fix: add rolebinding validation against rfc-1123 dns for sa subjects

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

.github/workflows/ci.yml

@@ -7,6 +7,15 @@ on:
     branches: [ "*" ]
 
 jobs:
+  commit_lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@v2
+        with:
+          firstParent: true
   golangci:
     name: lint
     runs-on: ubuntu-latest

.github/workflows/e2e.yml

@@ -3,8 +3,26 @@ name: e2e
 on:
   push:
     branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
   pull_request:
     branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
 
 jobs:
   kind:

.github/workflows/helm.yml

@@ -3,6 +3,7 @@ name: Helm Chart
 on:
   push:
     branches: [ "*" ]
+    tags: [ "helm-v*" ]
   pull_request:
     branches: [ "*" ]
 

.gitignore

@@ -22,6 +22,7 @@ bin
 *.swp
 *.swo
 *~
+.vscode
 
 **/*.kubeconfig
 **/*.crt

Makefile

@@ -1,5 +1,5 @@
 # Current Operator version
-VERSION ?= $$(git describe --abbrev=0 --tags)
+VERSION ?= $$(git describe --abbrev=0 --tags --match "v*")
 
 # Default bundle image tag
 BUNDLE_IMG ?= quay.io/clastix/capsule:$(VERSION)-bundle
@@ -45,7 +45,7 @@ manager: generate fmt vet
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate manifests
-	go run ./main.go
+	go run .
 
 # Creates the single file to install Capsule without any external dependency
 installer: manifests kustomize
@@ -78,6 +78,58 @@ manifests: controller-gen
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
+# Setup development env
+# Usage: 
+# 	LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
+# For example:
+#	LAPTOP_HOST_IP=192.168.10.101 make dev-setup
+define TLS_CNF
+[ req ]
+default_bits       = 4096
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                = SG
+stateOrProvinceName        = SG
+localityName               = SG
+organizationName           = CAPSULE
+commonName                 = CAPSULE
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+IP.1   = $(LAPTOP_HOST_IP)
+endef
+export TLS_CNF
+dev-setup:
+	kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
+	mkdir -p /tmp/k8s-webhook-server/serving-certs
+	echo "$${TLS_CNF}" > _tls.cnf
+	openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
+		-subj "/C=SG/ST=SG/L=SG/O=CAPSULE/CN=CAPSULE" \
+		-extensions req_ext \
+		-config _tls.cnf \
+		-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
+		-out /tmp/k8s-webhook-server/serving-certs/tls.crt
+	rm -f _tls.cnf 
+	export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
+	export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
+	kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
+		--type='json' -p="[\
+			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/mutate-v1-namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\
+		]" && \
+	kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+		--type='json' -p="[\
+			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}}\
+		]";
+
 # Build the docker image
 docker-build: test
 	docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \

README.md

@@ -13,7 +13,7 @@
 
 ---
 
-# Kubernetes multi-tenancy made simple
+# Kubernetes multi-tenancy made easy
 **Capsule** helps to implement a multi-tenancy and policy-based environment in your Kubernetes cluster. It is not intended to be yet another _PaaS_, instead, it has been designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.
 
 # What's the problem with the current status?
@@ -71,36 +71,24 @@ Clone this repository and move to the repo folder:
 
 ```
 $ kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/install.yaml
-namespace/capsule-system created
-customresourcedefinition.apiextensions.k8s.io/capsuleconfigurations.capsule.clastix.io created
-customresourcedefinition.apiextensions.k8s.io/tenants.capsule.clastix.io created
-clusterrolebinding.rbac.authorization.k8s.io/capsule-manager-rolebinding created
-secret/capsule-ca created
-secret/capsule-tls created
-service/capsule-controller-manager-metrics-service created
-service/capsule-webhook-service created
-deployment.apps/capsule-controller-manager created
-capsuleconfiguration.capsule.clastix.io/capsule-default created
-mutatingwebhookconfiguration.admissionregistration.k8s.io/capsule-mutating-webhook-configuration created
-validatingwebhookconfiguration.admissionregistration.k8s.io/capsule-validating-webhook-configuration created
 ```
 
 It will install the Capsule controller in a dedicated namespace `capsule-system`.
 
 ## How to create Tenants
-Use the scaffold [Tenant](config/samples/capsule_v1alpha1_tenant.yaml) and simply apply as cluster admin.
+Use the scaffold [Tenant](config/samples/capsule_v1beta1_tenant.yaml) and simply apply as cluster admin.
 
 ```
-$ kubectl apply -f config/samples/capsule_v1alpha1_tenant.yaml
-tenant.capsule.clastix.io/oil created
+$ kubectl apply -f config/samples/capsule_v1beta1_tenant.yaml
+tenant.capsule.clastix.io/gas created
 ```
 
 You can check the tenant just created as
 
 ```
 $ kubectl get tenants
-NAME      NAMESPACE QUOTA   NAMESPACE COUNT   OWNER NAME   OWNER KIND   NODE SELECTOR    AGE
-oil       3                 0                 alice        User                          1m
+NAME   STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR                  AGE
+gas    Active   3                 0                 {"kubernetes.io/os":"linux"}   25s
 ```
 
 ## Tenant owners
@@ -112,52 +100,46 @@ Assignment to a group depends on the authentication strategy in your cluster.
 
 For example, if you are using `capsule.clastix.io`, users authenticated through a _X.509_ certificate must have `capsule.clastix.io` as _Organization_: `-subj "/CN=${USER}/O=capsule.clastix.io"`
 
-Users authenticated through an _OIDC token_ must have
+Users authenticated through an _OIDC token_ must have in their token:
 
 ```json
 ...
 "users_groups": [
-    "capsule.clastix.io",
-    "other_group"
+  "capsule.clastix.io",
+  "other_group"
 ]
 ```
 
-in their token.
-
-The [hack/create-user.sh](hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `alice` user acting as owner of a tenant called `oil`
+The [hack/create-user.sh](hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `bob` user acting as owner of a tenant called `gas`
 
 ```bash
-./hack/create-user.sh alice oil
-creating certs in TMPDIR /tmp/tmp.4CLgpuime3 
-Generating RSA private key, 2048 bit long modulus (2 primes)
-............+++++
-........................+++++
-e is 65537 (0x010001)
-certificatesigningrequest.certificates.k8s.io/alice-oil created
-certificatesigningrequest.certificates.k8s.io/alice-oil approved
-kubeconfig file is: alice-oil.kubeconfig
-to use it as alice export KUBECONFIG=alice-oil.kubeconfig
+./hack/create-user.sh bob gas
+...
+certificatesigningrequest.certificates.k8s.io/bob-gas created
+certificatesigningrequest.certificates.k8s.io/bob-gas approved
+kubeconfig file is: bob-gas.kubeconfig
+to use it as bob export KUBECONFIG=bob-gas.kubeconfig
 ```
 
 ## Working with Tenants
-Log in to the Kubernetes cluster as `alice` tenant owner
+Log in to the Kubernetes cluster as `bob` tenant owner
 
 ```
-$ export KUBECONFIG=alice-oil.kubeconfig
+$ export KUBECONFIG=bob-gas.kubeconfig
 ```
 
 and create a couple of new namespaces
 
 ```
-$ kubectl create namespace oil-production
-$ kubectl create namespace oil-development
+$ kubectl create namespace gas-production
+$ kubectl create namespace gas-development
 ```
 
-As user `alice` you can operate with fully admin permissions:
+As user `bob` you can operate with fully admin permissions:
 
 ```
-$ kubectl -n oil-development run nginx --image=docker.io/nginx 
-$ kubectl -n oil-development get pods
+$ kubectl -n gas-development run nginx --image=docker.io/nginx 
+$ kubectl -n gas-development get pods
 ```
 
 but limited to only your own namespaces:
@@ -165,12 +147,9 @@ but limited to only your own namespaces:
 ```
 $ kubectl -n kube-system get pods
 Error from server (Forbidden): pods is forbidden:
-User "alice" cannot list resource "pods" in API group "" in the namespace "kube-system"
+User "bob" cannot list resource "pods" in API group "" in the namespace "kube-system"
 ```
 
-# Documentation
-Please, check the project [documentation](./docs/index.md) for more cool things you can do with Capsule.
-
 # Removal
 Similar to `deploy`, you can get rid of Capsule using the `remove` target.
 
@@ -178,15 +157,21 @@ Similar to `deploy`, you can get rid of Capsule using the `remove` target.
 $ make remove
 ```
 
+# Documentation
+Please, check the project [documentation](./docs/index.md) for more cool things you can do with Capsule.
+
+# Contribution
+Capsule is Open Source with Apache 2 license and any contribution is welcome.
+
+Please refer to the corresponding docs:
+- [contributing.md](./docs/contributing.md) for the general guide; and
+- [dev-guide.md](./docs/dev-guide.md) for how to set up the development env to get started.
+
 # FAQ
 - Q. How to pronounce Capsule?
 
   A. It should be pronounced as `/ˈkæpsjuːl/`.
 
-- Q. Can I contribute?
-
-  A. Absolutely! Capsule is Open Source with Apache 2 license and any contribution is welcome. Please refer to the corresponding [section](./docs/operator/contributing.md) in the documentation.
-
 - Q. Is it production grade?
 
   A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/clastix/capsule/releases) page for a detailed list of available versions.

api/v1alpha1/capsuleconfiguration_annotations.go

@@ -0,0 +1,8 @@
+package v1alpha1
+
+const (
+	ForbiddenNodeLabelsAnnotation            = "capsule.clastix.io/forbidden-node-labels"
+	ForbiddenNodeLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-node-labels-regexp"
+	ForbiddenNodeAnnotationsAnnotation       = "capsule.clastix.io/forbidden-node-annotations"
+	ForbiddenNodeAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-node-annotations-regexp"
+)

api/v1alpha1/conversion_hub.go

@@ -26,6 +26,7 @@ const (
 
 	enableNodePortsAnnotation    = "capsule.clastix.io/enable-node-ports"
 	enableExternalNameAnnotation = "capsule.clastix.io/enable-external-name"
+	enableLoadBalancerAnnotation = "capsule.clastix.io/enable-loadbalancer-service"
 
 	ownerGroupsAnnotation         = "owners.capsule.clastix.io/group"
 	ownerUsersAnnotation          = "owners.capsule.clastix.io/user"
@@ -199,17 +200,17 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 		}
 	}
 	if len(t.Spec.NetworkPolicies) > 0 {
-		dst.Spec.NetworkPolicies = &capsulev1beta1.NetworkPolicySpec{
+		dst.Spec.NetworkPolicies = capsulev1beta1.NetworkPolicySpec{
 			Items: t.Spec.NetworkPolicies,
 		}
 	}
 	if len(t.Spec.LimitRanges) > 0 {
-		dst.Spec.LimitRanges = &capsulev1beta1.LimitRangesSpec{
+		dst.Spec.LimitRanges = capsulev1beta1.LimitRangesSpec{
 			Items: t.Spec.LimitRanges,
 		}
 	}
 	if len(t.Spec.ResourceQuota) > 0 {
-		dst.Spec.ResourceQuota = &capsulev1beta1.ResourceQuotaSpec{
+		dst.Spec.ResourceQuota = capsulev1beta1.ResourceQuotaSpec{
 			Scope: func() capsulev1beta1.ResourceQuotaScope {
 				if v, ok := t.GetAnnotations()[resourceQuotaScopeAnnotation]; ok {
 					switch v {
@@ -297,6 +298,21 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.ServiceOptions.AllowedServices.ExternalName = pointer.BoolPtr(val)
 	}
 
+	loadBalancerService, ok := annotations[enableLoadBalancerAnnotation]
+	if ok {
+		val, err := strconv.ParseBool(loadBalancerService)
+		if err != nil {
+			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableLoadBalancerAnnotation, t.GetName()))
+		}
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+		dst.Spec.ServiceOptions.AllowedServices.LoadBalancer = pointer.BoolPtr(val)
+	}
+
 	// Status
 	dst.Status = capsulev1beta1.TenantStatus{
 		Size:       t.Status.Size,
@@ -309,6 +325,7 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 	delete(dst.ObjectMeta.Annotations, podPriorityAllowedRegexAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableNodePortsAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableExternalNameAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableLoadBalancerAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerGroupsAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerUsersAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerServiceAccountAnnotation)
@@ -483,13 +500,13 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
 			Regex: src.Spec.ContainerRegistries.Regex,
 		}
 	}
-	if src.Spec.NetworkPolicies != nil {
+	if len(src.Spec.NetworkPolicies.Items) > 0 {
 		t.Spec.NetworkPolicies = src.Spec.NetworkPolicies.Items
 	}
-	if src.Spec.LimitRanges != nil {
+	if len(src.Spec.LimitRanges.Items) > 0 {
 		t.Spec.LimitRanges = src.Spec.LimitRanges.Items
 	}
-	if src.Spec.ResourceQuota != nil {
+	if len(src.Spec.ResourceQuota.Items) > 0 {
 		t.Annotations[resourceQuotaScopeAnnotation] = string(src.Spec.ResourceQuota.Scope)
 		t.Spec.ResourceQuota = src.Spec.ResourceQuota.Items
 	}
@@ -528,8 +545,15 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
 	}
 
 	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AllowedServices != nil {
-		t.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.NodePort)
-		t.Annotations[enableExternalNameAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.ExternalName)
+		if src.Spec.ServiceOptions.AllowedServices.NodePort != nil {
+			t.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.NodePort)
+		}
+		if src.Spec.ServiceOptions.AllowedServices.ExternalName != nil {
+			t.Annotations[enableExternalNameAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.ExternalName)
+		}
+		if src.Spec.ServiceOptions.AllowedServices.LoadBalancer != nil {
+			t.Annotations[enableLoadBalancerAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.LoadBalancer)
+		}
 	}
 
 	// Status

api/v1alpha1/conversion_hub_test.go

@@ -52,6 +52,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 		AllowedServices: &capsulev1beta1.AllowedServices{
 			NodePort:     pointer.BoolPtr(false),
 			ExternalName: pointer.BoolPtr(false),
+			LoadBalancer: pointer.BoolPtr(false),
 		},
 		ExternalServiceIPs: &capsulev1beta1.ExternalServiceIPsSpec{
 			Allowed: []capsulev1beta1.AllowedIP{"192.168.0.1"},
@@ -239,13 +240,13 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			},
 			ContainerRegistries: v1beta1AllowedListSpec,
 			NodeSelector:        nodeSelector,
-			NetworkPolicies: &capsulev1beta1.NetworkPolicySpec{
+			NetworkPolicies: capsulev1beta1.NetworkPolicySpec{
 				Items: networkPolicies,
 			},
-			LimitRanges: &capsulev1beta1.LimitRangesSpec{
+			LimitRanges: capsulev1beta1.LimitRangesSpec{
 				Items: limitRanges,
 			},
-			ResourceQuota: &capsulev1beta1.ResourceQuotaSpec{
+			ResourceQuota: capsulev1beta1.ResourceQuotaSpec{
 				Scope: capsulev1beta1.ResourceQuotaScopeNamespace,
 				Items: resourceQuotas,
 			},
@@ -285,6 +286,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 				podAllowedImagePullPolicyAnnotation:  "Always,IfNotPresent",
 				enableExternalNameAnnotation:         "false",
 				enableNodePortsAnnotation:            "false",
+				enableLoadBalancerAnnotation:         "false",
 				podPriorityAllowedAnnotation:         "default",
 				podPriorityAllowedRegexAnnotation:    "^tier-.*$",
 				ownerGroupsAnnotation:                "owner-foo,owner-bar",

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
 // Copyright 2020-2021 Clastix Labs

api/v1beta1/allowed_list.go

@@ -1,6 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
-
+//nolint:dupl
 package v1beta1
 
 import (

api/v1beta1/allowed_list_test.go

@@ -1,6 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
-
+//nolint:dupl
 package v1beta1
 
 import (

api/v1beta1/deny_wildcard.go

@@ -0,0 +1,15 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+const (
+	denyWildcard = "capsule.clastix.io/deny-wildcard"
+)
+
+func (t *Tenant) IsWildcardDenied() bool {
+	if v, ok := t.Annotations[denyWildcard]; ok && v == "true" {
+		return true
+	}
+	return false
+}

api/v1beta1/forbidden_list.go

@@ -0,0 +1,33 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+//nolint:dupl
+package v1beta1
+
+import (
+	"regexp"
+	"sort"
+	"strings"
+)
+
+type ForbiddenListSpec struct {
+	Exact []string `json:"denied,omitempty"`
+	Regex string   `json:"deniedRegex,omitempty"`
+}
+
+func (in *ForbiddenListSpec) ExactMatch(value string) (ok bool) {
+	if len(in.Exact) > 0 {
+		sort.SliceStable(in.Exact, func(i, j int) bool {
+			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
+		})
+		i := sort.SearchStrings(in.Exact, value)
+		ok = i < len(in.Exact) && in.Exact[i] == value
+	}
+	return
+}
+
+func (in ForbiddenListSpec) RegexMatch(value string) (ok bool) {
+	if len(in.Regex) > 0 {
+		ok = regexp.MustCompile(in.Regex).MatchString(value)
+	}
+	return
+}

api/v1beta1/forbidden_list_test.go

@@ -0,0 +1,67 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+//nolint:dupl
+package v1beta1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestForbiddenListSpec_ExactMatch(t *testing.T) {
+	type tc struct {
+		In    []string
+		True  []string
+		False []string
+	}
+	for _, tc := range []tc{
+		{
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"bing", "bong"},
+		},
+		{
+			[]string{"one", "two", "three"},
+			[]string{"one", "two", "three"},
+			[]string{"a", "b", "c"},
+		},
+		{
+			nil,
+			nil,
+			[]string{"any", "value"},
+		},
+	} {
+		a := ForbiddenListSpec{
+			Exact: tc.In,
+		}
+		for _, ok := range tc.True {
+			assert.True(t, a.ExactMatch(ok))
+		}
+		for _, ko := range tc.False {
+			assert.False(t, a.ExactMatch(ko))
+		}
+	}
+}
+
+func TestForbiddenListSpec_RegexMatch(t *testing.T) {
+	type tc struct {
+		Regex string
+		True  []string
+		False []string
+	}
+	for _, tc := range []tc{
+		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
+		{``, nil, []string{"any", "value"}},
+	} {
+		a := ForbiddenListSpec{
+			Regex: tc.Regex,
+		}
+		for _, ok := range tc.True {
+			assert.True(t, a.RegexMatch(ok))
+		}
+		for _, ko := range tc.False {
+			assert.False(t, a.RegexMatch(ko))
+		}
+	}
+}

api/v1beta1/namespace_options.go

@@ -1,5 +1,7 @@
 package v1beta1
 
+import "strings"
+
 type NamespaceOptions struct {
 	//+kubebuilder:validation:Minimum=1
 	// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
@@ -7,3 +9,43 @@ type NamespaceOptions struct {
 	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
 	AdditionalMetadata *AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
 }
+
+func (t *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
+	if _, ok := t.Annotations[ForbiddenNamespaceLabelsAnnotation]; ok {
+		return true
+	}
+	if _, ok := t.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+		return true
+	}
+	return false
+}
+
+func (t *Tenant) hasForbiddenNamespaceAnnotationsAnnotations() bool {
+	if _, ok := t.Annotations[ForbiddenNamespaceAnnotationsAnnotation]; ok {
+		return true
+	}
+	if _, ok := t.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+		return true
+	}
+	return false
+}
+
+func (t *Tenant) ForbiddenUserNamespaceLabels() *ForbiddenListSpec {
+	if !t.hasForbiddenNamespaceLabelsAnnotations() {
+		return nil
+	}
+	return &ForbiddenListSpec{
+		Exact: strings.Split(t.Annotations[ForbiddenNamespaceLabelsAnnotation], ","),
+		Regex: t.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation],
+	}
+}
+
+func (t *Tenant) ForbiddenUserNamespaceAnnotations() *ForbiddenListSpec {
+	if !t.hasForbiddenNamespaceAnnotationsAnnotations() {
+		return nil
+	}
+	return &ForbiddenListSpec{
+		Exact: strings.Split(t.Annotations[ForbiddenNamespaceAnnotationsAnnotation], ","),
+		Regex: t.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation],
+	}
+}

api/v1beta1/service_allowed_types.go

@@ -10,4 +10,7 @@ type AllowedServices struct {
 	//+kubebuilder:default=true
 	// Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
 	ExternalName *bool `json:"externalName,omitempty"`
+	//+kubebuilder:default=true
+	// Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+	LoadBalancer *bool `json:"loadBalancer,omitempty"`
 }

api/v1beta1/tenant_annotations.go

@@ -8,12 +8,16 @@ import (
 )
 
 const (
-	AvailableIngressClassesAnnotation       = "capsule.clastix.io/ingress-classes"
-	AvailableIngressClassesRegexpAnnotation = "capsule.clastix.io/ingress-classes-regexp"
-	AvailableStorageClassesAnnotation       = "capsule.clastix.io/storage-classes"
-	AvailableStorageClassesRegexpAnnotation = "capsule.clastix.io/storage-classes-regexp"
-	AllowedRegistriesAnnotation             = "capsule.clastix.io/allowed-registries"
-	AllowedRegistriesRegexpAnnotation       = "capsule.clastix.io/allowed-registries-regexp"
+	AvailableIngressClassesAnnotation             = "capsule.clastix.io/ingress-classes"
+	AvailableIngressClassesRegexpAnnotation       = "capsule.clastix.io/ingress-classes-regexp"
+	AvailableStorageClassesAnnotation             = "capsule.clastix.io/storage-classes"
+	AvailableStorageClassesRegexpAnnotation       = "capsule.clastix.io/storage-classes-regexp"
+	AllowedRegistriesAnnotation                   = "capsule.clastix.io/allowed-registries"
+	AllowedRegistriesRegexpAnnotation             = "capsule.clastix.io/allowed-registries-regexp"
+	ForbiddenNamespaceLabelsAnnotation            = "capsule.clastix.io/forbidden-namespace-labels"
+	ForbiddenNamespaceLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-namespace-labels-regexp"
+	ForbiddenNamespaceAnnotationsAnnotation       = "capsule.clastix.io/forbidden-namespace-annotations"
+	ForbiddenNamespaceAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-namespace-annotations-regexp"
 )
 
 func UsedQuotaFor(resource fmt.Stringer) string {

api/v1beta1/tenant_types.go

@@ -24,16 +24,16 @@ type TenantSpec struct {
 	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-	NetworkPolicies *NetworkPolicySpec `json:"networkPolicies,omitempty"`
+	NetworkPolicies NetworkPolicySpec `json:"networkPolicies,omitempty"`
 	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-	LimitRanges *LimitRangesSpec `json:"limitRanges,omitempty"`
+	LimitRanges LimitRangesSpec `json:"limitRanges,omitempty"`
 	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
-	ResourceQuota *ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
+	ResourceQuota ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
 	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
 	AdditionalRoleBindings []AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
 	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
 	ImagePullPolicies []ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
-	// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+	// Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
 	PriorityClasses *AllowedListSpec `json:"priorityClasses,omitempty"`
 }
 

api/v1beta1/zz_generated.deepcopy.go

@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
 // Copyright 2020-2021 Clastix Labs
@@ -96,6 +97,11 @@ func (in *AllowedServices) DeepCopyInto(out *AllowedServices) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedServices.
@@ -149,6 +155,26 @@ func (in *ExternalServiceIPsSpec) DeepCopy() *ExternalServiceIPsSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ForbiddenListSpec) DeepCopyInto(out *ForbiddenListSpec) {
+	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForbiddenListSpec.
+func (in *ForbiddenListSpec) DeepCopy() *ForbiddenListSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ForbiddenListSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IngressOptions) DeepCopyInto(out *IngressOptions) {
 	*out = *in
@@ -455,21 +481,9 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*out)[key] = val
 		}
 	}
-	if in.NetworkPolicies != nil {
-		in, out := &in.NetworkPolicies, &out.NetworkPolicies
-		*out = new(NetworkPolicySpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.LimitRanges != nil {
-		in, out := &in.LimitRanges, &out.LimitRanges
-		*out = new(LimitRangesSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ResourceQuota != nil {
-		in, out := &in.ResourceQuota, &out.ResourceQuota
-		*out = new(ResourceQuotaSpec)
-		(*in).DeepCopyInto(*out)
-	}
+	in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
+	in.LimitRanges.DeepCopyInto(&out.LimitRanges)
+	in.ResourceQuota.DeepCopyInto(&out.ResourceQuota)
 	if in.AdditionalRoleBindings != nil {
 		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
 		*out = make([]AdditionalRoleBindingsSpec, len(*in))

charts/capsule/Chart.yaml

@@ -21,8 +21,8 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.0.19
+version: 0.1.3
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.0.5
+appVersion: 0.1.0

charts/capsule/README.md

@@ -1,6 +1,6 @@
 # Deploying the Capsule Operator
 
-Use the Capsule Operator for easily implementing, managing, and maintaining mutitenancy and access control in Kubernetes.
+Use the Capsule Operator for easily implementing, managing, and maintaining multitenancy and access control in Kubernetes.
 
 ## Requirements
 
@@ -67,7 +67,7 @@ Parameter | Description | Default
 `manager.hostNetwork` | Specifies if the container should be started in `hostNetwork` mode. | `false` 
 `manager.options.logLevel` | Set the log verbosity of the controller with a value from 1 to 10.| `4`
 `manager.options.forceTenantPrefix` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash | `false`
-`manager.options.capsuleUserGroup` | Override the Capsule user group | `capsule.clastix.io`
+`manager.options.capsuleUserGroups` | Override the Capsule user groups | `[capsule.clastix.io]`
 `manager.options.protectedNamespaceRegex` | If specified, disallows creation of namespaces matching the passed regexp | `null`
 `manager.image.repository` | Set the image repository of the controller. | `quay.io/clastix/capsule`
 `manager.image.tag` | Overrides the image tag whose default is the chart. `appVersion` | `null`
@@ -80,6 +80,7 @@ Parameter | Description | Default
 `manager.resources.limits/cpu` | Set the memory limits assigned to the controller. | `128Mi`
 `mutatingWebhooksTimeoutSeconds` | Timeout in seconds for mutating webhooks. | `30`
 `validatingWebhooksTimeoutSeconds` | Timeout in seconds for validating webhooks. | `30`
+`webhooks` | Additional configuration for capsule webhooks. |
 `imagePullSecrets` | Configuration for `imagePullSecrets` so that you can use a private images registry. | `[]`
 `serviceAccount.create` | Specifies whether a service account should be created. | `true`
 `serviceAccount.annotations` | Annotations to add to the service account. | `{}`
@@ -91,19 +92,24 @@ Parameter | Description | Default
 `replicaCount` | Set the replica count for Capsule pod. | `1`
 `affinity` | Set affinity rules for the Capsule pod. | `{}`
 `podSecurityPolicy.enabled` | Specify if a Pod Security Policy must be created. | `false`
-`serviceMonitor.enabled` | Specify if a Service Monitor must be created. | `false`
-`serviceMonitor.serviceAccount.name` | Specify Service Account name for metrics scrape. | `capsule`
-`serviceMonitor.serviceAccount.namespace` | Specify Service Account namespace for metrics scrape. | `capsule-system`
+`serviceMonitor.enabled` | Specifies if a service monitor must be created. | `false`
+`serviceMonitor.labels` | Additional labels which will be added to service monitor. | `{}`
+`serviceMonitor.annotations` | Additional annotations which will be added to service monitor. | `{}`
+`serviceMonitor.matchLabels` | Additional matchLabels which will be added to service monitor. | `{}`
+`serviceMonitor.serviceAccount.name` | Specifies service account name for metrics scrape. | `capsule`
+`serviceMonitor.serviceAccount.namespace` | Specifies service account namespace for metrics scrape. | `capsule-system`
+`customLabels` | Additional labels which will be added to all resources created by Capsule helm chart . | `{}`
+`customAnnotations` | Additional annotations which will be added to all resources created by Capsule helm chart . | `{}`
 
 ## Created resources
 
-This Helm Chart cretes the following Kubernetes resources in the release namespace:
+This Helm Chart creates the following Kubernetes resources in the release namespace:
 
 * Capsule Namespace
 * Capsule Operator Deployment
 * Capsule Service
 * CA Secret
-* Certfificate Secret
+* Certificate Secret
 * Tenant Custom Resource Definition
 * MutatingWebHookConfiguration
 * ValidatingWebHookConfiguration

charts/capsule/crds/tenant-crd.yaml

@@ -1101,7 +1101,7 @@ spec:
                     type: object
                   type: array
                 priorityClasses:
-                  description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                  description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                   properties:
                     allowed:
                       items:
@@ -1189,6 +1189,10 @@ spec:
                           default: true
                           description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
                           type: boolean
+                        loadBalancer:
+                          default: true
+                          description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                          type: boolean
                         nodePort:
                           default: true
                           description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.

charts/capsule/templates/_helpers.tpl

@@ -40,6 +40,9 @@ helm.sh/chart: {{ include "capsule.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
 {{- end }}
 
 {{/*
@@ -50,6 +53,19 @@ app.kubernetes.io/name: {{ include "capsule.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+ServiceAccount annotations
+*/}}
+{{- define "capsule.serviceAccountAnnotations" -}}
+{{- if .Values.serviceAccount.annotations }}
+{{- toYaml .Values.serviceAccount.annotations }}
+{{- end }}
+{{- if .Values.customAnnotations }}
+{{ toYaml .Values.customAnnotations }}
+{{- end }}
+{{- end }}
+
+
 {{/*
 Create the name of the service account to use
 */}}

charts/capsule/templates/ca.yaml

@@ -3,5 +3,9 @@ kind: Secret
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   name: {{ include "capsule.secretCaName" . }}
 data:

charts/capsule/templates/certs.yaml

@@ -3,5 +3,9 @@ kind: Secret
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   name: {{ include "capsule.secretTlsName" . }}
 data:

charts/capsule/templates/configuration-default.yaml

@@ -2,6 +2,12 @@ apiVersion: capsule.clastix.io/v1alpha1
 kind: CapsuleConfiguration
 metadata:
   name: default
+  labels:
+  {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   forceTenantPrefix: {{ .Values.manager.options.forceTenantPrefix }}
   userGroups:

charts/capsule/templates/deployment.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.deploymentName" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -11,12 +15,12 @@ spec:
       {{- include "capsule.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-    {{- with .Values.podAnnotations }}
+      {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
       labels:
-        {{- include "capsule.selectorLabels" . | nindent 8 }}
+        {{- include "capsule.labels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:

charts/capsule/templates/metrics-rbac.yaml

@@ -4,9 +4,13 @@ kind: Role
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.labels }}
+  {{- if .Values.serviceMonitor.labels }}
     {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
-    {{- end }}
+  {{- end }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   name: {{ include "capsule.fullname" . }}-metrics-role
   namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
 rules:

charts/capsule/templates/metrics-service.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-controller-manager-metrics-service
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   ports:
   - port: 8080

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
     - v1
@@ -15,7 +19,7 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /namespace-owner-reference
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }}
   matchPolicy: Equivalent
   name: owner.namespace.capsule.clastix.io
   namespaceSelector: {}
@@ -28,6 +32,7 @@ webhooks:
       - v1
       operations:
       - CREATE
+      - UPDATE
       resources:
       - namespaces
       scope: '*'

charts/capsule/templates/podsecuritypolicy.yaml

@@ -5,6 +5,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   fsGroup:
     rule: RunAsAny

charts/capsule/templates/post-install-job.yaml

@@ -6,16 +6,16 @@ kind: Job
 metadata:
   name: "{{ .Release.Name }}-waiting-certs"
   labels:
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    {{- include "capsule.labels" . | nindent 4 }}
   annotations:
     # This is what defines this resource as a hook. Without this line, the
     # job is considered part of the release.
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   template:
     metadata:

charts/capsule/templates/pre-delete-job.yaml

@@ -7,16 +7,16 @@ kind: Job
 metadata:
   name: "{{ .Release.Name }}-rbac-cleaner"
   labels:
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    {{- include "capsule.labels" . | nindent 4 }}
   annotations:
     # This is what defines this resource as a hook. Without this line, the
     # job is considered part of the release.
     "helm.sh/hook": pre-delete
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   template:
     metadata:

charts/capsule/templates/rbac.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-proxy-role
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 rules:
 - apiGroups:
   - authentication.k8s.io
@@ -24,6 +28,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-metrics-reader
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 rules:
 - nonResourceURLs:
   - /metrics
@@ -36,6 +44,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-proxy-rolebinding
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -51,6 +63,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-manager-rolebinding
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

charts/capsule/templates/serviceaccount.yaml

@@ -5,8 +5,8 @@ metadata:
   name: {{ include "capsule.serviceAccountName" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+  {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations)  }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
   {{- end }}
 {{- end }}

charts/capsule/templates/servicemonitor.yaml

@@ -6,9 +6,13 @@ metadata:
   namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.labels }}
-    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- with .Values.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   endpoints:
   - interval: 15s
@@ -16,7 +20,11 @@ spec:
     path: /metrics
   jobLabel: app.kubernetes.io/name
   selector:
-    matchLabels: {{ include "capsule.labels" . | nindent 6 }}
+    matchLabels:
+    {{- include "capsule.labels" . | nindent 6 }}
+    {{- with .Values.serviceMonitor.matchLabels }}
+    {{- toYaml . | nindent 6 }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - {{ .Release.Namespace }}

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
     - v1
@@ -15,13 +19,11 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /cordoning
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.cordoning.failurePolicy }}
   matchPolicy: Equivalent
   name: cordoning.tenant.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -47,13 +49,11 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /ingresses
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.ingresses.failurePolicy }}
   matchPolicy: Equivalent
   name: ingress.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -80,7 +80,7 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /namespaces
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.namespaces.failurePolicy }}
   matchPolicy: Equivalent
   name: namespaces.capsule.clastix.io
   namespaceSelector: {}
@@ -109,13 +109,11 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /networkpolicies
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.networkpolicies.failurePolicy }}
   matchPolicy: Equivalent
   name: networkpolicies.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.networkpolicies.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -140,13 +138,11 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /pods
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.pods.failurePolicy }}
   matchPolicy: Exact
   name: pods.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.pods.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -167,14 +163,12 @@ webhooks:
     caBundle: Cg==
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: capsule-system
+      namespace: {{ .Release.Namespace }}
       path: /persistentvolumeclaims
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.persistentvolumeclaims.failurePolicy }}
   name: pvc.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.persistentvolumeclaims.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -198,13 +192,11 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /services
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.services.failurePolicy }}
   matchPolicy: Exact
   name: services.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.services.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -229,7 +221,7 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /tenants
       port: 443
-  failurePolicy: Fail
+  failurePolicy:  {{ .Values.webhooks.tenants.failurePolicy }}
   matchPolicy: Exact
   name: tenants.capsule.clastix.io
   namespaceSelector: {}
@@ -248,3 +240,29 @@ webhooks:
       scope: '*'
   sideEffects: None
   timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /nodes
+      port: 443
+  failurePolicy: {{ .Values.webhooks.nodes.failurePolicy }}
+  name: nodes.capsule.clastix.io
+  matchPolicy: Exact
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - ""
+      apiVersions:
+        - v1
+      operations:
+        - UPDATE
+      resources:
+        - nodes
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}

charts/capsule/templates/webhook-service.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-webhook-service
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+   {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   ports:
   - port: 443

charts/capsule/values.yaml

@@ -42,8 +42,6 @@ jobs:
     repository: quay.io/clastix/kubectl
     pullPolicy: IfNotPresent
     tag: "v1.20.7"
-mutatingWebhooksTimeoutSeconds: 30
-validatingWebhooksTimeoutSeconds: 30
 imagePullSecrets: []
 serviceAccount:
   create: true
@@ -66,7 +64,7 @@ podSecurityPolicy:
 serviceMonitor:
   enabled: false
   # Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
-  namespace:
+  namespace: ''
   # Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
   labels: {}
   annotations: {}
@@ -74,3 +72,58 @@ serviceMonitor:
   serviceAccount:
     name: capsule
     namespace: capsule-system
+
+# Additional labels
+customLabels: {}
+
+# Additional annotations
+customAnnotations: {}
+
+# Webhooks configurations
+webhooks:
+  namespaceOwnerReference:
+    failurePolicy: Fail
+  cordoning:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  ingresses:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  namespaces:
+    failurePolicy: Fail
+  networkpolicies:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  pods:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  persistentvolumeclaims:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  tenants:
+    failurePolicy: Fail
+  services:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  nodes:
+    failurePolicy: Fail
+mutatingWebhooksTimeoutSeconds: 30
+validatingWebhooksTimeoutSeconds: 30

config/crd/bases/capsule.clastix.io_tenants.yaml

@@ -1101,7 +1101,7 @@ spec:
                   type: object
                 type: array
               priorityClasses:
-                description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                 properties:
                   allowed:
                     items:
@@ -1189,6 +1189,10 @@ spec:
                         default: true
                         description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
                         type: boolean
+                      loadBalancer:
+                        default: true
+                        description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
                       nodePort:
                         default: true
                         description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.

config/install.yaml

@@ -1173,7 +1173,7 @@ spec:
                   type: object
                 type: array
               priorityClasses:
-                description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                 properties:
                   allowed:
                     items:
@@ -1261,6 +1261,10 @@ spec:
                         default: true
                         description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
                         type: boolean
+                      loadBalancer:
+                        default: true
+                        description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
                       nodePort:
                         default: true
                         description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
@@ -1407,7 +1411,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/clastix/capsule:v0.1.0-rc5
+        image: quay.io/clastix/capsule:v0.1.1-rc0
         imagePullPolicy: IfNotPresent
         name: manager
         ports:
@@ -1468,6 +1472,7 @@ webhooks:
     - v1
     operations:
     - CREATE
+    - UPDATE
     resources:
     - namespaces
   sideEffects: None
@@ -1583,14 +1588,33 @@ webhooks:
     service:
       name: capsule-webhook-service
       namespace: capsule-system
-      path: /pods
+      path: /nodes
   failurePolicy: Fail
-  name: pods.capsule.clastix.io
+  name: nodes.capsule.clastix.io
   namespaceSelector:
     matchExpressions:
     - key: capsule.clastix.io/tenant
       operator: Exists
   rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - nodes
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: capsule-webhook-service
+      namespace: capsule-system
+      path: /pods
+  failurePolicy: Fail
+  name: pods.capsule.clastix.io
+  rules:
   - apiGroups:
     - ""
     apiVersions:

config/manager/kustomization.yaml

@@ -7,4 +7,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/clastix/capsule
-  newTag: v0.1.0-rc5
+  newTag: v0.1.1-rc0

config/webhook/manifests.yaml

@@ -22,6 +22,7 @@ webhooks:
     - v1
     operations:
     - CREATE
+    - UPDATE
     resources:
     - namespaces
   sideEffects: None
@@ -117,6 +118,25 @@ webhooks:
     resources:
     - networkpolicies
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /nodes
+  failurePolicy: Fail
+  name: nodes.capsule.clastix.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - nodes
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

config/webhook/patch_ns_selector.yaml

@@ -23,13 +23,13 @@
       - key: capsule.clastix.io/tenant
         operator: Exists
 - op: add
-  path: /webhooks/5/namespaceSelector
+  path: /webhooks/6/namespaceSelector
   value:
     matchExpressions:
       - key: capsule.clastix.io/tenant
         operator: Exists
 - op: add
-  path: /webhooks/6/namespaceSelector
+  path: /webhooks/7/namespaceSelector
   value:
     matchExpressions:
       - key: capsule.clastix.io/tenant
@@ -43,12 +43,12 @@
 - op: add
   path: /webhooks/3/rules/0/scope
   value: Namespaced
-- op: add
-  path: /webhooks/4/rules/0/scope
-  value: Namespaced
 - op: add
   path: /webhooks/5/rules/0/scope
   value: Namespaced
 - op: add
   path: /webhooks/6/rules/0/scope
   value: Namespaced
+- op: add
+  path: /webhooks/7/rules/0/scope
+  value: Namespaced

controllers/rbac/const.go

@@ -35,7 +35,7 @@ var (
 				{
 					APIGroups: []string{""},
 					Resources: []string{"namespaces"},
-					Verbs:     []string{"delete"},
+					Verbs:     []string{"delete", "patch"},
 				},
 			},
 		},

controllers/secret/ca.go

@@ -35,7 +35,7 @@ type CAReconciler struct {
 
 func (r *CAReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Secret{}, forOptionPerInstanceName(caSecretName)).
+		For(&corev1.Secret{}, forOptionPerInstanceName(CASecretName)).
 		Complete(r)
 }
 

controllers/secret/const.go

@@ -7,6 +7,6 @@ const (
 	certSecretKey       = "tls.crt"
 	privateKeySecretKey = "tls.key"
 
-	caSecretName  = "capsule-ca"
+	CASecretName  = "capsule-ca"
 	tlsSecretName = "capsule-tls"
 )

controllers/secret/reconciler.go

@@ -22,10 +22,10 @@ func getCertificateAuthority(client client.Client, namespace string) (ca cert.CA
 
 	err = client.Get(context.TODO(), types.NamespacedName{
 		Namespace: namespace,
-		Name:      caSecretName,
+		Name:      CASecretName,
 	}, instance)
 	if err != nil {
-		return nil, fmt.Errorf("missing secret %s, cannot reconcile", caSecretName)
+		return nil, fmt.Errorf("missing secret %s, cannot reconcile", CASecretName)
 	}
 
 	if instance.Data == nil {

controllers/secret/tls.go

@@ -9,12 +9,13 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"syscall"
+	"os"
 	"time"
 
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -112,8 +113,38 @@ func (r TLSReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctr
 	}
 
 	if instance.Name == tlsSecretName && res == controllerutil.OperationResultUpdated {
-		r.Log.Info("Capsule TLS certificates has been updated, we need to restart the Controller")
-		_ = syscall.Kill(syscall.Getpid(), syscall.SIGINT)
+		r.Log.Info("Capsule TLS certificates has been updated, Controller pods must be restarted to load new certificate")
+
+		hostname, _ := os.Hostname()
+		leaderPod := &corev1.Pod{}
+		if err = r.Client.Get(ctx, types.NamespacedName{Namespace: os.Getenv("NAMESPACE"), Name: hostname}, leaderPod); err != nil {
+			r.Log.Error(err, "cannot retrieve the leader Pod, probably running in out of the cluster mode")
+
+			return reconcile.Result{}, nil
+		}
+
+		podList := &corev1.PodList{}
+		if err = r.Client.List(ctx, podList, client.MatchingLabels(leaderPod.ObjectMeta.Labels)); err != nil {
+			r.Log.Error(err, "cannot retrieve list of Capsule pods requiring restart upon TLS update")
+
+			return reconcile.Result{}, nil
+		}
+
+		for _, p := range podList.Items {
+			nonLeaderPod := p
+			// Skipping this Pod, must be deleted at the end
+			if nonLeaderPod.GetName() == leaderPod.GetName() {
+				continue
+			}
+
+			if err = r.Client.Delete(ctx, &nonLeaderPod); err != nil {
+				r.Log.Error(err, "cannot delete the non-leader Pod due to TLS update")
+			}
+		}
+
+		if err = r.Client.Delete(ctx, leaderPod); err != nil {
+			r.Log.Error(err, "cannot delete the leader Pod due to TLS update")
+		}
 	}
 
 	r.Log.Info("Reconciliation completed, processing back in " + rq.String())

controllers/servicelabels/endpoint_slices.go

@@ -14,8 +14,8 @@ type EndpointSlicesLabelsReconciler struct {
 	abstractServiceLabelsReconciler
 
 	Log          logr.Logger
-	VersionMinor int
-	VersionMajor int
+	VersionMinor uint
+	VersionMajor uint
 }
 
 func (r *EndpointSlicesLabelsReconciler) SetupWithManager(mgr ctrl.Manager) error {

controllers/tenant/manager.go

@@ -68,28 +68,22 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 		return
 	}
 
-	if instance.Spec.NetworkPolicies != nil {
-		r.Log.Info("Starting processing of Network Policies", "items", len(instance.Spec.NetworkPolicies.Items))
-		if err = r.syncNetworkPolicies(instance); err != nil {
-			r.Log.Error(err, "Cannot sync NetworkPolicy items")
-			return
-		}
+	r.Log.Info("Starting processing of Network Policies")
+	if err = r.syncNetworkPolicies(instance); err != nil {
+		r.Log.Error(err, "Cannot sync NetworkPolicy items")
+		return
 	}
 
-	if instance.Spec.LimitRanges != nil {
-		r.Log.Info("Starting processing of Limit Ranges", "items", len(instance.Spec.LimitRanges.Items))
-		if err = r.syncLimitRanges(instance); err != nil {
-			r.Log.Error(err, "Cannot sync LimitRange items")
-			return
-		}
+	r.Log.Info("Starting processing of Limit Ranges", "items", len(instance.Spec.LimitRanges.Items))
+	if err = r.syncLimitRanges(instance); err != nil {
+		r.Log.Error(err, "Cannot sync LimitRange items")
+		return
 	}
 
-	if instance.Spec.ResourceQuota != nil {
-		r.Log.Info("Starting processing of Resource Quotas", "items", len(instance.Spec.ResourceQuota.Items))
-		if err = r.syncResourceQuotas(instance); err != nil {
-			r.Log.Error(err, "Cannot sync ResourceQuota items")
-			return
-		}
+	r.Log.Info("Starting processing of Resource Quotas", "items", len(instance.Spec.ResourceQuota.Items))
+	if err = r.syncResourceQuotas(instance); err != nil {
+		r.Log.Error(err, "Cannot sync ResourceQuota items")
+		return
 	}
 
 	r.Log.Info("Ensuring additional RoleBindings for owner")

controllers/tenant/namespaces.go

@@ -1,3 +1,6 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
 package tenant
 
 import (
@@ -49,6 +52,10 @@ func (r *Manager) syncNamespaceMetadata(namespace string, tnt *capsulev1beta1.Te
 
 		res, conflictErr = controllerutil.CreateOrUpdate(context.TODO(), r.Client, ns, func() error {
 			annotations := make(map[string]string)
+			labels := map[string]string{
+				"name":       namespace,
+				capsuleLabel: tnt.GetName(),
+			}
 
 			if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
 				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Annotations {
@@ -56,6 +63,12 @@ func (r *Manager) syncNamespaceMetadata(namespace string, tnt *capsulev1beta1.Te
 				}
 			}
 
+			if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
+				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Labels {
+					labels[k] = v
+				}
+			}
+
 			if tnt.Spec.NodeSelector != nil {
 				var selector []string
 				for k, v := range tnt.Spec.NodeSelector {
@@ -91,20 +104,37 @@ func (r *Manager) syncNamespaceMetadata(namespace string, tnt *capsulev1beta1.Te
 				}
 			}
 
-			ns.SetAnnotations(annotations)
-
-			newLabels := map[string]string{
-				"name":       namespace,
-				capsuleLabel: tnt.GetName(),
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceLabelsAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceLabelsAnnotation] = value
 			}
 
-			if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
-				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Labels {
-					newLabels[k] = v
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation] = value
+			}
+
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsAnnotation] = value
+			}
+
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation] = value
+			}
+
+			if ns.Annotations == nil {
+				ns.SetAnnotations(annotations)
+			} else {
+				for k, v := range annotations {
+					ns.Annotations[k] = v
 				}
 			}
 
-			ns.SetLabels(newLabels)
+			if ns.Labels == nil {
+				ns.SetLabels(labels)
+			} else {
+				for k, v := range labels {
+					ns.Labels[k] = v
+				}
+			}
 
 			return nil
 		})

docs/.gitignore

@@ -0,0 +1,8 @@
+*.log
+.cache
+.DS_Store
+src/.temp
+node_modules
+dist
+.env
+.env.*

docs/README.md

@@ -0,0 +1,12 @@
+# Capsule Documentation
+
+1. Ensure to have [`yarn`](https://classic.yarnpkg.com/lang/en/docs/install/#debian-stable) installed in your path.
+2. `yarn install`
+
+## Local development
+
+```shell
+yarn develop
+```
+
+This will create a local webserver listening on `localhost:8080` with hot-reload of your local changes.

docs/content/dev-guide.md

@@ -0,0 +1,369 @@
+# Capsule Development Guide
+
+## Prerequisites
+
+### Tools
+
+Make sure you have these tools installed:
+
+- [Go 1.16+](https://golang.org/dl/)
+- [Operator SDK 1.7.2+](https://github.com/operator-framework/operator-sdk), or [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder)
+- [KinD](https://github.com/kubernetes-sigs/kind) or [k3d](https://k3d.io/), with `kubectl`
+- [ngrok](https://ngrok.com/) (if you want to run locally with remote Kubernetes)
+- [golangci-lint](https://github.com/golangci/golangci-lint)
+- OpenSSL
+
+### Kubernetes Cluster
+
+A lightweight Kubernetes within your laptop can be very handy for Kubernetes-native development like Capsule.
+
+#### By `k3d`
+
+```shell
+# Install K3d cli by brew in Mac, or your preferred way
+$ brew install k3d
+
+# Export your laptop's IP, e.g. retrieving it by: ifconfig
+# Do change this IP to yours
+$ export LAPTOP_HOST_IP=192.168.10.101
+
+# Spin up a bare minimum cluster
+# Refer to here for more options: https://k3d.io/v4.4.8/usage/commands/k3d_cluster_create/
+$ k3d cluster create k3s-capsule --servers 1 --agents 1 --no-lb --k3s-server-arg --tls-san=${LAPTOP_HOST_IP}
+
+# Get Kubeconfig 
+$ k3d kubeconfig get k3s-capsule > /tmp/k3s-capsule && export KUBECONFIG="/tmp/k3s-capsule"
+
+# This will create a cluster with 1 server and 1 worker node
+$ kubectl get nodes
+NAME                       STATUS   ROLES                  AGE     VERSION
+k3d-k3s-capsule-server-0   Ready    control-plane,master   2m13s   v1.21.2+k3s1
+k3d-k3s-capsule-agent-0    Ready    <none>                 2m3s    v1.21.2+k3s1
+
+# Or 2 Docker containers if you view it from Docker perspective
+$ docker ps
+CONTAINER ID   IMAGE                      COMMAND                  CREATED          STATUS          PORTS                     NAMES
+5c26ad840c62   rancher/k3s:v1.21.2-k3s1   "/bin/k3s agent"         53 seconds ago   Up 45 seconds                             k3d-k3s-capsule-agent-0
+753998879b28   rancher/k3s:v1.21.2-k3s1   "/bin/k3s server --t…"   53 seconds ago   Up 51 seconds   0.0.0.0:49708->6443/tcp   k3d-k3s-capsule-server-0
+```
+
+#### By `kind`
+
+```shell
+# # Install kind cli by brew in Mac, or your preferred way
+$ brew install kind
+
+# Prepare a kind config file with necessary customization
+$ cat > kind.yaml <<EOF
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  apiServerAddress: "0.0.0.0"
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      certSANs:
+      - localhost
+      - 127.0.0.1
+      - kubernetes
+      - kubernetes.default.svc
+      - kubernetes.default.svc.cluster.local
+      - kind
+      - 0.0.0.0
+      - ${LAPTOP_HOST_IP}
+- role: worker
+EOF
+
+# Spin up a bare minimum cluster with 1 master 1 worker node
+$ kind create cluster --name kind-capsule --config kind.yaml
+
+# This will create a cluster with 1 server and 1 worker node
+$ kubectl get nodes
+NAME                         STATUS   ROLES                  AGE   VERSION
+kind-capsule-control-plane   Ready    control-plane,master   84s   v1.21.1
+kind-capsule-worker          Ready    <none>                 56s   v1.21.1
+
+# Or 2 Docker containers if you view it from Docker perspective
+$ docker ps
+CONTAINER ID   IMAGE                  COMMAND                  CREATED              STATUS              PORTS                     NAMES
+7b329fd3a838   kindest/node:v1.21.1   "/usr/local/bin/entr…"   About a minute ago   Up About a minute   0.0.0.0:54894->6443/tcp   kind-capsule-control-plane
+7d50f1633555   kindest/node:v1.21.1   "/usr/local/bin/entr…"   About a minute ago   Up About a minute                             kind-capsule-worker
+```
+
+## Fork & clone the repository
+
+The `fork-clone-contribute-pr` flow is common for contributing to OSS projects like Kubernetes, Capsule.
+
+Let's assume you've forked it into your GitHub namespace, say `myuser`, and then you can clone it with Git protocol.
+Do remember to change the `myuser` to yours.
+
+```shell
+$ git clone git@github.com:myuser/capsule.git && cd capsule
+```
+
+It's a good practice to add the upsteam as the remote too so we can easily fetch and merge the upstream to our fork:
+
+```shell
+$ git remote add upstream https://github.com/clastix/capsule.git
+$ git remote -vv
+origin	git@github.com:myuser/capsule.git (fetch)
+origin	git@github.com:myuser/capsule.git (push)
+upstream	https://github.com/clastix/capsule.git (fetch)
+upstream	https://github.com/clastix/capsule.git (push)
+```
+
+## Build & deploy Capsule
+
+```shell
+# Download the project dependencies
+$ go mod download
+
+# Build the Capsule image
+$ make docker-build
+
+# Retrieve the built image version
+$ export CAPSULE_IMAGE_VESION=`docker images --format '{{.Tag}}' quay.io/clastix/capsule`
+
+# If k3s, load the image into cluster by
+$ k3d image import --cluster k3s-capsule capsule quay.io/clastix/capsule:${CAPSULE_IMAGE_VESION}
+# If Kind, load the image into cluster by
+$ kind load docker-image --name kind-capsule quay.io/clastix/capsule:${CAPSULE_IMAGE_VESION}
+
+# deploy all the required manifests
+# Note: 1) please retry if you saw errors; 2) if you want to clean it up first, run: make remove
+$ make deploy
+
+# Make sure the controller is running
+$ kubectl get pod -n capsule-system
+NAME                                          READY   STATUS    RESTARTS   AGE
+capsule-controller-manager-5c6b8445cf-566dc   1/1     Running   0          23s
+
+# Check the logs if needed
+$ kubectl -n capsule-system logs --all-containers -l control-plane=controller-manager
+
+# You may have a try to deploy a Tenant too to make sure it works end to end
+$ kubectl apply -f - <<EOF
+apiVersion: capsule.clastix.io/v1beta1
+kind: Tenant
+metadata:
+  name: oil
+spec:
+  owners:
+  - name: alice
+    kind: User
+  - name: system:serviceaccount:capsule-system:default
+    kind: ServiceAccount
+EOF
+
+# There shouldn't be any errors and you should see the newly created tenant
+$ kubectl get tenants
+NAME   STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
+oil    Active                     0                                 14s
+```
+
+If you want to test namespace creation or such stuff, make sure to use impersonation:
+
+```sh
+$ kubectl ... --as system:serviceaccount:capsule-system:default --as-group capsule.clastix.io
+```
+
+As of now, a complete Capsule environment has been set up in `kind`- or `k3d`-powered cluster, and the `capsule-controller-manager` is running as a deployment serving as:
+
+- The reconcilers for CRDs and;
+- A series of webhooks
+
+## Set up development env
+
+During development, we prefer that the code is running within our IDE locally, instead of running as the normal Pod(s) within the Kubernetes cluster.
+
+Such a setup can be illustrated as below diagram:
+
+![Development Env](./assets/dev-env.png)
+
+To achieve that, there are some necessary steps we need to walk through, which have been made as a `make` target within our `Makefile`.
+
+So the TL;DR answer is:
+
+```shell
+# If you haven't installed or run `make deploy` before, do it first
+# Note: please retry if you saw errors
+$ make deploy
+
+# To retrieve your laptop's IP and execute `make dev-setup` to setup dev env
+# For example: LAPTOP_HOST_IP=192.168.10.101 make dev-setup
+$ LAPTOP_HOST_IP="<YOUR_LAPTOP_IP>" make dev-setup
+```
+
+
+This is a very common setup for typical Kubernetes Operator development so we'd better walk them through with more details here.
+
+1. Scaling down the deployed Pod(s) to 0
+
+We need to scale the existing replicas of `capsule-controller-manager` to 0 to avoid reconciliation competition between the Pod(s) and the code running outside of the cluster, in our preferred IDE for example.
+
+```shell
+$ kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
+deployment.apps/capsule-controller-manager scaled
+```
+
+2. Preparing TLS certificate for the webhooks
+
+Running webhooks requires TLS, we can prepare the TLS key pair in our development env to handle HTTPS requests.
+
+```shell
+# Prepare a simple OpenSSL config file
+# Do remember to export LAPTOP_HOST_IP before running this command
+$ cat > _tls.cnf <<EOF
+[ req ]
+default_bits       = 4096
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                = SG
+stateOrProvinceName        = SG
+localityName               = SG
+organizationName           = CAPSULE
+commonName                 = CAPSULE
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+IP.1   = ${LAPTOP_HOST_IP}
+EOF
+
+# Create this dir to mimic the Pod mount point
+$ mkdir -p /tmp/k8s-webhook-server/serving-certs
+
+# Generate the TLS cert/key under /tmp/k8s-webhook-server/serving-certs
+$ openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
+  -subj "/C=SG/ST=SG/L=SG/O=CAPSULE/CN=CAPSULE" \
+  -extensions req_ext \
+  -config _tls.cnf \
+  -keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
+  -out /tmp/k8s-webhook-server/serving-certs/tls.crt
+
+# Clean it up
+$ rm -f _tls.cnf
+```
+
+3. Patching the Webhooks
+
+By default, the webhooks will be registered with the services, which will route to the Pods, inside the cluster.
+
+We need to _delegate_ the controllers' and webbooks' services to the code running in our IDE by patching the `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration`.
+
+```shell
+# Export your laptop's IP with the 9443 port exposed by controllers/webhooks' services
+$ export WEBHOOK_URL="https://${LAPTOP_HOST_IP}:9443"
+
+# Export the cert we just generated as the CA bundle for webhook TLS
+$ export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`
+
+# Patch the MutatingWebhookConfiguration webhook
+$ kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
+    --type='json' -p="[\
+      {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/mutate-v1-namespace-owner-reference\",'caBundle':\"${CA_BUNDLE}\"}}\
+    ]"
+
+# Verify it if you want
+$ kubectl get MutatingWebhookConfiguration capsule-mutating-webhook-configuration -o yaml
+
+# Patch the ValidatingWebhookConfiguration webhooks
+# Note: there is a list of validating webhook endpoints, not just one
+$ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+    --type='json' -p="[\
+      {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/cordoning\",'caBundle':\"${CA_BUNDLE}\"}},\
+      {'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/ingresses\",'caBundle':\"${CA_BUNDLE}\"}},\
+      {'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/namespaces\",'caBundle':\"${CA_BUNDLE}\"}},\
+      {'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/networkpolicies\",'caBundle':\"${CA_BUNDLE}\"}},\
+      {'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/pods\",'caBundle':\"${CA_BUNDLE}\"}},\
+      {'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"${CA_BUNDLE}\"}},\
+      {'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/services\",'caBundle':\"${CA_BUNDLE}\"}},\
+      {'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/tenants\",'caBundle':\"${CA_BUNDLE}\"}}\
+    ]"
+
+# Verify it if you want
+$ kubectl get ValidatingWebhookConfiguration capsule-validating-webhook-configuration -o yaml
+```
+
+## Run Capsule outside the cluster
+
+Now we can run Capsule controllers with webhooks outside of the Kubernetes cluster:
+
+```shell
+$ export NAMESPACE=capsule-system && export TMPDIR=/tmp/
+$ go run .
+```
+
+To verify that, we can open a new console and create a new Tenant:
+
+```shell
+$ kubectl apply -f - <<EOF
+apiVersion: capsule.clastix.io/v1beta1
+kind: Tenant
+metadata:
+  name: gas
+spec:
+  owners:
+  - name: alice
+    kind: User
+EOF
+```
+
+We should see output like:
+```log
+tenant.capsule.clastix.io/gas created
+```
+
+And could see logs in the `make run` console like:
+```log
+...
+{"level":"info","ts":"2021-09-28T21:10:30.520+0800","logger":"controllers.Tenant","msg":"Ensuring all Namespaces are collected","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.527+0800","logger":"controllers.Tenant","msg":"Starting processing of Namespaces","Request.Name":"gas","items":0}
+{"level":"info","ts":"2021-09-28T21:10:30.527+0800","logger":"controllers.Tenant","msg":"Ensuring additional RoleBindings for owner","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.527+0800","logger":"controllers.Tenant","msg":"Ensuring RoleBinding for owner","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.527+0800","logger":"controllers.Tenant","msg":"Ensuring Namespace count","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.533+0800","logger":"controllers.Tenant","msg":"Tenant reconciling completed","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.540+0800","logger":"controllers.Tenant","msg":"Ensuring all Namespaces are collected","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.547+0800","logger":"controllers.Tenant","msg":"Starting processing of Namespaces","Request.Name":"gas","items":0}
+{"level":"info","ts":"2021-09-28T21:10:30.547+0800","logger":"controllers.Tenant","msg":"Ensuring additional RoleBindings for owner","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.547+0800","logger":"controllers.Tenant","msg":"Ensuring RoleBinding for owner","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.547+0800","logger":"controllers.Tenant","msg":"Ensuring Namespace count","Request.Name":"gas"}
+{"level":"info","ts":"2021-09-28T21:10:30.554+0800","logger":"controllers.Tenant","msg":"Tenant reconciling completed","Request.Name":"gas"}
+```
+
+## Work in your preferred IDE
+
+Now it's time to work through our familiar inner loop for development in our preferred IDE.
+
+For example, if you're using [Visual Studio Code](https://code.visualstudio.com), this `launch.json` file can be a good start.
+
+```json
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}",
+            "args": [
+                "--zap-encoder=console",
+                "--zap-log-level=debug",
+                "--configuration-name=capsule-default"
+            ],
+            "env": {
+                "NAMESPACE": "capsule-system",
+                "TMPDIR": "/tmp/"
+            }
+        }
+    ]
+}
+```
+
+Please refer to [contributing](/docs/contributing) for more details while contributing.

docs/content/index.md

@@ -0,0 +1,8 @@
+# Capsule Documentation
+**Capsule** helps to implement a multi-tenancy and policy-based environment in your Kubernetes cluster. It has been designed as a micro-services based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes. 
+
+Currently, the Capsule ecosystem comprises the following:
+
+* [Capsule Operator](/docs/operator/overview)
+* [Capsule Proxy](/docs/proxy/overview)
+* [Capsule Lens extension](/docs/lens-extension/overview)

docs/content/lens-extension/overview.md

@@ -0,0 +1,11 @@
+# Capsule extension for Lens
+With Capsule extension for [Lens](https://github.com/lensapp/lens), a cluster administrator can easily manage from a single pane of glass all resources of a Kubernetes cluster, including all the Tenants created through the Capsule Operator.
+
+## Features
+Capsule extension for Lens provides these capabilities:
+
+- List all tenants
+- See tenant details and change through the embedded Lens editor
+- Check Resources Quota and Budget at both the tenant and namespace level
+
+Please, see the [README](https://github.com/clastix/capsule-lens-extension) for details about the installation of the Capsule Lens Extension.

docs/content/operator/contributing.md

@@ -0,0 +1,63 @@
+# How to contribute to Capsule
+
+First, thanks for your interest in Capsule, any contribution is welcome!
+
+## Development environment setup
+
+The first step is to set up your local development environment.
+
+Please follow the [Capsule Development Guide](/docs/dev-guide) for details.
+
+## Code convention
+
+The changes must follow the Pull Request method where a _GitHub Action_ will
+check the `golangci-lint`, so ensure your changes respect the coding standard.
+
+### golint
+
+You can easily check them issuing the _Make_ recipe `golint`.
+
+```
+# make golint
+golangci-lint run -c .golangci.yml
+```
+
+> Enabled linters and related options are defined in the [.golanci.yml file](https://github.com/clastix/capsule/blob/master/.golangci.yml)
+
+### goimports
+
+Also, the Go import statements must be sorted following the best practice:
+
+```
+<STANDARD LIBRARY>
+
+<EXTERNAL PACKAGES>
+
+<LOCAL PACKAGES>
+```
+
+To help you out you can use the _Make_ recipe `goimports`
+
+```
+# make goimports
+goimports -w -l -local "github.com/clastix/capsule" .
+```
+
+### Commits
+
+All the Pull Requests must refer to an already open issue: this is the first phase to contribute also for informing maintainers about the issue.
+
+Commit's first line should not exceed 50 columns.
+
+A commit description is welcomed to explain more the changes: just ensure
+to put a blank line and an arbitrary number of maximum 72 characters long
+lines, at most one blank line between them.
+
+Please, split changes into several and documented small commits: this will help us to perform a better review. Commits must follow the Conventional Commits Specification, a lightweight convention on top of commit messages. It provides an easy set of rules for creating an explicit commit history; which makes it easier to write automated tools on top of. This convention dovetails with Semantic Versioning, by describing the features, fixes, and breaking changes made in commit messages. See [Conventional Commits Specification](https://www.conventionalcommits.org) to learn about Conventional Commits.
+
+> In case of errors or need of changes to previous commits,
+> fix them squashing to make changes atomic.
+
+### Miscellanea
+
+Please, add a new single line at end of any file as the current coding style.

docs/content/operator/getting-started.md

@@ -6,54 +6,47 @@ Make sure you have access to a Kubernetes cluster as administrator.
 
 There are two ways to install Capsule:
 
-* Use the Helm Chart available [here](https://github.com/clastix/capsule/tree/master/charts/capsule)
-* Use [`kustomize`](https://github.com/kubernetes-sigs/kustomize)
+* Use the [single YAML file installer](https://raw.githubusercontent.com/clastix/capsule/master/config/install.yaml)
+* Use the [Capsule Helm Chart](https://github.com/clastix/capsule/blob/master/charts/capsule/README.md)
 
-### Install with kustomize
-Ensure you have `kubectl` and `kustomize` installed in your `PATH`. 
-
-Clone this repository and move to the repo folder:
+### Install with the single YAML file installer
+Ensure you have `kubectl` installed in your `PATH`. Clone this repository and move to the repo folder:
 
 ```
-$ git clone https://github.com/clastix/capsule
-$ cd capsule
-$ make deploy
+$ kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/install.yaml
 ```
 
 It will install the Capsule controller in a dedicated namespace `capsule-system`.
 
-# Create your first Tenant
-In Capsule, a _Tenant_ is an abstraction to group togheter multiple namespaces in a single entity within a set of bundaries defined by the Cluster Administrator. The tenant is then assigned to a user or group of users who is called _Tenant Owner_.
+### Install with Helm Chart
+Please, refer to the instructions reported in the Capsule Helm Chart [README](https://github.com/clastix/capsule/blob/master/charts/capsule/README.md). 
 
-Capsule defines a Tenant as Custom Resource with cluster scope:
+# Create your first Tenant
+In Capsule, a _Tenant_ is an abstraction to group multiple namespaces in a single entity within a set of boundaries defined by the Cluster Administrator. The tenant is then assigned to a user or group of users who is called _Tenant Owner_.
+
+Capsule defines a Tenant as Custom Resource with cluster scope.
+
+Create the tenant as cluster admin:
 
 ```yaml
-cat <<EOF > oil_tenant.yaml
-apiVersion: capsule.clastix.io/v1alpha1
+kubectl create -f - << EOF
+apiVersion: capsule.clastix.io/v1beta1
 kind: Tenant
 metadata:
   name: oil
 spec:
-  owner:
-    name: alice
+  owners:
+  - name: alice
     kind: User
-  namespaceQuota: 3
 EOF
 ```
 
-Apply as cluster admin:
-
-```
-$ kubectl apply -f oil_tenant.yaml
-tenant.capsule.clastix.io/oil created
-```
-
-You can check the tenant just created as cluster admin
+You can check the tenant just created
 
 ```
 $ kubectl get tenants
-NAME      NAMESPACE QUOTA   NAMESPACE COUNT   OWNER NAME   OWNER KIND   NODE SELECTOR    AGE
-oil       3                 0                 alice        User                          1m
+NAME   STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
+oil    Active                     0                                 10s
 ```
 
 ## Tenant owners
@@ -65,27 +58,21 @@ Assignment to a group depends on the authentication strategy in your cluster.
 
 For example, if you are using `capsule.clastix.io`, users authenticated through a _X.509_ certificate must have `capsule.clastix.io` as _Organization_: `-subj "/CN=${USER}/O=capsule.clastix.io"`
 
-Users authenticated through an _OIDC token_ must have
+Users authenticated through an _OIDC token_ must have in their token:
 
 ```json
 ...
 "users_groups": [
-    "capsule.clastix.io",
-    "other_group"
+  "capsule.clastix.io",
+  "other_group"
 ]
 ```
 
-in their token.
-
-The [hack/create-user.sh](../../hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `alice` user acting as owner of a tenant called `oil`
+The [hack/create-user.sh](https://github.com/clastix/capsule/blob/master/hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `alice` user acting as owner of a tenant called `oil`
 
 ```bash
 ./hack/create-user.sh alice oil
-creating certs in TMPDIR /tmp/tmp.4CLgpuime3 
-Generating RSA private key, 2048 bit long modulus (2 primes)
-............+++++
-........................+++++
-e is 65537 (0x010001)
+...
 certificatesigningrequest.certificates.k8s.io/alice-oil created
 certificatesigningrequest.certificates.k8s.io/alice-oil approved
 kubeconfig file is: alice-oil.kubeconfig
@@ -112,7 +99,7 @@ $ kubectl -n oil-development run nginx --image=docker.io/nginx
 $ kubectl -n oil-development get pods
 ```
 
-but limited to only your own namespaces:
+but limited to only your namespaces:
 
 ```
 $ kubectl -n kube-system get pods
@@ -120,4 +107,4 @@ Error from server (Forbidden): pods is forbidden: User "alice" cannot list resou
 ```
 
 # What’s next
-The Tenant Owners have full administrative permissions limited to only the namespaces in the assigned tenant. However, their permissions can be controlled by the Cluster Admin by setting rules and policies on the assigned tenant. See the [use cases](./use-cases/overview.md) page for more getting more cool things you can do with Capsule.
+The Tenant Owners have full administrative permissions limited to only the namespaces in the assigned tenant. However, their permissions can be controlled by the Cluster Admin by setting rules and policies on the assigned tenant. See the [use cases](/docs/operator/use-cases/overview) page for more getting more cool things you can do with Capsule.

docs/content/operator/managed-kubernetes/aws-eks.md

@@ -1,7 +1,6 @@
-# Capsule with Amazon EKS
-
-This is an example how to install Amazon EKS cluster and one user
-manged by capsule.
+# Capsule on AWS EKS
+This is an example of how to install AWS EKS cluster and one user
+manged by Capsule.
 
 It is based on [Using IAM Groups to manage Kubernetes access](https://www.eksworkshop.com/beginner/091_iam-groups/intro/)
 
@@ -115,7 +114,7 @@ EOF
 
 ----
 
-Export "admin" kubeconfig to be able to install capsule:
+Export "admin" kubeconfig to be able to install Capsule:
 
 ```bash
 export KUBECONFIG=kubeconfig.conf
@@ -131,7 +130,7 @@ helm upgrade --install --version 0.0.19 --namespace capsule-system --create-name
 Use the default Tenant example:
 
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/samples/capsule_v1alpha1_tenant.yaml
+kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/samples/capsule_v1beta1_tenant.yaml
 ```
 
 Based on the tenant configuration above the user `alice` should be able

docs/content/operator/managed-kubernetes/overview.md

@@ -0,0 +1,16 @@
+# Capsule over Managed Kubernetes
+Capsule Operator can be easily installed on a Managed Kubernetes Service. Since in these services, you do not have access to the Kubernetes APIs Server, you should check with your service provider following pre-requisites:
+
+- the default `cluster-admin` ClusterRole is accessible 
+- the following Admission Webhooks are enabled on the APIs Server:
+    - PodNodeSelector
+    - LimitRanger
+    - ResourceQuota
+    - MutatingAdmissionWebhook
+    - ValidatingAdmissionWebhook
+
+* [AWS EKS](/docs/operator/managed-kubernetes/aws-eks)
+* CoAKS - Capsule over Azure Kubernetes Service
+* Google Cloud GKE
+* IBM Cloud
+* OVH

docs/content/operator/monitoring.md

@@ -0,0 +1,181 @@
+# Monitoring Capsule
+
+The Capsule dashboard allows you to track the health and performance of Capsule manager and tenants, with particular attention to resources saturation, server responses, and latencies.
+
+## Requirements
+
+### Prometheus
+
+Prometheus is an open-source monitoring system and time series database; it is based on a multi-dimensional data model and uses PromQL, a powerful query language, to leverage it.
+
+- Minimum version: 1.0.0
+
+### Grafana
+
+Grafana is an open-source monitoring solution that offers a flexible way to generate visuals and configure dashboards.
+
+- Minimum version: 7.5.5
+
+To fastly deploy this monitoring stack, consider installing the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator).
+
+---
+
+## Quick Start
+
+The Capsule Helm [charts](https://github.com/clastix/capsule/tree/master/charts/capsule) allow you to automatically create Kubernetes minimum resources needed for the proper functioning of the dashboard:
+
+* ServiceMonitor
+* Role
+* RoleBinding
+
+N.B: we assume that a ServiceAccount resource has already been created so it can easily interact with the Prometheus API.
+
+### Helm install
+
+During Capsule installation, set the `serviceMonitor` fields as follow:
+
+```yaml
+serviceMonitor:
+  enabled: true
+  [...]
+  serviceAccount:
+    name: <prometheus-sa>
+    namespace: <prometheus-sa-namespace>
+```
+Take a look at the Helm charts [README.md](https://github.com/clastix/capsule/blob/master/charts/capsule/README.md#customize-the-installation) file for further customization.
+
+### Check Service Monitor
+
+Verify that the service monitor is working correctly through the Prometheus "targets" page :
+
+![Prometheus Targets](../assets/prometheus_targets.png)
+
+### Deploy dashboard
+
+Simply upload [dashboard.json](https://github.com/clastix/capsule/blob/master/config/grafana/dashboard.json) file to Grafana through _Create_ -> _Import_,
+making sure to select the correct Prometheus data source:
+
+![Grafana Import](../assets/upload_json.png)
+
+## In-depth view
+
+### Features
+* [Manager controllers](https://github.com/clastix/capsule/blob/master/docs/operator/monitoring.md#manager-controllers)
+* [Webhook error rate](https://github.com/clastix/capsule/blob/master/docs/operator/monitoring.md#webhook-error-rate)
+* [Webhook latency](https://github.com/clastix/capsule/blob/master/docs/operator/monitoring.md#webhook-latency)
+* [REST client latency](https://github.com/clastix/capsule/blob/master/docs/operator/monitoring.md#rest-client-latency)
+* [REST client error rate](https://github.com/clastix/capsule/blob/master/docs/operator/monitoring.md#rest-client-error-rate)
+* [Saturation](https://github.com/clastix/capsule/blob/master/docs/operator/monitoring.md#saturation)
+* [Workqueue](https://github.com/clastix/capsule/blob/master/docs/operator/monitoring.md#workqueue)
+
+---
+
+#### Manager controllers
+
+![Manager controllers](../assets/manager-controllers.png)
+
+##### Description
+
+This section provides information about the medium time delay between manager client input, side effects, and new state determination (reconciliation).
+
+##### Dependant variables and available values
+
+* Controller name
+  - capsuleconfiguration
+  - clusterrole
+  - clusterrolebinding
+  - endpoints
+  - endpointslice
+  - secret
+  - service
+  - tenant
+
+#### Webhook error rate
+
+![Webhook error rate](../assets/webhook-error-rate.png)
+
+##### Description
+
+This section provides information about webhook requests response, mainly focusing on server-side errors research.
+
+##### Dependant variables and available values
+
+* Webhook
+  - cordoning
+  - ingresses
+  - namespace-owner-reference
+  - namespaces
+  - networkpolicies
+  - persistentvolumeclaims
+  - pods
+  - services
+  - tenants
+
+#### Webhook latency
+
+![Webhook latency](../assets/webhook-latency.png)
+
+##### Description
+
+This section provides information about the medium time delay between webhook trigger, side effects, and data written on etcd.
+
+##### Dependant variables and available values
+
+* Webhook
+  - cordoning
+  - ingresses
+  - namespace-owner-reference
+  - namespaces
+  - networkpolicies
+  - persistentvolumeclaims
+  - pods
+  - services
+  - tenants
+
+#### REST client latency
+
+![REST client latency](../assets/rest-client-latency.png)
+
+##### Description
+
+This section provides information about the medium time delay between all the calls done by the controller and the API server.
+Data display may depend on the REST client verb considered and on available REST client URLs.
+
+YMMV
+
+##### Dependant variables and available values
+
+* REST client URL
+* REST client verb
+  - GET
+  - PUT
+  - POST
+  - PATCH
+  - DELETE
+
+#### REST client error rate
+
+![REST client error rate](../assets/rest-client-error-rate.png)
+
+##### Description
+
+This section provides information about client total rest requests response per unit time, grouped by thrown code.
+
+#### Saturation
+
+![Saturation](../assets/saturation.png)
+
+##### Description
+
+This section provides information about resources, giving a detailed picture of the system’s state and the amount of requested work per active controller.
+
+#### Workqueue
+
+![Workqueue](../assets/workqueue.png)
+
+##### Description
+
+This section provides information about "actions" in the queue, particularly:
+- Workqueue latency: time to complete a series of actions in the queue ;
+- Workqueue rate: number of actions per unit time ;
+- Workqueue depth: number of pending actions waiting in the queue.

docs/content/operator/mtb/allow-self-service-management-of-network-policies.md

@@ -6,7 +6,7 @@
 
 **Category:** Self-Service Operations
 
-**Description:** Tenants should be able to perform self-service operations by creating own network policies in their namespaces.
+**Description:** Tenants should be able to perform self-service operations by creating their own network policies in their namespaces.
 
 **Rationale:** Enables self-service management of network-policies.
 
@@ -56,7 +56,7 @@ NAME            POD-SELECTOR   AGE
 capsule-oil-0   <none>         7m5s
 ```
 
-As tenant owner check for permissions to manage networkpolicy for each verb
+As a tenant, checks for permissions to manage networkpolicy for each verb
 
 ```bash 
 kubectl --kubeconfig alice auth can-i get networkpolicies

docs/content/operator/mtb/allow-self-service-management-of-rolebindings.md

@@ -6,7 +6,7 @@
 
 **Category:** Self-Service Operations
 
-**Description:** Tenants should be able to perform self-service operations by creating own rolebindings in their namespaces.
+**Description:** Tenants should be able to perform self-service operations by creating their rolebindings in their namespaces.
 
 **Rationale:** Enables self-service management of roles.
 

docs/content/operator/mtb/allow-self-service-management-of-roles.md

@@ -6,7 +6,7 @@
 
 **Category:** Self-Service Operations
 
-**Description:** Tenants should be able to perform self-service operations by creating own roles in their namespaces.
+**Description:** Tenants should be able to perform self-service operations by creating their own roles in their namespaces.
 
 **Rationale:** Enables self-service management of roles.
 
@@ -37,7 +37,7 @@ kubectl --kubeconfig alice create ns oil-production
 kubectl --kubeconfig alice config set-context --current --namespace oil-production
 ```
 
-As tenant owner check for permissions to manage roles for each verb
+As tenant owner, check for permissions to manage roles for each verb
 
 ```bash 
 kubectl --kubeconfig alice auth can-i get roles

docs/content/operator/mtb/block-access-to-cluster-resources.md

@@ -6,7 +6,7 @@
 
 **Category:** Control Plane Isolation
 
-**Description:** Tenants should not be able to view, edit, create, or delete cluster (non-namespaced) resources such Node, ClusterRole, ClusterRoleBinding, etc.
+**Description:** Tenants should not be able to view, edit, create or delete cluster (non-namespaced) resources such Node, ClusterRole, ClusterRoleBinding, etc.
 
 **Rationale:** Access controls should be configured for tenants so that a tenant cannot list, create, modify or delete cluster resources
 
@@ -53,7 +53,7 @@ kubectl --kubeconfig alice auth can-i create namespaces
 yes
 ```
 
-Any kubernetes user can create `SelfSubjectAccessReview` and `SelfSubjectRulesReviews` to checks whether he/she can perform an action. First two exceptions are not an issue.
+Any kubernetes user can create `SelfSubjectAccessReview` and `SelfSubjectRulesReviews` to checks whether he/she can act. First, two exceptions are not an issue.
 
 ```bash 
 kubectl --anyuser auth can-i --list
@@ -78,7 +78,7 @@ selfsubjectrulesreviews.authorization.k8s.io    []                  []
                                                 [/version]          []               [get]
 ```
 
-In order to enable namespace self-service provisioning, Capsule intentionally gives permissions to create namespaces to all users belonging to the Capsule group:
+To enable namespace self-service provisioning, Capsule intentionally gives permissions to create namespaces to all users belonging to the Capsule group:
 
 ```bash
 kubectl describe clusterrolebindings capsule-namespace-provisioner

docs/content/operator/mtb/block-access-to-multitenant-resources.md

@@ -6,9 +6,9 @@
 
 **Category:** Tenant Isolation
 
-**Description:** Each tenant namespace may contain resources setup by the cluster administrator for multi-tenancy, such as role bindings, and network policies. Tenants should not be allowed to modify the namespaced resources created by the cluster administrator for multi-tenancy. However, for some resources such as network policies, tenants can configure additional instances of the resource for their workloads.
+**Description:** Each tenant namespace may contain resources set up by the cluster administrator for multi-tenancy, such as role bindings, and network policies. Tenants should not be allowed to modify the namespaced resources created by the cluster administrator for multi-tenancy. However, for some resources such as network policies, tenants can configure additional instances of the resource for their workloads.
 
-**Rationale:** Tenants can escalate priviliges and impact other tenants if they are able to delete or modify required multi-tenancy resources such as namespace resource quotas or default network policy.
+**Rationale:** Tenants can escalate privileges and impact other tenants if they can delete or modify required multi-tenancy resources such as namespace resource quotas or default network policy.
 
 **Audit:**
 
@@ -99,7 +99,7 @@ spec:
 EOF
 ```
 
-However, due the additive nature of networkpolicies, the `DENY ALL` policy set by the cluster admin, prevents the hijacking.
+However, due to the additive nature of networkpolicies, the `DENY ALL` policy set by the cluster admin, prevents hijacking.
 
 As tenant owner list RBAC permissions set by Capsule
 
@@ -110,13 +110,13 @@ namespace-deleter   ClusterRole/capsule-namespace-deleter   11h
 namespace:admin     ClusterRole/admin                       11h
 ```
 
-As tenant owner, try to change/delete  the rolebindings in order to escalate permissions
+As tenant owner, try to change/delete  the rolebinding to escalate permissions
 
 ```bash 
 kubectl --kubeconfig alice edit/delete rolebinding namespace:admin
 ```
 
-The rolebindings is immediately recreated by Capsule:
+The rolebinding is immediately recreated by Capsule:
 
 ```
 kubectl --kubeconfig alice get rolebindings
@@ -125,7 +125,7 @@ namespace-deleter   ClusterRole/capsule-namespace-deleter   11h
 namespace:admin     ClusterRole/admin                       2s
 ```
 
-However, the tenant owner can create and assign permissions inside namespace she owns
+However, the tenant owner can create and assign permissions inside the namespace she owns
 
 ```yaml
 kubectl create -f - << EOF

docs/content/operator/mtb/block-access-to-other-tenant-resources.md

@@ -6,7 +6,7 @@
 
 **Category:** Tenant Isolation
 
-**Description:** Each tenant has its own set of resources, such as namespaces, service accounts, secrets, pods, services, etc. Tenants should not be allowed to access eachother's resources.
+**Description:** Each tenant has its own set of resources, such as namespaces, service accounts, secrets, pods, services, etc. Tenants should not be allowed to access each other's resources.
 
 **Rationale:** Tenant's resources must be not accessible by other tenants.
 
@@ -69,10 +69,10 @@ As `oil` tenant owner, try to retrieve the resources in the `gas` tenant namespa
 kubectl --kubeconfig alice get serviceaccounts --namespace  gas-production 
 ```
 
-You must receive an eror message:
+You must receive an error message:
 
 ```
-Error from server (Forbidden): serviceaccounts is forbidden:
+Error from server (Forbidden): serviceaccount is forbidden:
 User "oil" cannot list resource "serviceaccounts" in API group "" in the namespace "gas-production"
 ```
 
@@ -82,10 +82,10 @@ As `gas` tenant owner, try to retrieve the resources in the `oil` tenant namespa
 kubectl --kubeconfig joe get serviceaccounts --namespace  oil-production 
 ```
 
-You must receive an eror message:
+You must receive an error message:
 
 ```
-Error from server (Forbidden): serviceaccounts is forbidden:
+Error from server (Forbidden): serviceaccount is forbidden:
 User "joe" cannot list resource "serviceaccounts" in API group "" in the namespace "oil-production"
 ```
 

docs/content/operator/mtb/block-privilege-escalation.md

@@ -8,7 +8,7 @@
 
 **Description:** Control container permissions.
 
-**Rationale:** The security `allowPrivilegeEscalation` setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges.
+**Rationale:** The security `allowPrivilegeEscalation` setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional privileges.
 
 **Audit:**
 

docs/content/operator/mtb/block-use-of-existing-persistent-volumes.md

@@ -8,7 +8,7 @@
 
 **Description:** Avoid a tenant to mount existing volumes`.
 
-**Rationale:** Tenants have to be assured that their Persisten Volumes cannot be reclaimed by other tenants.
+**Rationale:** Tenants have to be assured that their Persistent Volumes cannot be reclaimed by other tenants.
 
 **Audit:**
 

docs/content/operator/mtb/block-use-of-host-path-volumes.md

@@ -8,7 +8,7 @@
 
 **Description:** Tenants should not be able to mount host volumes and directories.
 
-**Rationale:** The use of host volumes and directories can be used to access shared data or escalate priviliges and also creates a tight coupling between a tenant workload and a host.
+**Rationale:** The use of host volumes and directories can be used to access shared data or escalate privileges and also creates a tight coupling between a tenant workload and a host.
 
 **Audit:**
 

docs/content/operator/mtb/require-reclaim-policy-of-delete.md

@@ -8,7 +8,7 @@
 
 **Description:** Force a tenant to use a Storage Class with `reclaimPolicy=Delete`.
 
-**Rationale:** Tenants have to be assured that their Persisten Volumes cannot be reclaimed by other tenants.
+**Rationale:** Tenants have to be assured that their Persistent Volumes cannot be reclaimed by other tenants.
 
 **Audit:**
 

docs/content/operator/mtb/require-run-as-non-root-user.md

@@ -8,7 +8,7 @@
 
 **Description:** Control container permissions.
 
-**Rationale:** Processes in containers run as the root user (uid 0), by default. To prevent potential compromise of container hosts, specify a least privileged user ID when building the container image and require that application containers run as non root users.
+**Rationale:** Processes in containers run as the root user (uid 0), by default. To prevent potential compromise of container hosts, specify a least-privileged user ID when building the container image and require that application containers run as non-root users.
 
 **Audit:**
 

docs/content/operator/mtb/sig-multitenancy-bench.md

@@ -0,0 +1,30 @@
+# Meet the multi-tenancy benchmark MTB
+Actually, there's no yet a real standard for the multi-tenancy model in Kubernetes, although the [SIG multi-tenancy group](https://github.com/kubernetes-sigs/multi-tenancy) is working on that. SIG multi-tenancy drafted a generic validation schema appliable to generic multi-tenancy projects. Multi-Tenancy Benchmarks [MTB](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks) are guidelines for multi-tenant configuration of Kubernetes clusters. Capsule is an open source multi-tenancy operator and we decided to meet the requirements of MTB.
+
+> N.B. At the time of writing, the MTB is in development and not ready for usage. Strictly speaking, we do not claim official conformance to MTB, but just to adhere to the multi-tenancy requirements and best practices promoted by MTB.
+
+|MTB Benchmark |MTB Profile|Capsule Version|Conformance|Notes  |
+|--------------|-----------|---------------|-----------|-------|
+|[Block access to cluster resources](/docs/operator/mtb/block-access-to-cluster-resources)|L1|v0.1.0|✓|---|
+|[Block access to multitenant resources](/docs/operator/mtb/block-access-to-multitenant-resources)|L1|v0.1.0|✓|---|
+|[Block access to other tenant resources](/docs/operator/mtb/block-access-to-other-tenant-resources)|L1|v0.1.0|✓|MTB draft|
+|[Block add capabilities](/docs/operator/mtb/block-add-capabilities)|L1|v0.1.0|✓|---|
+|[Require always imagePullPolicy](/docs/operator/mtb/require-always-imagepullpolicy)|L1|v0.1.0|✓|---|
+|[Require run as non-root user](/docs/operator/mtb/require-run-as-non-root-user)|L1|v0.1.0|✓|---|
+|[Block privileged containers](/docs/operator/mtb/block-privileged-containers)|L1|v0.1.0|✓|---|
+|[Block privilege escalation](/docs/operator/mtb/block-privilege-escalation)|L1|v0.1.0|✓|---|
+|[Configure namespace resource quotas](/docs/operator/mtb/configure-namespace-resource-quotas)|L1|v0.1.0|✓|---|
+|[Block modification of resource quotas](/docs/operator/mtb/block-modification-of-resource-quotas)|L1|v0.1.0|✓|---|
+|[Configure namespace object limits](/docs/operator/mtb/configure-namespace-object-limits)|L1|v0.1.0|✓|---|
+|[Block use of host path volumes](/docs/operator/mtb/block-use-of-host-path-volumes)|L1|v0.1.0|✓|---|
+|[Block use of host networking and ports](/docs/operator/mtb/block-use-of-host-networking-and-ports)|L1|v0.1.0|✓|---|
+|[Block use of host PID](/docs/operator/mtb/block-use-of-host-pid)|L1|v0.1.0|✓|---|
+|[Block use of host IPC](/docs/operator/mtb/block-use-of-host-ipc)|L1|v0.1.0|✓|---|
+|[Block use of NodePort services](/docs/operator/mtb/block-use-of-nodeport-services)|L1|v0.1.0|✓|---|
+|[Require PersistentVolumeClaim for storage](/docs/operator/mtb/require-persistentvolumeclaim-for-storage)|L1|v0.1.0|✓|MTB draft|
+|[Require PV reclaim policy of delete](/docs/operator/mtb/require-reclaim-policy-of-delete)|L1|v0.1.0|✓|MTB draft|
+|[Block use of existing PVs](/docs/operator/mtb/block-use-of-existing-persistent-volumes)|L1|v0.1.0|✓|MTB draft|
+|[Block network access across tenant namespaces](/docs/operator/mtb/block-network-access-across-tenant-namespaces)|L1|v0.1.0|✓|MTB draft|
+|[Allow self-service management of Network Policies](/docs/operator/mtb/allow-self-service-management-of-network-policies)|L2|v0.1.0|✓|---|
+|[Allow self-service management of Roles](/docs/operator/mtb/allow-self-service-management-of-roles)|L2|v0.1.0|✓|MTB draft|
+|[Allow self-service management of Role Bindings](/docs/operator/mtb/allow-self-service-management-of-rolebindings)|L2|v0.1.0|✓|MTB draft|

docs/content/operator/overview.md

@@ -0,0 +1,10 @@
+# Kubernetes Operator
+
+* [Getting Started](/docs/operator/getting-started)
+* [Use Cases](/docs/operator/use-cases/overview)
+* [SIG Multi-tenancy benchmark](/docs/operator/mtb/sig-multitenancy-bench)
+* [Run on Managed Kubernetes Services](/docs/operator/managed-kubernetes/overview)
+* [Monitoring Capsule](/docs/operator/monitoring)
+* [References](/docs/operator/references)
+* [Contributing](/docs/operator/contributing)
+