$(MAKE) dev-install-grafana-operator-crds
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/v5.18.0/crds.yaml
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
# Setup development env
dev-build: kind
$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config ./hack/kind-cluster.yaml
$(MAKE) dev-install-deps
.PHONY: dev-destroy
dev-destroy: kind
$(KIND) delete cluster --name capsule
dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds wait-for-helmreleases
API_GW := none
API_GW_VERSION := v1.3.0
API_GW_LOOKUP := kubernetes-sigs/gateway-api
dev-install-gw-api-crds:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
GRAFANA := none
GRAFANA_VERSION := v5.18.0
GRAFANA_LOOKUP := grafana/grafana-operator
dev-install-grafana-operator-crds:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/$(GRAFANA_VERSION)/crds.yaml
PROMETHEUS := none
PROMETHEUS_VERSION := v0.88.0
PROMETHEUS_LOOKUP := prometheus-operator/prometheus-operator
dev-install-prometheus-crds:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/$(PROMETHEUS_VERSION)/bundle.yaml
# Usage:
# LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
# For example:
@@ -155,7 +129,6 @@ IP.1 = $(LAPTOP_HOST_IP)
endef
export TLS_CNF
dev-setup:
$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
mkdir -p /tmp/k8s-webhook-server/serving-certs
echo "$${TLS_CNF}" > _tls.cnf
openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -172,7 +145,6 @@ dev-setup:
export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
$(HELM) upgrade \
--dependency-update \
--force-conflicts \
--debug \
--install \
--namespace capsule-system \
@@ -180,99 +152,12 @@ dev-setup:
--set 'crds.install=true' \
--set 'crds.exclusive=true'\
--set 'crds.createConfig=true'\
--set "tls.enableController=false"\
--set "webhooks.exclusive=true"\
--set "webhooks.hooks.nodes.enabled=true"\
--set "webhooks.service.url=$${WEBHOOK_URL}" \
--set "webhooks.service.caBundle=$${CA_BUNDLE}" \
capsule \
./charts/capsule || true
setup-monitoring: dev-setup-fluxcd
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring | envsubst | kubectl apply -f -
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring/dashboards | kubectl apply -f -
@$(MAKE) wait-for-helmreleases
@printf "\n\033[32mAccess Grafana:\033[0m\n\n"
@printf " \033[1mkubectl port-forward svc/kube-prometheus-stack-grafana 9090:80 -n monitoring-system\033[0m\n\n"
dev-setup-monitoring: setup-monitoring
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/host-proxy | envsubst | kubectl apply -f -
dev-setup-argocd: dev-setup-fluxcd
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/argocd | envsubst | kubectl apply -f -
@$(MAKE) wait-for-helmreleases
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/argocd/application | envsubst | kubectl apply -f -
@printf "\n\033[32mAccess ArgoCD:\033[0m\n\n"
@printf " \033[1mkubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d\033[0m\n\n"
@printf " \033[1mkubectl port-forward svc/argocd-server 9091:80 -n argocd\033[0m\n\n"
dev-setup-cert-manager:
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
dev-setup-fluxcd:
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -
# Here to setup the current capsule version
# Intended to test updates to new version
dev-setup-capsule: dev-setup-fluxcd
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/capsule | envsubst | kubectl apply -f -
@$(MAKE) wait-for-helmreleases
@$(MAKE) dev-setup-capsule-example
dev-setup-capsule-example: dev-setup-fluxcd
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/capsule/example-setup | envsubst | kubectl apply -f -
@$(KUBECTL) create ns wind-test --as joe --as-group projectcapsule.dev || true
@$(KUBECTL) create ns wind-prod --as joe --as-group projectcapsule.dev || true
@$(KUBECTL) create ns green-test --as bob --as-group projectcapsule.dev || true
@$(KUBECTL) create ns green-prod --as bob --as-group projectcapsule.dev || true
@$(KUBECTL) create ns solar-test --as alice --as-group projectcapsule.dev || true
@$(KUBECTL) create ns solar-prod --as alice --as-group projectcapsule.dev || true
@$(KUBECTL) apply -f hack/distro/capsule/example-setup/claims.yaml
wait-for-helmreleases:
@ echo "Waiting for all HelmReleases to have observedGeneration >= 0..."
@while [ "$$($(KUBECTL) get helmrelease -A -o jsonpath='{range .items[?(@.status.observedGeneration<0)]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' | wc -l)" -ne 0 ]; do \
sleep 5; \
done
ENTERPRISE_VERSION ?= "0.13.0-rc.2"
ENTERPRISE_REGISTRY ?= "oci.peakscale.ch"
enterprise-prerelease:
mkdir -p ./builds
$(MAKE) CAPSULE_IMG=$(ENTERPRISE_REGISTRY)/prereleases/images/capsule VERSION=$(ENTERPRISE_VERSION) ko-publish-capsule
$(HELM) package ./charts/capsule --app-version=$(ENTERPRISE_VERSION) --version=$(ENTERPRISE_VERSION) --destination ./builds/
$(HELM) push ./builds/capsule-$(ENTERPRISE_VERSION).tgz oci://$(ENTERPRISE_REGISTRY)/prereleases/charts/
$(MAKE) deploy-enterprise
rm -rf ./builds
deploy-enterprise:
@echo ""
@echo "Deploying Capsule Prerelease (Enterprise) $(ENTERPRISE_VERSION)"
@echo ""
@echo "1) Create image pull secret (Change the credentials with the ones provided to you):"
@echo ""
@echo "kubectl create secret docker-registry capsule-enterprise -n capsule-system \\"
@echo " --docker-username='robot\$$name' \\"
@echo " --docker-password='serviceaccount-password' \\"
@echo " --docker-server='$(ENTERPRISE_REGISTRY)'"
@echo ""
@echo "2) Deploy Capsule:"
@echo ""
@echo "helm upgrade --install capsule \\"
@echo " oci://$(ENTERPRISE_REGISTRY)/prereleases/charts/capsule \\"
@echo " --namespace capsule-system \\"
@echo " --version $(ENTERPRISE_VERSION) \\"
@echo " --reuse-values \\"
@echo " --set manager.image.registry=$(ENTERPRISE_REGISTRY) \\"
@echo " --set manager.image.repository=prereleases/images/capsule \\"
@echo " --set manager.image.tag=$(ENTERPRISE_VERSION) \\"
@echo " --set manager.image.pullPolicy=Always \\"
@echo " --set 'serviceAccount.imagePullSecrets={capsule-enterprise}'"
@echo ""
./charts/capsule
$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
####################
# -- Docker
@@ -351,12 +236,19 @@ golint-fix: golangci-lint
e2e: ginkgo
$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
API_GW := none
API_GW_VERSION := v1.3.0
API_GW_LOOKUP := kubernetes-sigs/gateway-api/
e2e-install-deps:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
e2e-build: kind
$(MAKE) dev-build
$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
$(MAKE) e2e-install-deps
$(MAKE) e2e-install
.PHONY: e2e-install
e2e-install: helm-controller-version ko-build-all
e2e-install: ko-build-all
$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
$(HELM) upgrade \
--dependency-update \
@@ -364,14 +256,12 @@ e2e-install: helm-controller-version ko-build-all
--install \
--namespace capsule-system \
--create-namespace \
--set 'replicaCount=2'\
--set 'manager.image.pullPolicy=Never' \
--set 'manager.resources=null'\
--set "manager.image.tag=$(VERSION)" \
--set 'manager.livenessProbe.failureThreshold=10' \
--set 'webhooks.hooks.nodes.enabled=true' \
--set "webhooks.exclusive=true"\
--set "manager.options.logLevel=debug"\
capsule \
./charts/capsule
@@ -418,7 +308,8 @@ e2e-exec: ginkgo
$(GINKGO) -v -tags e2e ./e2e
.PHONY: e2e-destroy
e2e-destroy: dev-destroy
e2e-destroy: kind
$(KIND) delete cluster --name capsule
SPELL_CHECKER = npx spellchecker-cli
docs-lint:
@@ -442,7 +333,7 @@ $(LOCALBIN):
HELM_SCHEMA_VERSION := ""
helm-plugin-schema:
@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) --verify=false || true
@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
HELM_DOCS := $(LOCALBIN)/helm-docs
HELM_DOCS_VERSION := v1.14.1
@@ -455,7 +346,7 @@ helm-doc:
# -- Tools
####################
CONTROLLER_GEN := $(LOCALBIN)/controller-gen
CONTROLLER_GEN_VERSION ?= v0.20.0
CONTROLLER_GEN_VERSION ?= v0.19.0
CONTROLLER_GEN_LOOKUP := kubernetes-sigs/controller-tools
controller-gen:
@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
@@ -473,28 +364,28 @@ ct:
$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
KIND := $(LOCALBIN)/kind
KIND_VERSION := v0.31.0
KIND_VERSION := v0.30.0
KIND_LOOKUP := kubernetes-sigs/kind
kind:
@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KO := $(LOCALBIN)/ko
KO_VERSION := v0.18.1
KO_VERSION := v0.18.0
KO_LOOKUP := google/ko
ko:
@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
NWA := $(LOCALBIN)/nwa
NWA_VERSION := v0.7.7
NWA_VERSION := v0.7.6
NWA_LOOKUP := B1NARY-GR0UP/nwa
nwa:
@test -s $(NWA) && $(NWA) -h | grep -q $(NWA_VERSION) || \
$(call go-install-tool,$(NWA),github.com/$(NWA_LOOKUP)@$(NWA_VERSION))
GOLANGCI_LINT := $(LOCALBIN)/golangci-lint
GOLANGCI_LINT_VERSION := v2.8.0
GOLANGCI_LINT_VERSION := v2.5.0
GOLANGCI_LINT_LOOKUP := golangci/golangci-lint
golangci-lint: ## Download golangci-lint locally if necessary.
@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \

7
PROJECT
View File

@@ -64,11 +64,4 @@ resources:
kind: ResourcePoolClaim
path: github.com/projectcapsule/capsule/api/v1beta2
version: v1beta2
- api:
crdVersion: v1
domain: clastix.io
group: capsule
kind: TenantOwner
path: github.com/projectcapsule/capsule/api/v1beta2
version: v1beta2
version: "3"

2
api/v1beta1/custom_resource_quota.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/deny_wildcard.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/groupversion_info.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
// Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group

2
api/v1beta1/ingress_options.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

19
api/v1beta1/namespace_options.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1
@@ -7,7 +7,6 @@ import (
"strings"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/api/meta"
)
type NamespaceOptions struct {
@@ -19,11 +18,11 @@ type NamespaceOptions struct {
}
func (in *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
if _, ok := in.Annotations[meta.ForbiddenNamespaceLabelsAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsAnnotation]; ok {
return true
}
if _, ok := in.Annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
return true
}
@@ -31,11 +30,11 @@ func (in *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
}
func (in *Tenant) hasForbiddenNamespaceAnnotationsAnnotations() bool {
if _, ok := in.Annotations[meta.ForbiddenNamespaceAnnotationsAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; ok {
return true
}
if _, ok := in.Annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
return true
}
@@ -48,8 +47,8 @@ func (in *Tenant) ForbiddenUserNamespaceLabels() *api.ForbiddenListSpec {
}
return &api.ForbiddenListSpec{
Exact: strings.Split(in.Annotations[meta.ForbiddenNamespaceLabelsAnnotation], ","),
Regex: in.Annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation],
Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceLabelsAnnotation], ","),
Regex: in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation],
}
}
@@ -59,7 +58,7 @@ func (in *Tenant) ForbiddenUserNamespaceAnnotations() *api.ForbiddenListSpec {
}
return &api.ForbiddenListSpec{
Exact: strings.Split(in.Annotations[meta.ForbiddenNamespaceAnnotationsAnnotation], ","),
Regex: in.Annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation],
Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation], ","),
Regex: in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation],
}
}

2
api/v1beta1/owner.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/owner_list.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/owner_list_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/owner_role.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/service_allowed_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/service_options.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/tenant_func.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/tenant_status.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1

27
api/v1beta1/tenant_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1
@@ -20,21 +20,17 @@ type TenantSpec struct {
// Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.
StorageClasses *api.AllowedListSpec `json:"storageClasses,omitempty"`
// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
// +optional
IngressOptions IngressOptions `json:"ingressOptions,omitzero"`
IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
NodeSelector map[string]string `json:"nodeSelector,omitempty"`
// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
// +optional
NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitzero"`
NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitempty"`
// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
// +optional
LimitRanges api.LimitRangesSpec `json:"limitRanges,omitzero"`
LimitRanges api.LimitRangesSpec `json:"limitRanges,omitempty"`
// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
// +optional
ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitzero"`
ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
AdditionalRoleBindings []api.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
@@ -54,13 +50,11 @@ type TenantSpec struct {
// Tenant is the Schema for the tenants API.
type Tenant struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec TenantSpec `json:"spec"`
// +optional
Status TenantStatus `json:"status,omitzero"`
Spec TenantSpec `json:"spec,omitempty"`
Status TenantStatus `json:"status,omitempty"`
}
func (in *Tenant) Hub() {}
@@ -70,8 +64,7 @@ func (in *Tenant) Hub() {}
// TenantList contains a list of Tenant.
type TenantList struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ListMeta `json:"metadata,omitzero"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []Tenant `json:"items"`
}

5
api/v1beta1/tenant_webhook.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta1
@@ -15,6 +15,7 @@ func (in *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
return nil
}
return ctrl.NewWebhookManagedBy(mgr, in).
return ctrl.NewWebhookManagedBy(mgr).
For(in).
Complete()
}

2
api/v1beta2/additional_role_bindings.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2

19
api/v1beta2/capsuleconfiguration_status.go
View File

@@ -1,19 +0,0 @@
// Copyright 2020-2026 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
)
// CapsuleConfigurationStatus defines the Capsule configuration status.
type CapsuleConfigurationStatus struct {
// Last time all caches were invalided
LastCacheInvalidation metav1.Time `json:"lastCacheInvalidation,omitempty"`
// Users which are considered Capsule Users and are bound to the Capsule Tenant construct.
Users api.UserListSpec `json:"users,omitempty"`
}

86
api/v1beta2/capsuleconfiguration_types.go
View File

@@ -1,28 +1,20 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/api/meta"
)
// CapsuleConfigurationSpec defines the Capsule configuration.
type CapsuleConfigurationSpec struct {
// Define entities which are considered part of the Capsule construct
// Users not mentioned here will be ignored by Capsule
Users api.UserListSpec `json:"users,omitempty"`
// Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
//
// Names of the users considered as Capsule users.
UserNames []string `json:"userNames,omitempty"`
// Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
//
// Names of the groups considered as Capsule users.
// +kubebuilder:default={capsule.clastix.io}
UserGroups []string `json:"userGroups,omitempty"`
// Define groups which when found in the request of a user will be ignored by the Capsule
// this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
@@ -41,73 +33,21 @@ type CapsuleConfigurationSpec struct {
// Allows to set different name rather than the canonical one for the Capsule configuration objects,
// such as webhook secret or configurations.
// +kubebuilder:default={TLSSecretName:"capsule-tls",mutatingWebhookConfigurationName:"capsule-mutating-webhook-configuration",validatingWebhookConfigurationName:"capsule-validating-webhook-configuration"}
// +optional
CapsuleResources CapsuleResources `json:"overrides,omitzero"`
CapsuleResources CapsuleResources `json:"overrides,omitempty"`
// Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
// This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
NodeMetadata *NodeMetadata `json:"nodeMetadata,omitempty"`
// Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
// when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
// +kubebuilder:default=false
// +kubebuilder:default=true
EnableTLSReconciler bool `json:"enableTLSReconciler"` //nolint:tagliatelle
// Define entities which can act as Administrators in the capsule construct
// These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
// for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
// be ignored by capsule.
Administrators api.UserListSpec `json:"administrators,omitempty"`
// Configuration for dynamic Validating and Mutating Admission webhooks managed by Capsule.
Admission DynamicAdmission `json:"admission,omitempty"`
// Define Properties for managed ClusterRoles by Capsule
// +kubebuilder:default={}
RBAC *RBACConfiguration `json:"rbac"`
// Define the period of time upon a cache invalidation is executed for all caches.
// +kubebuilder:default="24h"
CacheInvalidation metav1.Duration `json:"cacheInvalidation"`
}
type RBACConfiguration struct {
// The ClusterRoles applied for Administrators
// +kubebuilder:default={capsule-namespace-deleter}
AdministrationClusterRoles []string `json:"administrationClusterRoles,omitempty"`
// The ClusterRoles applied for ServiceAccounts which had owner Promotion
// +kubebuilder:default={capsule-namespace-provisioner,capsule-namespace-deleter}
PromotionClusterRoles []string `json:"promotionClusterRoles,omitempty"`
// Name for the ClusterRole required to grant Namespace Deletion permissions.
// +kubebuilder:default=capsule-namespace-deleter
DeleterClusterRole string `json:"deleter,omitempty"`
// Name for the ClusterRole required to grant Namespace Provision permissions.
// +kubebuilder:default=capsule-namespace-provisioner
ProvisionerClusterRole string `json:"provisioner,omitempty"`
}
type DynamicAdmission struct {
// Configure dynamic Mutating Admission for Capsule
Mutating DynamicAdmissionConfig `json:"mutating,omitempty"`
// Configure dynamic Validating Admission for Capsule
Validating DynamicAdmissionConfig `json:"validating,omitempty"`
}
type DynamicAdmissionConfig struct {
// Name the Admission Webhook
Name meta.RFC1123Name `json:"name,omitempty"`
// Labels added to the Admission Webhook
// +optional
Labels map[string]string `json:"labels,omitempty"`
// Annotations added to the Admission Webhook
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
// From the upstram struct
Client admissionregistrationv1.WebhookClientConfig `json:"client"`
}
type NodeMetadata struct {
// Define the labels that a Tenant Owner cannot set for their nodes.
// +optional
ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitzero"`
ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels"`
// Define the annotations that a Tenant Owner cannot set for their nodes.
// +optional
ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations,omitzero"`
ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations"`
}
type CapsuleResources struct {
@@ -124,21 +64,15 @@ type CapsuleResources struct {
}
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Cluster
// +kubebuilder:storageversion
// CapsuleConfiguration is the Schema for the Capsule configuration API.
type CapsuleConfiguration struct {
metav1.TypeMeta `json:",inline"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
Spec CapsuleConfigurationSpec `json:"spec"`
// +optional
Status CapsuleConfigurationStatus `json:"status,omitzero"`
Spec CapsuleConfigurationSpec `json:"spec,omitempty"`
}
// +kubebuilder:object:root=true
@@ -146,7 +80,7 @@ type CapsuleConfiguration struct {
// CapsuleConfigurationList contains a list of CapsuleConfiguration.
type CapsuleConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []CapsuleConfiguration `json:"items"`
}

2
api/v1beta2/custom_resource_quota.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2

4
api/v1beta2/gateway_options.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -8,5 +8,5 @@ import (
)
type GatewayOptions struct {
AllowedClasses *api.DefaultAllowedListSpec `json:"allowedClasses,omitempty"`
AllowedClasses *api.SelectionListWithDefaultSpec `json:"allowedClasses,omitempty"`
}

2
api/v1beta2/groupversion_info.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
// Package v1beta2 contains API Schema definitions for the capsule v1beta2 API group

2
api/v1beta2/ingress_options.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2

24
api/v1beta2/namespace_options.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -11,32 +11,16 @@ type NamespaceOptions struct {
// +kubebuilder:validation:Minimum=1
// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
Quota *int32 `json:"quota,omitempty"`
// Deprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)
//
// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
// Deprecated: Use additionalMetadataList instead
AdditionalMetadata *api.AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional.
AdditionalMetadataList []api.AdditionalMetadataSelectorSpec `json:"additionalMetadataList,omitempty"`
// Required Metadata for namespace within this tenant
// +optional
RequiredMetadata *RequiredMetadata `json:"requiredMetadata,omitzero"`
// Define the labels that a Tenant Owner cannot set for their Namespace resources.
// +optional
ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitzero"`
ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitempty"`
// Define the annotations that a Tenant Owner cannot set for their Namespace resources.
// +optional
ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations,omitzero"`
ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations,omitempty"`
// If enabled only metadata from additionalMetadata is reconciled to the namespaces.
//+kubebuilder:default:=false
ManagedMetadataOnly bool `json:"managedMetadataOnly,omitempty"`
}
type RequiredMetadata struct {
// Labels that must be defined for each namespace
// +optional
Labels map[string]string `json:"labels,omitzero"`
// Annotations that must be defined for each namespace
// +optional
Annotations map[string]string `json:"annotations,omitzero"`
}

33
api/v1beta2/namespace_rule_type.go
View File

@@ -1,33 +0,0 @@
// Copyright 2020-2026 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
)
// +kubebuilder:object:generate=true
type NamespaceRule struct {
// Enforce these properties via Rules
NamespaceRuleBody `json:",inline"`
// Select namespaces which are going to usese
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}
// +kubebuilder:object:generate=true
type NamespaceRuleBody struct {
// Enforcement Rules applied
//+optional
Enforce NamespaceRuleEnforceBody `json:"enforce,omitzero"`
}
// +kubebuilder:object:generate=true
type NamespaceRuleEnforceBody struct {
// Define registries which are allowed to be used within this tenant
// The rules are aggregated, since you can use Regular Expressions the match registry endpoints
Registries []api.OCIRegistry `json:"registries,omitempty"`
}

46
pkg/api/owner.go → api/v1beta2/owner.go
View File

@@ -1,17 +1,16 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package api
import (
rbacv1 "k8s.io/api/rbac/v1"
)
// +kubebuilder:object:generate=true
package v1beta2
type OwnerSpec struct {
CoreOwnerSpec `json:",inline"`
// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
Kind OwnerKind `json:"kind"`
// Name of tenant owner.
Name string `json:"name"`
// Defines additional cluster-roles for the specific Owner.
// +kubebuilder:default={admin,capsule-namespace-deleter}
ClusterRoles []string `json:"clusterRoles,omitempty"`
// Proxy settings for tenant owner.
ProxyOperations []ProxySettings `json:"proxySettings,omitempty"`
// Additional Labels for the synchronized rolebindings
@@ -20,31 +19,6 @@ type OwnerSpec struct {
Annotations map[string]string `json:"annotations,omitempty"`
}
// +kubebuilder:object:generate=true
type CoreOwnerSpec struct {
UserSpec `json:",inline"`
// Defines additional cluster-roles for the specific Owner.
// +kubebuilder:default={admin,capsule-namespace-deleter}
ClusterRoles []string `json:"clusterRoles,omitempty"`
}
func (o CoreOwnerSpec) ToAdditionalRolebindings() []AdditionalRoleBindingsSpec {
bindings := make([]AdditionalRoleBindingsSpec, 0, len(o.ClusterRoles))
for _, clusterRoleName := range o.ClusterRoles {
bindings = append(bindings, AdditionalRoleBindingsSpec{
ClusterRoleName: clusterRoleName,
Subjects: []rbacv1.Subject{
o.Subject(),
},
})
}
return bindings
}
// +kubebuilder:validation:Enum=User;Group;ServiceAccount
type OwnerKind string
@@ -52,8 +26,6 @@ func (k OwnerKind) String() string {
return string(k)
}
// +kubebuilder:object:generate=true
type ProxySettings struct {
Kind ProxyServiceKind `json:"kind"`
Operations []ProxyOperation `json:"operations"`

33
pkg/api/owner_list.go → api/v1beta2/owner_list.go
View File

@@ -1,43 +1,14 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package api
package v1beta2
import (
"slices"
"sort"
)
// +kubebuilder:object:generate=true
type OwnerListSpec []OwnerSpec
func (o OwnerListSpec) IsOwner(name string, groups []string) bool {
for _, owner := range o {
switch owner.Kind {
case UserOwner, ServiceAccountOwner:
if name == owner.Name {
return true
}
case GroupOwner:
if slices.Contains(groups, owner.Name) {
return true
}
}
}
return false
}
func (o OwnerListSpec) ToStatusOwners() OwnerStatusListSpec {
list := OwnerStatusListSpec{}
for _, owner := range o {
list = append(list, owner.CoreOwnerSpec)
}
return list
}
func (o OwnerListSpec) FindOwner(name string, kind OwnerKind) (owner OwnerSpec) {
sort.Sort(ByKindAndName(o))
i := sort.Search(len(o), func(i int) bool {

86
api/v1beta2/owner_list_test.go Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestOwnerListSpec_FindOwner(t *testing.T) {
bla := OwnerSpec{
Kind: UserOwner,
Name: "bla",
ProxyOperations: []ProxySettings{
{
Kind: IngressClassesProxy,
Operations: []ProxyOperation{"Delete"},
},
},
}
bar := OwnerSpec{
Kind: GroupOwner,
Name: "bar",
ProxyOperations: []ProxySettings{
{
Kind: StorageClassesProxy,
Operations: []ProxyOperation{"Delete"},
},
},
}
baz := OwnerSpec{
Kind: UserOwner,
Name: "baz",
ProxyOperations: []ProxySettings{
{
Kind: StorageClassesProxy,
Operations: []ProxyOperation{"Update"},
},
},
}
fim := OwnerSpec{
Kind: ServiceAccountOwner,
Name: "fim",
ProxyOperations: []ProxySettings{
{
Kind: NodesProxy,
Operations: []ProxyOperation{"List"},
},
},
}
bom := OwnerSpec{
Kind: GroupOwner,
Name: "bom",
ProxyOperations: []ProxySettings{
{
Kind: StorageClassesProxy,
Operations: []ProxyOperation{"Delete"},
},
{
Kind: NodesProxy,
Operations: []ProxyOperation{"Delete"},
},
},
}
qip := OwnerSpec{
Kind: ServiceAccountOwner,
Name: "qip",
ProxyOperations: []ProxySettings{
{
Kind: StorageClassesProxy,
Operations: []ProxyOperation{"List", "Delete"},
},
},
}
owners := OwnerListSpec{bom, qip, bla, bar, baz, fim}
assert.Equal(t, owners.FindOwner("bom", GroupOwner), bom)
assert.Equal(t, owners.FindOwner("qip", ServiceAccountOwner), qip)
assert.Equal(t, owners.FindOwner("bla", UserOwner), bla)
assert.Equal(t, owners.FindOwner("bar", GroupOwner), bar)
assert.Equal(t, owners.FindOwner("baz", UserOwner), baz)
assert.Equal(t, owners.FindOwner("fim", ServiceAccountOwner), fim)
assert.Equal(t, owners.FindOwner("notfound", ServiceAccountOwner), OwnerSpec{})
}

16
api/v1beta2/resourcepool_func.go
View File

@@ -1,23 +1,18 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"errors"
"fmt"
"sort"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
"github.com/projectcapsule/capsule/pkg/api/meta"
"github.com/projectcapsule/capsule/pkg/api"
)
func (r *ResourcePool) GetQuotaName() string {
return fmt.Sprintf("capsule-pool-%s", r.GetName())
}
func (r *ResourcePool) AssignNamespaces(namespaces []corev1.Namespace) {
var l []string
@@ -79,10 +74,9 @@ func (r *ResourcePool) AddClaimToStatus(claim *ResourcePoolClaim) {
}
scl := &ResourcePoolClaimsItem{
NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{
UID: claim.UID,
Name: meta.RFC1123Name(claim.Name),
Namespace: meta.RFC1123SubdomainName(claim.Namespace),
StatusNameUID: api.StatusNameUID{
UID: claim.UID,
Name: api.Name(claim.Name),
},
Claims: claim.Spec.ResourceClaims,
}

61
api/v1beta2/resourcepool_func_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -11,7 +11,8 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"github.com/projectcapsule/capsule/pkg/api/meta"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/meta"
"github.com/stretchr/testify/assert"
)
@@ -33,7 +34,7 @@ func TestGetClaimFromStatus(t *testing.T) {
Claims: ResourcePoolNamespaceClaimsStatus{
ns: {
&ResourcePoolClaimsItem{
NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{
StatusNameUID: api.StatusNameUID{
UID: testUID,
},
Claims: corev1.ResourceList{
@@ -126,9 +127,8 @@ func TestAddRemoveClaimToStatus(t *testing.T) {
pool.AddClaimToStatus(claim)
stored := pool.GetClaimFromStatus(claim)
assert.NotNil(t, stored)
assert.Equal(t, meta.RFC1123Name("claim-1"), stored.Name)
assert.Equal(t, api.Name("claim-1"), stored.Name)
pool.RemoveClaimFromStatus(claim)
assert.Nil(t, pool.GetClaimFromStatus(claim))
@@ -219,7 +219,7 @@ func TestGetNamespaceClaims(t *testing.T) {
Claims: ResourcePoolNamespaceClaimsStatus{
"ns": {
&ResourcePoolClaimsItem{
NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{UID: "uid1"},
StatusNameUID: api.StatusNameUID{UID: "uid1"},
Claims: corev1.ResourceList{
corev1.ResourceLimitsCPU: resource.MustParse("1"),
},
@@ -260,59 +260,36 @@ func TestIsBoundToResourcePool_2(t *testing.T) {
t.Run("bound to resource pool (Assigned=True)", func(t *testing.T) {
claim := &ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Conditions: meta.ConditionList{},
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionTrue,
},
},
}
assert.Equal(t, false, claim.IsBoundInResourcePool())
assert.Equal(t, true, claim.IsBoundToResourcePool())
})
t.Run("not bound - wrong condition type", func(t *testing.T) {
claim := &ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Conditions: meta.ConditionList{
meta.Condition{},
Condition: metav1.Condition{
Type: "Other",
Status: metav1.ConditionTrue,
},
},
}
cond := meta.NewAssignedCondition(claim)
cond.Status = metav1.ConditionFalse
claim.Status.Conditions.UpdateConditionByType(cond)
assert.Equal(t, false, claim.IsBoundInResourcePool())
assert.Equal(t, false, claim.IsBoundToResourcePool())
})
t.Run("not bound - condition not true", func(t *testing.T) {
claim := &ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Conditions: meta.ConditionList{
meta.Condition{},
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionFalse,
},
},
}
cond := meta.NewBoundCondition(claim)
cond.Status = metav1.ConditionFalse
claim.Status.Conditions.UpdateConditionByType(cond)
assert.Equal(t, false, claim.IsBoundInResourcePool())
assert.Equal(t, false, claim.IsBoundToResourcePool())
})
t.Run("not bound - condition not true", func(t *testing.T) {
claim := &ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Conditions: meta.ConditionList{
meta.Condition{},
},
},
}
cond := meta.NewBoundCondition(claim)
cond.Status = metav1.ConditionTrue
claim.Status.Conditions.UpdateConditionByType(cond)
assert.Equal(t, true, claim.IsBoundInResourcePool())
})
}

13
api/v1beta2/resourcepool_status.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -8,7 +8,6 @@ import (
"k8s.io/apimachinery/pkg/types"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/api/meta"
)
// GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.
@@ -22,15 +21,11 @@ type ResourcePoolStatus struct {
// Namespaces which are considered for claims
Namespaces []string `json:"namespaces,omitempty"`
// Tracks the quotas for the Resource.
// +optional
Claims ResourcePoolNamespaceClaimsStatus `json:"claims,omitzero"`
Claims ResourcePoolNamespaceClaimsStatus `json:"claims,omitempty"`
// Tracks the Usage from Claimed against what has been granted from the pool
// +optional
Allocation ResourcePoolQuotaStatus `json:"allocation,omitzero"`
Allocation ResourcePoolQuotaStatus `json:"allocation,omitempty"`
// Exhaustions from claims associated with the pool
Exhaustions map[string]api.PoolExhaustionResource `json:"exhaustions,omitempty"`
// Conditions for the resource claim
Conditions meta.ConditionList `json:"conditions,omitzero"`
}
type ResourcePoolNamespaceClaimsStatus map[string]ResourcePoolClaimsList
@@ -63,7 +58,7 @@ func (r *ResourcePoolClaimsList) GetClaimByUID(uid types.UID) *ResourcePoolClaim
// ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
type ResourcePoolClaimsItem struct {
// Reference to the GlobalQuota being claimed from
meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID `json:",inline"`
api.StatusNameUID `json:",inline"`
// Claimed resources
Claims corev1.ResourceList `json:"claims,omitempty"`

36
api/v1beta2/resourcepool_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -7,27 +7,25 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/runtime/selectors"
"github.com/projectcapsule/capsule/pkg/api"
)
// ResourcePoolSpec.
type ResourcePoolSpec struct {
// Selector to match the namespaces that should be managed by the GlobalResourceQuota
Selectors []selectors.NamespaceSelector `json:"selectors,omitempty"`
Selectors []api.NamespaceSelector `json:"selectors,omitempty"`
// Define the resourcequota served by this resourcepool.
Quota corev1.ResourceQuotaSpec `json:"quota"`
// The Defaults given for each namespace, the default is not counted towards the total allocation
// When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources
// +optional
Defaults corev1.ResourceList `json:"defaults,omitzero"`
Defaults corev1.ResourceList `json:"defaults,omitempty"`
// Additional Configuration
//+kubebuilder:default:={}
// +optional
Config ResourcePoolSpecConfiguration `json:"config,omitzero"`
Config ResourcePoolSpecConfiguration `json:"config,omitempty"`
}
type ResourcePoolSpecConfiguration struct {
// With this option all resources which can be allocated are set to 0 for the resourcequota defaults. (Default false)
// With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
// +kubebuilder:default=false
DefaultsAssignZero *bool `json:"defaultsZero,omitempty"`
// Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
@@ -35,11 +33,11 @@ type ResourcePoolSpecConfiguration struct {
// but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
// it's priority was lower
// Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
// other claim can claim the same resources with lower priority. (Default false)
// other claim can claim the same resources with lower priority.
// +kubebuilder:default=false
OrderedQueue *bool `json:"orderedQueue,omitempty"`
// When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state. (Default false)
// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
// +kubebuilder:default=false
DeleteBoundResources *bool `json:"deleteBoundResources,omitempty"`
}
@@ -49,8 +47,6 @@ type ResourcePoolSpecConfiguration struct {
// +kubebuilder:resource:scope=Cluster,shortName=quotapool
// +kubebuilder:printcolumn:name="Claims",type="integer",JSONPath=".status.claimCount",description="The total amount of Claims bound"
// +kubebuilder:printcolumn:name="Namespaces",type="integer",JSONPath=".status.namespaceCount",description="The total amount of Namespaces considered"
// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Reconcile Status"
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="Reconcile Message"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
// Resourcepools allows you to define a set of resources as known from ResoureQuotas. The Resourcepools are defined at cluster-scope an should
@@ -59,15 +55,11 @@ type ResourcePoolSpecConfiguration struct {
// it's up the group of users within these namespaces, to manage the resources they consume per namespace. Each Resourcepool provisions a ResourceQuotainto all the selected namespaces. Then essentially the ResourcePoolClaims, when they can be assigned to the ResourcePool stack resources on top of that
// ResourceQuota based on the namspace, where the ResourcePoolClaim was made from.
type ResourcePool struct {
metav1.TypeMeta `json:",inline"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
Spec ResourcePoolSpec `json:"spec"`
// +optional
Status ResourcePoolStatus `json:"status,omitzero"`
Spec ResourcePoolSpec `json:"spec,omitempty"`
Status ResourcePoolStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
@@ -75,9 +67,7 @@ type ResourcePool struct {
// ResourcePoolList contains a list of ResourcePool.
type ResourcePoolList struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ListMeta `json:"metadata,omitzero"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ResourcePool `json:"items"`
}

51
api/v1beta2/resourcepoolclaim_func.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -6,56 +6,15 @@ package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api/meta"
"github.com/projectcapsule/capsule/pkg/meta"
)
// Indicate the claim is bound to a resource pool.
func (r *ResourcePoolClaim) IsExhaustedInResourcePool() bool {
condition := r.Status.Conditions.GetConditionByType(meta.ExhaustedCondition)
if condition == nil {
return false
}
if condition.Status == metav1.ConditionTrue {
func (r *ResourcePoolClaim) IsBoundToResourcePool() bool {
if r.Status.Condition.Type == meta.BoundCondition &&
r.Status.Condition.Status == metav1.ConditionTrue {
return true
}
return false
}
func (r *ResourcePoolClaim) IsAssignedInResourcePool() bool {
condition := r.Status.Conditions.GetConditionByType(meta.AssignedCondition)
if condition == nil {
return false
}
if condition.Status == metav1.ConditionTrue {
return true
}
return false
}
func (r *ResourcePoolClaim) IsBoundInResourcePool() bool {
condition := r.Status.Conditions.GetConditionByType(meta.BoundCondition)
if condition == nil {
return false
}
if condition.Status == metav1.ConditionTrue {
return true
}
return false
}
func (r *ResourcePoolClaim) GetPool() string {
if name := string(r.Status.Pool.Name); name != "" {
return name
}
return r.Spec.Pool
}

124
api/v1beta2/resourcepoolclaim_func_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -6,10 +6,9 @@ package v1beta2
import (
"testing"
"github.com/projectcapsule/capsule/pkg/meta"
"github.com/stretchr/testify/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api/meta"
)
func TestIsBoundToResourcePool(t *testing.T) {
@@ -22,14 +21,9 @@ func TestIsBoundToResourcePool(t *testing.T) {
name: "bound to resource pool (Assigned=True)",
claim: ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Conditions: meta.ConditionList{
meta.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionTrue,
Reason: meta.SucceededReason,
Message: "reconciled",
LastTransitionTime: metav1.Now(),
},
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionTrue,
},
},
},
@@ -39,14 +33,9 @@ func TestIsBoundToResourcePool(t *testing.T) {
name: "not bound - wrong condition type",
claim: ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Conditions: meta.ConditionList{
meta.Condition{
Type: meta.AssignedCondition,
Status: metav1.ConditionTrue,
Reason: meta.SucceededReason,
Message: "reconciled",
LastTransitionTime: metav1.Now(),
},
Condition: metav1.Condition{
Type: "SomethingElse",
Status: metav1.ConditionTrue,
},
},
},
@@ -56,14 +45,9 @@ func TestIsBoundToResourcePool(t *testing.T) {
name: "not bound - status not true",
claim: ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Conditions: meta.ConditionList{
meta.Condition{
Type: meta.AssignedCondition,
Status: metav1.ConditionTrue,
Reason: meta.SucceededReason,
Message: "reconciled",
LastTransitionTime: metav1.Now(),
},
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionFalse,
},
},
},
@@ -80,91 +64,7 @@ func TestIsBoundToResourcePool(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
actual := tt.claim.IsBoundInResourcePool()
assert.Equal(t, tt.expected, actual)
})
}
}
func TestGetPool(t *testing.T) {
tests := []struct {
name string
claim ResourcePoolClaim
expected string
}{
{
name: "returns status pool name when set",
claim: ResourcePoolClaim{
Spec: ResourcePoolClaimSpec{
Pool: "spec-pool",
},
Status: ResourcePoolClaimStatus{
Pool: meta.LocalRFC1123ObjectReferenceWithUID{
Name: meta.RFC1123Name("status-pool"),
},
},
},
expected: "status-pool",
},
{
name: "falls back to spec pool when status pool name is empty",
claim: ResourcePoolClaim{
Spec: ResourcePoolClaimSpec{
Pool: "spec-pool",
},
Status: ResourcePoolClaimStatus{
Pool: meta.LocalRFC1123ObjectReferenceWithUID{
Name: meta.RFC1123Name(""),
},
},
},
expected: "spec-pool",
},
{
name: "falls back to spec pool when status pool struct is zero-value",
claim: ResourcePoolClaim{
Spec: ResourcePoolClaimSpec{
Pool: "spec-pool",
},
Status: ResourcePoolClaimStatus{
Pool: meta.LocalRFC1123ObjectReferenceWithUID{},
},
},
expected: "spec-pool",
},
{
name: "returns empty when both status and spec are empty",
claim: ResourcePoolClaim{
Spec: ResourcePoolClaimSpec{
Pool: "",
},
Status: ResourcePoolClaimStatus{
Pool: meta.LocalRFC1123ObjectReferenceWithUID{
Name: meta.RFC1123Name(""),
},
},
},
expected: "",
},
{
name: "status wins even if spec differs",
claim: ResourcePoolClaim{
Spec: ResourcePoolClaimSpec{
Pool: "spec-pool",
},
Status: ResourcePoolClaimStatus{
Pool: meta.LocalRFC1123ObjectReferenceWithUID{
Name: meta.RFC1123Name("status-pool"),
},
},
},
expected: "status-pool",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
actual := tt.claim.GetPool()
actual := tt.claim.IsBoundToResourcePool()
assert.Equal(t, tt.expected, actual)
})
}

43
api/v1beta2/resourcepoolclaim_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -7,7 +7,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api/meta"
"github.com/projectcapsule/capsule/pkg/api"
)
type ResourcePoolClaimSpec struct {
@@ -22,47 +22,34 @@ type ResourcePoolClaimSpec struct {
// ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
type ResourcePoolClaimStatus struct {
// Reference to the GlobalQuota being claimed from
// +optional
Pool meta.LocalRFC1123ObjectReferenceWithUID `json:"pool,omitzero"`
// Deprecated: Use Conditions
//
// +optional
Condition metav1.Condition `json:"condition,omitzero"`
// Conditions for the resource claim
Conditions meta.ConditionList `json:"conditions,omitzero"`
// Tracks the Usage from Claimed from this claim and available resources
// +optional
Allocation ResourcePoolQuotaStatus `json:"allocation,omitzero"`
Pool api.StatusNameUID `json:"pool,omitempty"`
// Condtion for this resource claim
Condition metav1.Condition `json:"condition,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Pool",type="string",JSONPath=".status.pool.name",description="The ResourcePool being claimed from"
// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Ready Status"
// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="Ready Message"
// +kubebuilder:printcolumn:name="Bound",type="string",JSONPath=".status.conditions[?(@.type==\"Bound\")].status",description="Bound Status"
// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.conditions[?(@.type==\"Bound\")].message",description="Bound Message"
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.condition.type",description="Status for claim"
// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.condition.reason",description="Reason for status"
// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.condition.message",description="Condition Message"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
// ResourcePoolClaim is the Schema for the resourcepoolclaims API.
type ResourcePoolClaim struct {
metav1.TypeMeta `json:",inline"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
Spec ResourcePoolClaimSpec `json:"spec"`
// +optional
Status ResourcePoolClaimStatus `json:"status,omitzero"`
Spec ResourcePoolClaimSpec `json:"spec,omitempty"`
Status ResourcePoolClaimStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// ResourceQuotaClaimList contains a list of ResourceQuotaClaim.
type ResourcePoolClaimList struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ListMeta `json:"metadata,omitzero"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ResourcePoolClaim `json:"items"`
}

44
api/v1beta2/rule_status_type.go
View File

@@ -1,44 +0,0 @@
// Copyright 2020-2026 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
type RuleStatus struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
// +optional
Status RuleStatusSpec `json:"status,omitzero"`
}
// +kubebuilder:object:root=true
// RuleStatusList contains a list of RuleStatus.
type RuleStatusList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
Items []RuleStatus `json:"items"`
}
func init() {
SchemeBuilder.Register(&RuleStatus{}, &RuleStatusList{})
}
// RuleStatus contains the accumulated rules applying to namespace it's deployed in.
// +kubebuilder:object:generate=true
type RuleStatusSpec struct {
// Managed Enforcement properties per Namespace (aggregated from rules)
//+optional
Rule NamespaceRuleBody `json:"rule,omitzero"`
}

2
api/v1beta2/tenant_annotations.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2

57
api/v1beta2/tenant_conversion_hub.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -12,7 +12,6 @@ import (
capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/api/meta"
)
func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
@@ -27,32 +26,28 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
}
in.ObjectMeta = src.ObjectMeta
in.Spec.Owners = make(api.OwnerListSpec, 0, len(src.Spec.Owners))
in.Spec.Owners = make(OwnerListSpec, 0, len(src.Spec.Owners))
for index, owner := range src.Spec.Owners {
proxySettings := make([]api.ProxySettings, 0, len(owner.ProxyOperations))
proxySettings := make([]ProxySettings, 0, len(owner.ProxyOperations))
for _, proxyOp := range owner.ProxyOperations {
ops := make([]api.ProxyOperation, 0, len(proxyOp.Operations))
ops := make([]ProxyOperation, 0, len(proxyOp.Operations))
for _, op := range proxyOp.Operations {
ops = append(ops, api.ProxyOperation(op))
ops = append(ops, ProxyOperation(op))
}
proxySettings = append(proxySettings, api.ProxySettings{
Kind: api.ProxyServiceKind(proxyOp.Kind),
proxySettings = append(proxySettings, ProxySettings{
Kind: ProxyServiceKind(proxyOp.Kind),
Operations: ops,
})
}
in.Spec.Owners = append(in.Spec.Owners, api.OwnerSpec{
CoreOwnerSpec: api.CoreOwnerSpec{
UserSpec: api.UserSpec{
Kind: api.OwnerKind(owner.Kind),
Name: owner.Name,
},
ClusterRoles: owner.GetRoles(*src, index),
},
in.Spec.Owners = append(in.Spec.Owners, OwnerSpec{
Kind: OwnerKind(owner.Kind),
Name: owner.Name,
ClusterRoles: owner.GetRoles(*src, index),
ProxyOperations: proxySettings,
})
}
@@ -64,28 +59,28 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
in.Spec.NamespaceOptions.AdditionalMetadata = nsOpts.AdditionalMetadata
if value, found := annotations[meta.ForbiddenNamespaceLabelsAnnotation]; found {
if value, found := annotations[api.ForbiddenNamespaceLabelsAnnotation]; found {
in.Spec.NamespaceOptions.ForbiddenLabels.Exact = strings.Split(value, ",")
delete(annotations, meta.ForbiddenNamespaceLabelsAnnotation)
delete(annotations, api.ForbiddenNamespaceLabelsAnnotation)
}
if value, found := annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation]; found {
if value, found := annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; found {
in.Spec.NamespaceOptions.ForbiddenLabels.Regex = value
delete(annotations, meta.ForbiddenNamespaceLabelsRegexpAnnotation)
delete(annotations, api.ForbiddenNamespaceLabelsRegexpAnnotation)
}
if value, found := annotations[meta.ForbiddenNamespaceAnnotationsAnnotation]; found {
if value, found := annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; found {
in.Spec.NamespaceOptions.ForbiddenAnnotations.Exact = strings.Split(value, ",")
delete(annotations, meta.ForbiddenNamespaceAnnotationsAnnotation)
delete(annotations, api.ForbiddenNamespaceAnnotationsAnnotation)
}
if value, found := annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation]; found {
if value, found := annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; found {
in.Spec.NamespaceOptions.ForbiddenAnnotations.Regex = value
delete(annotations, meta.ForbiddenNamespaceAnnotationsRegexpAnnotation)
delete(annotations, api.ForbiddenNamespaceAnnotationsRegexpAnnotation)
}
}
@@ -149,10 +144,10 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
in.Spec.Cordoned = value
}
if _, found := annotations[meta.ProtectedTenantAnnotation]; found {
if _, found := annotations[api.ProtectedTenantAnnotation]; found {
in.Spec.PreventDeletion = true
delete(annotations, meta.ProtectedTenantAnnotation)
delete(annotations, api.ProtectedTenantAnnotation)
}
in.SetAnnotations(annotations)
@@ -220,19 +215,19 @@ func (in *Tenant) ConvertTo(raw conversion.Hub) error {
dst.Spec.NamespaceOptions.AdditionalMetadata = nsOpts.AdditionalMetadata
if exact := nsOpts.ForbiddenAnnotations.Exact; len(exact) > 0 {
annotations[meta.ForbiddenNamespaceAnnotationsAnnotation] = strings.Join(exact, ",")
annotations[api.ForbiddenNamespaceAnnotationsAnnotation] = strings.Join(exact, ",")
}
if regex := nsOpts.ForbiddenAnnotations.Regex; len(regex) > 0 {
annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation] = regex
annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation] = regex
}
if exact := nsOpts.ForbiddenLabels.Exact; len(exact) > 0 {
annotations[meta.ForbiddenNamespaceLabelsAnnotation] = strings.Join(exact, ",")
annotations[api.ForbiddenNamespaceLabelsAnnotation] = strings.Join(exact, ",")
}
if regex := nsOpts.ForbiddenLabels.Regex; len(regex) > 0 {
annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation] = regex
annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation] = regex
}
}
@@ -269,7 +264,7 @@ func (in *Tenant) ConvertTo(raw conversion.Hub) error {
}
if in.Spec.PreventDeletion {
annotations[meta.ProtectedTenantAnnotation] = "true" //nolint:goconst
annotations[api.ProtectedTenantAnnotation] = "true" //nolint:goconst
}
if in.Spec.Cordoned {

20
api/v1beta2/tenant_func.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -13,18 +13,6 @@ import (
"github.com/projectcapsule/capsule/pkg/api"
)
func (in *Tenant) GetRoleBindings() []api.AdditionalRoleBindingsSpec {
roleBindings := make([]api.AdditionalRoleBindingsSpec, 0, len(in.Spec.AdditionalRoleBindings))
for _, owner := range in.Status.Owners {
roleBindings = append(roleBindings, owner.ToAdditionalRolebindings()...)
}
roleBindings = append(roleBindings, in.Spec.AdditionalRoleBindings...)
return roleBindings
}
func (in *Tenant) IsFull() bool {
// we don't have limits on assigned Namespaces
if in.Spec.NamespaceOptions == nil || in.Spec.NamespaceOptions.Quota == nil {
@@ -49,14 +37,14 @@ func (in *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
in.Status.Size = uint(len(l))
}
func (in *Tenant) GetOwnerProxySettings(name string, kind api.OwnerKind) []api.ProxySettings {
func (in *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
return in.Spec.Owners.FindOwner(name, kind).ProxyOperations
}
// GetClusterRolePermissions returns a map where the clusterRole is the key
// and the value is a list of permission subjects (kind and name) that reference that role.
// These mappings are gathered from the owners and additionalRolebindings spec.
func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []api.OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
rolePerms = make(map[string][]rbacv1.Subject)
// Helper to add permissions for a given clusterRole
@@ -109,7 +97,7 @@ func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []api.OwnerKind) (ro
}
// Get the permissions for a tenant ordered by groups and users.
func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []api.OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
maps = make(map[string]map[string]api.TenantSubjectRoles)
// Initialize a nested map for kind ("User", "Group") and name

38
api/v1beta2/tenant_func_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -13,33 +13,21 @@ import (
var tenant = &Tenant{
Spec: TenantSpec{
Owners: []api.OwnerSpec{
Owners: []OwnerSpec{
{
CoreOwnerSpec: api.CoreOwnerSpec{
UserSpec: api.UserSpec{
Kind: "User",
Name: "user1",
},
ClusterRoles: []string{"cluster-admin", "read-only"},
},
Kind: "User",
Name: "user1",
ClusterRoles: []string{"cluster-admin", "read-only"},
},
{
CoreOwnerSpec: api.CoreOwnerSpec{
UserSpec: api.UserSpec{
Kind: "Group",
Name: "group1",
},
ClusterRoles: []string{"edit"},
},
Kind: "Group",
Name: "group1",
ClusterRoles: []string{"edit"},
},
{
CoreOwnerSpec: api.CoreOwnerSpec{
UserSpec: api.UserSpec{
Kind: api.ServiceAccountOwner,
Name: "service",
},
ClusterRoles: []string{"read-only"},
},
Kind: ServiceAccountOwner,
Name: "service",
ClusterRoles: []string{"read-only"},
},
},
AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
@@ -108,7 +96,7 @@ func TestGetSubjectsByClusterRoles(t *testing.T) {
}
// Ignore SubjectTypes (Ignores ServiceAccounts)
ignored := tenant.GetSubjectsByClusterRoles([]api.OwnerKind{"ServiceAccount"})
ignored := tenant.GetSubjectsByClusterRoles([]OwnerKind{"ServiceAccount"})
expectedIgnored := map[string][]rbacv1.Subject{
"cluster-admin": {
{Kind: "User", Name: "user1"},
@@ -168,7 +156,7 @@ func TestGetClusterRolesBySubject(t *testing.T) {
}
delete(expected, "ServiceAccount")
ignored := tenant.GetClusterRolesBySubject([]api.OwnerKind{"ServiceAccount"})
ignored := tenant.GetClusterRolesBySubject([]OwnerKind{"ServiceAccount"})
if !reflect.DeepEqual(ignored, expected) {
t.Errorf("Expected %v, but got %v", expected, ignored)

2
api/v1beta2/tenant_labels.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2

37
api/v1beta2/tenant_status.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -6,8 +6,7 @@ package v1beta2
import (
k8stypes "k8s.io/apimachinery/pkg/types"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/api/meta"
"github.com/projectcapsule/capsule/pkg/meta"
)
// +kubebuilder:validation:Enum=Cordoned;Active
@@ -20,11 +19,6 @@ const (
// Returns the observed state of the Tenant.
type TenantStatus struct {
// Allowed Cluster Objects within Tenant
TenantAvailableStatus `json:",inline"`
// Collected owners for this tenant
Owners api.OwnerStatusListSpec `json:"owners,omitempty"`
// +kubebuilder:default=Active
// The operational state of the Tenant. Possible values are "Active", "Cordoned".
State tenantState `json:"state"`
@@ -47,14 +41,6 @@ type TenantStatusNamespaceItem struct {
UID k8stypes.UID `json:"uid,omitempty"`
// Managed Metadata
Metadata *TenantStatusNamespaceMetadata `json:"metadata,omitempty"`
// Managed Metadata
//+optional
Enforce TenantStatusNamespaceEnforcement `json:"enforce,omitzero"`
}
type TenantStatusNamespaceEnforcement struct {
// Registries which are allowed within this namespace
Registries []api.OCIRegistry `json:"registry,omitempty"`
}
type TenantStatusNamespaceMetadata struct {
@@ -64,25 +50,6 @@ type TenantStatusNamespaceMetadata struct {
Annotations map[string]string `json:"annotations,omitempty"`
}
type TenantAvailableStatus struct {
// Available Class Types within Tenant
// +optional
Classes TenantAvailableClassesStatus `json:"classes,omitzero"`
}
type TenantAvailableClassesStatus struct {
// Available Storageclasses (Only collected if any matching condition is specified)
StorageClasses []string `json:"storage,omitempty"`
// Available PriorityClasses
PriorityClasses []string `json:"priority,omitempty"`
// Available StorageClasses
RuntimeClasses []string `json:"runtime,omitempty"`
// Available GatewayClasses
GatewayClasses []string `json:"gateway,omitempty"`
// Available DeviceClasses
DeviceClasses []string `json:"device,omitempty"`
}
func (ms *TenantStatus) GetInstance(stat *TenantStatusNamespaceItem) *TenantStatusNamespaceItem {
for _, source := range ms.Spaces {
if ms.instancequal(source, stat) {

104
api/v1beta2/tenant_types.go
View File

@@ -1,35 +1,19 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"context"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/api/meta"
"github.com/projectcapsule/capsule/pkg/runtime/selectors"
)
// TenantSpec defines the desired state of Tenant.
type TenantSpec struct {
// Specify Permissions for the Tenant.
// +optional
Permissions Permissions `json:"permissions,omitzero"`
// Specify enforcement specifications for the scope of the Tenant.
// We are moving all configuration enforcement. per namespace into a rule construct.
// It's currently not final.
//
// Read More: https://projectcapsule.dev/docs/tenants/rules/
//+optional
Rules []*NamespaceRule `json:"rules,omitzero"`
// Specifies the owners of the Tenant.
// Optional
Owners api.OwnerListSpec `json:"owners,omitempty"`
Owners OwnerListSpec `json:"owners,omitempty"`
// Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
NamespaceOptions *NamespaceOptions `json:"namespaceOptions,omitempty"`
// Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
@@ -42,15 +26,23 @@ type TenantSpec struct {
// Optional.
StorageClasses *api.DefaultAllowedListSpec `json:"storageClasses,omitempty"`
// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
// +optional
IngressOptions IngressOptions `json:"ingressOptions,omitzero"`
IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
NodeSelector map[string]string `json:"nodeSelector,omitempty"`
// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitempty"`
// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
LimitRanges api.LimitRangesSpec `json:"limitRanges,omitempty"`
// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
// +optional
ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitzero"`
ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
AdditionalRoleBindings []api.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
// Specifies the allowed RuntimeClasses assigned to the Tenant.
// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
// Optional.
@@ -60,11 +52,8 @@ type TenantSpec struct {
// A default value can be specified, and all the Pod resources created will inherit the declared class.
// Optional.
PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
// Specifies options for the DeviceClass resources.
DeviceClasses *api.SelectorAllowedListSpec `json:"deviceClasses,omitempty"`
// Specifies options for the GatewayClass resources.
// +optional
GatewayOptions GatewayOptions `json:"gatewayOptions,omitzero"`
GatewayOptions GatewayOptions `json:"gatewayOptions,omitempty"`
// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
//+kubebuilder:default:=false
Cordoned bool `json:"cordoned,omitempty"`
@@ -81,48 +70,6 @@ type TenantSpec struct {
// If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
// Optional
ForceTenantPrefix *bool `json:"forceTenantPrefix,omitempty"`
// Deprecated: Use Enforcement.Registries instead
//
// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
// Deprecated: Use Enforcement.Registries instead
//
// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
//
// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
// +optional
NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitzero"`
// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
//
// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
// +optional
LimitRanges api.LimitRangesSpec `json:"limitRanges,omitzero"`
}
type Permissions struct {
// Matches TenantOwner objects which are promoted to owners of this tenant
// The elements are OR operations and independent. You can see the resulting Tenant Owners
// in the Status.Owners specification of the Tenant.
MatchOwners []*metav1.LabelSelector `json:"matchOwners,omitempty"`
}
func (p *Permissions) ListMatchingOwners(
ctx context.Context,
c client.Client,
tnt string,
opts ...client.ListOption,
) ([]*TenantOwner, error) {
defaultSelector := &metav1.LabelSelector{
MatchLabels: map[string]string{
meta.NewTenantLabel: tnt,
},
}
return selectors.ListBySelectors[*TenantOwner](ctx, c, &TenantOwnerList{}, append(p.MatchOwners, defaultSelector))
}
// +kubebuilder:object:root=true
@@ -138,20 +85,19 @@ func (p *Permissions) ListMatchingOwners(
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
// Tenant is the Schema for the tenants API.
type Tenant struct {
metav1.TypeMeta `json:",inline"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
// +optional
Spec TenantSpec `json:"spec,omitzero"`
// +optional
Status TenantStatus `json:"status,omitzero"`
Spec TenantSpec `json:"spec,omitempty"`
Status TenantStatus `json:"status,omitempty"`
}
func (in *Tenant) GetNamespaces() (res []string) {
return in.Status.Namespaces
res = make([]string, 0, len(in.Status.Namespaces))
res = append(res, in.Status.Namespaces...)
return res
}
// +kubebuilder:object:root=true
@@ -159,7 +105,7 @@ func (in *Tenant) GetNamespaces() (res []string) {
// TenantList contains a list of Tenant.
type TenantList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []Tenant `json:"items"`
}

60
api/v1beta2/tenantowner_types.go
View File

@@ -1,60 +0,0 @@
// Copyright 2020-2026 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
)
// TenantOwnerSpec defines the desired state of TenantOwner.
type TenantOwnerSpec struct {
// Subject
api.CoreOwnerSpec `json:",inline"`
// Adds the given subject as capsule user. When enabled this subject does not have to be
// mentioned in the CapsuleConfiguration as Capsule User. In almost all scenarios Tenant Owners
// must be Capsule Users.
//+kubebuilder:default:=true
Aggregate bool `json:"aggregate"`
}
// TenantOwnerStatus defines the observed state of TenantOwner.
type TenantOwnerStatus struct{}
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Cluster
// TenantOwner is the Schema for the tenantowners API.
type TenantOwner struct {
metav1.TypeMeta `json:",inline"`
// metadata is a standard object metadata.
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
// spec defines the desired state of TenantOwner.
// +required
Spec TenantOwnerSpec `json:"spec"`
// status defines the observed state of TenantOwner.
// +optional
Status TenantOwnerStatus `json:"status,omitzero"`
}
// +kubebuilder:object:root=true
// TenantOwnerList contains a list of TenantOwner.
type TenantOwnerList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
Items []TenantOwner `json:"items"`
}
func init() {
SchemeBuilder.Register(&TenantOwner{}, &TenantOwnerList{})
}

21
api/v1beta2/tenantresource_global.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -13,8 +13,7 @@ type GlobalTenantResourceSpec struct {
TenantResourceSpec `json:",inline"`
// Defines the Tenant selector used target the tenants on which resources must be propagated.
// +optional
TenantSelector metav1.LabelSelector `json:"tenantSelector,omitzero"`
TenantSelector metav1.LabelSelector `json:"tenantSelector,omitempty"`
}
// GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
@@ -22,7 +21,7 @@ type GlobalTenantResourceStatus struct {
// List of Tenants addressed by the GlobalTenantResource.
SelectedTenants []string `json:"selectedTenants"`
// List of the replicated resources for the given TenantResource.
ProcessedItems ProcessedItems `json:"processedItems,omitzero"`
ProcessedItems ProcessedItems `json:"processedItems"`
}
type ProcessedItems []ObjectReferenceStatus
@@ -43,15 +42,11 @@ func (p *ProcessedItems) AsSet() sets.Set[string] {
// GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
type GlobalTenantResource struct {
metav1.TypeMeta `json:",inline"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
Spec GlobalTenantResourceSpec `json:"spec"`
// +optional
Status GlobalTenantResourceStatus `json:"status,omitzero"`
Spec GlobalTenantResourceSpec `json:"spec,omitempty"`
Status GlobalTenantResourceStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
@@ -59,7 +54,7 @@ type GlobalTenantResource struct {
// GlobalTenantResourceList contains a list of GlobalTenantResource.
type GlobalTenantResourceList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GlobalTenantResource `json:"items"`
}

16
api/v1beta2/tenantresource_namespaced.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -56,15 +56,11 @@ type TenantResourceStatus struct {
// The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
// For such cases, the GlobalTenantResource must be used.
type TenantResource struct {
metav1.TypeMeta `json:",inline"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
Spec TenantResourceSpec `json:"spec"`
// +optional
Status TenantResourceStatus `json:"status,omitzero"`
Spec TenantResourceSpec `json:"spec,omitempty"`
Status TenantResourceStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
@@ -72,7 +68,7 @@ type TenantResource struct {
// TenantResourceList contains a list of TenantResource.
type TenantResourceList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []TenantResource `json:"items"`
}

2
api/v1beta2/tenantresource_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2

599
api/v1beta2/zz_generated.deepcopy.go
View File

@@ -9,8 +9,7 @@ package v1beta2
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/api/meta"
"github.com/projectcapsule/capsule/pkg/runtime/selectors"
"github.com/projectcapsule/capsule/pkg/meta"
corev1 "k8s.io/api/core/v1"
"k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -37,13 +36,33 @@ func (in *AdditionalRoleBindingsSpec) DeepCopy() *AdditionalRoleBindingsSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in ByKindAndName) DeepCopyInto(out *ByKindAndName) {
{
in := &in
*out = make(ByKindAndName, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByKindAndName.
func (in ByKindAndName) DeepCopy() ByKindAndName {
if in == nil {
return nil
}
out := new(ByKindAndName)
in.DeepCopyInto(out)
return *out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CapsuleConfiguration) DeepCopyInto(out *CapsuleConfiguration) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfiguration.
@@ -99,11 +118,6 @@ func (in *CapsuleConfigurationList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CapsuleConfigurationSpec) DeepCopyInto(out *CapsuleConfigurationSpec) {
*out = *in
if in.Users != nil {
in, out := &in.Users, &out.Users
*out = make(api.UserListSpec, len(*in))
copy(*out, *in)
}
if in.UserNames != nil {
in, out := &in.UserNames, &out.UserNames
*out = make([]string, len(*in))
@@ -125,18 +139,6 @@ func (in *CapsuleConfigurationSpec) DeepCopyInto(out *CapsuleConfigurationSpec)
*out = new(NodeMetadata)
(*in).DeepCopyInto(*out)
}
if in.Administrators != nil {
in, out := &in.Administrators, &out.Administrators
*out = make(api.UserListSpec, len(*in))
copy(*out, *in)
}
in.Admission.DeepCopyInto(&out.Admission)
if in.RBAC != nil {
in, out := &in.RBAC, &out.RBAC
*out = new(RBACConfiguration)
(*in).DeepCopyInto(*out)
}
out.CacheInvalidation = in.CacheInvalidation
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationSpec.
@@ -149,27 +151,6 @@ func (in *CapsuleConfigurationSpec) DeepCopy() *CapsuleConfigurationSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CapsuleConfigurationStatus) DeepCopyInto(out *CapsuleConfigurationStatus) {
*out = *in
in.LastCacheInvalidation.DeepCopyInto(&out.LastCacheInvalidation)
if in.Users != nil {
in, out := &in.Users, &out.Users
*out = make(api.UserListSpec, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationStatus.
func (in *CapsuleConfigurationStatus) DeepCopy() *CapsuleConfigurationStatus {
if in == nil {
return nil
}
out := new(CapsuleConfigurationStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CapsuleResources) DeepCopyInto(out *CapsuleResources) {
*out = *in
@@ -185,59 +166,12 @@ func (in *CapsuleResources) DeepCopy() *CapsuleResources {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DynamicAdmission) DeepCopyInto(out *DynamicAdmission) {
*out = *in
in.Mutating.DeepCopyInto(&out.Mutating)
in.Validating.DeepCopyInto(&out.Validating)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAdmission.
func (in *DynamicAdmission) DeepCopy() *DynamicAdmission {
if in == nil {
return nil
}
out := new(DynamicAdmission)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DynamicAdmissionConfig) DeepCopyInto(out *DynamicAdmissionConfig) {
*out = *in
if in.Labels != nil {
in, out := &in.Labels, &out.Labels
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
if in.Annotations != nil {
in, out := &in.Annotations, &out.Annotations
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
in.Client.DeepCopyInto(&out.Client)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAdmissionConfig.
func (in *DynamicAdmissionConfig) DeepCopy() *DynamicAdmissionConfig {
if in == nil {
return nil
}
out := new(DynamicAdmissionConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GatewayOptions) DeepCopyInto(out *GatewayOptions) {
*out = *in
if in.AllowedClasses != nil {
in, out := &in.AllowedClasses, &out.AllowedClasses
*out = new(api.DefaultAllowedListSpec)
*out = new(api.SelectionListWithDefaultSpec)
(*in).DeepCopyInto(*out)
}
}
@@ -398,11 +332,6 @@ func (in *NamespaceOptions) DeepCopyInto(out *NamespaceOptions) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.RequiredMetadata != nil {
in, out := &in.RequiredMetadata, &out.RequiredMetadata
*out = new(RequiredMetadata)
(*in).DeepCopyInto(*out)
}
in.ForbiddenLabels.DeepCopyInto(&out.ForbiddenLabels)
in.ForbiddenAnnotations.DeepCopyInto(&out.ForbiddenAnnotations)
}
@@ -417,65 +346,6 @@ func (in *NamespaceOptions) DeepCopy() *NamespaceOptions {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *NamespaceRule) DeepCopyInto(out *NamespaceRule) {
*out = *in
in.NamespaceRuleBody.DeepCopyInto(&out.NamespaceRuleBody)
if in.NamespaceSelector != nil {
in, out := &in.NamespaceSelector, &out.NamespaceSelector
*out = new(metav1.LabelSelector)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRule.
func (in *NamespaceRule) DeepCopy() *NamespaceRule {
if in == nil {
return nil
}
out := new(NamespaceRule)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *NamespaceRuleBody) DeepCopyInto(out *NamespaceRuleBody) {
*out = *in
in.Enforce.DeepCopyInto(&out.Enforce)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRuleBody.
func (in *NamespaceRuleBody) DeepCopy() *NamespaceRuleBody {
if in == nil {
return nil
}
out := new(NamespaceRuleBody)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *NamespaceRuleEnforceBody) DeepCopyInto(out *NamespaceRuleEnforceBody) {
*out = *in
if in.Registries != nil {
in, out := &in.Registries, &out.Registries
*out = make([]api.OCIRegistry, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRuleEnforceBody.
func (in *NamespaceRuleEnforceBody) DeepCopy() *NamespaceRuleEnforceBody {
if in == nil {
return nil
}
out := new(NamespaceRuleEnforceBody)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *NodeMetadata) DeepCopyInto(out *NodeMetadata) {
*out = *in
@@ -557,27 +427,63 @@ func (in *ObjectReferenceStatus) DeepCopy() *ObjectReferenceStatus {
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Permissions) DeepCopyInto(out *Permissions) {
*out = *in
if in.MatchOwners != nil {
in, out := &in.MatchOwners, &out.MatchOwners
*out = make([]*metav1.LabelSelector, len(*in))
func (in OwnerListSpec) DeepCopyInto(out *OwnerListSpec) {
{
in := &in
*out = make(OwnerListSpec, len(*in))
for i := range *in {
if (*in)[i] != nil {
in, out := &(*in)[i], &(*out)[i]
*out = new(metav1.LabelSelector)
(*in).DeepCopyInto(*out)
}
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Permissions.
func (in *Permissions) DeepCopy() *Permissions {
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerListSpec.
func (in OwnerListSpec) DeepCopy() OwnerListSpec {
if in == nil {
return nil
}
out := new(Permissions)
out := new(OwnerListSpec)
in.DeepCopyInto(out)
return *out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OwnerSpec) DeepCopyInto(out *OwnerSpec) {
*out = *in
if in.ClusterRoles != nil {
in, out := &in.ClusterRoles, &out.ClusterRoles
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.ProxyOperations != nil {
in, out := &in.ProxyOperations, &out.ProxyOperations
*out = make([]ProxySettings, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Labels != nil {
in, out := &in.Labels, &out.Labels
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
if in.Annotations != nil {
in, out := &in.Annotations, &out.Annotations
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerSpec.
func (in *OwnerSpec) DeepCopy() *OwnerSpec {
if in == nil {
return nil
}
out := new(OwnerSpec)
in.DeepCopyInto(out)
return out
}
@@ -602,26 +508,21 @@ func (in ProcessedItems) DeepCopy() ProcessedItems {
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RBACConfiguration) DeepCopyInto(out *RBACConfiguration) {
func (in *ProxySettings) DeepCopyInto(out *ProxySettings) {
*out = *in
if in.AdministrationClusterRoles != nil {
in, out := &in.AdministrationClusterRoles, &out.AdministrationClusterRoles
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.PromotionClusterRoles != nil {
in, out := &in.PromotionClusterRoles, &out.PromotionClusterRoles
*out = make([]string, len(*in))
if in.Operations != nil {
in, out := &in.Operations, &out.Operations
*out = make([]ProxyOperation, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBACConfiguration.
func (in *RBACConfiguration) DeepCopy() *RBACConfiguration {
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxySettings.
func (in *ProxySettings) DeepCopy() *ProxySettings {
if in == nil {
return nil
}
out := new(RBACConfiguration)
out := new(ProxySettings)
in.DeepCopyInto(out)
return out
}
@@ -642,35 +543,6 @@ func (in *RawExtension) DeepCopy() *RawExtension {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RequiredMetadata) DeepCopyInto(out *RequiredMetadata) {
*out = *in
if in.Labels != nil {
in, out := &in.Labels, &out.Labels
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
if in.Annotations != nil {
in, out := &in.Annotations, &out.Annotations
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequiredMetadata.
func (in *RequiredMetadata) DeepCopy() *RequiredMetadata {
if in == nil {
return nil
}
out := new(RequiredMetadata)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePool) DeepCopyInto(out *ResourcePool) {
*out = *in
@@ -784,14 +656,6 @@ func (in *ResourcePoolClaimStatus) DeepCopyInto(out *ResourcePoolClaimStatus) {
*out = *in
out.Pool = in.Pool
in.Condition.DeepCopyInto(&out.Condition)
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make(meta.ConditionList, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
in.Allocation.DeepCopyInto(&out.Allocation)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimStatus.
@@ -807,7 +671,7 @@ func (in *ResourcePoolClaimStatus) DeepCopy() *ResourcePoolClaimStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolClaimsItem) DeepCopyInto(out *ResourcePoolClaimsItem) {
*out = *in
out.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID = in.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID
out.StatusNameUID = in.StatusNameUID
if in.Claims != nil {
in, out := &in.Claims, &out.Claims
*out = make(corev1.ResourceList, len(*in))
@@ -961,7 +825,7 @@ func (in *ResourcePoolSpec) DeepCopyInto(out *ResourcePoolSpec) {
*out = *in
if in.Selectors != nil {
in, out := &in.Selectors, &out.Selectors
*out = make([]selectors.NamespaceSelector, len(*in))
*out = make([]api.NamespaceSelector, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
@@ -1055,13 +919,6 @@ func (in *ResourcePoolStatus) DeepCopyInto(out *ResourcePoolStatus) {
(*out)[key] = *val.DeepCopy()
}
}
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make(meta.ConditionList, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolStatus.
@@ -1113,80 +970,6 @@ func (in *ResourceSpec) DeepCopy() *ResourceSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RuleStatus) DeepCopyInto(out *RuleStatus) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatus.
func (in *RuleStatus) DeepCopy() *RuleStatus {
if in == nil {
return nil
}
out := new(RuleStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *RuleStatus) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RuleStatusList) DeepCopyInto(out *RuleStatusList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]RuleStatus, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatusList.
func (in *RuleStatusList) DeepCopy() *RuleStatusList {
if in == nil {
return nil
}
out := new(RuleStatusList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *RuleStatusList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RuleStatusSpec) DeepCopyInto(out *RuleStatusSpec) {
*out = *in
in.Rule.DeepCopyInto(&out.Rule)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatusSpec.
func (in *RuleStatusSpec) DeepCopy() *RuleStatusSpec {
if in == nil {
return nil
}
out := new(RuleStatusSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Tenant) DeepCopyInto(out *Tenant) {
*out = *in
@@ -1214,62 +997,6 @@ func (in *Tenant) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantAvailableClassesStatus) DeepCopyInto(out *TenantAvailableClassesStatus) {
*out = *in
if in.StorageClasses != nil {
in, out := &in.StorageClasses, &out.StorageClasses
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.PriorityClasses != nil {
in, out := &in.PriorityClasses, &out.PriorityClasses
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.RuntimeClasses != nil {
in, out := &in.RuntimeClasses, &out.RuntimeClasses
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.GatewayClasses != nil {
in, out := &in.GatewayClasses, &out.GatewayClasses
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.DeviceClasses != nil {
in, out := &in.DeviceClasses, &out.DeviceClasses
*out = make([]string, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantAvailableClassesStatus.
func (in *TenantAvailableClassesStatus) DeepCopy() *TenantAvailableClassesStatus {
if in == nil {
return nil
}
out := new(TenantAvailableClassesStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantAvailableStatus) DeepCopyInto(out *TenantAvailableStatus) {
*out = *in
in.Classes.DeepCopyInto(&out.Classes)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantAvailableStatus.
func (in *TenantAvailableStatus) DeepCopy() *TenantAvailableStatus {
if in == nil {
return nil
}
out := new(TenantAvailableStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantList) DeepCopyInto(out *TenantList) {
*out = *in
@@ -1302,96 +1029,6 @@ func (in *TenantList) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantOwner) DeepCopyInto(out *TenantOwner) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwner.
func (in *TenantOwner) DeepCopy() *TenantOwner {
if in == nil {
return nil
}
out := new(TenantOwner)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *TenantOwner) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantOwnerList) DeepCopyInto(out *TenantOwnerList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]TenantOwner, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwnerList.
func (in *TenantOwnerList) DeepCopy() *TenantOwnerList {
if in == nil {
return nil
}
out := new(TenantOwnerList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *TenantOwnerList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantOwnerSpec) DeepCopyInto(out *TenantOwnerSpec) {
*out = *in
in.CoreOwnerSpec.DeepCopyInto(&out.CoreOwnerSpec)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwnerSpec.
func (in *TenantOwnerSpec) DeepCopy() *TenantOwnerSpec {
if in == nil {
return nil
}
out := new(TenantOwnerSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantOwnerStatus) DeepCopyInto(out *TenantOwnerStatus) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwnerStatus.
func (in *TenantOwnerStatus) DeepCopy() *TenantOwnerStatus {
if in == nil {
return nil
}
out := new(TenantOwnerStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantResource) DeepCopyInto(out *TenantResource) {
*out = *in
@@ -1502,21 +1139,9 @@ func (in *TenantResourceStatus) DeepCopy() *TenantResourceStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
*out = *in
in.Permissions.DeepCopyInto(&out.Permissions)
if in.Rules != nil {
in, out := &in.Rules, &out.Rules
*out = make([]*NamespaceRule, len(*in))
for i := range *in {
if (*in)[i] != nil {
in, out := &(*in)[i], &(*out)[i]
*out = new(NamespaceRule)
(*in).DeepCopyInto(*out)
}
}
}
if in.Owners != nil {
in, out := &in.Owners, &out.Owners
*out = make(api.OwnerListSpec, len(*in))
*out = make(OwnerListSpec, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
@@ -1542,6 +1167,11 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
(*in).DeepCopyInto(*out)
}
in.IngressOptions.DeepCopyInto(&out.IngressOptions)
if in.ContainerRegistries != nil {
in, out := &in.ContainerRegistries, &out.ContainerRegistries
*out = new(api.AllowedListSpec)
(*in).DeepCopyInto(*out)
}
if in.NodeSelector != nil {
in, out := &in.NodeSelector, &out.NodeSelector
*out = make(map[string]string, len(*in))
@@ -1549,6 +1179,8 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
(*out)[key] = val
}
}
in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
in.LimitRanges.DeepCopyInto(&out.LimitRanges)
in.ResourceQuota.DeepCopyInto(&out.ResourceQuota)
if in.AdditionalRoleBindings != nil {
in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
@@ -1557,6 +1189,11 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.ImagePullPolicies != nil {
in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
*out = make([]api.ImagePullPolicySpec, len(*in))
copy(*out, *in)
}
if in.RuntimeClasses != nil {
in, out := &in.RuntimeClasses, &out.RuntimeClasses
*out = new(api.DefaultAllowedListSpec)
@@ -1567,29 +1204,12 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
*out = new(api.DefaultAllowedListSpec)
(*in).DeepCopyInto(*out)
}
if in.DeviceClasses != nil {
in, out := &in.DeviceClasses, &out.DeviceClasses
*out = new(api.SelectorAllowedListSpec)
(*in).DeepCopyInto(*out)
}
in.GatewayOptions.DeepCopyInto(&out.GatewayOptions)
if in.ForceTenantPrefix != nil {
in, out := &in.ForceTenantPrefix, &out.ForceTenantPrefix
*out = new(bool)
**out = **in
}
if in.ContainerRegistries != nil {
in, out := &in.ContainerRegistries, &out.ContainerRegistries
*out = new(api.AllowedListSpec)
(*in).DeepCopyInto(*out)
}
if in.ImagePullPolicies != nil {
in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
*out = make([]api.ImagePullPolicySpec, len(*in))
copy(*out, *in)
}
in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
in.LimitRanges.DeepCopyInto(&out.LimitRanges)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.
@@ -1605,14 +1225,6 @@ func (in *TenantSpec) DeepCopy() *TenantSpec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantStatus) DeepCopyInto(out *TenantStatus) {
*out = *in
in.TenantAvailableStatus.DeepCopyInto(&out.TenantAvailableStatus)
if in.Owners != nil {
in, out := &in.Owners, &out.Owners
*out = make(api.OwnerStatusListSpec, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Namespaces != nil {
in, out := &in.Namespaces, &out.Namespaces
*out = make([]string, len(*in))
@@ -1648,28 +1260,6 @@ func (in *TenantStatus) DeepCopy() *TenantStatus {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantStatusNamespaceEnforcement) DeepCopyInto(out *TenantStatusNamespaceEnforcement) {
*out = *in
if in.Registries != nil {
in, out := &in.Registries, &out.Registries
*out = make([]api.OCIRegistry, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatusNamespaceEnforcement.
func (in *TenantStatusNamespaceEnforcement) DeepCopy() *TenantStatusNamespaceEnforcement {
if in == nil {
return nil
}
out := new(TenantStatusNamespaceEnforcement)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TenantStatusNamespaceItem) DeepCopyInto(out *TenantStatusNamespaceItem) {
*out = *in
@@ -1685,7 +1275,6 @@ func (in *TenantStatusNamespaceItem) DeepCopyInto(out *TenantStatusNamespaceItem
*out = new(TenantStatusNamespaceMetadata)
(*in).DeepCopyInto(*out)
}
in.Enforce.DeepCopyInto(&out.Enforce)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatusNamespaceItem.

6
charts/capsule/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: capsule-proxy
repository: oci://ghcr.io/projectcapsule/charts
version: 0.10.0
digest: sha256:b268fe0a87e4fa4d0196e5dac82c7e8ae20e96053f5ca860b1f7c44e3a357406
generated: "2025-12-09T15:58:45.796317945Z"
version: 0.9.13
digest: sha256:dbca86ef4afef07c79c0d5e049c6666a70d2b8990262224970f662531fffd9c3
generated: "2025-09-03T20:29:41.043265755Z"

6
charts/capsule/Chart.yaml
View File

@@ -1,12 +1,12 @@
apiVersion: v2
type: application
description: A Helm chart to deploy the Capsule Operator for easily implementing,
managing, and maintaining multitenancy and access control in Kubernetes.
home: https://projectcapsule.dev/
managing, and maintaining mutitenancy and access control in Kubernetes.
home: https://github.com/projectcapsule/capsule
icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
dependencies:
- name: capsule-proxy
version: 0.10.0
version: 0.9.13
repository: "oci://ghcr.io/projectcapsule/charts"
condition: proxy.enabled
alias: proxy

81
charts/capsule/README.md
View File

@@ -67,7 +67,7 @@ The following Values have changed key or Value:
|-----|------|---------|-------------|
| affinity | object | `{}` | Set affinity rules for the Capsule pod |
| certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate |
| certManager.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
| certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
| customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
| extraManifests | list | `[]` | Array of additional resources to be created alongside Capsule helm chart |
@@ -88,10 +88,9 @@ The following Values have changed key or Value:
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.imagePullSecrets | list | `[]` | |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
| tls.create | bool | `false` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
| tls.enableController | bool | `false` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
| tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
@@ -113,27 +112,19 @@ The following Values have changed key or Value:
| manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
| manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
| manager.options.administrators | list | `[]` | Define entities which can act as Administrators in the capsule construct These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor be ignored by capsule. May also be handy in GitOps scenarios where certain service accounts need to be able to manage namespaces for all tenants. |
| manager.options.allowServiceAccountPromotion | bool | `false` | ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant. However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts. |
| manager.options.annotations | object | `{}` | Additional annotations to add to the CapsuleConfiguration resource |
| manager.options.cacheInvalidation | string | `"24h0m0s"` | Duration after which the in-memory cache is invalidated (based on usaage) and re-fetched from the API server |
| manager.options.capsuleConfiguration | string | `"default"` | Change the default name of the capsule configuration name |
| manager.options.capsuleUserGroups | list | `[]` | DEPRECATED: use users properties. Names of the users considered as Capsule users. |
| manager.options.capsuleUserGroups | list | `["projectcapsule.dev"]` | Names of the groups considered as Capsule users. |
| manager.options.createConfiguration | bool | `true` | Create Configuration |
| manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
| manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
| manager.options.ignoreUserWithGroups | list | `[]` | Define groups which when found in the request of a user will be ignored by the Capsule this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups. |
| manager.options.labels | object | `{}` | Additional labels to add to the CapsuleConfiguration resource |
| manager.options.logLevel | string | `"info"` | Set the log verbosity of the capsule with a value from 1 to 5 |
| manager.options.logLevel | string | `"3"` | Set the log verbosity of the capsule with a value from 1 to 5 |
| manager.options.nodeMetadata | object | `{"forbiddenAnnotations":{"denied":[],"deniedRegex":""},"forbiddenLabels":{"denied":[],"deniedRegex":""}}` | Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant |
| manager.options.protectedNamespaceRegex | string | `""` | If specified, disallows creation of namespaces matching the passed regexp |
| manager.options.rbac | object | `{"administrationClusterRoles":["capsule-namespace-deleter"],"deleter":"capsule-namespace-deleter","promotionClusterRoles":["capsule-namespace-provisioner","capsule-namespace-deleter"],"provisioner":"capsule-namespace-provisioner"}` | Managed RBAC configuration for the controller |
| manager.options.rbac.administrationClusterRoles | list | `["capsule-namespace-deleter"]` | The ClusterRoles applied for Administrators |
| manager.options.rbac.deleter | string | `"capsule-namespace-deleter"` | Name for the ClusterRole required to grant Namespace Deletion permissions. |
| manager.options.rbac.promotionClusterRoles | list | `["capsule-namespace-provisioner","capsule-namespace-deleter"]` | The ClusterRoles applied for ServiceAccounts which had owner Promotion |
| manager.options.rbac.provisioner | string | `"capsule-namespace-provisioner"` | Name for the ClusterRole required to grant Namespace Provision permissions. |
| manager.options.userNames | list | `[]` | DEPRECATED: use users properties. Names of the users considered as Capsule users. |
| manager.options.users | list | `[{"kind":"Group","name":"projectcapsule.dev"}]` | Define entities which are considered part of the Capsule construct. Users not mentioned here will be ignored by Capsule |
| manager.options.userNames | list | `[]` | Names of the users considered as Capsule users. |
| manager.options.workers | int | `1` | Workers (MaxConcurrentReconciles) is the maximum number of concurrent Reconciles which can be run (ALPHA). |
| manager.rbac.create | bool | `true` | Specifies whether RBAC resources should be created. |
| manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
@@ -158,14 +149,6 @@ The following Values have changed key or Value:
| monitoring.dashboards.operator.folder | string | `""` | folder assignment for dashboard |
| monitoring.dashboards.operator.instanceSelector | object | `{}` | Selects Grafana instances for import |
| monitoring.dashboards.operator.resyncPeriod | string | `"10m"` | How often the resource is synced, defaults to 10m0s if not set |
| monitoring.diagnostics.annotations | object | `{}` | Annotations for dashboard configmaps |
| monitoring.diagnostics.enabled | bool | `false` | Enable Diagnostic Dashboards to be deployed |
| monitoring.diagnostics.labels | object | `{}` | Labels for dashboard configmaps |
| monitoring.diagnostics.operator.allowCrossNamespaceImport | bool | `true` | Allow the Operator to match this resource with Grafanas outside the current namespace |
| monitoring.diagnostics.operator.enabled | bool | `false` | Enable Operator Resources (GrafanaDashboard) |
| monitoring.diagnostics.operator.folder | string | `""` | folder assignment for dashboard |
| monitoring.diagnostics.operator.instanceSelector | object | `{}` | Selects Grafana instances for import |
| monitoring.diagnostics.operator.resyncPeriod | string | `"10m"` | How often the resource is synced, defaults to 10m0s if not set |
| monitoring.serviceMonitor.annotations | object | `{}` | Assign additional Annotations |
| monitoring.serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
| monitoring.serviceMonitor.endpoint.interval | string | `"15s"` | Set the scrape interval for the endpoint of the serviceMonitor |
@@ -181,38 +164,23 @@ The following Values have changed key or Value:
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| webhooks.annotations | object | `{}` | Additional Annotations for all webhooks |
| webhooks.exclusive | bool | `false` | When `crds.exclusive` is `true` the webhooks will be installed |
| webhooks.hooks.config.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.config.failurePolicy | string | `"Ignore"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.config.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.config.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.config.namespaceSelector | object | `{}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.config.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.config.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
| webhooks.hooks.cordoning.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.cordoning.matchConditions | list | `[{"expression":"!has(request.subResource) || request.subResource == \"\"","name":"ignore-subresources"},{"expression":"request.resource.resource != \"events\"","name":"ignore-events"}]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.cordoning.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.cordoning.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.cordoning.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"},{"key":"projectcapsule.dev/cordoned","operator":"In","values":["true"]}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.cordoning.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"},{"key":"projectcapsule.dev/cordoned","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.cordoning.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.cordoning.rules | list | `[{"apiGroups":["*"],"apiVersions":["*"],"operations":["CREATE","UPDATE","DELETE"],"resources":["*"],"scope":"Namespaced"}]` | [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) |
| webhooks.hooks.customresources.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.customresources.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.customresources.matchConditions | list | `[{"expression":"!has(request.subResource) || request.subResource == \"\"","name":"ignore-subresources"},{"expression":"request.resource.resource != \"events\"","name":"ignore-events"}]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.customresources.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.customresources.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.customresources.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"},{"key":"projectcapsule.dev/custom-resources","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.customresources.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.customresources.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.defaults.ingress | object | `{}` | Deprecated, use webhooks.hooks.ingresses instead |
| webhooks.hooks.defaults.pods | object | `{}` | Deprecated, use webhooks.hooks.pods instead |
| webhooks.hooks.defaults.pvc | object | `{}` | Deprecated, use webhooks.hooks.persistentvolumeclaims instead |
| webhooks.hooks.devices.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.devices.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.devices.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.devices.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.devices.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.devices.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.devices.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
| webhooks.hooks.gateways.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.gateways.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.gateways.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
@@ -226,13 +194,6 @@ The following Values have changed key or Value:
| webhooks.hooks.ingresses.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.ingresses.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.ingresses.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
| webhooks.hooks.managed.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.managed.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.managed.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.managed.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.managed.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.managed.objectSelector | object | `{"matchExpressions":[{"key":"projectcapsule.dev/managed-by","operator":"Exists"}]}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.managed.rules | list | `[{"apiGroups":["*"],"apiVersions":["*"],"operations":["CREATE","UPDATE","DELETE"],"resources":["*"],"scope":"*"}]` | [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) |
| webhooks.hooks.namespaceOwnerReference | object | `{}` | Deprecated, use webhooks.hooks.namespaces instead |
| webhooks.hooks.namespaces.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
@@ -241,6 +202,12 @@ The following Values have changed key or Value:
| webhooks.hooks.namespaces.namespaceSelector | object | `{}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.namespaces.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.namespaces.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
| webhooks.hooks.networkpolicies.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.networkpolicies.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.networkpolicies.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.networkpolicies.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.networkpolicies.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.nodes.enabled | bool | `false` | Enable the Hook |
| webhooks.hooks.nodes.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.nodes.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
@@ -285,15 +252,12 @@ The following Values have changed key or Value:
| webhooks.hooks.services.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.services.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.services.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.tenantLabel.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.tenantLabel.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.tenantLabel.matchConditions | list | `[{"expression":"!has(request.subResource) || request.subResource == \"\"","name":"ignore-subresources"},{"expression":"request.resource.resource != \"events\"","name":"ignore-events"}]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.tenantLabel.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.tenantLabel.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.tenantLabel.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.tenantLabel.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
| webhooks.hooks.tenantLabel.rules | list | `[{"apiGroups":["*"],"apiVersions":["*"],"operations":["CREATE","UPDATE"],"resources":["*"],"scope":"Namespaced"}]` | [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) |
| webhooks.hooks.tenantResourceObjects | object | `{}` | Deprecated, use webhooks.hooks.managed instead |
| webhooks.hooks.tenantResourceObjects.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.tenantResourceObjects.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.tenantResourceObjects.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
| webhooks.hooks.tenantResourceObjects.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.tenantResourceObjects.objectSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.tenants.enabled | bool | `true` | Enable the Hook |
| webhooks.hooks.tenants.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
| webhooks.hooks.tenants.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
@@ -301,7 +265,6 @@ The following Values have changed key or Value:
| webhooks.hooks.tenants.namespaceSelector | object | `{}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
| webhooks.hooks.tenants.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
| webhooks.hooks.tenants.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
| webhooks.labels | object | `{}` | Additional Labels for all webhooks |
| webhooks.mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
| webhooks.service.caBundle | string | `""` | CABundle for the webhook service |
| webhooks.service.name | string | `""` | Custom service name for the webhook service |

4
charts/capsule/ci/ha-values.yaml
View File

@@ -1,4 +0,0 @@
replicaCount: 2
manager:
extraArgs:
- "--enable-leader-election=true"

0
charts/capsule/ci/tracing.yaml → charts/capsule/ci/tracing-values.yaml
View File

326
charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
name: capsuleconfigurations.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -40,219 +40,6 @@ spec:
spec:
description: CapsuleConfigurationSpec defines the Capsule configuration.
properties:
administrators:
description: |-
Define entities which can act as Administrators in the capsule construct
These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
be ignored by capsule.
items:
properties:
kind:
description: Kind of entity. Possible values are "User", "Group",
and "ServiceAccount"
enum:
- User
- Group
- ServiceAccount
type: string
name:
description: Name of the entity.
type: string
required:
- kind
- name
type: object
type: array
admission:
description: Configuration for dynamic Validating and Mutating Admission
webhooks managed by Capsule.
properties:
mutating:
description: Configure dynamic Mutating Admission for Capsule
properties:
annotations:
additionalProperties:
type: string
description: Annotations added to the Admission Webhook
type: object
client:
description: From the upstram struct
properties:
caBundle:
description: |-
`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
format: byte
type: string
service:
description: |-
`service` is a reference to the service for this webhook. Either
`service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`.
properties:
name:
description: |-
`name` is the name of the service.
Required
type: string
namespace:
description: |-
`namespace` is the namespace of the service.
Required
type: string
path:
description: |-
`path` is an optional URL path which will be sent in any request to
this service.
type: string
port:
description: |-
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
`port` should be a valid port number (1-65535, inclusive).
format: int32
type: integer
required:
- name
- namespace
type: object
url:
description: |-
`url` gives the location of the webhook, in standard URL form
(`scheme://host:port/path`). Exactly one of `url` or `service`
must be specified.
The `host` should not refer to a service running in the cluster; use
the `service` field instead. The host might be resolved via external
DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
in-cluster DNS as that would be a layering violation). `host` may
also be an IP address.
Please note that using `localhost` or `127.0.0.1` as a `host` is
risky unless you take great care to run this webhook on all hosts
which run an apiserver which might need to make calls to this
webhook. Such installs are likely to be non-portable, i.e., not easy
to turn up in a new cluster.
The scheme must be "https"; the URL must begin with "https://".
A path is optional, and if present may be any string permissible in
a URL. You may use the path to pass an arbitrary string to the
webhook, for example, a cluster identifier.
Attempting to use a user or basic auth e.g. "user:password@" is not
allowed. Fragments ("#...") and query parameters ("?...") are not
allowed, either.
type: string
type: object
labels:
additionalProperties:
type: string
description: Labels added to the Admission Webhook
type: object
name:
description: Name the Admission Webhook
maxLength: 63
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- client
type: object
validating:
description: Configure dynamic Validating Admission for Capsule
properties:
annotations:
additionalProperties:
type: string
description: Annotations added to the Admission Webhook
type: object
client:
description: From the upstram struct
properties:
caBundle:
description: |-
`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
format: byte
type: string
service:
description: |-
`service` is a reference to the service for this webhook. Either
`service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`.
properties:
name:
description: |-
`name` is the name of the service.
Required
type: string
namespace:
description: |-
`namespace` is the namespace of the service.
Required
type: string
path:
description: |-
`path` is an optional URL path which will be sent in any request to
this service.
type: string
port:
description: |-
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
`port` should be a valid port number (1-65535, inclusive).
format: int32
type: integer
required:
- name
- namespace
type: object
url:
description: |-
`url` gives the location of the webhook, in standard URL form
(`scheme://host:port/path`). Exactly one of `url` or `service`
must be specified.
The `host` should not refer to a service running in the cluster; use
the `service` field instead. The host might be resolved via external
DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
in-cluster DNS as that would be a layering violation). `host` may
also be an IP address.
Please note that using `localhost` or `127.0.0.1` as a `host` is
risky unless you take great care to run this webhook on all hosts
which run an apiserver which might need to make calls to this
webhook. Such installs are likely to be non-portable, i.e., not easy
to turn up in a new cluster.
The scheme must be "https"; the URL must begin with "https://".
A path is optional, and if present may be any string permissible in
a URL. You may use the path to pass an arbitrary string to the
webhook, for example, a cluster identifier.
Attempting to use a user or basic auth e.g. "user:password@" is not
allowed. Fragments ("#...") and query parameters ("?...") are not
allowed, either.
type: string
type: object
labels:
additionalProperties:
type: string
description: Labels added to the Admission Webhook
type: object
name:
description: Name the Admission Webhook
maxLength: 63
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- client
type: object
type: object
allowServiceAccountPromotion:
default: false
description: |-
@@ -260,13 +47,8 @@ spec:
this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant.
However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
type: boolean
cacheInvalidation:
default: 24h
description: Define the period of time upon a cache invalidation is
executed for all caches.
type: string
enableTLSReconciler:
default: false
default: true
description: |-
Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
@@ -311,6 +93,9 @@ spec:
deniedRegex:
type: string
type: object
required:
- forbiddenAnnotations
- forbiddenLabels
type: object
overrides:
default:
@@ -346,114 +131,21 @@ spec:
description: Disallow creation of namespaces, whose name matches this
regexp
type: string
rbac:
default: {}
description: Define Properties for managed ClusterRoles by Capsule
properties:
administrationClusterRoles:
default:
- capsule-namespace-deleter
description: The ClusterRoles applied for Administrators
items:
type: string
type: array
deleter:
default: capsule-namespace-deleter
description: Name for the ClusterRole required to grant Namespace
Deletion permissions.
type: string
promotionClusterRoles:
default:
- capsule-namespace-provisioner
- capsule-namespace-deleter
description: The ClusterRoles applied for ServiceAccounts which
had owner Promotion
items:
type: string
type: array
provisioner:
default: capsule-namespace-provisioner
description: Name for the ClusterRole required to grant Namespace
Provision permissions.
type: string
type: object
userGroups:
description: |-
Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
Names of the groups considered as Capsule users.
default:
- capsule.clastix.io
description: Names of the groups considered as Capsule users.
items:
type: string
type: array
userNames:
description: |-
Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
Names of the users considered as Capsule users.
description: Names of the users considered as Capsule users.
items:
type: string
type: array
users:
description: |-
Define entities which are considered part of the Capsule construct
Users not mentioned here will be ignored by Capsule
items:
properties:
kind:
description: Kind of entity. Possible values are "User", "Group",
and "ServiceAccount"
enum:
- User
- Group
- ServiceAccount
type: string
name:
description: Name of the entity.
type: string
required:
- kind
- name
type: object
type: array
required:
- cacheInvalidation
- enableTLSReconciler
- rbac
type: object
status:
description: CapsuleConfigurationStatus defines the Capsule configuration
status.
properties:
lastCacheInvalidation:
description: Last time all caches were invalided
format: date-time
type: string
users:
description: Users which are considered Capsule Users and are bound
to the Capsule Tenant construct.
items:
properties:
kind:
description: Kind of entity. Possible values are "User", "Group",
and "ServiceAccount"
enum:
- User
- Group
- ServiceAccount
type: string
name:
description: Name of the entity.
type: string
required:
- kind
- name
type: object
type: array
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

4
charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -291,8 +291,6 @@ spec:
- processedItems
- selectedTenants
type: object
required:
- spec
type: object
served: true
storage: true

135
charts/capsule/crds/capsule.clastix.io_resourcepoolclaims.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
name: resourcepoolclaims.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -19,22 +19,18 @@ spec:
jsonPath: .status.pool.name
name: Pool
type: string
- description: Ready Status
jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
- description: Status for claim
jsonPath: .status.condition.type
name: Status
type: string
- description: Ready Message
jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Message
type: string
- description: Bound Status
jsonPath: .status.conditions[?(@.type=="Bound")].status
name: Bound
type: string
- description: Bound Message
jsonPath: .status.conditions[?(@.type=="Bound")].message
- description: Reason for status
jsonPath: .status.condition.reason
name: Reason
type: string
- description: Condition Message
jsonPath: .status.condition.message
name: Message
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -84,44 +80,8 @@ spec:
status:
description: ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
properties:
allocation:
description: Tracks the Usage from Claimed from this claim and available
resources
properties:
available:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: Used to track the usage of the resource in the pool
(diff hard - claimed). May be used for further automation
type: object
hard:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Hard is the set of enforced hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
type: object
used:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: Used is the current observed total usage of the resource
in the namespace.
type: object
type: object
condition:
description: 'Deprecated: Use Conditions'
description: Condtion for this resource claim
properties:
lastTransitionTime:
description: |-
@@ -173,83 +133,24 @@ spec:
- status
- type
type: object
conditions:
description: Conditions for the resource claim
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
pool:
description: Reference to the GlobalQuota being claimed from
properties:
name:
description: Name of the referent.
maxLength: 63
description: Name
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
namespace:
description: Namespace
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
uid:
description: UID of the tracked Tenant to pin point tracking
type: string
required:
- name
- uid
type: object
required:
- conditions
type: object
required:
- spec
type: object
served: true
storage: true

89
charts/capsule/crds/capsule.clastix.io_resourcepools.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
name: resourcepools.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -25,14 +25,6 @@ spec:
jsonPath: .status.namespaceCount
name: Namespaces
type: integer
- description: Reconcile Status
jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- description: Reconcile Message
jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
@@ -74,13 +66,13 @@ spec:
defaultsZero:
default: false
description: With this option all resources which can be allocated
are set to 0 for the resourcequota defaults. (Default false)
are set to 0 for the resourcequota defaults.
type: boolean
deleteBoundResources:
default: false
description: |-
When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state. (Default false)
By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
type: boolean
orderedQueue:
default: false
@@ -90,7 +82,7 @@ spec:
but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
it's priority was lower
Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
other claim can claim the same resources with lower priority. (Default false)
other claim can claim the same resources with lower priority.
type: boolean
type: object
defaults:
@@ -283,83 +275,22 @@ spec:
description: Claimed resources
type: object
name:
description: Name of the referent.
maxLength: 63
description: Name
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
namespace:
description: Namespace of the referent.
description: Namespace
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
uid:
description: UID of the tracked Tenant to pin point tracking
type: string
required:
- name
- namespace
- uid
type: object
type: array
description: Tracks the quotas for the Resource.
type: object
conditions:
description: Conditions for the resource claim
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
exhaustions:
additionalProperties:
properties:
@@ -389,11 +320,7 @@ spec:
items:
type: string
type: array
required:
- conditions
type: object
required:
- spec
type: object
served: true
storage: true

94
charts/capsule/crds/capsule.clastix.io_rulestatuses.yaml
View File

@@ -1,94 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
name: rulestatuses.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: RuleStatus
listKind: RuleStatusList
plural: rulestatuses
singular: rulestatus
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta2
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
status:
description: RuleStatus contains the accumulated rules applying to namespace
it's deployed in.
properties:
rule:
description: Managed Enforcement properties per Namespace (aggregated
from rules)
properties:
enforce:
description: Enforcement Rules applied
properties:
registries:
description: |-
Define registries which are allowed to be used within this tenant
The rules are aggregated, since you can use Regular Expressions the match registry endpoints
items:
properties:
policy:
description: Allowed PullPolicy for the given registry.
Supplying no value allows all policies.
items:
description: PullPolicy describes a policy for if/when
to pull a container image
type: string
type: array
url:
description: OCI Registry endpoint, is treated as regular
expression.
type: string
validation:
default:
- pod/images
- pod/volumes
description: Requesting Resources
items:
enum:
- pod/images
- pod/volumes
type: string
type: array
required:
- url
type: object
type: array
type: object
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

82
charts/capsule/crds/capsule.clastix.io_tenantowners.yaml
View File

@@ -1,82 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
name: tenantowners.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: TenantOwner
listKind: TenantOwnerList
plural: tenantowners
singular: tenantowner
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: TenantOwner is the Schema for the tenantowners API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: spec defines the desired state of TenantOwner.
properties:
aggregate:
default: true
description: |-
Adds the given subject as capsule user. When enabled this subject does not have to be
mentioned in the CapsuleConfiguration as Capsule User. In almost all scenarios Tenant Owners
must be Capsule Users.
type: boolean
clusterRoles:
default:
- admin
- capsule-namespace-deleter
description: Defines additional cluster-roles for the specific Owner.
items:
type: string
type: array
kind:
description: Kind of entity. Possible values are "User", "Group",
and "ServiceAccount"
enum:
- User
- Group
- ServiceAccount
type: string
name:
description: Name of the entity.
type: string
required:
- aggregate
- kind
- name
type: object
status:
description: status defines the observed state of TenantOwner.
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

4
charts/capsule/crds/capsule.clastix.io_tenantresources.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -239,8 +239,6 @@ spec:
required:
- processedItems
type: object
required:
- spec
type: object
served: true
storage: true

430
charts/capsule/crds/capsule.clastix.io_tenants.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
name: tenants.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -123,16 +123,10 @@ spec:
can use only one of the allowed trusted registries. Optional.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
type: object
imagePullPolicies:
@@ -157,16 +151,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class
names within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
type: object
allowedHostnames:
@@ -176,16 +164,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class
names within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
type: object
hostnameCollisionScope:
@@ -858,16 +840,10 @@ spec:
can use only one of the allowed PriorityClasses. Optional.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
type: object
resourceQuotas:
@@ -1036,16 +1012,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
type: object
required:
@@ -1074,8 +1044,6 @@ spec:
- size
- state
type: object
required:
- spec
type: object
served: true
storage: false
@@ -1191,22 +1159,15 @@ spec:
type: object
type: array
containerRegistries:
description: |-
Deprecated: Use Enforcement.Registries instead
Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
description: Specifies the trusted Image Registries assigned to the
Tenant. Capsule assures that all Pods resources created in the Tenant
can use only one of the allowed trusted registries. Optional.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
type: object
cordoned:
@@ -1214,64 +1175,6 @@ spec:
description: Toggling the Tenant resources cordoning, when enable
resources cannot be deleted.
type: boolean
deviceClasses:
description: Specifies options for the DeviceClass resources.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
forceTenantPrefix:
description: |-
Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
@@ -1288,18 +1191,6 @@ spec:
properties:
allowedClasses:
properties:
allowed:
description: Match exact elements which are allowed as class
names within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
default:
type: string
matchExpressions:
@@ -1347,10 +1238,9 @@ spec:
x-kubernetes-map-type: atomic
type: object
imagePullPolicies:
description: |-
Deprecated: Use Enforcement.Registries instead
Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
description: Specify the allowed values for the imagePullPolicies
option in Pod resources. Capsule assures that all Pod resources
created in the Tenant can use only one of the allowed policy. Optional.
items:
enum:
- Always
@@ -1374,16 +1264,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class
names within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
default:
type: string
@@ -1437,16 +1321,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class
names within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
type: object
hostnameCollisionScope:
@@ -1470,9 +1348,8 @@ spec:
type: object
limitRanges:
description: |-
Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
properties:
items:
items:
@@ -1562,9 +1439,8 @@ spec:
properties:
additionalMetadata:
description: |-
Deprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)
Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
Deprecated: Use additionalMetadataList instead
properties:
annotations:
additionalProperties:
@@ -1675,26 +1551,11 @@ spec:
format: int32
minimum: 1
type: integer
requiredMetadata:
description: Required Metadata for namespace within this tenant
properties:
annotations:
additionalProperties:
type: string
description: Annotations that must be defined for each namespace
type: object
labels:
additionalProperties:
type: string
description: Labels that must be defined for each namespace
type: object
type: object
type: object
networkPolicies:
description: |-
Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
properties:
items:
items:
@@ -2200,8 +2061,8 @@ spec:
type: string
type: array
kind:
description: Kind of entity. Possible values are "User", "Group",
and "ServiceAccount"
description: Kind of tenant owner. Possible values are "User",
"Group", and "ServiceAccount"
enum:
- User
- Group
@@ -2213,7 +2074,7 @@ spec:
description: Additional Labels for the synchronized rolebindings
type: object
name:
description: Name of the entity.
description: Name of tenant owner.
type: string
proxySettings:
description: Proxy settings for tenant owner.
@@ -2246,65 +2107,6 @@ spec:
- name
type: object
type: array
permissions:
description: Specify Permissions for the Tenant.
properties:
matchOwners:
description: |-
Matches TenantOwner objects which are promoted to owners of this tenant
The elements are OR operations and independent. You can see the resulting Tenant Owners
in the Status.Owners specification of the Tenant.
items:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
type: object
podOptions:
description: Specifies options for the Pods deployed in the Tenant
namespaces, such as additional metadata.
@@ -2337,16 +2139,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
default:
type: string
@@ -2480,100 +2276,6 @@ spec:
- Namespace
type: string
type: object
rules:
description: |-
Specify enforcement specifications for the scope of the Tenant.
We are moving all configuration enforcement. per namespace into a rule construct.
It's currently not final.
Read More: https://projectcapsule.dev/docs/tenants/rules/
items:
properties:
enforce:
description: Enforcement Rules applied
properties:
registries:
description: |-
Define registries which are allowed to be used within this tenant
The rules are aggregated, since you can use Regular Expressions the match registry endpoints
items:
properties:
policy:
description: Allowed PullPolicy for the given registry.
Supplying no value allows all policies.
items:
description: PullPolicy describes a policy for if/when
to pull a container image
type: string
type: array
url:
description: OCI Registry endpoint, is treated as
regular expression.
type: string
validation:
default:
- pod/images
- pod/volumes
description: Requesting Resources
items:
enum:
- pod/images
- pod/volumes
type: string
type: array
required:
- url
type: object
type: array
type: object
namespaceSelector:
description: Select namespaces which are going to usese
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
type: array
runtimeClasses:
description: |-
Specifies the allowed RuntimeClasses assigned to the Tenant.
@@ -2581,16 +2283,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
default:
type: string
@@ -2717,16 +2413,10 @@ spec:
Optional.
properties:
allowed:
description: Match exact elements which are allowed as class names
within this tenant
items:
type: string
type: array
allowedRegex:
description: |-
Deprecated: will be removed in a future release
Match elements by regex.
type: string
default:
type: string
@@ -2777,36 +2467,6 @@ spec:
status:
description: Returns the observed state of the Tenant.
properties:
classes:
description: Available Class Types within Tenant
properties:
device:
description: Available DeviceClasses
items:
type: string
type: array
gateway:
description: Available GatewayClasses
items:
type: string
type: array
priority:
description: Available PriorityClasses
items:
type: string
type: array
runtime:
description: Available StorageClasses
items:
type: string
type: array
storage:
description: Available Storageclasses (Only collected if any matching
condition is specified)
items:
type: string
type: array
type: object
conditions:
description: Tenant Condition
items:
@@ -2869,35 +2529,6 @@ spec:
items:
type: string
type: array
owners:
description: Collected owners for this tenant
items:
properties:
clusterRoles:
default:
- admin
- capsule-namespace-deleter
description: Defines additional cluster-roles for the specific
Owner.
items:
type: string
type: array
kind:
description: Kind of entity. Possible values are "User", "Group",
and "ServiceAccount"
enum:
- User
- Group
- ServiceAccount
type: string
name:
description: Name of the entity.
type: string
required:
- kind
- name
type: object
type: array
size:
description: How many namespaces are assigned to the Tenant.
type: integer
@@ -2964,41 +2595,6 @@ spec:
- type
type: object
type: array
enforce:
description: Managed Metadata
properties:
registry:
description: Registries which are allowed within this namespace
items:
properties:
policy:
description: Allowed PullPolicy for the given registry.
Supplying no value allows all policies.
items:
description: PullPolicy describes a policy for if/when
to pull a container image
type: string
type: array
url:
description: OCI Registry endpoint, is treated as
regular expression.
type: string
validation:
default:
- pod/images
- pod/volumes
description: Requesting Resources
items:
enum:
- pod/images
- pod/volumes
type: string
type: array
required:
- url
type: object
type: array
type: object
metadata:
description: Managed Metadata
properties:

1083
charts/capsule/diagnostics/admission-dashboard.json
View File

File diff suppressed because it is too large Load Diff

37
charts/capsule/templates/_helpers.tpl
View File

@@ -155,24 +155,6 @@ service:
{{- end }}
{{- end }}
{{/*
Capsule Webhook service (Without Path)
*/}}
{{- define "capsule.webhooks.serviceConfig" -}}
{{- include "capsule.webhooks.cabundle" $ | nindent 0 }}
{{- if $.Values.webhooks.service.url }}
url: {{ trimSuffix "/" $.Values.webhooks.service.url }}
{{- else }}
service:
name: {{ default (printf "%s-webhook-service" (include "capsule.fullname" $)) $.Values.webhooks.service.name }}
namespace: {{ default $.Release.Namespace $.Values.webhooks.service.namespace }}
port: {{ default 443 $.Values.webhooks.service.port }}
{{- end }}
{{- end }}
{{/*
Capsule Webhook endpoint CA Bundle
*/}}
@@ -198,22 +180,3 @@ caBundle: {{ $.Values.webhooks.service.caBundle -}}
{{- $joined := join "," $sizes -}}
{{- sha256sum $joined -}}
{{- end -}}
{{- define "admission.labels" -}}
{{- with $.Values.webhooks.labels }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- end }}
{{- define "admission.annotations" -}}
{{- if and ($.Values.certManager.generateCertificates) (not $.Values.webhooks.service.caBundle) }}
cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert
{{- end }}
{{- with $.Values.customAnnotations }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- with $.Values.webhooks.annotations }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- end }}

32
charts/capsule/templates/configuration.yaml
View File

@@ -14,38 +14,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
cacheInvalidation: {{ .Values.manager.options.cacheInvalidation }}
rbac:
{{- toYaml .Values.manager.options.rbac | nindent 4 }}
admission:
validating:
name: "{{ include "capsule.fullname" . }}-dynamic"
client:
{{- include "capsule.webhooks.serviceConfig" $ | nindent 8 }}
{{- if (include "admission.labels" $) }}
labels:
{{- include "admission.labels" $ | nindent 8 }}
{{- end }}
{{- if (include "admission.annotations" $) }}
annotations:
{{- include "admission.annotations" $ | nindent 8 }}
{{- end }}
mutating:
name: "{{ include "capsule.fullname" . }}-dynamic"
client:
{{- include "capsule.webhooks.serviceConfig" $ | nindent 8 }}
{{- if (include "admission.labels" $) }}
labels:
{{- include "admission.labels" $ | nindent 8 }}
{{- end }}
{{- if (include "admission.annotations" $) }}
annotations:
{{- include "admission.annotations" $ | nindent 8 }}
{{- end }}
administrators:
{{- toYaml .Values.manager.options.administrators | nindent 4 }}
users:
{{- toYaml .Values.manager.options.users | nindent 4 }}
enableTLSReconciler: {{ .Values.tls.enableController }}
overrides:
mutatingWebhookConfigurationName: {{ include "capsule.fullname" . }}-mutating-webhook-configuration

2
charts/capsule/templates/crd-lifecycle/job.yaml
View File

@@ -87,7 +87,7 @@ spec:
# piping stderr to stdout means kubectl's errors are surfaced
# in the pod's logs.
kubectl apply --server-side=true --overwrite=true --force-conflicts=true --field-manager='capsule/crd-lifecycle' -f /data/ 2>&1
kubectl apply --server-side=true --overwrite=true --force-conflicts=true -f /data/ 2>&1
volumeMounts:
{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
- name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}

2
charts/capsule/templates/crd-lifecycle/rbac.yaml
View File

@@ -31,8 +31,6 @@ rules:
- tenantresources.capsule.clastix.io
- globaltenantresources.capsule.clastix.io
- tenants.capsule.clastix.io
- tenantowners.capsule.clastix.io
- rulestatuses.capsule.clastix.io
verbs:
- create
- delete

0
charts/capsule/templates/dashboards/operations.yaml → charts/capsule/templates/dashboards.yaml
View File

51
charts/capsule/templates/dashboards/diagnostics.yaml
View File

@@ -1,51 +0,0 @@
{{- if $.Values.monitoring.diagnostics.enabled }}
{{ range $path, $_ := .Files.Glob "dashboards/**-dashboard.json" }}
{{- with $ }}
{{- $content := (.Files.Get $path) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capsule.fullname" . }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$" }}-dashboard
namespace: {{ default $.Release.Namespace $.Values.monitoring.diagnostics.namespace | quote }}
annotations:
{{- with $.Values.monitoring.diagnostics.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "capsule.labels" $ | nindent 4 }}
{{- with $.Values.monitoring.diagnostics.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{ base $path }}: |-
{{- $content | nindent 4 }}
{{- if $.Values.monitoring.diagnostics.operator.enabled }}
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
name: {{ include "capsule.fullname" $ }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$" }}
namespace: {{ default $.Release.Namespace $.Values.monitoring.diagnostics.namespace | quote }}
annotations:
{{- with $.Values.monitoring.diagnostics.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "capsule.labels" $ | nindent 4 }}
{{- with $.Values.monitoring.diagnostics.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
configMapRef:
name: {{ include "capsule.fullname" $ }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$" }}-dashboard
key: {{ base $path }}
{{- with (omit $.Values.monitoring.diagnostics.operator "enabled") }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

49
charts/capsule/templates/mutatingwebhookconfiguration.yaml
View File

@@ -3,12 +3,15 @@ apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
namespace: {{ $.Release.Namespace }}
labels:
{{- include "capsule.labels" $ | nindent 4 }}
{{- include "admission.labels" . | nindent 4 }}
{{- include "capsule.labels" . | nindent 4 }}
annotations:
{{- include "admission.annotations" . | nindent 4 }}
{{- if .Values.certManager.generateCertificates }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
{{- end }}
{{- with .Values.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- with (mergeOverwrite .Values.webhooks.hooks.pods .Values.webhooks.hooks.defaults.pods) }}
{{- if .enabled }}
@@ -164,7 +167,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/namespaces/mutating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/namespace-patch" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
reinvocationPolicy: {{ .reinvocationPolicy }}
@@ -202,7 +205,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepools/mutating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/mutating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
reinvocationPolicy: {{ .reinvocationPolicy }}
@@ -240,7 +243,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepools/claim/mutating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/mutating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
reinvocationPolicy: {{ .reinvocationPolicy }}
@@ -298,7 +301,7 @@ webhooks:
- apiGroups:
- capsule.clastix.io
apiVersions:
- "*"
- v1beta2
operations:
- CREATE
- UPDATE
@@ -310,33 +313,5 @@ webhooks:
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.tenantLabel }}
{{- if .enabled }}
- name: assign.misc.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/misc/tenant-label" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
reinvocationPolicy: {{ .reinvocationPolicy }}
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .matchConditions }}
matchConditions:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- toYaml .rules | nindent 4 }}
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- end }}

6
charts/capsule/templates/serviceaccount.yaml
View File

@@ -11,11 +11,5 @@ metadata:
annotations:
{{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

242
charts/capsule/templates/validatingwebhookconfiguration.yaml
View File

@@ -5,57 +5,23 @@ metadata:
name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
namespace: {{ $.Release.Namespace }}
labels:
{{- include "capsule.labels" $ | nindent 4 }}
{{- include "admission.labels" . | nindent 4 }}
{{- include "capsule.labels" . | nindent 4 }}
annotations:
{{- include "admission.annotations" . | nindent 4 }}
{{- if .Values.certManager.generateCertificates }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
{{- end }}
{{- with .Values.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- with .Values.webhooks.hooks.customresources }}
{{- if .enabled }}
- name: customresources.misc.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/misc/customresources" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .matchConditions }}
matchConditions:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
- DELETE
resources:
- '*'
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.cordoning }}
{{- if .enabled }}
- name: cordoning.misc.projectcapsule.dev
- name: cordoning.tenant.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/misc/cordoning" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/cordoning" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -78,44 +44,6 @@ webhooks:
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.devices }}
{{- if .enabled }}
- name: devices.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/devices/validating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .matchConditions }}
matchConditions:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- resource.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- resourceclaimtemplates
- resourceclaims
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.gateways }}
{{- if .enabled }}
- name: gateway.projectcapsule.dev
@@ -123,7 +51,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/gateways/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/gateways" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -160,7 +88,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/ingresses/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/ingresses" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -199,7 +127,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/namespaces/validating " "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/namespaces" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -225,13 +153,48 @@ webhooks:
- DELETE
resources:
- namespaces
- namespaces/status
- namespace/finalize
scope: '*'
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.networkpolicies }}
{{- if .enabled }}
- name: networkpolicies.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/networkpolicies" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .matchConditions }}
matchConditions:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- UPDATE
- DELETE
resources:
- networkpolicies
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.nodes }}
{{- if .enabled }}
- name: nodes.projectcapsule.dev
@@ -239,7 +202,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/nodes/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/nodes" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -274,7 +237,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/pods/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/pods" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -312,7 +275,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -348,7 +311,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/services/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/services" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -378,13 +341,13 @@ webhooks:
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with (mergeOverwrite .Values.webhooks.hooks.managed .Values.webhooks.hooks.tenantResourceObjects) }}
{{- with .Values.webhooks.hooks.tenantResourceObjects }}
{{- if .enabled }}
- name: resource-objects.tenant.projectcapsule.dev
admissionReviewVersions:
- v1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/misc/managed" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/tenantresource-objects" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -400,7 +363,16 @@ webhooks:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- toYaml .rules | nindent 4 }}
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- UPDATE
- DELETE
resources:
- '*'
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
@@ -450,7 +422,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepools/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/validating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -487,7 +459,7 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepools/claim/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/validating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -518,14 +490,52 @@ webhooks:
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.serviceaccounts }}
{{- with .Values.webhooks.hooks.customresources }}
{{- if .enabled }}
- name: serviceaccounts.projectcapsule.dev
- name: customresources.tenant.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/serviceaccounts/validating" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/customresources" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .matchConditions }}
matchConditions:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
- DELETE
resources:
- '*'
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.serviceaccounts }}
{{- if .enabled }}
- name: serviceaccounts.tenant.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/serviceaccounts" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
@@ -555,40 +565,4 @@ webhooks:
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- with .Values.webhooks.hooks.config }}
{{- if .enabled }}
- name: config.projectcapsule.dev
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/config/validating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .matchConditions }}
matchConditions:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- capsule.clastix.io
apiVersions:
- v1beta2
operations:
- UPDATE
resources:
- capsuleconfigurations
scope: 'Cluster'
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- end }}

438
charts/capsule/values.schema.json
View File

@@ -319,10 +319,6 @@
"options": {
"type": "object",
"properties": {
"administrators": {
"description": "Define entities which can act as Administrators in the capsule construct These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor be ignored by capsule. May also be handy in GitOps scenarios where certain service accounts need to be able to manage namespaces for all tenants.",
"type": "array"
},
"allowServiceAccountPromotion": {
"description": "ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant. However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.",
"type": "boolean"
@@ -331,17 +327,16 @@
"description": "Additional annotations to add to the CapsuleConfiguration resource",
"type": "object"
},
"cacheInvalidation": {
"description": "Duration after which the in-memory cache is invalidated (based on usaage) and re-fetched from the API server",
"type": "string"
},
"capsuleConfiguration": {
"description": "Change the default name of the capsule configuration name",
"type": "string"
},
"capsuleUserGroups": {
"description": "DEPRECATED: use users properties. Names of the users considered as Capsule users.",
"type": "array"
"description": "Names of the groups considered as Capsule users.",
"type": "array",
"items": {
"type": "string"
}
},
"createConfiguration": {
"description": "Create Configuration",
@@ -399,53 +394,10 @@
"description": "If specified, disallows creation of namespaces matching the passed regexp",
"type": "string"
},
"rbac": {
"description": "Managed RBAC configuration for the controller",
"type": "object",
"properties": {
"administrationClusterRoles": {
"description": "The ClusterRoles applied for Administrators",
"type": "array",
"items": {
"type": "string"
}
},
"deleter": {
"description": "Name for the ClusterRole required to grant Namespace Deletion permissions.",
"type": "string"
},
"promotionClusterRoles": {
"description": "The ClusterRoles applied for ServiceAccounts which had owner Promotion",
"type": "array",
"items": {
"type": "string"
}
},
"provisioner": {
"description": "Name for the ClusterRole required to grant Namespace Provision permissions.",
"type": "string"
}
}
},
"userNames": {
"description": "DEPRECATED: use users properties. Names of the users considered as Capsule users.",
"description": "Names of the users considered as Capsule users.",
"type": "array"
},
"users": {
"description": "Define entities which are considered part of the Capsule construct. Users not mentioned here will be ignored by Capsule",
"type": "array",
"items": {
"type": "object",
"properties": {
"kind": {
"type": "string"
},
"name": {
"type": "string"
}
}
}
},
"workers": {
"description": "Workers (MaxConcurrentReconciles) is the maximum number of concurrent Reconciles which can be run (ALPHA).",
"type": "integer"
@@ -557,48 +509,6 @@
}
}
},
"diagnostics": {
"type": "object",
"properties": {
"annotations": {
"description": "Annotations for dashboard configmaps",
"type": "object"
},
"enabled": {
"description": "Enable Diagnostic Dashboards to be deployed",
"type": "boolean"
},
"labels": {
"description": "Labels for dashboard configmaps",
"type": "object"
},
"operator": {
"type": "object",
"properties": {
"allowCrossNamespaceImport": {
"description": "Allow the Operator to match this resource with Grafanas outside the current namespace",
"type": "boolean"
},
"enabled": {
"description": "Enable Operator Resources (GrafanaDashboard)",
"type": "boolean"
},
"folder": {
"description": "folder assignment for dashboard",
"type": "string"
},
"instanceSelector": {
"description": "Selects Grafana instances for import",
"type": "object"
},
"resyncPeriod": {
"description": "How often the resource is synced, defaults to 10m0s if not set",
"type": "string"
}
}
}
}
},
"serviceMonitor": {
"type": "object",
"properties": {
@@ -784,9 +694,6 @@
"description": "Specifies whether a service account should be created.",
"type": "boolean"
},
"imagePullSecrets": {
"type": "array"
},
"name": {
"description": "The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template",
"type": "string"
@@ -821,10 +728,6 @@
"webhooks": {
"type": "object",
"properties": {
"annotations": {
"description": "Additional Annotations for all webhooks",
"type": "object"
},
"exclusive": {
"description": "When `crds.exclusive` is `true` the webhooks will be installed",
"type": "boolean"
@@ -832,7 +735,7 @@
"hooks": {
"type": "object",
"properties": {
"config": {
"cordoning": {
"type": "object",
"properties": {
"enabled": {
@@ -851,50 +754,6 @@
"description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "string"
},
"namespaceSelector": {
"description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
"type": "object"
},
"objectSelector": {
"description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
"type": "object"
},
"reinvocationPolicy": {
"description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
"type": "string"
}
}
},
"cordoning": {
"type": "object",
"properties": {
"enabled": {
"description": "Enable the Hook",
"type": "boolean"
},
"failurePolicy": {
"description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
"type": "string"
},
"matchConditions": {
"description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "array",
"items": {
"type": "object",
"properties": {
"expression": {
"type": "string"
},
"name": {
"type": "string"
}
}
}
},
"matchPolicy": {
"description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "string"
},
"namespaceSelector": {
"description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
"type": "object",
@@ -909,12 +768,6 @@
},
"operator": {
"type": "string"
},
"values": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
@@ -976,18 +829,7 @@
},
"matchConditions": {
"description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "array",
"items": {
"type": "object",
"properties": {
"expression": {
"type": "string"
},
"name": {
"type": "string"
}
}
}
"type": "array"
},
"matchPolicy": {
"description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
@@ -1036,55 +878,6 @@
}
}
},
"devices": {
"type": "object",
"properties": {
"enabled": {
"description": "Enable the Hook",
"type": "boolean"
},
"failurePolicy": {
"description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
"type": "string"
},
"matchConditions": {
"description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "array"
},
"matchPolicy": {
"description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "string"
},
"namespaceSelector": {
"description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
"type": "object",
"properties": {
"matchExpressions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
}
}
}
}
}
},
"objectSelector": {
"description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
"type": "object"
},
"reinvocationPolicy": {
"description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
"type": "string"
}
}
},
"gateways": {
"type": "object",
"properties": {
@@ -1179,103 +972,6 @@
}
}
},
"managed": {
"type": "object",
"properties": {
"enabled": {
"description": "Enable the Hook",
"type": "boolean"
},
"failurePolicy": {
"description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
"type": "string"
},
"matchConditions": {
"description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "array"
},
"matchPolicy": {
"description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "string"
},
"namespaceSelector": {
"description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
"type": "object",
"properties": {
"matchExpressions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
}
}
}
}
}
},
"objectSelector": {
"description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
"type": "object",
"properties": {
"matchExpressions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
}
}
}
}
}
},
"rules": {
"description": "[Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)",
"type": "array",
"items": {
"type": "object",
"properties": {
"apiGroups": {
"type": "array",
"items": {
"type": "string"
}
},
"apiVersions": {
"type": "array",
"items": {
"type": "string"
}
},
"operations": {
"type": "array",
"items": {
"type": "string"
}
},
"resources": {
"type": "array",
"items": {
"type": "string"
}
},
"scope": {
"type": "string"
}
}
}
}
}
},
"namespaceOwnerReference": {
"description": "Deprecated, use webhooks.hooks.namespaces instead",
"type": "object"
@@ -1313,6 +1009,51 @@
}
}
},
"networkpolicies": {
"type": "object",
"properties": {
"enabled": {
"description": "Enable the Hook",
"type": "boolean"
},
"failurePolicy": {
"description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
"type": "string"
},
"matchConditions": {
"description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "array"
},
"matchPolicy": {
"description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "string"
},
"namespaceSelector": {
"description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
"type": "object",
"properties": {
"matchExpressions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
}
}
}
}
}
},
"objectSelector": {
"description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
"type": "object"
}
}
},
"nodes": {
"type": "object",
"properties": {
@@ -1593,7 +1334,7 @@
}
}
},
"tenantLabel": {
"tenantResourceObjects": {
"type": "object",
"properties": {
"enabled": {
@@ -1606,18 +1347,7 @@
},
"matchConditions": {
"description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
"type": "array",
"items": {
"type": "object",
"properties": {
"expression": {
"type": "string"
},
"name": {
"type": "string"
}
}
}
"type": "array"
},
"matchPolicy": {
"description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
@@ -1645,54 +1375,26 @@
},
"objectSelector": {
"description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
"type": "object"
},
"reinvocationPolicy": {
"description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
"type": "string"
},
"rules": {
"description": "[Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)",
"type": "array",
"items": {
"type": "object",
"properties": {
"apiGroups": {
"type": "array",
"items": {
"type": "string"
"type": "object",
"properties": {
"matchExpressions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
}
}
},
"apiVersions": {
"type": "array",
"items": {
"type": "string"
}
},
"operations": {
"type": "array",
"items": {
"type": "string"
}
},
"resources": {
"type": "array",
"items": {
"type": "string"
}
},
"scope": {
"type": "string"
}
}
}
}
}
},
"tenantResourceObjects": {
"description": "Deprecated, use webhooks.hooks.managed instead",
"type": "object"
},
"tenants": {
"type": "object",
"properties": {
@@ -1728,10 +1430,6 @@
}
}
},
"labels": {
"description": "Additional Labels for all webhooks",
"type": "object"
},
"mutatingWebhooksTimeoutSeconds": {
"description": "Timeout in seconds for mutating webhooks",
"type": "integer"

177
charts/capsule/values.yaml
View File

@@ -83,9 +83,9 @@ crds:
# Secret Options
tls:
# -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
enableController: false
enableController: true
# -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion.
create: false
create: true
# -- Override name of the Capsule TLS Secret name when externally managed.
name: ""
@@ -177,19 +177,11 @@ manager:
# -- Workers (MaxConcurrentReconciles) is the maximum number of concurrent Reconciles which can be run (ALPHA).
workers: 1
# -- Set the log verbosity of the capsule with a value from 1 to 5
logLevel: "info"
# -- Define entities which are considered part of the Capsule construct.
# Users not mentioned here will be ignored by Capsule
users:
- kind: "Group"
name: "projectcapsule.dev"
# -- Define entities which can act as Administrators in the capsule construct
# These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
# for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
# be ignored by capsule. May also be handy in GitOps scenarios where certain service accounts need to be able to manage namespaces for all tenants.
administrators: []
# - kind: User
# name: alice
logLevel: '3'
# -- Names of the users considered as Capsule users.
userNames: []
# -- Names of the groups considered as Capsule users.
capsuleUserGroups: ["projectcapsule.dev"]
# -- Define groups which when found in the request of a user will be ignored by the Capsule
# this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
ignoreUserWithGroups: []
@@ -212,31 +204,6 @@ manager:
denied: []
deniedRegex: ""
# -- Duration after which the in-memory cache is invalidated (based on usaage) and re-fetched from the API server
cacheInvalidation: 24h0m0s
# -- Managed RBAC configuration for the controller
rbac:
# -- The ClusterRoles applied for Administrators
administrationClusterRoles:
- capsule-namespace-deleter
# -- The ClusterRoles applied for ServiceAccounts which had owner Promotion
promotionClusterRoles:
- capsule-namespace-provisioner
- capsule-namespace-deleter
# -- Name for the ClusterRole required to grant Namespace Deletion permissions.
deleter: capsule-namespace-deleter
# -- Name for the ClusterRole required to grant Namespace Provision permissions.
provisioner: capsule-namespace-provisioner
# -- DEPRECATED: use users properties.
# Names of the users considered as Capsule users.
userNames: []
# -- DEPRECATED: use users properties.
# Names of the users considered as Capsule users.
capsuleUserGroups: []
# -- A list of extra arguments for the capsule controller
extraArgs:
- "--enable-leader-election=true"
@@ -336,12 +303,9 @@ serviceAccount:
# -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template
name: ""
imagePullSecrets: []
# just string array [ "sec-1", "sec-2" ]
certManager:
# -- Specifies whether capsule webhooks certificates should be generated using cert-manager
generateCertificates: true
generateCertificates: false
# -- Specify additional SANS to add to the certificate
additionalSANS: []
# -- Additional labels which will be added to all resources created by Capsule helm chart
@@ -362,28 +326,6 @@ extraManifests: []
# Monitoring Settings
monitoring:
diagnostics:
# -- Enable Diagnostic Dashboards to be deployed
enabled: false
# -- Annotations for dashboard configmaps
annotations: {}
# -- Labels for dashboard configmaps
labels: {}
# grafana_dashboard: "1"
# Grafana Operator
operator:
# -- Enable Operator Resources (GrafanaDashboard)
enabled: false
# -- Allow the Operator to match this resource with Grafanas outside the current namespace
allowCrossNamespaceImport: true
# -- How often the resource is synced, defaults to 10m0s if not set
resyncPeriod: "10m"
# -- Selects Grafana instances for import
instanceSelector: {}
# -- folder assignment for dashboard
folder: ""
dashboards:
# -- Enable Dashboards to be deployed
enabled: false
@@ -394,7 +336,6 @@ monitoring:
# grafana_dashboard: "1"
# -- Custom namespace for dashboard configmaps
namespace: ""
# Grafana Operator
operator:
# -- Enable Operator Resources (GrafanaDashboard)
@@ -442,12 +383,6 @@ webhooks:
# -- Timeout in seconds for validating webhooks
validatingWebhooksTimeoutSeconds: 30
# -- Additional Labels for all webhooks
labels: {}
# -- Additional Annotations for all webhooks
annotations: {}
# Configure custom webhook service
service:
# -- The URL where the capsule webhook services are running (Overwrites cluster scoped service definition)
@@ -463,41 +398,6 @@ webhooks:
# Admission Webhook Configuration
hooks:
tenantLabel:
# -- Enable the Hook
enabled: true
# -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
failurePolicy: Fail
# -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchPolicy: Equivalent
# -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
objectSelector: {}
# -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
namespaceSelector:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
# -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchConditions:
- name: ignore-subresources
expression: '!has(request.subResource) || request.subResource == ""'
- name: ignore-events
expression: 'request.resource.resource != "events"'
# -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
reinvocationPolicy: Never
# -- [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*'
scope: Namespaced
resourcepools:
pools:
@@ -542,16 +442,8 @@ webhooks:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- key: projectcapsule.dev/custom-resources
operator: Exists
# -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchConditions:
- name: ignore-subresources
expression: '!has(request.subResource) || request.subResource == ""'
- name: ignore-events
expression: 'request.resource.resource != "events"'
matchConditions: []
namespaces:
# -- Enable the Hook
@@ -584,15 +476,9 @@ webhooks:
- key: capsule.clastix.io/tenant
operator: Exists
- key: projectcapsule.dev/cordoned
operator: In
values:
- "true"
operator: Exists
# -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchConditions:
- name: ignore-subresources
expression: '!has(request.subResource) || request.subResource == ""'
- name: ignore-events
expression: 'request.resource.resource != "events"'
matchConditions: []
# -- [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)
rules:
- apiGroups:
@@ -642,7 +528,8 @@ webhooks:
matchConditions: []
# -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
reinvocationPolicy: Never
devices:
networkpolicies:
# -- Enable the Hook
enabled: true
# -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
@@ -658,8 +545,6 @@ webhooks:
operator: Exists
# -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchConditions: []
# -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
reinvocationPolicy: Never
pods:
# -- Enable the Hook
@@ -715,23 +600,7 @@ webhooks:
# -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
reinvocationPolicy: Never
config:
# -- Enable the Hook
enabled: true
# -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
failurePolicy: Ignore
# -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchPolicy: Exact
# -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
objectSelector: {}
# -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
namespaceSelector: {}
# -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchConditions: []
# -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
reinvocationPolicy: Never
managed:
tenantResourceObjects:
# -- Enable the Hook
enabled: true
# -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
@@ -741,7 +610,7 @@ webhooks:
# -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
objectSelector:
matchExpressions:
- key: "projectcapsule.dev/managed-by"
- key: capsule.clastix.io/tenant
operator: Exists
# -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
namespaceSelector:
@@ -750,19 +619,6 @@ webhooks:
operator: Exists
# -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
matchConditions: []
# -- [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
- DELETE
resources:
- '*'
scope: '*'
services:
# -- Enable the Hook
@@ -822,6 +678,3 @@ webhooks:
pvc: {}
# -- Deprecated, use webhooks.hooks.pods instead
pods: {}
# -- Deprecated, use webhooks.hooks.managed instead
tenantResourceObjects: {}

248
cmd/main.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package main
@@ -31,42 +31,37 @@ import (
capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
"github.com/projectcapsule/capsule/internal/cache"
"github.com/projectcapsule/capsule/internal/controllers/admission"
configcontroller "github.com/projectcapsule/capsule/internal/controllers/cfg"
podlabelscontroller "github.com/projectcapsule/capsule/internal/controllers/pod"
"github.com/projectcapsule/capsule/internal/controllers/pv"
rbaccontroller "github.com/projectcapsule/capsule/internal/controllers/rbac"
"github.com/projectcapsule/capsule/internal/controllers/resourcepools"
"github.com/projectcapsule/capsule/internal/controllers/resources"
servicelabelscontroller "github.com/projectcapsule/capsule/internal/controllers/servicelabels"
tenantcontroller "github.com/projectcapsule/capsule/internal/controllers/tenant"
tlscontroller "github.com/projectcapsule/capsule/internal/controllers/tls"
utilscontroller "github.com/projectcapsule/capsule/internal/controllers/utils"
"github.com/projectcapsule/capsule/internal/metrics"
"github.com/projectcapsule/capsule/internal/webhook"
cfgvalidation "github.com/projectcapsule/capsule/internal/webhook/cfg"
"github.com/projectcapsule/capsule/internal/webhook/defaults"
"github.com/projectcapsule/capsule/internal/webhook/dra"
"github.com/projectcapsule/capsule/internal/webhook/gateway"
"github.com/projectcapsule/capsule/internal/webhook/ingress"
"github.com/projectcapsule/capsule/internal/webhook/misc"
namespacemutation "github.com/projectcapsule/capsule/internal/webhook/namespace/mutation"
namespacevalidation "github.com/projectcapsule/capsule/internal/webhook/namespace/validation"
"github.com/projectcapsule/capsule/internal/webhook/node"
"github.com/projectcapsule/capsule/internal/webhook/pod"
"github.com/projectcapsule/capsule/internal/webhook/pvc"
"github.com/projectcapsule/capsule/internal/webhook/resourcepool"
"github.com/projectcapsule/capsule/internal/webhook/route"
"github.com/projectcapsule/capsule/internal/webhook/service"
"github.com/projectcapsule/capsule/internal/webhook/serviceaccounts"
tenantmutation "github.com/projectcapsule/capsule/internal/webhook/tenant/mutation"
tenantvalidation "github.com/projectcapsule/capsule/internal/webhook/tenant/validation"
tntresource "github.com/projectcapsule/capsule/internal/webhook/tenantresource"
"github.com/projectcapsule/capsule/internal/webhook/utils"
"github.com/projectcapsule/capsule/pkg/runtime/configuration"
"github.com/projectcapsule/capsule/pkg/runtime/handlers"
"github.com/projectcapsule/capsule/pkg/runtime/indexers"
configcontroller "github.com/projectcapsule/capsule/controllers/config"
podlabelscontroller "github.com/projectcapsule/capsule/controllers/pod"
"github.com/projectcapsule/capsule/controllers/pv"
rbaccontroller "github.com/projectcapsule/capsule/controllers/rbac"
"github.com/projectcapsule/capsule/controllers/resourcepools"
"github.com/projectcapsule/capsule/controllers/resources"
servicelabelscontroller "github.com/projectcapsule/capsule/controllers/servicelabels"
tenantcontroller "github.com/projectcapsule/capsule/controllers/tenant"
tlscontroller "github.com/projectcapsule/capsule/controllers/tls"
utilscontroller "github.com/projectcapsule/capsule/controllers/utils"
"github.com/projectcapsule/capsule/pkg/configuration"
"github.com/projectcapsule/capsule/pkg/indexer"
"github.com/projectcapsule/capsule/pkg/metrics"
"github.com/projectcapsule/capsule/pkg/webhook"
"github.com/projectcapsule/capsule/pkg/webhook/defaults"
"github.com/projectcapsule/capsule/pkg/webhook/gateway"
"github.com/projectcapsule/capsule/pkg/webhook/ingress"
namespacemutation "github.com/projectcapsule/capsule/pkg/webhook/namespace/mutation"
namespacevalidation "github.com/projectcapsule/capsule/pkg/webhook/namespace/validation"
"github.com/projectcapsule/capsule/pkg/webhook/networkpolicy"
"github.com/projectcapsule/capsule/pkg/webhook/node"
"github.com/projectcapsule/capsule/pkg/webhook/pod"
"github.com/projectcapsule/capsule/pkg/webhook/pvc"
"github.com/projectcapsule/capsule/pkg/webhook/resourcepool"
"github.com/projectcapsule/capsule/pkg/webhook/route"
"github.com/projectcapsule/capsule/pkg/webhook/service"
"github.com/projectcapsule/capsule/pkg/webhook/serviceaccounts"
tenantmutation "github.com/projectcapsule/capsule/pkg/webhook/tenant/mutation"
tenantvalidation "github.com/projectcapsule/capsule/pkg/webhook/tenant/validation"
tntresource "github.com/projectcapsule/capsule/pkg/webhook/tenantresource"
"github.com/projectcapsule/capsule/pkg/webhook/utils"
)
var (
@@ -91,13 +86,13 @@ func printVersion() {
setupLog.Info(fmt.Sprintf("Go OS/Arch: %s/%s", goRuntime.GOOS, goRuntime.GOARCH))
}
//nolint:maintidx,cyclop
//nolint:maintidx
func main() {
controllerConfig := utilscontroller.ControllerOptions{}
var enableLeaderElection, enablePprof, version bool
var enableLeaderElection, version bool
var metricsAddr, ns string
var metricsAddr, namespace, configurationName string
var webhookPort int
@@ -110,8 +105,7 @@ func main() {
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&version, "version", false, "Print the Capsule version and exit")
flag.StringVar(&controllerConfig.ConfigurationName, "configuration-name", "default", "The CapsuleConfiguration resource name to use")
flag.BoolVar(&enablePprof, "enable-pprof", false, "Enables Pprof endpoint for profiling (not recommend in production)")
flag.StringVar(&configurationName, "configuration-name", "default", "The CapsuleConfiguration resource name to use")
opts := zap.Options{
EncoderConfigOptions: append([]zap.EncoderConfigOption{}, func(config *zapcore.EncoderConfig) {
@@ -131,19 +125,17 @@ func main() {
os.Exit(0)
}
setupLog.V(5).Info("Controller", "Options", controllerConfig)
if ns = os.Getenv("NAMESPACE"); len(ns) == 0 {
if namespace = os.Getenv("NAMESPACE"); len(namespace) == 0 {
setupLog.Error(fmt.Errorf("unable to determinate the Namespace Capsule is running on"), "unable to start manager")
os.Exit(1)
}
if len(controllerConfig.ConfigurationName) == 0 {
if len(configurationName) == 0 {
setupLog.Error(fmt.Errorf("missing CapsuleConfiguration resource name"), "unable to start manager")
os.Exit(1)
}
ctrlOpts := ctrl.Options{
manager, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
Metrics: metricsserver.Options{
BindAddress: metricsAddr,
@@ -159,13 +151,7 @@ func main() {
return client.New(config, options)
},
}
if enablePprof {
ctrlOpts.PprofBindAddress = ":8082"
}
manager, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrlOpts)
})
if err != nil {
setupLog.Error(err, "unable to start manager")
os.Exit(1)
@@ -176,7 +162,7 @@ func main() {
ctx := ctrl.SetupSignalHandler()
cfg := configuration.NewCapsuleConfiguration(ctx, manager.GetClient(), controllerConfig.ConfigurationName)
cfg := configuration.NewCapsuleConfiguration(ctx, manager.GetClient(), configurationName)
directClient, err := client.New(ctrl.GetConfigOrDie(), client.Options{
Scheme: manager.GetScheme(),
@@ -187,13 +173,13 @@ func main() {
os.Exit(1)
}
directCfg := configuration.NewCapsuleConfiguration(ctx, directClient, controllerConfig.ConfigurationName)
directCfg := configuration.NewCapsuleConfiguration(ctx, directClient, configurationName)
if directCfg.EnableTLSConfiguration() {
tlsReconciler := &tlscontroller.Reconciler{
Client: directClient,
Log: ctrl.Log.WithName("capsule.ctrl").WithName("tls"),
Namespace: ns,
Log: ctrl.Log.WithName("controllers").WithName("TLS"),
Namespace: namespace,
Configuration: directCfg,
}
@@ -204,7 +190,7 @@ func main() {
tlsCert := &corev1.Secret{}
if err = directClient.Get(ctx, types.NamespacedName{Namespace: ns, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
if err = directClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
setupLog.Error(err, "unable to get Capsule TLS secret")
os.Exit(1)
}
@@ -215,15 +201,12 @@ func main() {
}
}
registryCache := cache.NewRegistryRuleSetCache()
if err = (&tenantcontroller.Manager{
RESTConfig: manager.GetConfig(),
Client: manager.GetClient(),
Metrics: metrics.MustMakeTenantRecorder(),
Log: ctrl.Log.WithName("capsule.ctrl").WithName("tenant"),
Recorder: manager.GetEventRecorder("tenant-controller"),
Configuration: cfg,
RESTConfig: manager.GetConfig(),
Client: manager.GetClient(),
Metrics: metrics.MustMakeTenantRecorder(),
Log: ctrl.Log.WithName("controllers").WithName("Tenant"),
Recorder: manager.GetEventRecorderFor("tenant-controller"),
}).SetupWithManager(manager, controllerConfig); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "Tenant")
os.Exit(1)
@@ -234,7 +217,7 @@ func main() {
os.Exit(1)
}
if err = indexers.AddToManager(ctx, setupLog, manager); err != nil {
if err = indexer.AddToManager(ctx, setupLog, manager); err != nil {
setupLog.Error(err, "unable to setup indexers")
os.Exit(1)
}
@@ -248,97 +231,32 @@ func main() {
// webhooks: the order matters, don't change it and just append
webhooksList := append(
make([]handlers.Webhook, 0),
route.Pod(
pod.Handler(
pod.ImagePullPolicy(),
pod.ContainerRegistryLegacy(cfg),
pod.ContainerRegistry(cfg, registryCache),
pod.PriorityClass(),
pod.RuntimeClass(),
),
),
make([]webhook.Webhook, 0),
route.Pod(pod.ImagePullPolicy(), pod.ContainerRegistry(cfg), pod.PriorityClass(), pod.RuntimeClass()),
route.Namespace(utils.InCapsuleGroups(cfg, namespacevalidation.PatchHandler(cfg), namespacevalidation.QuotaHandler(), namespacevalidation.FreezeHandler(cfg), namespacevalidation.PrefixHandler(cfg), namespacevalidation.UserMetadataHandler())),
route.Ingress(ingress.Class(cfg, kubeVersion), ingress.Hostnames(cfg), ingress.Collision(cfg), ingress.Wildcard()),
route.PVC(
pvc.Handler(
pvc.Validating(),
pvc.PersistentVolumeReuse(),
),
),
route.Service(
service.Handler(
service.Validating(),
),
),
route.TenantResourceObjects(handlers.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())),
route.Cordoning(handlers.InCapsuleGroups(cfg, misc.CordoningHandler(cfg))),
route.Node(handlers.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
route.ServiceAccounts(
serviceaccounts.Handler(
serviceaccounts.Validating(cfg),
),
),
route.MiscCustomResources(misc.ResourceCounterHandler(manager.GetClient())),
route.PVC(pvc.Validating(), pvc.PersistentVolumeReuse()),
route.Service(service.Handler()),
route.TenantResourceObjects(utils.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())),
route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())),
route.TenantMutating(tenantmutation.MetaHandler()),
route.TenantValidating(tenantvalidation.NameHandler(), tenantvalidation.RoleBindingRegexHandler(), tenantvalidation.IngressClassRegexHandler(), tenantvalidation.StorageClassRegexHandler(), tenantvalidation.ContainerRegistryRegexHandler(), tenantvalidation.HostnameRegexHandler(), tenantvalidation.FreezedEmitter(), tenantvalidation.ServiceAccountNameHandler(), tenantvalidation.ForbiddenAnnotationsRegexHandler(), tenantvalidation.ProtectedHandler()),
route.Cordoning(tenantvalidation.CordoningHandler(cfg)),
route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
route.ServiceAccounts(serviceaccounts.Handler(cfg)),
route.NamespacePatch(utils.InCapsuleGroups(cfg, namespacemutation.CordoningLabelHandler(cfg), namespacemutation.OwnerReferenceHandler(cfg), namespacemutation.MetadataHandler(cfg))),
route.CustomResources(tenantvalidation.ResourceCounterHandler(manager.GetClient())),
route.Gateway(gateway.Class(cfg)),
route.DeviceClass(dra.DeviceClass()),
route.Defaults(defaults.Handler(cfg, kubeVersion)),
route.TenantMutation(
tenantmutation.MetaHandler(),
),
route.TenantValidation(
tenantvalidation.Handler(cfg,
tenantvalidation.NameHandler(),
tenantvalidation.RoleBindingRegexHandler(),
tenantvalidation.IngressClassRegexHandler(),
tenantvalidation.StorageClassRegexHandler(),
tenantvalidation.ContainerRegistryRegexHandler(),
tenantvalidation.RuleHandler(),
tenantvalidation.HostnameRegexHandler(),
tenantvalidation.FreezedEmitter(),
tenantvalidation.ServiceAccountNameHandler(),
tenantvalidation.ForbiddenAnnotationsRegexHandler(),
tenantvalidation.ProtectedHandler(),
tenantvalidation.RequiredMetadataHandler(),
tenantvalidation.WarningHandler(cfg),
),
),
route.NamespaceValidation(
namespacevalidation.NamespaceHandler(
cfg,
namespacevalidation.PatchHandler(cfg),
namespacevalidation.FreezeHandler(cfg),
namespacevalidation.QuotaHandler(),
namespacevalidation.PrefixHandler(cfg),
namespacevalidation.UserMetadataHandler(),
namespacevalidation.RequiredMetadataHandler(),
),
),
route.NamespaceMutation(
namespacemutation.NamespaceHandler(
cfg,
namespacemutation.OwnerReferenceHandler(cfg),
namespacemutation.MetadataHandler(cfg),
namespacemutation.CordoningLabelHandler(cfg),
),
),
route.ResourcePoolMutation((resourcepool.PoolMutationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepool")))),
route.ResourcePoolValidation((resourcepool.PoolValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepool")))),
route.ResourcePoolClaimMutation((resourcepool.ClaimMutationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
route.ResourcePoolClaimValidation((resourcepool.ClaimValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
route.MiscTenantAssignment(
misc.TenantAssignmentHandler(),
),
route.MiscManagedValidation(
handlers.InCapsuleGroups(cfg, misc.ManagedValidatingHandler()),
),
route.ConfigValidation(
cfgvalidation.WarningHandler(),
),
)
nodeWebhookSupported, _ := utils.NodeWebhookSupported(kubeVersion)
if !nodeWebhookSupported {
setupLog.Info("disabling node labels verification webhook as current Kubernetes version doesn't have fix for CVE-2021-25735")
setupLog.Info("Disabling node labels verification webhook as current Kubernetes version doesn't have fix for CVE-2021-25735")
}
if err = webhook.Register(manager, webhooksList...); err != nil {
@@ -347,7 +265,7 @@ func main() {
}
rbacManager := &rbaccontroller.Manager{
Log: ctrl.Log.WithName("capsule.ctrl").WithName("rbac"),
Log: ctrl.Log.WithName("controllers").WithName("Rbac"),
Client: manager.GetClient(),
Configuration: cfg,
}
@@ -357,28 +275,25 @@ func main() {
os.Exit(1)
}
if err = rbacManager.SetupWithManager(ctx, manager, controllerConfig); err != nil {
if err = rbacManager.SetupWithManager(ctx, manager, configurationName); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "Rbac")
os.Exit(1)
}
if err = (&servicelabelscontroller.ServicesLabelsReconciler{
Log: ctrl.Log.WithName("capsule.ctrl").WithName("services"),
Log: ctrl.Log.WithName("controllers").WithName("ServiceLabels"),
}).SetupWithManager(ctx, manager); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "ServiceLabels")
os.Exit(1)
}
if err = (&servicelabelscontroller.EndpointSlicesLabelsReconciler{
Log: ctrl.Log.WithName("capsule.ctrl").WithName("endpointslices"),
Log: ctrl.Log.WithName("controllers").WithName("EndpointSliceLabels"),
}).SetupWithManager(ctx, manager); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "EndpointSliceLabels")
}
if err = (&podlabelscontroller.MetadataReconciler{
Client: manager.GetClient(),
Log: ctrl.Log.WithName("capsule.ctrl").WithName("pods"),
}).SetupWithManager(ctx, manager); err != nil {
if err = (&podlabelscontroller.MetadataReconciler{Client: manager.GetClient()}).SetupWithManager(ctx, manager); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "PodLabels")
os.Exit(1)
}
@@ -389,10 +304,8 @@ func main() {
}
if err = (&configcontroller.Manager{
Client: manager.GetClient(),
RegistryCache: registryCache,
Log: ctrl.Log.WithName("capsule.ctrl").WithName("configuration"),
}).SetupWithManager(manager, controllerConfig); err != nil {
Log: ctrl.Log.WithName("controllers").WithName("CapsuleConfiguration"),
}).SetupWithManager(manager, configurationName); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "CapsuleConfiguration")
os.Exit(1)
}
@@ -407,21 +320,10 @@ func main() {
os.Exit(1)
}
if err := admission.Add(
ctrl.Log.WithName("capsule.ctrl").WithName("admission"),
manager,
manager.GetEventRecorder("admission-ctrl"),
controllerConfig,
cfg,
); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "admission")
os.Exit(1)
}
if err := resourcepools.Add(
ctrl.Log.WithName("capsule.ctrl").WithName("resourcepools"),
ctrl.Log.WithName("controllers").WithName("ResourcePools"),
manager,
manager.GetEventRecorder("pools-ctrl"),
manager.GetEventRecorderFor("pools-ctrl"),
controllerConfig,
); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "resourcepools")

2
cmd/version.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package main

46
controllers/config/manager.go Normal file
View File

@@ -0,0 +1,46 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package config
import (
"context"
"github.com/go-logr/logr"
"github.com/pkg/errors"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
"github.com/projectcapsule/capsule/controllers/utils"
"github.com/projectcapsule/capsule/pkg/configuration"
)
type Manager struct {
client client.Client
Log logr.Logger
}
func (c *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) error {
c.client = mgr.GetClient()
return ctrl.NewControllerManagedBy(mgr).
For(&capsulev1beta2.CapsuleConfiguration{}, utils.NamesMatchingPredicate(configurationName)).
Complete(c)
}
func (c *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
c.Log.Info("CapsuleConfiguration reconciliation started", "request.name", request.Name)
cfg := configuration.NewCapsuleConfiguration(ctx, c.client, request.Name)
// Validating the Capsule Configuration options
if _, err = cfg.ProtectedNamespaceRegexp(); err != nil {
panic(errors.Wrap(err, "Invalid configuration for protected Namespace regex"))
}
c.Log.V(5).Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)
return res, err
}

30
controllers/pod/errors.go Normal file
View File

@@ -0,0 +1,30 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package pod
import "fmt"
type NonTenantObjectError struct {
objectName string
}
func NewNonTenantObject(objectName string) error {
return &NonTenantObjectError{objectName: objectName}
}
func (n NonTenantObjectError) Error() string {
return fmt.Sprintf("Skipping labels sync for %s as it doesn't belong to tenant", n.objectName)
}
type NoPodMetadataError struct {
objectName string
}
func NewNoPodMetadata(objectName string) error {
return &NoPodMetadataError{objectName: objectName}
}
func (n NoPodMetadataError) Error() string {
return fmt.Sprintf("Skipping labels sync for %s because no AdditionalLabels or AdditionalAnnotations presents in Tenant spec", n.objectName)
}

34
internal/controllers/pod/metadata.go → controllers/pod/metadata.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package pod
@@ -7,10 +7,10 @@ import (
"context"
"fmt"
"github.com/go-logr/logr"
"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
apierr "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -21,19 +21,15 @@ import (
"sigs.k8s.io/controller-runtime/pkg/reconcile"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
caperrors "github.com/projectcapsule/capsule/pkg/api/errors"
"github.com/projectcapsule/capsule/pkg/tenant"
"github.com/projectcapsule/capsule/pkg/utils"
)
type MetadataReconciler struct {
Client client.Client
Log logr.Logger
}
func (m *MetadataReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
Named("capsule/pod").
For(&corev1.Pod{}, m.forOptionPerInstanceName(ctx)).
Complete(m)
}
@@ -45,9 +41,9 @@ func (m *MetadataReconciler) Reconcile(ctx context.Context, request ctrl.Request
tenant, err := m.getTenant(ctx, request.NamespacedName, m.Client)
if err != nil {
noTenantObjError := &caperrors.NonTenantObjectError{}
noTenantObjError := &NonTenantObjectError{}
noPodMetaError := &caperrors.NoPodMetadataError{}
noPodMetaError := &NoPodMetadataError{}
if errors.As(err, &noTenantObjError) || errors.As(err, &noPodMetaError) {
return reconcile.Result{}, nil
}
@@ -86,7 +82,7 @@ func (m *MetadataReconciler) getTenant(ctx context.Context, namespacedName types
capsuleLabel, _ := utils.GetTypeLabel(&capsulev1beta2.Tenant{})
if _, ok := ns.GetLabels()[capsuleLabel]; !ok {
return nil, caperrors.NewNonTenantObject(namespacedName.Name)
return nil, NewNonTenantObject(namespacedName.Name)
}
if err := client.Get(ctx, types.NamespacedName{Name: ns.Labels[capsuleLabel]}, tenant); err != nil {
@@ -94,7 +90,7 @@ func (m *MetadataReconciler) getTenant(ctx context.Context, namespacedName types
}
if tenant.Spec.PodOptions == nil || tenant.Spec.PodOptions.AdditionalMetadata == nil {
return nil, caperrors.NewNoPodMetadata(namespacedName.Name)
return nil, NewNoPodMetadata(namespacedName.Name)
}
return tenant, nil
@@ -118,11 +114,17 @@ func (m *MetadataReconciler) sync(available map[string]string, tenantSpec map[st
func (m *MetadataReconciler) forOptionPerInstanceName(ctx context.Context) builder.ForOption {
return builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
status, err := tenant.IsNamespaceInTenant(ctx, m.Client, object.GetNamespace())
if err != nil {
m.Log.Error(err, "failed resolving instances")
}
return status
return m.isNamespaceInTenant(ctx, object.GetNamespace())
}))
}
func (m *MetadataReconciler) isNamespaceInTenant(ctx context.Context, namespace string) bool {
tl := &capsulev1beta2.TenantList{}
if err := m.Client.List(ctx, tl, client.MatchingFieldsSelector{
Selector: fields.OneTermEqualSelector(".status.namespaces", namespace),
}); err != nil {
return false
}
return len(tl.Items) > 0
}

13
internal/controllers/pv/controller.go → controllers/pv/controller.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package pv
@@ -18,9 +18,9 @@ import (
"sigs.k8s.io/controller-runtime/pkg/reconcile"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
"github.com/projectcapsule/capsule/internal/controllers/utils"
"github.com/projectcapsule/capsule/pkg/tenant"
"github.com/projectcapsule/capsule/controllers/utils"
capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
webhookutils "github.com/projectcapsule/capsule/pkg/webhook/utils"
)
type Controller struct {
@@ -38,7 +38,6 @@ func (c *Controller) SetupWithManager(mgr ctrl.Manager, cfg utils.ControllerOpti
c.label = label
return ctrl.NewControllerManagedBy(mgr).
Named("capsule/persistentvolumes").
For(&corev1.PersistentVolume{}, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
pv, ok := object.(*corev1.PersistentVolume)
if !ok {
@@ -80,14 +79,14 @@ func (c *Controller) Reconcile(ctx context.Context, request reconcile.Request) (
return reconcile.Result{}, nil
}
tnt, err := tenant.GetTenantNameByStatusNamespace(ctx, c.client, persistentVolume.Spec.ClaimRef.Namespace)
tnt, err := webhookutils.TenantByStatusNamespace(ctx, c.client, persistentVolume.Spec.ClaimRef.Namespace)
if err != nil {
log.Error(err, "unable to retrieve Tenant from the claimRef")
return reconcile.Result{}, err
}
if tnt == "" {
if tnt == nil {
log.V(4).Info("skipping reconciliation, PV is claimed by a PVC not managed in a Tenant")
return reconcile.Result{}, nil
@@ -105,7 +104,7 @@ func (c *Controller) Reconcile(ctx context.Context, request reconcile.Request) (
labels = map[string]string{}
}
labels[c.label] = tnt
labels[c.label] = tnt.GetName()
pv.SetLabels(labels)

Some files were not shown because too many files have changed in this diff Show More