chore(deps): update zgosalvez/github-actions-ensure-sha-pinned-actions action to v5 (#1865 )

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(deps): update actions/stale digest to b5d41d4 (#1866 )
2026-02-14 18:09:58 +00:00 · 2026-02-13 00:28:34 +02:00 · 2026-02-13 00:28:10 +02:00 · 2026-02-10 08:54:08 +01:00 · 2026-02-06 22:53:08 +02:00 · 2026-02-03 22:05:00 +01:00
555 changed files with 38340 additions and 8058 deletions
--- a/.github/actions/setup-caches/action.yaml
+++ b/.github/actions/setup-caches/action.yaml
@@ -9,11 +9,11 @@ inputs:
 runs:
  using: composite
  steps:
-    - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+    - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
      with:
        path: ~/go/pkg/mod
        key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
-    - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+    - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
      if: ${{ inputs.build-cache-key }}
      with:
        path: ~/.cache/go-build
--- a/.github/workflows/check-actions.yml
+++ b/.github/workflows/check-actions.yml
@@ -15,9 +15,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@d5d20e15f2736816ee0e001ba8b24b54d9ffcff4 # v5.0.0
        with:
          # slsa-github-generator requires using a semver tag for reusable workflows.
          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
--- a/.github/workflows/check-commit.yml
+++ b/.github/workflows/check-commit.yml
@@ -16,7 +16,7 @@ jobs:
  commit_lint:
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
--- a/.github/workflows/check-pr.yml
+++ b/.github/workflows/check-pr.yml
@@ -15,7 +15,7 @@ jobs:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
-      - uses: amannn/action-semantic-pull-request@e49f57ce06c1747542fce2243c7a98682384bc0e
+      - uses: amannn/action-semantic-pull-request@b439535a8eb2122b748ed2b45d1693aaabe5b0aa
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout Code"
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check secret
        id: checksecret
        uses: ./.github/actions/exists
@@ -47,16 +47,16 @@ jobs:
      contents: read
    steps:
      - name: Checkout Source
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
      - name: Run Gosec Security Scanner
-        uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
+        uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f # v2.22.11
        with:
          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@ae78991f558bb4195cb8a727cb6679c362b9cf24
+        uses: github/codeql-action/upload-sarif@8aac4e47ac8ace7d9e0e0b4ef7407aff0ceb5e87
        with:
          sarif_file: gosec.sarif
  unit_tests:
@@ -64,8 +64,8 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
      - name: Unit Test
@@ -77,7 +77,7 @@ jobs:
          value: ${{ secrets.CODECOV_TOKEN }}
      - name: Upload Report to Codecov
        if: ${{ steps.checksecret.outputs.result == 'true' }}
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: projectcapsule/capsule
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -24,7 +24,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: ko build
        run: VERSION=${{ github.sha }} make ko-build-all
      - name: Trivy Scan Image
@@ -40,6 +40,6 @@ jobs:
          # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ae78991f558bb4195cb8a727cb6679c362b9cf24
+        uses: github/codeql-action/upload-sarif@8aac4e47ac8ace7d9e0e0b4ef7407aff0ceb5e87
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -20,7 +20,7 @@ jobs:
      capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup caches
        uses: ./.github/actions/setup-caches
        timeout-minutes: 5
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -9,6 +9,7 @@ on:
      - '.github/workflows/e2e.yml'
      - 'api/**'
      - 'controllers/**'
+      - 'internal/**'
      - 'pkg/**'
      - 'e2e/*'
      - 'Dockerfile'
@@ -22,18 +23,45 @@ concurrency:

 jobs:
  e2e:
-    name: E2E Testing
+    name: E2E Testing (CE)
    runs-on:
      labels: ubuntu-latest-8-cores
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
+
      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
-        with:
-          version: v3.14.2
+
      - name: e2e
        run: sudo make e2e
+  run-e2e:
+    name: E2E Testing
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version:
+          - 'v1.31.0'
+          - 'v1.32.0'
+          - 'v1.33.0'
+          - 'v1.34.0'
+    runs-on:
+      labels: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ github.event.client_payload.repo }}
+          ref: ${{ github.event.client_payload.sha }}
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version-file: 'go.mod'
+
+      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+
+      - name: e2e (Enterprise)
+        run: sudo KUBERNETES_SUPPORTED_VERSION=${{ matrix.k8s-version }} make e2e
--- a/.github/workflows/helm-publish.yml
+++ b/.github/workflows/helm-publish.yml
@@ -16,7 +16,7 @@ jobs:
    if: github.repository_owner == 'projectcapsule'
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: "Extract Version"
        id: extract_version
        run: |
@@ -45,7 +45,7 @@ jobs:
    outputs:
      chart-digest: ${{ steps.helm_publish.outputs.digest }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: "Extract Version"
        id: extract_version
--- a/.github/workflows/helm-test.yml
+++ b/.github/workflows/helm-test.yml
@@ -23,14 +23,14 @@ jobs:
      options: --user root
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run ah lint
        working-directory: ./charts/
        run: ah lint
  lint:
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,14 +15,15 @@ jobs:
    name: diff
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
      - name: Generate manifests
        run: |
+          make generate
          make manifests
          if [[ $(git diff --stat) != '' ]]; then
            echo -e '\033[0;31mManifests outdated! (Run make manifests locally and commit)\033[0m ❌'
@@ -35,7 +36,7 @@ jobs:
    name: yamllint
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install yamllint
        run: pip install yamllint
      - name: Lint YAML files
@@ -44,8 +45,8 @@ jobs:
    name: lint
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
      - name: Run golangci-lint
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -18,11 +18,11 @@ jobs:
      id-token: write
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Install Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
      - name: Setup caches
@@ -30,7 +30,7 @@ jobs:
        timeout-minutes: 5
        continue-on-error: true
      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-      - uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84
+      - uses: anchore/sbom-action/download-syft@5620efe7f17de3b70cbc020fc49ce9048f1bbacf
      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Run GoReleaser
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -20,7 +20,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run analysis
@@ -31,12 +31,12 @@ jobs:
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          publish_results: true
      - name: Upload artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
        with:
          sarif_file: results.sarif
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -15,7 +15,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Close stale pull requests
-        uses: actions/stale@e46bbabb3ede15841d25946157759558dd16306e
+        uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
          stale-pr-message: 'This pull request has been marked as stale because it has been inactive for more than 30 days. Please update this pull request or it will be automatically closed in 30 days.'
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@
 bin
 dist/
 config/
+builds/

 # Test binary, build with `go test -c`
 *.test
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -39,7 +39,7 @@ linters:
      min-occurrences: 2
    goheader:
      template: |-
-        Copyright 2020-2025 Project Capsule Authors
+        Copyright 2020-2026 Project Capsule Authors
        SPDX-License-Identifier: Apache-2.0
    inamedparam:
      skip-single-param: true
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -54,6 +54,8 @@ release:
  footer: |
    **Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}

+    [Check out what's new in this release](https://projectcapsule.dev/docs/whats-new/)
+
    **Docker Images**
    - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Version }}`
    - `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
@@ -73,7 +75,7 @@ release:
    >
    > | Kubernetes version | Minimum required |
    > |--------------------|------------------|
-    > | `v1.34`            | `>= 1.34.0`      |
+    > | `v1.35`            | `>= 1.35.0`      |


    Thanks to all the contributors! 🚀 🦄
--- a/.nwa-config
+++ b/.nwa-config
@@ -1,12 +1,13 @@
 nwa:
  cmd: "update"
  holder: "Project Capsule Authors"
-  year: "2020-2025"
+  year: "2020-2026"
  spdxids: "Apache-2.0"
  path:
    - "pkg/**/*.go"
    - "cmd/**/*.go"
    - "api/**/*.go"
+    - "internal/**/*.go"
    - "controllers/**/*.go"
    - "main.go"
  mute: false
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
-  rev: v9.23.0
+  rev: v9.24.0
  hooks:
  - id: commitlint
    stages: [commit-msg]
@@ -13,7 +13,7 @@ repos:
  - id: end-of-file-fixer
  - id: trailing-whitespace
 - repo: https://github.com/adrienverge/yamllint
-  rev: v1.37.1
+  rev: v1.38.0
  hooks:
  - id: yamllint
    args: [-c=.github/configs/lintconf.yaml]
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -63,16 +63,19 @@ So the TL;DR answer is:
 **Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup.

 ```bash
-# If you haven't installed or run `make deploy` before, do it first
-# Note: please retry if you saw errors
-$ make deploy
+# Create a KinD cluster if not already created
+$ make dev-cluster

 # To retrieve your laptop's IP and execute `make dev-setup` to setup dev env
 # For example: LAPTOP_HOST_IP=192.168.10.101 make dev-setup
 $ LAPTOP_HOST_IP="<YOUR_LAPTOP_IP>" make dev-setup
+
+
+# Monitoring Setup (Grafana/Prometheus/Pyroscope)
+$ LAPTOP_HOST_IP="<YOUR_LAPTOP_IP>" make dev-setup-monitoring
 ```

-### Explenation
+### Setup

 We recommend to setup the development environment with the make `dev-setup` target. However here is a step by step guide to setup the development environment for understanding.

--- a/163
+++ b/163
@@ -19,7 +19,7 @@ CAPSULE_IMG     ?= $(REGISTRY)/$(IMG_BASE)
 CLUSTER_NAME    ?= capsule

 ## Kubernetes Version Support
-KUBERNETES_SUPPORTED_VERSION ?= "v1.34.0"
+KUBERNETES_SUPPORTED_VERSION ?= "v1.35.0"

 ## Tool Binaries
 KUBECTL ?= kubectl
@@ -46,7 +46,7 @@ all: manager
 # Run tests
 .PHONY: test
 test: test-clean generate manifests test-clean
-	@GO111MODULE=on go test -v $(shell go list ./... | grep -v "e2e") -coverprofile coverage.out
+	@GO111MODULE=on go test -race -v $(shell go list ./... | grep -v "e2e") -coverprofile coverage.out

 .PHONY: test-clean
 test-clean: ## Clean tests cache
@@ -92,21 +92,47 @@ helm-schema: helm-plugin-schema
 helm-test: HELM_KIND_CONFIG ?= ""
 helm-test: kind
 	@mkdir -p /tmp/results || true
-	@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config $(HELM_KIND_CONFIG)
+	@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config ./hack/kind-cluster.yaml
 	@make helm-test-exec
 	@$(KIND) delete cluster --name capsule-charts

 helm-test-exec: ct helm-controller-version ko-build-all
-	$(MAKE) docker-build-capsule-trace
 	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
-	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
 	@$(KUBECTL) create ns capsule-system || true
-	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/v5.18.0/crds.yaml
-	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
-	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+	$(MAKE) dev-install-deps
+	$(MAKE) dev-install-grafana-operator-crds
 	@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug

 # Setup development env
+dev-build: kind
+	$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config ./hack/kind-cluster.yaml
+	$(MAKE) dev-install-deps
+
+.PHONY: dev-destroy
+dev-destroy: kind
+	$(KIND) delete cluster --name capsule
+
+dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds  wait-for-helmreleases
+
+API_GW         := none
+API_GW_VERSION := v1.3.0
+API_GW_LOOKUP  := kubernetes-sigs/gateway-api
+dev-install-gw-api-crds:
+	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
+
+GRAFANA         := none
+GRAFANA_VERSION := v5.18.0
+GRAFANA_LOOKUP  := grafana/grafana-operator
+dev-install-grafana-operator-crds:
+	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/$(GRAFANA_VERSION)/crds.yaml
+
+PROMETHEUS         := none
+PROMETHEUS_VERSION := v0.88.0
+PROMETHEUS_LOOKUP  := prometheus-operator/prometheus-operator
+dev-install-prometheus-crds:
+	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/$(PROMETHEUS_VERSION)/bundle.yaml
+
+
 # Usage:
 # 	LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
 # For example:
@@ -129,6 +155,7 @@ IP.1   = $(LAPTOP_HOST_IP)
 endef
 export TLS_CNF
 dev-setup:
+	$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
 	mkdir -p /tmp/k8s-webhook-server/serving-certs
 	echo "$${TLS_CNF}" > _tls.cnf
 	openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -145,6 +172,7 @@ dev-setup:
 	export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
 	$(HELM) upgrade \
 	    --dependency-update \
+		--force-conflicts \
 		--debug \
 		--install \
 		--namespace capsule-system \
@@ -152,12 +180,99 @@ dev-setup:
 		--set 'crds.install=true' \
 		--set 'crds.exclusive=true'\
        --set 'crds.createConfig=true'\
+        --set "tls.enableController=false"\
 		--set "webhooks.exclusive=true"\
+		--set "webhooks.hooks.nodes.enabled=true"\
 		--set "webhooks.service.url=$${WEBHOOK_URL}" \
 		--set "webhooks.service.caBundle=$${CA_BUNDLE}" \
 		capsule \
-		./charts/capsule
-	$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
+		./charts/capsule || true
+
+setup-monitoring: dev-setup-fluxcd
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring | envsubst | kubectl apply -f -
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring/dashboards | kubectl apply -f -
+	@$(MAKE) wait-for-helmreleases
+	@printf "\n\033[32mAccess Grafana:\033[0m\n\n"
+	@printf "  \033[1mkubectl port-forward svc/kube-prometheus-stack-grafana 9090:80 -n monitoring-system\033[0m\n\n"
+
+dev-setup-monitoring: setup-monitoring
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/host-proxy | envsubst | kubectl apply -f -
+
+dev-setup-argocd: dev-setup-fluxcd
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/argocd | envsubst | kubectl apply -f -
+	@$(MAKE) wait-for-helmreleases
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/argocd/application | envsubst | kubectl apply -f -
+	@printf "\n\033[32mAccess ArgoCD:\033[0m\n\n"
+	@printf "  \033[1mkubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d\033[0m\n\n"
+	@printf "  \033[1mkubectl port-forward svc/argocd-server 9091:80 -n argocd\033[0m\n\n"
+
+dev-setup-cert-manager:
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
+
+dev-setup-fluxcd:
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -
+
+
+# Here to setup the current capsule version
+# Intended to test updates to new version
+dev-setup-capsule: dev-setup-fluxcd
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/capsule | envsubst | kubectl apply -f -
+	@$(MAKE) wait-for-helmreleases
+	@$(MAKE) dev-setup-capsule-example
+
+dev-setup-capsule-example: dev-setup-fluxcd
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/capsule/example-setup | envsubst | kubectl apply -f -
+	@$(KUBECTL) create ns wind-test --as joe --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns wind-prod --as joe --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns green-test --as bob --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns green-prod --as bob --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns solar-test --as alice --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns solar-prod --as alice --as-group projectcapsule.dev || true
+	@$(KUBECTL) apply -f hack/distro/capsule/example-setup/claims.yaml
+
+
+wait-for-helmreleases:
+	@ echo "Waiting for all HelmReleases to have observedGeneration >= 0..."
+	@while [ "$$($(KUBECTL) get helmrelease -A -o jsonpath='{range .items[?(@.status.observedGeneration<0)]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' | wc -l)" -ne 0 ]; do \
+	  sleep 5; \
+	done
+
+
+ENTERPRISE_VERSION  ?= "0.13.0-rc.2"
+ENTERPRISE_REGISTRY ?= "oci.peakscale.ch"
+
+enterprise-prerelease:
+	mkdir -p ./builds
+	$(MAKE) CAPSULE_IMG=$(ENTERPRISE_REGISTRY)/prereleases/images/capsule VERSION=$(ENTERPRISE_VERSION) ko-publish-capsule
+	$(HELM) package ./charts/capsule --app-version=$(ENTERPRISE_VERSION) --version=$(ENTERPRISE_VERSION) --destination ./builds/
+	$(HELM) push ./builds/capsule-$(ENTERPRISE_VERSION).tgz oci://$(ENTERPRISE_REGISTRY)/prereleases/charts/
+	$(MAKE) deploy-enterprise
+	rm -rf ./builds
+
+deploy-enterprise:
+	@echo ""
+	@echo "Deploying Capsule Prerelease (Enterprise) $(ENTERPRISE_VERSION)"
+	@echo ""
+	@echo "1) Create image pull secret (Change the credentials with the ones provided to you):"
+	@echo ""
+	@echo "kubectl create secret docker-registry capsule-enterprise -n capsule-system \\"
+	@echo "  --docker-username='robot\$$name' \\"
+	@echo "  --docker-password='serviceaccount-password' \\"
+	@echo "  --docker-server='$(ENTERPRISE_REGISTRY)'"
+	@echo ""
+	@echo "2) Deploy Capsule:"
+	@echo ""
+	@echo "helm upgrade --install capsule \\"
+	@echo "  oci://$(ENTERPRISE_REGISTRY)/prereleases/charts/capsule \\"
+	@echo "  --namespace capsule-system \\"
+	@echo "  --version $(ENTERPRISE_VERSION) \\"
+	@echo "  --reuse-values \\"
+	@echo "  --set manager.image.registry=$(ENTERPRISE_REGISTRY) \\"
+	@echo "  --set manager.image.repository=prereleases/images/capsule \\"
+	@echo "  --set manager.image.tag=$(ENTERPRISE_VERSION) \\"
+	@echo "  --set manager.image.pullPolicy=Always \\"
+	@echo "  --set 'serviceAccount.imagePullSecrets={capsule-enterprise}'"
+	@echo ""

 ####################
 # -- Docker
@@ -236,19 +351,12 @@ golint-fix: golangci-lint
 e2e: ginkgo
 	$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy

-API_GW         := none
-API_GW_VERSION := v1.3.0
-API_GW_LOOKUP  := kubernetes-sigs/gateway-api/
-e2e-install-deps:
-	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
-
 e2e-build: kind
-	$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
-	$(MAKE) e2e-install-deps
+	$(MAKE) dev-build
 	$(MAKE) e2e-install

 .PHONY: e2e-install
-e2e-install: ko-build-all
+e2e-install: helm-controller-version ko-build-all
 	$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
 	$(HELM) upgrade \
 	    --dependency-update \
@@ -256,12 +364,14 @@ e2e-install: ko-build-all
 		--install \
 		--namespace capsule-system \
 		--create-namespace \
+		--set 'replicaCount=2'\
 		--set 'manager.image.pullPolicy=Never' \
 		--set 'manager.resources=null'\
 		--set "manager.image.tag=$(VERSION)" \
 		--set 'manager.livenessProbe.failureThreshold=10' \
 		--set 'webhooks.hooks.nodes.enabled=true' \
 		--set "webhooks.exclusive=true"\
+		--set "manager.options.logLevel=debug"\
 		capsule \
 		./charts/capsule

@@ -308,8 +418,7 @@ e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e

 .PHONY: e2e-destroy
-e2e-destroy: kind
-	$(KIND) delete cluster --name capsule
+e2e-destroy: dev-destroy

 SPELL_CHECKER = npx spellchecker-cli
 docs-lint:
@@ -333,7 +442,7 @@ $(LOCALBIN):

 HELM_SCHEMA_VERSION   := ""
 helm-plugin-schema:
-	@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
+	@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) --verify=false || true

 HELM_DOCS         := $(LOCALBIN)/helm-docs
 HELM_DOCS_VERSION := v1.14.1
@@ -346,7 +455,7 @@ helm-doc:
 # -- Tools
 ####################
 CONTROLLER_GEN         := $(LOCALBIN)/controller-gen
-CONTROLLER_GEN_VERSION ?= v0.19.0
+CONTROLLER_GEN_VERSION ?= v0.20.0
 CONTROLLER_GEN_LOOKUP  := kubernetes-sigs/controller-tools
 controller-gen:
 	@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
@@ -364,28 +473,28 @@ ct:
 	$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))

 KIND         := $(LOCALBIN)/kind
-KIND_VERSION := v0.30.0
+KIND_VERSION := v0.31.0
 KIND_LOOKUP  := kubernetes-sigs/kind
 kind:
 	@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
 	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))

 KO           := $(LOCALBIN)/ko
-KO_VERSION   := v0.18.0
+KO_VERSION   := v0.18.1
 KO_LOOKUP    := google/ko
 ko:
 	@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
 	$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))

 NWA           := $(LOCALBIN)/nwa
-NWA_VERSION   := v0.7.6
+NWA_VERSION   := v0.7.7
 NWA_LOOKUP    := B1NARY-GR0UP/nwa
 nwa:
 	@test -s $(NWA) && $(NWA) -h | grep -q $(NWA_VERSION) || \
 	$(call go-install-tool,$(NWA),github.com/$(NWA_LOOKUP)@$(NWA_VERSION))

 GOLANGCI_LINT          := $(LOCALBIN)/golangci-lint
-GOLANGCI_LINT_VERSION  := v2.5.0
+GOLANGCI_LINT_VERSION  := v2.8.0
 GOLANGCI_LINT_LOOKUP   := golangci/golangci-lint
 golangci-lint: ## Download golangci-lint locally if necessary.
 	@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
--- a/7
+++ b/7
@@ -64,4 +64,11 @@ resources:
  kind: ResourcePoolClaim
  path: github.com/projectcapsule/capsule/api/v1beta2
  version: v1beta2
+- api:
+    crdVersion: v1
+  domain: clastix.io
+  group: capsule
+  kind: TenantOwner
+  path: github.com/projectcapsule/capsule/api/v1beta2
+  version: v1beta2
 version: "3"
--- a/api/v1beta1/custom_resource_quota.go
+++ b/api/v1beta1/custom_resource_quota.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/deny_wildcard.go
+++ b/api/v1beta1/deny_wildcard.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/groupversion_info.go
+++ b/api/v1beta1/groupversion_info.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 // Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group
--- a/api/v1beta1/ingress_options.go
+++ b/api/v1beta1/ingress_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/namespace_options.go
+++ b/api/v1beta1/namespace_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
@@ -7,6 +7,7 @@ import (
 	"strings"

 	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 type NamespaceOptions struct {
@@ -18,11 +19,11 @@ type NamespaceOptions struct {
 }

 func (in *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
-	if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsAnnotation]; ok {
+	if _, ok := in.Annotations[meta.ForbiddenNamespaceLabelsAnnotation]; ok {
 		return true
 	}

-	if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+	if _, ok := in.Annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
 		return true
 	}

@@ -30,11 +31,11 @@ func (in *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
 }

 func (in *Tenant) hasForbiddenNamespaceAnnotationsAnnotations() bool {
-	if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; ok {
+	if _, ok := in.Annotations[meta.ForbiddenNamespaceAnnotationsAnnotation]; ok {
 		return true
 	}

-	if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+	if _, ok := in.Annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
 		return true
 	}

@@ -47,8 +48,8 @@ func (in *Tenant) ForbiddenUserNamespaceLabels() *api.ForbiddenListSpec {
 	}

 	return &api.ForbiddenListSpec{
-		Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceLabelsAnnotation], ","),
-		Regex: in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation],
+		Exact: strings.Split(in.Annotations[meta.ForbiddenNamespaceLabelsAnnotation], ","),
+		Regex: in.Annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation],
 	}
 }

@@ -58,7 +59,7 @@ func (in *Tenant) ForbiddenUserNamespaceAnnotations() *api.ForbiddenListSpec {
 	}

 	return &api.ForbiddenListSpec{
-		Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation], ","),
-		Regex: in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation],
+		Exact: strings.Split(in.Annotations[meta.ForbiddenNamespaceAnnotationsAnnotation], ","),
+		Regex: in.Annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation],
 	}
 }
--- a/api/v1beta1/owner.go
+++ b/api/v1beta1/owner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_list.go
+++ b/api/v1beta1/owner_list.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_list_test.go
+++ b/api/v1beta1/owner_list_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_role.go
+++ b/api/v1beta1/owner_role.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/service_allowed_types.go
+++ b/api/v1beta1/service_allowed_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/service_options.go
+++ b/api/v1beta1/service_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_func.go
+++ b/api/v1beta1/tenant_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_status.go
+++ b/api/v1beta1/tenant_status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_types.go
+++ b/api/v1beta1/tenant_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
@@ -20,17 +20,21 @@ type TenantSpec struct {
 	// Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.
 	StorageClasses *api.AllowedListSpec `json:"storageClasses,omitempty"`
 	// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
-	IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
+	// +optional
+	IngressOptions IngressOptions `json:"ingressOptions,omitzero"`
 	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
 	ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
 	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-	NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitempty"`
+	// +optional
+	NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitzero"`
 	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
-	LimitRanges api.LimitRangesSpec `json:"limitRanges,omitempty"`
+	// +optional
+	LimitRanges api.LimitRangesSpec `json:"limitRanges,omitzero"`
 	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
-	ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
+	// +optional
+	ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitzero"`
 	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
 	AdditionalRoleBindings []api.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
 	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
@@ -50,11 +54,13 @@ type TenantSpec struct {

 // Tenant is the Schema for the tenants API.
 type Tenant struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`

-	Spec   TenantSpec   `json:"spec,omitempty"`
-	Status TenantStatus `json:"status,omitempty"`
+	Spec TenantSpec `json:"spec"`
+	// +optional
+	Status TenantStatus `json:"status,omitzero"`
 }

 func (in *Tenant) Hub() {}
@@ -64,7 +70,8 @@ func (in *Tenant) Hub() {}
 // TenantList contains a list of Tenant.
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitzero"`

 	Items []Tenant `json:"items"`
 }
--- a/api/v1beta1/tenant_webhook.go
+++ b/api/v1beta1/tenant_webhook.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
@@ -15,7 +15,6 @@ func (in *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		return nil
 	}

-	return ctrl.NewWebhookManagedBy(mgr).
-		For(in).
+	return ctrl.NewWebhookManagedBy(mgr, in).
 		Complete()
 }
--- a/api/v1beta2/additional_role_bindings.go
+++ b/api/v1beta2/additional_role_bindings.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/capsuleconfiguration_status.go
+++ b/api/v1beta2/capsuleconfiguration_status.go
@@ -0,0 +1,19 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+// CapsuleConfigurationStatus defines the Capsule configuration status.
+type CapsuleConfigurationStatus struct {
+	// Last time all caches were invalided
+	LastCacheInvalidation metav1.Time `json:"lastCacheInvalidation,omitempty"`
+
+	// Users which are considered Capsule Users and are bound to the Capsule Tenant construct.
+	Users api.UserListSpec `json:"users,omitempty"`
+}
--- a/api/v1beta2/capsuleconfiguration_types.go
+++ b/api/v1beta2/capsuleconfiguration_types.go
@@ -1,20 +1,28 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2

 import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 // CapsuleConfigurationSpec defines the Capsule configuration.
 type CapsuleConfigurationSpec struct {
+	// Define entities which are considered part of the Capsule construct
+	// Users not mentioned here will be ignored by Capsule
+	Users api.UserListSpec `json:"users,omitempty"`
+	// Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
+	//
 	// Names of the users considered as Capsule users.
 	UserNames []string `json:"userNames,omitempty"`
+	// Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
+	//
 	// Names of the groups considered as Capsule users.
-	// +kubebuilder:default={capsule.clastix.io}
 	UserGroups []string `json:"userGroups,omitempty"`
 	// Define groups which when found in the request of a user will be ignored by the Capsule
 	// this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
@@ -33,21 +41,73 @@ type CapsuleConfigurationSpec struct {
 	// Allows to set different name rather than the canonical one for the Capsule configuration objects,
 	// such as webhook secret or configurations.
 	// +kubebuilder:default={TLSSecretName:"capsule-tls",mutatingWebhookConfigurationName:"capsule-mutating-webhook-configuration",validatingWebhookConfigurationName:"capsule-validating-webhook-configuration"}
-	CapsuleResources CapsuleResources `json:"overrides,omitempty"`
+	// +optional
+	CapsuleResources CapsuleResources `json:"overrides,omitzero"`
 	// Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
 	// This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
 	NodeMetadata *NodeMetadata `json:"nodeMetadata,omitempty"`
 	// Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
 	// when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
-	// +kubebuilder:default=true
+	// +kubebuilder:default=false
 	EnableTLSReconciler bool `json:"enableTLSReconciler"` //nolint:tagliatelle
+	// Define entities which can act as Administrators in the capsule construct
+	// These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
+	// for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
+	// be ignored by capsule.
+	Administrators api.UserListSpec `json:"administrators,omitempty"`
+	// Configuration for dynamic Validating and Mutating Admission webhooks managed by Capsule.
+	Admission DynamicAdmission `json:"admission,omitempty"`
+	// Define Properties for managed ClusterRoles by Capsule
+	// +kubebuilder:default={}
+	RBAC *RBACConfiguration `json:"rbac"`
+	// Define the period of time upon a cache invalidation is executed for all caches.
+	// +kubebuilder:default="24h"
+	CacheInvalidation metav1.Duration `json:"cacheInvalidation"`
+}
+
+type RBACConfiguration struct {
+	// The ClusterRoles applied for Administrators
+	// +kubebuilder:default={capsule-namespace-deleter}
+	AdministrationClusterRoles []string `json:"administrationClusterRoles,omitempty"`
+	// The ClusterRoles applied for ServiceAccounts which had owner Promotion
+	// +kubebuilder:default={capsule-namespace-provisioner,capsule-namespace-deleter}
+	PromotionClusterRoles []string `json:"promotionClusterRoles,omitempty"`
+	// Name for the ClusterRole required to grant Namespace Deletion permissions.
+	// +kubebuilder:default=capsule-namespace-deleter
+	DeleterClusterRole string `json:"deleter,omitempty"`
+	// Name for the ClusterRole required to grant Namespace Provision permissions.
+	// +kubebuilder:default=capsule-namespace-provisioner
+	ProvisionerClusterRole string `json:"provisioner,omitempty"`
+}
+
+type DynamicAdmission struct {
+	// Configure dynamic Mutating Admission for Capsule
+	Mutating DynamicAdmissionConfig `json:"mutating,omitempty"`
+
+	// Configure dynamic Validating Admission for Capsule
+	Validating DynamicAdmissionConfig `json:"validating,omitempty"`
+}
+
+type DynamicAdmissionConfig struct {
+	// Name the Admission Webhook
+	Name meta.RFC1123Name `json:"name,omitempty"`
+	// Labels added to the Admission Webhook
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations added to the Admission Webhook
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// From the upstram struct
+	Client admissionregistrationv1.WebhookClientConfig `json:"client"`
 }

 type NodeMetadata struct {
 	// Define the labels that a Tenant Owner cannot set for their nodes.
-	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels"`
+	// +optional
+	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitzero"`
 	// Define the annotations that a Tenant Owner cannot set for their nodes.
-	ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations"`
+	// +optional
+	ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations,omitzero"`
 }

 type CapsuleResources struct {
@@ -64,15 +124,21 @@ type CapsuleResources struct {
 }

 // +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Cluster
 // +kubebuilder:storageversion

 // CapsuleConfiguration is the Schema for the Capsule configuration API.
 type CapsuleConfiguration struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`

-	Spec CapsuleConfigurationSpec `json:"spec,omitempty"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	Spec CapsuleConfigurationSpec `json:"spec"`
+
+	// +optional
+	Status CapsuleConfigurationStatus `json:"status,omitzero"`
 }

 // +kubebuilder:object:root=true
@@ -80,7 +146,7 @@ type CapsuleConfiguration struct {
 // CapsuleConfigurationList contains a list of CapsuleConfiguration.
 type CapsuleConfigurationList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
+	metav1.ListMeta `json:"metadata,omitzero"`

 	Items []CapsuleConfiguration `json:"items"`
 }
--- a/api/v1beta2/custom_resource_quota.go
+++ b/api/v1beta2/custom_resource_quota.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/gateway_options.go
+++ b/api/v1beta2/gateway_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -8,5 +8,5 @@ import (
 )

 type GatewayOptions struct {
-	AllowedClasses *api.SelectionListWithDefaultSpec `json:"allowedClasses,omitempty"`
+	AllowedClasses *api.DefaultAllowedListSpec `json:"allowedClasses,omitempty"`
 }
--- a/api/v1beta2/groupversion_info.go
+++ b/api/v1beta2/groupversion_info.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 // Package v1beta2 contains API Schema definitions for the capsule v1beta2 API group
--- a/api/v1beta2/ingress_options.go
+++ b/api/v1beta2/ingress_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/namespace_options.go
+++ b/api/v1beta2/namespace_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -11,16 +11,32 @@ type NamespaceOptions struct {
 	// +kubebuilder:validation:Minimum=1
 	// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
 	Quota *int32 `json:"quota,omitempty"`
+	// Deprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)
+	//
 	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
-	// Deprecated: Use additionalMetadataList instead
 	AdditionalMetadata *api.AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
 	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional.
 	AdditionalMetadataList []api.AdditionalMetadataSelectorSpec `json:"additionalMetadataList,omitempty"`
+	// Required Metadata for namespace within this tenant
+	// +optional
+	RequiredMetadata *RequiredMetadata `json:"requiredMetadata,omitzero"`
 	// Define the labels that a Tenant Owner cannot set for their Namespace resources.
-	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitempty"`
+	// +optional
+	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitzero"`
 	// Define the annotations that a Tenant Owner cannot set for their Namespace resources.
-	ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations,omitempty"`
+	// +optional
+	ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations,omitzero"`
 	// If enabled only metadata from additionalMetadata is reconciled to the namespaces.
 	//+kubebuilder:default:=false
 	ManagedMetadataOnly bool `json:"managedMetadataOnly,omitempty"`
 }
+
+type RequiredMetadata struct {
+	// Labels that must be defined for each namespace
+	// +optional
+	Labels map[string]string `json:"labels,omitzero"`
+
+	// Annotations that must be defined for each namespace
+	// +optional
+	Annotations map[string]string `json:"annotations,omitzero"`
+}
--- a/api/v1beta2/namespace_rule_type.go
+++ b/api/v1beta2/namespace_rule_type.go
@@ -0,0 +1,33 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+// +kubebuilder:object:generate=true
+type NamespaceRule struct {
+	// Enforce these properties via Rules
+	NamespaceRuleBody `json:",inline"`
+
+	// Select namespaces which are going to usese
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type NamespaceRuleBody struct {
+	// Enforcement Rules applied
+	//+optional
+	Enforce NamespaceRuleEnforceBody `json:"enforce,omitzero"`
+}
+
+// +kubebuilder:object:generate=true
+type NamespaceRuleEnforceBody struct {
+	// Define registries which are allowed to be used within this tenant
+	// The rules are aggregated, since you can use Regular Expressions the match registry endpoints
+	Registries []api.OCIRegistry `json:"registries,omitempty"`
+}
--- a/api/v1beta2/owner_list_test.go
+++ b/api/v1beta2/owner_list_test.go
@@ -1,86 +0,0 @@
-// Copyright 2020-2025 Project Capsule Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package v1beta2
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestOwnerListSpec_FindOwner(t *testing.T) {
-	bla := OwnerSpec{
-		Kind: UserOwner,
-		Name: "bla",
-		ProxyOperations: []ProxySettings{
-			{
-				Kind:       IngressClassesProxy,
-				Operations: []ProxyOperation{"Delete"},
-			},
-		},
-	}
-	bar := OwnerSpec{
-		Kind: GroupOwner,
-		Name: "bar",
-		ProxyOperations: []ProxySettings{
-			{
-				Kind:       StorageClassesProxy,
-				Operations: []ProxyOperation{"Delete"},
-			},
-		},
-	}
-	baz := OwnerSpec{
-		Kind: UserOwner,
-		Name: "baz",
-		ProxyOperations: []ProxySettings{
-			{
-				Kind:       StorageClassesProxy,
-				Operations: []ProxyOperation{"Update"},
-			},
-		},
-	}
-	fim := OwnerSpec{
-		Kind: ServiceAccountOwner,
-		Name: "fim",
-		ProxyOperations: []ProxySettings{
-			{
-				Kind:       NodesProxy,
-				Operations: []ProxyOperation{"List"},
-			},
-		},
-	}
-	bom := OwnerSpec{
-		Kind: GroupOwner,
-		Name: "bom",
-		ProxyOperations: []ProxySettings{
-			{
-				Kind:       StorageClassesProxy,
-				Operations: []ProxyOperation{"Delete"},
-			},
-			{
-				Kind:       NodesProxy,
-				Operations: []ProxyOperation{"Delete"},
-			},
-		},
-	}
-	qip := OwnerSpec{
-		Kind: ServiceAccountOwner,
-		Name: "qip",
-		ProxyOperations: []ProxySettings{
-			{
-				Kind:       StorageClassesProxy,
-				Operations: []ProxyOperation{"List", "Delete"},
-			},
-		},
-	}
-	owners := OwnerListSpec{bom, qip, bla, bar, baz, fim}
-
-	assert.Equal(t, owners.FindOwner("bom", GroupOwner), bom)
-	assert.Equal(t, owners.FindOwner("qip", ServiceAccountOwner), qip)
-	assert.Equal(t, owners.FindOwner("bla", UserOwner), bla)
-	assert.Equal(t, owners.FindOwner("bar", GroupOwner), bar)
-	assert.Equal(t, owners.FindOwner("baz", UserOwner), baz)
-	assert.Equal(t, owners.FindOwner("fim", ServiceAccountOwner), fim)
-	assert.Equal(t, owners.FindOwner("notfound", ServiceAccountOwner), OwnerSpec{})
-}
--- a/api/v1beta2/resourcepool_func.go
+++ b/api/v1beta2/resourcepool_func.go
@@ -1,18 +1,23 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2

 import (
 	"errors"
+	"fmt"
 	"sort"

 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

+func (r *ResourcePool) GetQuotaName() string {
+	return fmt.Sprintf("capsule-pool-%s", r.GetName())
+}
+
 func (r *ResourcePool) AssignNamespaces(namespaces []corev1.Namespace) {
 	var l []string

@@ -74,9 +79,10 @@ func (r *ResourcePool) AddClaimToStatus(claim *ResourcePoolClaim) {
 	}

 	scl := &ResourcePoolClaimsItem{
-		StatusNameUID: api.StatusNameUID{
-			UID:  claim.UID,
-			Name: api.Name(claim.Name),
+		NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{
+			UID:       claim.UID,
+			Name:      meta.RFC1123Name(claim.Name),
+			Namespace: meta.RFC1123SubdomainName(claim.Namespace),
 		},
 		Claims: claim.Spec.ResourceClaims,
 	}
--- a/api/v1beta2/resourcepool_func_test.go
+++ b/api/v1beta2/resourcepool_func_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -11,8 +11,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"

-	"github.com/projectcapsule/capsule/pkg/api"
-	"github.com/projectcapsule/capsule/pkg/meta"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 	"github.com/stretchr/testify/assert"
 )

@@ -34,7 +33,7 @@ func TestGetClaimFromStatus(t *testing.T) {
 			Claims: ResourcePoolNamespaceClaimsStatus{
 				ns: {
 					&ResourcePoolClaimsItem{
-						StatusNameUID: api.StatusNameUID{
+						NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{
 							UID: testUID,
 						},
 						Claims: corev1.ResourceList{
@@ -127,8 +126,9 @@ func TestAddRemoveClaimToStatus(t *testing.T) {
 	pool.AddClaimToStatus(claim)

 	stored := pool.GetClaimFromStatus(claim)
+
 	assert.NotNil(t, stored)
-	assert.Equal(t, api.Name("claim-1"), stored.Name)
+	assert.Equal(t, meta.RFC1123Name("claim-1"), stored.Name)

 	pool.RemoveClaimFromStatus(claim)
 	assert.Nil(t, pool.GetClaimFromStatus(claim))
@@ -219,7 +219,7 @@ func TestGetNamespaceClaims(t *testing.T) {
 			Claims: ResourcePoolNamespaceClaimsStatus{
 				"ns": {
 					&ResourcePoolClaimsItem{
-						StatusNameUID: api.StatusNameUID{UID: "uid1"},
+						NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{UID: "uid1"},
 						Claims: corev1.ResourceList{
 							corev1.ResourceLimitsCPU: resource.MustParse("1"),
 						},
@@ -260,36 +260,59 @@ func TestIsBoundToResourcePool_2(t *testing.T) {
 	t.Run("bound to resource pool (Assigned=True)", func(t *testing.T) {
 		claim := &ResourcePoolClaim{
 			Status: ResourcePoolClaimStatus{
-				Condition: metav1.Condition{
-					Type:   meta.BoundCondition,
-					Status: metav1.ConditionTrue,
-				},
+				Conditions: meta.ConditionList{},
 			},
 		}
-		assert.Equal(t, true, claim.IsBoundToResourcePool())
+
+		assert.Equal(t, false, claim.IsBoundInResourcePool())
 	})

 	t.Run("not bound - wrong condition type", func(t *testing.T) {
 		claim := &ResourcePoolClaim{
 			Status: ResourcePoolClaimStatus{
-				Condition: metav1.Condition{
-					Type:   "Other",
-					Status: metav1.ConditionTrue,
+				Conditions: meta.ConditionList{
+					meta.Condition{},
 				},
 			},
 		}
-		assert.Equal(t, false, claim.IsBoundToResourcePool())
+
+		cond := meta.NewAssignedCondition(claim)
+		cond.Status = metav1.ConditionFalse
+		claim.Status.Conditions.UpdateConditionByType(cond)
+
+		assert.Equal(t, false, claim.IsBoundInResourcePool())
 	})

 	t.Run("not bound - condition not true", func(t *testing.T) {
 		claim := &ResourcePoolClaim{
 			Status: ResourcePoolClaimStatus{
-				Condition: metav1.Condition{
-					Type:   meta.BoundCondition,
-					Status: metav1.ConditionFalse,
+				Conditions: meta.ConditionList{
+					meta.Condition{},
 				},
 			},
 		}
-		assert.Equal(t, false, claim.IsBoundToResourcePool())
+
+		cond := meta.NewBoundCondition(claim)
+		cond.Status = metav1.ConditionFalse
+		claim.Status.Conditions.UpdateConditionByType(cond)
+
+		assert.Equal(t, false, claim.IsBoundInResourcePool())
 	})
+
+	t.Run("not bound - condition not true", func(t *testing.T) {
+		claim := &ResourcePoolClaim{
+			Status: ResourcePoolClaimStatus{
+				Conditions: meta.ConditionList{
+					meta.Condition{},
+				},
+			},
+		}
+
+		cond := meta.NewBoundCondition(claim)
+		cond.Status = metav1.ConditionTrue
+		claim.Status.Conditions.UpdateConditionByType(cond)
+
+		assert.Equal(t, true, claim.IsBoundInResourcePool())
+	})
+
 }
--- a/api/v1beta2/resourcepool_status.go
+++ b/api/v1beta2/resourcepool_status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"

 	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 // GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.
@@ -21,11 +22,15 @@ type ResourcePoolStatus struct {
 	// Namespaces which are considered for claims
 	Namespaces []string `json:"namespaces,omitempty"`
 	// Tracks the quotas for the Resource.
-	Claims ResourcePoolNamespaceClaimsStatus `json:"claims,omitempty"`
+	// +optional
+	Claims ResourcePoolNamespaceClaimsStatus `json:"claims,omitzero"`
 	// Tracks the Usage from Claimed against what has been granted from the pool
-	Allocation ResourcePoolQuotaStatus `json:"allocation,omitempty"`
+	// +optional
+	Allocation ResourcePoolQuotaStatus `json:"allocation,omitzero"`
 	// Exhaustions from claims associated with the pool
 	Exhaustions map[string]api.PoolExhaustionResource `json:"exhaustions,omitempty"`
+	// Conditions for the resource claim
+	Conditions meta.ConditionList `json:"conditions,omitzero"`
 }

 type ResourcePoolNamespaceClaimsStatus map[string]ResourcePoolClaimsList
@@ -58,7 +63,7 @@ func (r *ResourcePoolClaimsList) GetClaimByUID(uid types.UID) *ResourcePoolClaim
 // ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
 type ResourcePoolClaimsItem struct {
 	// Reference to the GlobalQuota being claimed from
-	api.StatusNameUID `json:",inline"`
+	meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID `json:",inline"`

 	// Claimed resources
 	Claims corev1.ResourceList `json:"claims,omitempty"`
--- a/api/v1beta2/resourcepool_types.go
+++ b/api/v1beta2/resourcepool_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -7,25 +7,27 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/runtime/selectors"
 )

 // ResourcePoolSpec.
 type ResourcePoolSpec struct {
 	// Selector to match the namespaces that should be managed by the GlobalResourceQuota
-	Selectors []api.NamespaceSelector `json:"selectors,omitempty"`
+	Selectors []selectors.NamespaceSelector `json:"selectors,omitempty"`
 	// Define the resourcequota served by this resourcepool.
 	Quota corev1.ResourceQuotaSpec `json:"quota"`
 	// The Defaults given for each namespace, the default is not counted towards the total allocation
 	// When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources
-	Defaults corev1.ResourceList `json:"defaults,omitempty"`
+	// +optional
+	Defaults corev1.ResourceList `json:"defaults,omitzero"`
 	// Additional Configuration
 	//+kubebuilder:default:={}
-	Config ResourcePoolSpecConfiguration `json:"config,omitempty"`
+	// +optional
+	Config ResourcePoolSpecConfiguration `json:"config,omitzero"`
 }

 type ResourcePoolSpecConfiguration struct {
-	// With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
+	// With this option all resources which can be allocated are set to 0 for the resourcequota defaults. (Default false)
 	// +kubebuilder:default=false
 	DefaultsAssignZero *bool `json:"defaultsZero,omitempty"`
 	// Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
@@ -33,11 +35,11 @@ type ResourcePoolSpecConfiguration struct {
 	// but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
 	// it's priority was lower
 	// Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
-	// other claim can claim the same resources with lower priority.
+	// other claim can claim the same resources with lower priority. (Default false)
 	// +kubebuilder:default=false
 	OrderedQueue *bool `json:"orderedQueue,omitempty"`
 	// When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
-	// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
+	// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state. (Default false)
 	// +kubebuilder:default=false
 	DeleteBoundResources *bool `json:"deleteBoundResources,omitempty"`
 }
@@ -47,6 +49,8 @@ type ResourcePoolSpecConfiguration struct {
 // +kubebuilder:resource:scope=Cluster,shortName=quotapool
 // +kubebuilder:printcolumn:name="Claims",type="integer",JSONPath=".status.claimCount",description="The total amount of Claims bound"
 // +kubebuilder:printcolumn:name="Namespaces",type="integer",JSONPath=".status.namespaceCount",description="The total amount of Namespaces considered"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Reconcile Status"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="Reconcile Message"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"

 // Resourcepools allows you to define a set of resources as known from ResoureQuotas. The Resourcepools are defined at cluster-scope an should
@@ -55,11 +59,15 @@ type ResourcePoolSpecConfiguration struct {
 // it's up the group of users within these namespaces, to manage the resources they consume per namespace. Each Resourcepool provisions a ResourceQuotainto all the selected namespaces. Then essentially the ResourcePoolClaims, when they can be assigned to the ResourcePool stack resources on top of that
 // ResourceQuota based on the namspace, where the ResourcePoolClaim was made from.
 type ResourcePool struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`

-	Spec   ResourcePoolSpec   `json:"spec,omitempty"`
-	Status ResourcePoolStatus `json:"status,omitempty"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	Spec ResourcePoolSpec `json:"spec"`
+
+	// +optional
+	Status ResourcePoolStatus `json:"status,omitzero"`
 }

 // +kubebuilder:object:root=true
@@ -67,7 +75,9 @@ type ResourcePool struct {
 // ResourcePoolList contains a list of ResourcePool.
 type ResourcePoolList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// +optional
+	metav1.ListMeta `json:"metadata,omitzero"`

 	Items []ResourcePool `json:"items"`
 }
--- a/api/v1beta2/resourcepoolclaim_func.go
+++ b/api/v1beta2/resourcepoolclaim_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -6,15 +6,56 @@ package v1beta2
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/projectcapsule/capsule/pkg/meta"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 // Indicate the claim is bound to a resource pool.
-func (r *ResourcePoolClaim) IsBoundToResourcePool() bool {
-	if r.Status.Condition.Type == meta.BoundCondition &&
-		r.Status.Condition.Status == metav1.ConditionTrue {
+func (r *ResourcePoolClaim) IsExhaustedInResourcePool() bool {
+	condition := r.Status.Conditions.GetConditionByType(meta.ExhaustedCondition)
+
+	if condition == nil {
+		return false
+	}
+
+	if condition.Status == metav1.ConditionTrue {
 		return true
 	}

 	return false
 }
+
+func (r *ResourcePoolClaim) IsAssignedInResourcePool() bool {
+	condition := r.Status.Conditions.GetConditionByType(meta.AssignedCondition)
+
+	if condition == nil {
+		return false
+	}
+
+	if condition.Status == metav1.ConditionTrue {
+		return true
+	}
+
+	return false
+}
+
+func (r *ResourcePoolClaim) IsBoundInResourcePool() bool {
+	condition := r.Status.Conditions.GetConditionByType(meta.BoundCondition)
+
+	if condition == nil {
+		return false
+	}
+
+	if condition.Status == metav1.ConditionTrue {
+		return true
+	}
+
+	return false
+}
+
+func (r *ResourcePoolClaim) GetPool() string {
+	if name := string(r.Status.Pool.Name); name != "" {
+		return name
+	}
+
+	return r.Spec.Pool
+}
--- a/api/v1beta2/resourcepoolclaim_func_test.go
+++ b/api/v1beta2/resourcepoolclaim_func_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -6,9 +6,10 @@ package v1beta2
 import (
 	"testing"

-	"github.com/projectcapsule/capsule/pkg/meta"
 	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 func TestIsBoundToResourcePool(t *testing.T) {
@@ -21,9 +22,14 @@ func TestIsBoundToResourcePool(t *testing.T) {
 			name: "bound to resource pool (Assigned=True)",
 			claim: ResourcePoolClaim{
 				Status: ResourcePoolClaimStatus{
-					Condition: metav1.Condition{
-						Type:   meta.BoundCondition,
-						Status: metav1.ConditionTrue,
+					Conditions: meta.ConditionList{
+						meta.Condition{
+							Type:               meta.BoundCondition,
+							Status:             metav1.ConditionTrue,
+							Reason:             meta.SucceededReason,
+							Message:            "reconciled",
+							LastTransitionTime: metav1.Now(),
+						},
 					},
 				},
 			},
@@ -33,9 +39,14 @@ func TestIsBoundToResourcePool(t *testing.T) {
 			name: "not bound - wrong condition type",
 			claim: ResourcePoolClaim{
 				Status: ResourcePoolClaimStatus{
-					Condition: metav1.Condition{
-						Type:   "SomethingElse",
-						Status: metav1.ConditionTrue,
+					Conditions: meta.ConditionList{
+						meta.Condition{
+							Type:               meta.AssignedCondition,
+							Status:             metav1.ConditionTrue,
+							Reason:             meta.SucceededReason,
+							Message:            "reconciled",
+							LastTransitionTime: metav1.Now(),
+						},
 					},
 				},
 			},
@@ -45,9 +56,14 @@ func TestIsBoundToResourcePool(t *testing.T) {
 			name: "not bound - status not true",
 			claim: ResourcePoolClaim{
 				Status: ResourcePoolClaimStatus{
-					Condition: metav1.Condition{
-						Type:   meta.BoundCondition,
-						Status: metav1.ConditionFalse,
+					Conditions: meta.ConditionList{
+						meta.Condition{
+							Type:               meta.AssignedCondition,
+							Status:             metav1.ConditionTrue,
+							Reason:             meta.SucceededReason,
+							Message:            "reconciled",
+							LastTransitionTime: metav1.Now(),
+						},
 					},
 				},
 			},
@@ -64,7 +80,91 @@ func TestIsBoundToResourcePool(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			actual := tt.claim.IsBoundToResourcePool()
+			actual := tt.claim.IsBoundInResourcePool()
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
+
+func TestGetPool(t *testing.T) {
+	tests := []struct {
+		name     string
+		claim    ResourcePoolClaim
+		expected string
+	}{
+		{
+			name: "returns status pool name when set",
+			claim: ResourcePoolClaim{
+				Spec: ResourcePoolClaimSpec{
+					Pool: "spec-pool",
+				},
+				Status: ResourcePoolClaimStatus{
+					Pool: meta.LocalRFC1123ObjectReferenceWithUID{
+						Name: meta.RFC1123Name("status-pool"),
+					},
+				},
+			},
+			expected: "status-pool",
+		},
+		{
+			name: "falls back to spec pool when status pool name is empty",
+			claim: ResourcePoolClaim{
+				Spec: ResourcePoolClaimSpec{
+					Pool: "spec-pool",
+				},
+				Status: ResourcePoolClaimStatus{
+					Pool: meta.LocalRFC1123ObjectReferenceWithUID{
+						Name: meta.RFC1123Name(""),
+					},
+				},
+			},
+			expected: "spec-pool",
+		},
+		{
+			name: "falls back to spec pool when status pool struct is zero-value",
+			claim: ResourcePoolClaim{
+				Spec: ResourcePoolClaimSpec{
+					Pool: "spec-pool",
+				},
+				Status: ResourcePoolClaimStatus{
+					Pool: meta.LocalRFC1123ObjectReferenceWithUID{},
+				},
+			},
+			expected: "spec-pool",
+		},
+		{
+			name: "returns empty when both status and spec are empty",
+			claim: ResourcePoolClaim{
+				Spec: ResourcePoolClaimSpec{
+					Pool: "",
+				},
+				Status: ResourcePoolClaimStatus{
+					Pool: meta.LocalRFC1123ObjectReferenceWithUID{
+						Name: meta.RFC1123Name(""),
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "status wins even if spec differs",
+			claim: ResourcePoolClaim{
+				Spec: ResourcePoolClaimSpec{
+					Pool: "spec-pool",
+				},
+				Status: ResourcePoolClaimStatus{
+					Pool: meta.LocalRFC1123ObjectReferenceWithUID{
+						Name: meta.RFC1123Name("status-pool"),
+					},
+				},
+			},
+			expected: "status-pool",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := tt.claim.GetPool()
 			assert.Equal(t, tt.expected, actual)
 		})
 	}
--- a/api/v1beta2/resourcepoolclaim_types.go
+++ b/api/v1beta2/resourcepoolclaim_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -7,7 +7,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 type ResourcePoolClaimSpec struct {
@@ -22,34 +22,47 @@ type ResourcePoolClaimSpec struct {
 // ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
 type ResourcePoolClaimStatus struct {
 	// Reference to the GlobalQuota being claimed from
-	Pool api.StatusNameUID `json:"pool,omitempty"`
-	// Condtion for this resource claim
-	Condition metav1.Condition `json:"condition,omitempty"`
+	// +optional
+	Pool meta.LocalRFC1123ObjectReferenceWithUID `json:"pool,omitzero"`
+	// Deprecated: Use Conditions
+	//
+	// +optional
+	Condition metav1.Condition `json:"condition,omitzero"`
+	// Conditions for the resource claim
+	Conditions meta.ConditionList `json:"conditions,omitzero"`
+	// Tracks the Usage from Claimed from this claim and available resources
+	// +optional
+	Allocation ResourcePoolQuotaStatus `json:"allocation,omitzero"`
 }

 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Pool",type="string",JSONPath=".status.pool.name",description="The ResourcePool being claimed from"
-// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.condition.type",description="Status for claim"
-// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.condition.reason",description="Reason for status"
-// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.condition.message",description="Condition Message"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Ready Status"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="Ready Message"
+// +kubebuilder:printcolumn:name="Bound",type="string",JSONPath=".status.conditions[?(@.type==\"Bound\")].status",description="Bound Status"
+// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.conditions[?(@.type==\"Bound\")].message",description="Bound Message"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
-
 // ResourcePoolClaim is the Schema for the resourcepoolclaims API.
 type ResourcePoolClaim struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`

-	Spec   ResourcePoolClaimSpec   `json:"spec,omitempty"`
-	Status ResourcePoolClaimStatus `json:"status,omitempty"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	Spec ResourcePoolClaimSpec `json:"spec"`
+
+	// +optional
+	Status ResourcePoolClaimStatus `json:"status,omitzero"`
 }

 // +kubebuilder:object:root=true
-
 // ResourceQuotaClaimList contains a list of ResourceQuotaClaim.
 type ResourcePoolClaimList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// +optional
+	metav1.ListMeta `json:"metadata,omitzero"`

 	Items []ResourcePoolClaim `json:"items"`
 }
--- a/api/v1beta2/rule_status_type.go
+++ b/api/v1beta2/rule_status_type.go
@@ -0,0 +1,44 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
+type RuleStatus struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// +optional
+	Status RuleStatusSpec `json:"status,omitzero"`
+}
+
+// +kubebuilder:object:root=true
+
+// RuleStatusList contains a list of RuleStatus.
+type RuleStatusList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitzero"`
+
+	Items []RuleStatus `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&RuleStatus{}, &RuleStatusList{})
+}
+
+// RuleStatus contains the accumulated rules applying to namespace it's deployed in.
+// +kubebuilder:object:generate=true
+type RuleStatusSpec struct {
+	// Managed Enforcement properties per Namespace (aggregated from rules)
+	//+optional
+	Rule NamespaceRuleBody `json:"rule,omitzero"`
+}
--- a/api/v1beta2/tenant_annotations.go
+++ b/api/v1beta2/tenant_annotations.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_conversion_hub.go
+++ b/api/v1beta2/tenant_conversion_hub.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -12,6 +12,7 @@ import (

 	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
 	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
@@ -26,28 +27,32 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
 	}

 	in.ObjectMeta = src.ObjectMeta
-	in.Spec.Owners = make(OwnerListSpec, 0, len(src.Spec.Owners))
+	in.Spec.Owners = make(api.OwnerListSpec, 0, len(src.Spec.Owners))

 	for index, owner := range src.Spec.Owners {
-		proxySettings := make([]ProxySettings, 0, len(owner.ProxyOperations))
+		proxySettings := make([]api.ProxySettings, 0, len(owner.ProxyOperations))

 		for _, proxyOp := range owner.ProxyOperations {
-			ops := make([]ProxyOperation, 0, len(proxyOp.Operations))
+			ops := make([]api.ProxyOperation, 0, len(proxyOp.Operations))

 			for _, op := range proxyOp.Operations {
-				ops = append(ops, ProxyOperation(op))
+				ops = append(ops, api.ProxyOperation(op))
 			}

-			proxySettings = append(proxySettings, ProxySettings{
-				Kind:       ProxyServiceKind(proxyOp.Kind),
+			proxySettings = append(proxySettings, api.ProxySettings{
+				Kind:       api.ProxyServiceKind(proxyOp.Kind),
 				Operations: ops,
 			})
 		}

-		in.Spec.Owners = append(in.Spec.Owners, OwnerSpec{
-			Kind:            OwnerKind(owner.Kind),
-			Name:            owner.Name,
-			ClusterRoles:    owner.GetRoles(*src, index),
+		in.Spec.Owners = append(in.Spec.Owners, api.OwnerSpec{
+			CoreOwnerSpec: api.CoreOwnerSpec{
+				UserSpec: api.UserSpec{
+					Kind: api.OwnerKind(owner.Kind),
+					Name: owner.Name,
+				},
+				ClusterRoles: owner.GetRoles(*src, index),
+			},
 			ProxyOperations: proxySettings,
 		})
 	}
@@ -59,28 +64,28 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {

 		in.Spec.NamespaceOptions.AdditionalMetadata = nsOpts.AdditionalMetadata

-		if value, found := annotations[api.ForbiddenNamespaceLabelsAnnotation]; found {
+		if value, found := annotations[meta.ForbiddenNamespaceLabelsAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenLabels.Exact = strings.Split(value, ",")

-			delete(annotations, api.ForbiddenNamespaceLabelsAnnotation)
+			delete(annotations, meta.ForbiddenNamespaceLabelsAnnotation)
 		}

-		if value, found := annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; found {
+		if value, found := annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenLabels.Regex = value

-			delete(annotations, api.ForbiddenNamespaceLabelsRegexpAnnotation)
+			delete(annotations, meta.ForbiddenNamespaceLabelsRegexpAnnotation)
 		}

-		if value, found := annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; found {
+		if value, found := annotations[meta.ForbiddenNamespaceAnnotationsAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenAnnotations.Exact = strings.Split(value, ",")

-			delete(annotations, api.ForbiddenNamespaceAnnotationsAnnotation)
+			delete(annotations, meta.ForbiddenNamespaceAnnotationsAnnotation)
 		}

-		if value, found := annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; found {
+		if value, found := annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenAnnotations.Regex = value

-			delete(annotations, api.ForbiddenNamespaceAnnotationsRegexpAnnotation)
+			delete(annotations, meta.ForbiddenNamespaceAnnotationsRegexpAnnotation)
 		}
 	}

@@ -144,10 +149,10 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
 		in.Spec.Cordoned = value
 	}

-	if _, found := annotations[api.ProtectedTenantAnnotation]; found {
+	if _, found := annotations[meta.ProtectedTenantAnnotation]; found {
 		in.Spec.PreventDeletion = true

-		delete(annotations, api.ProtectedTenantAnnotation)
+		delete(annotations, meta.ProtectedTenantAnnotation)
 	}

 	in.SetAnnotations(annotations)
@@ -215,19 +220,19 @@ func (in *Tenant) ConvertTo(raw conversion.Hub) error {
 		dst.Spec.NamespaceOptions.AdditionalMetadata = nsOpts.AdditionalMetadata

 		if exact := nsOpts.ForbiddenAnnotations.Exact; len(exact) > 0 {
-			annotations[api.ForbiddenNamespaceAnnotationsAnnotation] = strings.Join(exact, ",")
+			annotations[meta.ForbiddenNamespaceAnnotationsAnnotation] = strings.Join(exact, ",")
 		}

 		if regex := nsOpts.ForbiddenAnnotations.Regex; len(regex) > 0 {
-			annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation] = regex
+			annotations[meta.ForbiddenNamespaceAnnotationsRegexpAnnotation] = regex
 		}

 		if exact := nsOpts.ForbiddenLabels.Exact; len(exact) > 0 {
-			annotations[api.ForbiddenNamespaceLabelsAnnotation] = strings.Join(exact, ",")
+			annotations[meta.ForbiddenNamespaceLabelsAnnotation] = strings.Join(exact, ",")
 		}

 		if regex := nsOpts.ForbiddenLabels.Regex; len(regex) > 0 {
-			annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation] = regex
+			annotations[meta.ForbiddenNamespaceLabelsRegexpAnnotation] = regex
 		}
 	}

@@ -264,7 +269,7 @@ func (in *Tenant) ConvertTo(raw conversion.Hub) error {
 	}

 	if in.Spec.PreventDeletion {
-		annotations[api.ProtectedTenantAnnotation] = "true" //nolint:goconst
+		annotations[meta.ProtectedTenantAnnotation] = "true" //nolint:goconst
 	}

 	if in.Spec.Cordoned {
--- a/api/v1beta2/tenant_func.go
+++ b/api/v1beta2/tenant_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -13,6 +13,18 @@ import (
 	"github.com/projectcapsule/capsule/pkg/api"
 )

+func (in *Tenant) GetRoleBindings() []api.AdditionalRoleBindingsSpec {
+	roleBindings := make([]api.AdditionalRoleBindingsSpec, 0, len(in.Spec.AdditionalRoleBindings))
+
+	for _, owner := range in.Status.Owners {
+		roleBindings = append(roleBindings, owner.ToAdditionalRolebindings()...)
+	}
+
+	roleBindings = append(roleBindings, in.Spec.AdditionalRoleBindings...)
+
+	return roleBindings
+}
+
 func (in *Tenant) IsFull() bool {
 	// we don't have limits on assigned Namespaces
 	if in.Spec.NamespaceOptions == nil || in.Spec.NamespaceOptions.Quota == nil {
@@ -37,14 +49,14 @@ func (in *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
 	in.Status.Size = uint(len(l))
 }

-func (in *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
+func (in *Tenant) GetOwnerProxySettings(name string, kind api.OwnerKind) []api.ProxySettings {
 	return in.Spec.Owners.FindOwner(name, kind).ProxyOperations
 }

 // GetClusterRolePermissions returns a map where the clusterRole is the key
 // and the value is a list of permission subjects (kind and name) that reference that role.
 // These mappings are gathered from the owners and additionalRolebindings spec.
-func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
+func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []api.OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
 	rolePerms = make(map[string][]rbacv1.Subject)

 	// Helper to add permissions for a given clusterRole
@@ -97,7 +109,7 @@ func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePe
 }

 // Get the permissions for a tenant ordered by groups and users.
-func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
+func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []api.OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
 	maps = make(map[string]map[string]api.TenantSubjectRoles)

 	// Initialize a nested map for kind ("User", "Group") and name
--- a/api/v1beta2/tenant_func_test.go
+++ b/api/v1beta2/tenant_func_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -13,21 +13,33 @@ import (

 var tenant = &Tenant{
 	Spec: TenantSpec{
-		Owners: []OwnerSpec{
+		Owners: []api.OwnerSpec{
 			{
-				Kind:         "User",
-				Name:         "user1",
-				ClusterRoles: []string{"cluster-admin", "read-only"},
+				CoreOwnerSpec: api.CoreOwnerSpec{
+					UserSpec: api.UserSpec{
+						Kind: "User",
+						Name: "user1",
+					},
+					ClusterRoles: []string{"cluster-admin", "read-only"},
+				},
 			},
 			{
-				Kind:         "Group",
-				Name:         "group1",
-				ClusterRoles: []string{"edit"},
+				CoreOwnerSpec: api.CoreOwnerSpec{
+					UserSpec: api.UserSpec{
+						Kind: "Group",
+						Name: "group1",
+					},
+					ClusterRoles: []string{"edit"},
+				},
 			},
 			{
-				Kind:         ServiceAccountOwner,
-				Name:         "service",
-				ClusterRoles: []string{"read-only"},
+				CoreOwnerSpec: api.CoreOwnerSpec{
+					UserSpec: api.UserSpec{
+						Kind: api.ServiceAccountOwner,
+						Name: "service",
+					},
+					ClusterRoles: []string{"read-only"},
+				},
 			},
 		},
 		AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
@@ -96,7 +108,7 @@ func TestGetSubjectsByClusterRoles(t *testing.T) {
 	}

 	// Ignore SubjectTypes (Ignores ServiceAccounts)
-	ignored := tenant.GetSubjectsByClusterRoles([]OwnerKind{"ServiceAccount"})
+	ignored := tenant.GetSubjectsByClusterRoles([]api.OwnerKind{"ServiceAccount"})
 	expectedIgnored := map[string][]rbacv1.Subject{
 		"cluster-admin": {
 			{Kind: "User", Name: "user1"},
@@ -156,7 +168,7 @@ func TestGetClusterRolesBySubject(t *testing.T) {
 	}

 	delete(expected, "ServiceAccount")
-	ignored := tenant.GetClusterRolesBySubject([]OwnerKind{"ServiceAccount"})
+	ignored := tenant.GetClusterRolesBySubject([]api.OwnerKind{"ServiceAccount"})

 	if !reflect.DeepEqual(ignored, expected) {
 		t.Errorf("Expected %v, but got %v", expected, ignored)
--- a/api/v1beta2/tenant_labels.go
+++ b/api/v1beta2/tenant_labels.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_status.go
+++ b/api/v1beta2/tenant_status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -6,7 +6,8 @@ package v1beta2
 import (
 	k8stypes "k8s.io/apimachinery/pkg/types"

-	"github.com/projectcapsule/capsule/pkg/meta"
+	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )

 // +kubebuilder:validation:Enum=Cordoned;Active
@@ -19,6 +20,11 @@ const (

 // Returns the observed state of the Tenant.
 type TenantStatus struct {
+	// Allowed Cluster Objects within Tenant
+	TenantAvailableStatus `json:",inline"`
+
+	// Collected owners for this tenant
+	Owners api.OwnerStatusListSpec `json:"owners,omitempty"`
 	// +kubebuilder:default=Active
 	// The operational state of the Tenant. Possible values are "Active", "Cordoned".
 	State tenantState `json:"state"`
@@ -41,6 +47,14 @@ type TenantStatusNamespaceItem struct {
 	UID k8stypes.UID `json:"uid,omitempty"`
 	// Managed Metadata
 	Metadata *TenantStatusNamespaceMetadata `json:"metadata,omitempty"`
+	// Managed Metadata
+	//+optional
+	Enforce TenantStatusNamespaceEnforcement `json:"enforce,omitzero"`
+}
+
+type TenantStatusNamespaceEnforcement struct {
+	// Registries which are allowed within this namespace
+	Registries []api.OCIRegistry `json:"registry,omitempty"`
 }

 type TenantStatusNamespaceMetadata struct {
@@ -50,6 +64,25 @@ type TenantStatusNamespaceMetadata struct {
 	Annotations map[string]string `json:"annotations,omitempty"`
 }

+type TenantAvailableStatus struct {
+	// Available Class Types within Tenant
+	// +optional
+	Classes TenantAvailableClassesStatus `json:"classes,omitzero"`
+}
+
+type TenantAvailableClassesStatus struct {
+	// Available Storageclasses (Only collected if any matching condition is specified)
+	StorageClasses []string `json:"storage,omitempty"`
+	// Available PriorityClasses
+	PriorityClasses []string `json:"priority,omitempty"`
+	// Available StorageClasses
+	RuntimeClasses []string `json:"runtime,omitempty"`
+	// Available GatewayClasses
+	GatewayClasses []string `json:"gateway,omitempty"`
+	// Available DeviceClasses
+	DeviceClasses []string `json:"device,omitempty"`
+}
+
 func (ms *TenantStatus) GetInstance(stat *TenantStatusNamespaceItem) *TenantStatusNamespaceItem {
 	for _, source := range ms.Spaces {
 		if ms.instancequal(source, stat) {
--- a/api/v1beta2/tenant_types.go
+++ b/api/v1beta2/tenant_types.go
@@ -1,19 +1,35 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2

 import (
+	"context"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
+	"github.com/projectcapsule/capsule/pkg/runtime/selectors"
 )

 // TenantSpec defines the desired state of Tenant.
 type TenantSpec struct {
+	// Specify Permissions for the Tenant.
+	// +optional
+	Permissions Permissions `json:"permissions,omitzero"`
+	// Specify enforcement specifications for the scope of the Tenant.
+	//  We are moving all configuration enforcement. per namespace into a rule construct.
+	//  It's currently not final.
+	//
+	// Read More: https://projectcapsule.dev/docs/tenants/rules/
+	//+optional
+	Rules []*NamespaceRule `json:"rules,omitzero"`
+
 	// Specifies the owners of the Tenant.
 	// Optional
-	Owners OwnerListSpec `json:"owners,omitempty"`
+	Owners api.OwnerListSpec `json:"owners,omitempty"`
 	// Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
 	NamespaceOptions *NamespaceOptions `json:"namespaceOptions,omitempty"`
 	// Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
@@ -26,23 +42,15 @@ type TenantSpec struct {
 	// Optional.
 	StorageClasses *api.DefaultAllowedListSpec `json:"storageClasses,omitempty"`
 	// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
-	IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
-	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
-	ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
+	// +optional
+	IngressOptions IngressOptions `json:"ingressOptions,omitzero"`
 	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
-	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
-	NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitempty"`
-	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
-	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
-	LimitRanges api.LimitRangesSpec `json:"limitRanges,omitempty"`
 	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
-	ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
+	// +optional
+	ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitzero"`
 	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
 	AdditionalRoleBindings []api.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
-	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
-	ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
 	// Specifies the allowed RuntimeClasses assigned to the Tenant.
 	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
 	// Optional.
@@ -52,8 +60,11 @@ type TenantSpec struct {
 	// A default value can be specified, and all the Pod resources created will inherit the declared class.
 	// Optional.
 	PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
+	// Specifies options for the DeviceClass resources.
+	DeviceClasses *api.SelectorAllowedListSpec `json:"deviceClasses,omitempty"`
 	// Specifies options for the GatewayClass resources.
-	GatewayOptions GatewayOptions `json:"gatewayOptions,omitempty"`
+	// +optional
+	GatewayOptions GatewayOptions `json:"gatewayOptions,omitzero"`
 	// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
 	//+kubebuilder:default:=false
 	Cordoned bool `json:"cordoned,omitempty"`
@@ -70,6 +81,48 @@ type TenantSpec struct {
 	// If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
 	// Optional
 	ForceTenantPrefix *bool `json:"forceTenantPrefix,omitempty"`
+
+	// Deprecated: Use Enforcement.Registries instead
+	//
+	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
+	ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
+	// Deprecated: Use Enforcement.Registries instead
+	//
+	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
+	ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
+
+	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
+	//
+	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+	// +optional
+	NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitzero"`
+	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
+	//
+	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
+	// +optional
+	LimitRanges api.LimitRangesSpec `json:"limitRanges,omitzero"`
+}
+
+type Permissions struct {
+	// Matches TenantOwner objects which are promoted to owners of this tenant
+	// The elements are OR operations and independent. You can see the resulting Tenant Owners
+	// in the Status.Owners specification of the Tenant.
+	MatchOwners []*metav1.LabelSelector `json:"matchOwners,omitempty"`
+}
+
+func (p *Permissions) ListMatchingOwners(
+	ctx context.Context,
+	c client.Client,
+	tnt string,
+	opts ...client.ListOption,
+) ([]*TenantOwner, error) {
+	defaultSelector := &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			meta.NewTenantLabel: tnt,
+		},
+	}
+
+	return selectors.ListBySelectors[*TenantOwner](ctx, c, &TenantOwnerList{}, append(p.MatchOwners, defaultSelector))
 }

 // +kubebuilder:object:root=true
@@ -85,19 +138,20 @@ type TenantSpec struct {
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
 // Tenant is the Schema for the tenants API.
 type Tenant struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`

-	Spec   TenantSpec   `json:"spec,omitempty"`
-	Status TenantStatus `json:"status,omitempty"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// +optional
+	Spec TenantSpec `json:"spec,omitzero"`
+
+	// +optional
+	Status TenantStatus `json:"status,omitzero"`
 }

 func (in *Tenant) GetNamespaces() (res []string) {
-	res = make([]string, 0, len(in.Status.Namespaces))
-
-	res = append(res, in.Status.Namespaces...)
-
-	return res
+	return in.Status.Namespaces
 }

 // +kubebuilder:object:root=true
@@ -105,7 +159,7 @@ func (in *Tenant) GetNamespaces() (res []string) {
 // TenantList contains a list of Tenant.
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
+	metav1.ListMeta `json:"metadata,omitzero"`

 	Items []Tenant `json:"items"`
 }
--- a/api/v1beta2/tenantowner_types.go
+++ b/api/v1beta2/tenantowner_types.go
@@ -0,0 +1,60 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+// TenantOwnerSpec defines the desired state of TenantOwner.
+type TenantOwnerSpec struct {
+	// Subject
+	api.CoreOwnerSpec `json:",inline"`
+
+	// Adds the given subject as capsule user. When enabled this subject does not have to be
+	// mentioned in the CapsuleConfiguration as Capsule User. In almost all scenarios Tenant Owners
+	// must be Capsule Users.
+	//+kubebuilder:default:=true
+	Aggregate bool `json:"aggregate"`
+}
+
+// TenantOwnerStatus defines the observed state of TenantOwner.
+type TenantOwnerStatus struct{}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// TenantOwner is the Schema for the tenantowners API.
+type TenantOwner struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is a standard object metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// spec defines the desired state of TenantOwner.
+	// +required
+	Spec TenantOwnerSpec `json:"spec"`
+
+	// status defines the observed state of TenantOwner.
+	// +optional
+	Status TenantOwnerStatus `json:"status,omitzero"`
+}
+
+// +kubebuilder:object:root=true
+
+// TenantOwnerList contains a list of TenantOwner.
+type TenantOwnerList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitzero"`
+
+	Items []TenantOwner `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&TenantOwner{}, &TenantOwnerList{})
+}
--- a/api/v1beta2/tenantresource_global.go
+++ b/api/v1beta2/tenantresource_global.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -13,7 +13,8 @@ type GlobalTenantResourceSpec struct {
 	TenantResourceSpec `json:",inline"`

 	// Defines the Tenant selector used target the tenants on which resources must be propagated.
-	TenantSelector metav1.LabelSelector `json:"tenantSelector,omitempty"`
+	// +optional
+	TenantSelector metav1.LabelSelector `json:"tenantSelector,omitzero"`
 }

 // GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
@@ -21,7 +22,7 @@ type GlobalTenantResourceStatus struct {
 	// List of Tenants addressed by the GlobalTenantResource.
 	SelectedTenants []string `json:"selectedTenants"`
 	// List of the replicated resources for the given TenantResource.
-	ProcessedItems ProcessedItems `json:"processedItems"`
+	ProcessedItems ProcessedItems `json:"processedItems,omitzero"`
 }

 type ProcessedItems []ObjectReferenceStatus
@@ -42,11 +43,15 @@ func (p *ProcessedItems) AsSet() sets.Set[string] {

 // GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
 type GlobalTenantResource struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`

-	Spec   GlobalTenantResourceSpec   `json:"spec,omitempty"`
-	Status GlobalTenantResourceStatus `json:"status,omitempty"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	Spec GlobalTenantResourceSpec `json:"spec"`
+
+	// +optional
+	Status GlobalTenantResourceStatus `json:"status,omitzero"`
 }

 // +kubebuilder:object:root=true
@@ -54,7 +59,7 @@ type GlobalTenantResource struct {
 // GlobalTenantResourceList contains a list of GlobalTenantResource.
 type GlobalTenantResourceList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
+	metav1.ListMeta `json:"metadata,omitzero"`

 	Items []GlobalTenantResource `json:"items"`
 }
--- a/api/v1beta2/tenantresource_namespaced.go
+++ b/api/v1beta2/tenantresource_namespaced.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -56,11 +56,15 @@ type TenantResourceStatus struct {
 // The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
 // For such cases, the GlobalTenantResource must be used.
 type TenantResource struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`

-	Spec   TenantResourceSpec   `json:"spec,omitempty"`
-	Status TenantResourceStatus `json:"status,omitempty"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	Spec TenantResourceSpec `json:"spec"`
+
+	// +optional
+	Status TenantResourceStatus `json:"status,omitzero"`
 }

 // +kubebuilder:object:root=true
@@ -68,7 +72,7 @@ type TenantResource struct {
 // TenantResourceList contains a list of TenantResource.
 type TenantResourceList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
+	metav1.ListMeta `json:"metadata,omitzero"`

 	Items []TenantResource `json:"items"`
 }
--- a/api/v1beta2/tenantresource_types.go
+++ b/api/v1beta2/tenantresource_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@@ -9,7 +9,8 @@ package v1beta2

 import (
 	"github.com/projectcapsule/capsule/pkg/api"
-	"github.com/projectcapsule/capsule/pkg/meta"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
+	"github.com/projectcapsule/capsule/pkg/runtime/selectors"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -36,33 +37,13 @@ func (in *AdditionalRoleBindingsSpec) DeepCopy() *AdditionalRoleBindingsSpec {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in ByKindAndName) DeepCopyInto(out *ByKindAndName) {
-	{
-		in := &in
-		*out = make(ByKindAndName, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByKindAndName.
-func (in ByKindAndName) DeepCopy() ByKindAndName {
-	if in == nil {
-		return nil
-	}
-	out := new(ByKindAndName)
-	in.DeepCopyInto(out)
-	return *out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapsuleConfiguration) DeepCopyInto(out *CapsuleConfiguration) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfiguration.
@@ -118,6 +99,11 @@ func (in *CapsuleConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapsuleConfigurationSpec) DeepCopyInto(out *CapsuleConfigurationSpec) {
 	*out = *in
+	if in.Users != nil {
+		in, out := &in.Users, &out.Users
+		*out = make(api.UserListSpec, len(*in))
+		copy(*out, *in)
+	}
 	if in.UserNames != nil {
 		in, out := &in.UserNames, &out.UserNames
 		*out = make([]string, len(*in))
@@ -139,6 +125,18 @@ func (in *CapsuleConfigurationSpec) DeepCopyInto(out *CapsuleConfigurationSpec)
 		*out = new(NodeMetadata)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Administrators != nil {
+		in, out := &in.Administrators, &out.Administrators
+		*out = make(api.UserListSpec, len(*in))
+		copy(*out, *in)
+	}
+	in.Admission.DeepCopyInto(&out.Admission)
+	if in.RBAC != nil {
+		in, out := &in.RBAC, &out.RBAC
+		*out = new(RBACConfiguration)
+		(*in).DeepCopyInto(*out)
+	}
+	out.CacheInvalidation = in.CacheInvalidation
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationSpec.
@@ -151,6 +149,27 @@ func (in *CapsuleConfigurationSpec) DeepCopy() *CapsuleConfigurationSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CapsuleConfigurationStatus) DeepCopyInto(out *CapsuleConfigurationStatus) {
+	*out = *in
+	in.LastCacheInvalidation.DeepCopyInto(&out.LastCacheInvalidation)
+	if in.Users != nil {
+		in, out := &in.Users, &out.Users
+		*out = make(api.UserListSpec, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationStatus.
+func (in *CapsuleConfigurationStatus) DeepCopy() *CapsuleConfigurationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CapsuleConfigurationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapsuleResources) DeepCopyInto(out *CapsuleResources) {
 	*out = *in
@@ -166,12 +185,59 @@ func (in *CapsuleResources) DeepCopy() *CapsuleResources {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DynamicAdmission) DeepCopyInto(out *DynamicAdmission) {
+	*out = *in
+	in.Mutating.DeepCopyInto(&out.Mutating)
+	in.Validating.DeepCopyInto(&out.Validating)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAdmission.
+func (in *DynamicAdmission) DeepCopy() *DynamicAdmission {
+	if in == nil {
+		return nil
+	}
+	out := new(DynamicAdmission)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DynamicAdmissionConfig) DeepCopyInto(out *DynamicAdmissionConfig) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	in.Client.DeepCopyInto(&out.Client)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAdmissionConfig.
+func (in *DynamicAdmissionConfig) DeepCopy() *DynamicAdmissionConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(DynamicAdmissionConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayOptions) DeepCopyInto(out *GatewayOptions) {
 	*out = *in
 	if in.AllowedClasses != nil {
 		in, out := &in.AllowedClasses, &out.AllowedClasses
-		*out = new(api.SelectionListWithDefaultSpec)
+		*out = new(api.DefaultAllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
 }
@@ -332,6 +398,11 @@ func (in *NamespaceOptions) DeepCopyInto(out *NamespaceOptions) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.RequiredMetadata != nil {
+		in, out := &in.RequiredMetadata, &out.RequiredMetadata
+		*out = new(RequiredMetadata)
+		(*in).DeepCopyInto(*out)
+	}
 	in.ForbiddenLabels.DeepCopyInto(&out.ForbiddenLabels)
 	in.ForbiddenAnnotations.DeepCopyInto(&out.ForbiddenAnnotations)
 }
@@ -346,6 +417,65 @@ func (in *NamespaceOptions) DeepCopy() *NamespaceOptions {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceRule) DeepCopyInto(out *NamespaceRule) {
+	*out = *in
+	in.NamespaceRuleBody.DeepCopyInto(&out.NamespaceRuleBody)
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRule.
+func (in *NamespaceRule) DeepCopy() *NamespaceRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceRuleBody) DeepCopyInto(out *NamespaceRuleBody) {
+	*out = *in
+	in.Enforce.DeepCopyInto(&out.Enforce)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRuleBody.
+func (in *NamespaceRuleBody) DeepCopy() *NamespaceRuleBody {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceRuleBody)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceRuleEnforceBody) DeepCopyInto(out *NamespaceRuleEnforceBody) {
+	*out = *in
+	if in.Registries != nil {
+		in, out := &in.Registries, &out.Registries
+		*out = make([]api.OCIRegistry, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceRuleEnforceBody.
+func (in *NamespaceRuleEnforceBody) DeepCopy() *NamespaceRuleEnforceBody {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceRuleEnforceBody)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeMetadata) DeepCopyInto(out *NodeMetadata) {
 	*out = *in
@@ -427,63 +557,27 @@ func (in *ObjectReferenceStatus) DeepCopy() *ObjectReferenceStatus {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in OwnerListSpec) DeepCopyInto(out *OwnerListSpec) {
-	{
-		in := &in
-		*out = make(OwnerListSpec, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerListSpec.
-func (in OwnerListSpec) DeepCopy() OwnerListSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(OwnerListSpec)
-	in.DeepCopyInto(out)
-	return *out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OwnerSpec) DeepCopyInto(out *OwnerSpec) {
+func (in *Permissions) DeepCopyInto(out *Permissions) {
 	*out = *in
-	if in.ClusterRoles != nil {
-		in, out := &in.ClusterRoles, &out.ClusterRoles
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.ProxyOperations != nil {
-		in, out := &in.ProxyOperations, &out.ProxyOperations
-		*out = make([]ProxySettings, len(*in))
+	if in.MatchOwners != nil {
+		in, out := &in.MatchOwners, &out.MatchOwners
+		*out = make([]*metav1.LabelSelector, len(*in))
 		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Annotations != nil {
-		in, out := &in.Annotations, &out.Annotations
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(metav1.LabelSelector)
+				(*in).DeepCopyInto(*out)
+			}
 		}
 	}
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerSpec.
-func (in *OwnerSpec) DeepCopy() *OwnerSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Permissions.
+func (in *Permissions) DeepCopy() *Permissions {
 	if in == nil {
 		return nil
 	}
-	out := new(OwnerSpec)
+	out := new(Permissions)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -508,21 +602,26 @@ func (in ProcessedItems) DeepCopy() ProcessedItems {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ProxySettings) DeepCopyInto(out *ProxySettings) {
+func (in *RBACConfiguration) DeepCopyInto(out *RBACConfiguration) {
 	*out = *in
-	if in.Operations != nil {
-		in, out := &in.Operations, &out.Operations
-		*out = make([]ProxyOperation, len(*in))
+	if in.AdministrationClusterRoles != nil {
+		in, out := &in.AdministrationClusterRoles, &out.AdministrationClusterRoles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.PromotionClusterRoles != nil {
+		in, out := &in.PromotionClusterRoles, &out.PromotionClusterRoles
+		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxySettings.
-func (in *ProxySettings) DeepCopy() *ProxySettings {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBACConfiguration.
+func (in *RBACConfiguration) DeepCopy() *RBACConfiguration {
 	if in == nil {
 		return nil
 	}
-	out := new(ProxySettings)
+	out := new(RBACConfiguration)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -543,6 +642,35 @@ func (in *RawExtension) DeepCopy() *RawExtension {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RequiredMetadata) DeepCopyInto(out *RequiredMetadata) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequiredMetadata.
+func (in *RequiredMetadata) DeepCopy() *RequiredMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(RequiredMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourcePool) DeepCopyInto(out *ResourcePool) {
 	*out = *in
@@ -656,6 +784,14 @@ func (in *ResourcePoolClaimStatus) DeepCopyInto(out *ResourcePoolClaimStatus) {
 	*out = *in
 	out.Pool = in.Pool
 	in.Condition.DeepCopyInto(&out.Condition)
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make(meta.ConditionList, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.Allocation.DeepCopyInto(&out.Allocation)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimStatus.
@@ -671,7 +807,7 @@ func (in *ResourcePoolClaimStatus) DeepCopy() *ResourcePoolClaimStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourcePoolClaimsItem) DeepCopyInto(out *ResourcePoolClaimsItem) {
 	*out = *in
-	out.StatusNameUID = in.StatusNameUID
+	out.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID = in.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID
 	if in.Claims != nil {
 		in, out := &in.Claims, &out.Claims
 		*out = make(corev1.ResourceList, len(*in))
@@ -825,7 +961,7 @@ func (in *ResourcePoolSpec) DeepCopyInto(out *ResourcePoolSpec) {
 	*out = *in
 	if in.Selectors != nil {
 		in, out := &in.Selectors, &out.Selectors
-		*out = make([]api.NamespaceSelector, len(*in))
+		*out = make([]selectors.NamespaceSelector, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -919,6 +1055,13 @@ func (in *ResourcePoolStatus) DeepCopyInto(out *ResourcePoolStatus) {
 			(*out)[key] = *val.DeepCopy()
 		}
 	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make(meta.ConditionList, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolStatus.
@@ -970,6 +1113,80 @@ func (in *ResourceSpec) DeepCopy() *ResourceSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleStatus) DeepCopyInto(out *RuleStatus) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatus.
+func (in *RuleStatus) DeepCopy() *RuleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuleStatus) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleStatusList) DeepCopyInto(out *RuleStatusList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RuleStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatusList.
+func (in *RuleStatusList) DeepCopy() *RuleStatusList {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleStatusList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuleStatusList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleStatusSpec) DeepCopyInto(out *RuleStatusSpec) {
+	*out = *in
+	in.Rule.DeepCopyInto(&out.Rule)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatusSpec.
+func (in *RuleStatusSpec) DeepCopy() *RuleStatusSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleStatusSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Tenant) DeepCopyInto(out *Tenant) {
 	*out = *in
@@ -997,6 +1214,62 @@ func (in *Tenant) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantAvailableClassesStatus) DeepCopyInto(out *TenantAvailableClassesStatus) {
+	*out = *in
+	if in.StorageClasses != nil {
+		in, out := &in.StorageClasses, &out.StorageClasses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.PriorityClasses != nil {
+		in, out := &in.PriorityClasses, &out.PriorityClasses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.RuntimeClasses != nil {
+		in, out := &in.RuntimeClasses, &out.RuntimeClasses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.GatewayClasses != nil {
+		in, out := &in.GatewayClasses, &out.GatewayClasses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.DeviceClasses != nil {
+		in, out := &in.DeviceClasses, &out.DeviceClasses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantAvailableClassesStatus.
+func (in *TenantAvailableClassesStatus) DeepCopy() *TenantAvailableClassesStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantAvailableClassesStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantAvailableStatus) DeepCopyInto(out *TenantAvailableStatus) {
+	*out = *in
+	in.Classes.DeepCopyInto(&out.Classes)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantAvailableStatus.
+func (in *TenantAvailableStatus) DeepCopy() *TenantAvailableStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantAvailableStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantList) DeepCopyInto(out *TenantList) {
 	*out = *in
@@ -1029,6 +1302,96 @@ func (in *TenantList) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantOwner) DeepCopyInto(out *TenantOwner) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwner.
+func (in *TenantOwner) DeepCopy() *TenantOwner {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantOwner)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TenantOwner) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantOwnerList) DeepCopyInto(out *TenantOwnerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TenantOwner, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwnerList.
+func (in *TenantOwnerList) DeepCopy() *TenantOwnerList {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantOwnerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TenantOwnerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantOwnerSpec) DeepCopyInto(out *TenantOwnerSpec) {
+	*out = *in
+	in.CoreOwnerSpec.DeepCopyInto(&out.CoreOwnerSpec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwnerSpec.
+func (in *TenantOwnerSpec) DeepCopy() *TenantOwnerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantOwnerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantOwnerStatus) DeepCopyInto(out *TenantOwnerStatus) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOwnerStatus.
+func (in *TenantOwnerStatus) DeepCopy() *TenantOwnerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantOwnerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantResource) DeepCopyInto(out *TenantResource) {
 	*out = *in
@@ -1139,9 +1502,21 @@ func (in *TenantResourceStatus) DeepCopy() *TenantResourceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 	*out = *in
+	in.Permissions.DeepCopyInto(&out.Permissions)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]*NamespaceRule, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(NamespaceRule)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
 	if in.Owners != nil {
 		in, out := &in.Owners, &out.Owners
-		*out = make(OwnerListSpec, len(*in))
+		*out = make(api.OwnerListSpec, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1167,11 +1542,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		(*in).DeepCopyInto(*out)
 	}
 	in.IngressOptions.DeepCopyInto(&out.IngressOptions)
-	if in.ContainerRegistries != nil {
-		in, out := &in.ContainerRegistries, &out.ContainerRegistries
-		*out = new(api.AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.NodeSelector != nil {
 		in, out := &in.NodeSelector, &out.NodeSelector
 		*out = make(map[string]string, len(*in))
@@ -1179,8 +1549,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*out)[key] = val
 		}
 	}
-	in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
-	in.LimitRanges.DeepCopyInto(&out.LimitRanges)
 	in.ResourceQuota.DeepCopyInto(&out.ResourceQuota)
 	if in.AdditionalRoleBindings != nil {
 		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
@@ -1189,11 +1557,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.ImagePullPolicies != nil {
-		in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
-		*out = make([]api.ImagePullPolicySpec, len(*in))
-		copy(*out, *in)
-	}
 	if in.RuntimeClasses != nil {
 		in, out := &in.RuntimeClasses, &out.RuntimeClasses
 		*out = new(api.DefaultAllowedListSpec)
@@ -1204,12 +1567,29 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(api.DefaultAllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.DeviceClasses != nil {
+		in, out := &in.DeviceClasses, &out.DeviceClasses
+		*out = new(api.SelectorAllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
 	in.GatewayOptions.DeepCopyInto(&out.GatewayOptions)
 	if in.ForceTenantPrefix != nil {
 		in, out := &in.ForceTenantPrefix, &out.ForceTenantPrefix
 		*out = new(bool)
 		**out = **in
 	}
+	if in.ContainerRegistries != nil {
+		in, out := &in.ContainerRegistries, &out.ContainerRegistries
+		*out = new(api.AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ImagePullPolicies != nil {
+		in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
+		*out = make([]api.ImagePullPolicySpec, len(*in))
+		copy(*out, *in)
+	}
+	in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
+	in.LimitRanges.DeepCopyInto(&out.LimitRanges)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.
@@ -1225,6 +1605,14 @@ func (in *TenantSpec) DeepCopy() *TenantSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantStatus) DeepCopyInto(out *TenantStatus) {
 	*out = *in
+	in.TenantAvailableStatus.DeepCopyInto(&out.TenantAvailableStatus)
+	if in.Owners != nil {
+		in, out := &in.Owners, &out.Owners
+		*out = make(api.OwnerStatusListSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Namespaces != nil {
 		in, out := &in.Namespaces, &out.Namespaces
 		*out = make([]string, len(*in))
@@ -1260,6 +1648,28 @@ func (in *TenantStatus) DeepCopy() *TenantStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantStatusNamespaceEnforcement) DeepCopyInto(out *TenantStatusNamespaceEnforcement) {
+	*out = *in
+	if in.Registries != nil {
+		in, out := &in.Registries, &out.Registries
+		*out = make([]api.OCIRegistry, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatusNamespaceEnforcement.
+func (in *TenantStatusNamespaceEnforcement) DeepCopy() *TenantStatusNamespaceEnforcement {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantStatusNamespaceEnforcement)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantStatusNamespaceItem) DeepCopyInto(out *TenantStatusNamespaceItem) {
 	*out = *in
@@ -1275,6 +1685,7 @@ func (in *TenantStatusNamespaceItem) DeepCopyInto(out *TenantStatusNamespaceItem
 		*out = new(TenantStatusNamespaceMetadata)
 		(*in).DeepCopyInto(*out)
 	}
+	in.Enforce.DeepCopyInto(&out.Enforce)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatusNamespaceItem.
--- a/charts/capsule/Chart.lock
+++ b/charts/capsule/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: capsule-proxy
  repository: oci://ghcr.io/projectcapsule/charts
-  version: 0.9.13
-digest: sha256:dbca86ef4afef07c79c0d5e049c6666a70d2b8990262224970f662531fffd9c3
-generated: "2025-09-03T20:29:41.043265755Z"
+  version: 0.10.0
+digest: sha256:b268fe0a87e4fa4d0196e5dac82c7e8ae20e96053f5ca860b1f7c44e3a357406
+generated: "2025-12-09T15:58:45.796317945Z"
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -1,12 +1,12 @@
 apiVersion: v2
 type: application
 description: A Helm chart to deploy the Capsule Operator for easily implementing,
-  managing, and maintaining mutitenancy and access control in Kubernetes.
-home: https://github.com/projectcapsule/capsule
+  managing, and maintaining multitenancy and access control in Kubernetes.
+home: https://projectcapsule.dev/
 icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
 dependencies:
  - name: capsule-proxy
-    version: 0.9.13
+    version: 0.10.0
    repository: "oci://ghcr.io/projectcapsule/charts"
    condition: proxy.enabled
    alias: proxy
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -67,7 +67,7 @@ The following Values have changed key or Value:
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Set affinity rules for the Capsule pod |
 | certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate |
-| certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
+| certManager.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
 | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
 | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
 | extraManifests | list | `[]` | Array of additional resources to be created alongside Capsule helm chart |
@@ -88,9 +88,10 @@ The following Values have changed key or Value:
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.imagePullSecrets | list | `[]` |  |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
-| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
-| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
+| tls.create | bool | `false` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
+| tls.enableController | bool | `false` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
 | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
 | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
 | topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
@@ -112,19 +113,27 @@ The following Values have changed key or Value:
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
 | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
+| manager.options.administrators | list | `[]` | Define entities which can act as Administrators in the capsule construct These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor be ignored by capsule. May also be handy in GitOps scenarios where certain service accounts need to be able to manage namespaces for all tenants. |
 | manager.options.allowServiceAccountPromotion | bool | `false` | ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant. However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts. |
 | manager.options.annotations | object | `{}` | Additional annotations to add to the CapsuleConfiguration resource |
+| manager.options.cacheInvalidation | string | `"24h0m0s"` | Duration after which the in-memory cache is invalidated (based on usaage) and re-fetched from the API server |
 | manager.options.capsuleConfiguration | string | `"default"` | Change the default name of the capsule configuration name |
-| manager.options.capsuleUserGroups | list | `["projectcapsule.dev"]` | Names of the groups considered as Capsule users. |
+| manager.options.capsuleUserGroups | list | `[]` | DEPRECATED: use users properties. Names of the users considered as Capsule users. |
 | manager.options.createConfiguration | bool | `true` | Create Configuration |
 | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
 | manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
 | manager.options.ignoreUserWithGroups | list | `[]` | Define groups which when found in the request of a user will be ignored by the Capsule this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups. |
 | manager.options.labels | object | `{}` | Additional labels to add to the CapsuleConfiguration resource |
-| manager.options.logLevel | string | `"3"` | Set the log verbosity of the capsule with a value from 1 to 5 |
+| manager.options.logLevel | string | `"info"` | Set the log verbosity of the capsule with a value from 1 to 5 |
 | manager.options.nodeMetadata | object | `{"forbiddenAnnotations":{"denied":[],"deniedRegex":""},"forbiddenLabels":{"denied":[],"deniedRegex":""}}` | Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant |
 | manager.options.protectedNamespaceRegex | string | `""` | If specified, disallows creation of namespaces matching the passed regexp |
-| manager.options.userNames | list | `[]` | Names of the users considered as Capsule users. |
+| manager.options.rbac | object | `{"administrationClusterRoles":["capsule-namespace-deleter"],"deleter":"capsule-namespace-deleter","promotionClusterRoles":["capsule-namespace-provisioner","capsule-namespace-deleter"],"provisioner":"capsule-namespace-provisioner"}` | Managed RBAC configuration for the controller |
+| manager.options.rbac.administrationClusterRoles | list | `["capsule-namespace-deleter"]` | The ClusterRoles applied for Administrators |
+| manager.options.rbac.deleter | string | `"capsule-namespace-deleter"` | Name for the ClusterRole required to grant Namespace Deletion permissions. |
+| manager.options.rbac.promotionClusterRoles | list | `["capsule-namespace-provisioner","capsule-namespace-deleter"]` | The ClusterRoles applied for ServiceAccounts which had owner Promotion |
+| manager.options.rbac.provisioner | string | `"capsule-namespace-provisioner"` | Name for the ClusterRole required to grant Namespace Provision permissions. |
+| manager.options.userNames | list | `[]` | DEPRECATED: use users properties. Names of the users considered as Capsule users. |
+| manager.options.users | list | `[{"kind":"Group","name":"projectcapsule.dev"}]` | Define entities which are considered part of the Capsule construct. Users not mentioned here will be ignored by Capsule |
 | manager.options.workers | int | `1` | Workers (MaxConcurrentReconciles) is the maximum number of concurrent Reconciles which can be run (ALPHA). |
 | manager.rbac.create | bool | `true` | Specifies whether RBAC resources should be created. |
 | manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
@@ -149,6 +158,14 @@ The following Values have changed key or Value:
 | monitoring.dashboards.operator.folder | string | `""` | folder assignment for dashboard |
 | monitoring.dashboards.operator.instanceSelector | object | `{}` | Selects Grafana instances for import |
 | monitoring.dashboards.operator.resyncPeriod | string | `"10m"` | How often the resource is synced, defaults to 10m0s if not set |
+| monitoring.diagnostics.annotations | object | `{}` | Annotations for dashboard configmaps |
+| monitoring.diagnostics.enabled | bool | `false` | Enable Diagnostic Dashboards to be deployed |
+| monitoring.diagnostics.labels | object | `{}` | Labels for dashboard configmaps |
+| monitoring.diagnostics.operator.allowCrossNamespaceImport | bool | `true` | Allow the Operator to match this resource with Grafanas outside the current namespace |
+| monitoring.diagnostics.operator.enabled | bool | `false` | Enable Operator Resources (GrafanaDashboard) |
+| monitoring.diagnostics.operator.folder | string | `""` | folder assignment for dashboard |
+| monitoring.diagnostics.operator.instanceSelector | object | `{}` | Selects Grafana instances for import |
+| monitoring.diagnostics.operator.resyncPeriod | string | `"10m"` | How often the resource is synced, defaults to 10m0s if not set |
 | monitoring.serviceMonitor.annotations | object | `{}` | Assign additional Annotations |
 | monitoring.serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
 | monitoring.serviceMonitor.endpoint.interval | string | `"15s"` | Set the scrape interval for the endpoint of the serviceMonitor |
@@ -164,23 +181,38 @@ The following Values have changed key or Value:

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| webhooks.annotations | object | `{}` | Additional Annotations for all webhooks |
 | webhooks.exclusive | bool | `false` | When `crds.exclusive` is `true` the webhooks will be installed |
+| webhooks.hooks.config.enabled | bool | `true` | Enable the Hook |
+| webhooks.hooks.config.failurePolicy | string | `"Ignore"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
+| webhooks.hooks.config.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.config.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.config.namespaceSelector | object | `{}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
+| webhooks.hooks.config.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
+| webhooks.hooks.config.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
 | webhooks.hooks.cordoning.enabled | bool | `true` | Enable the Hook |
 | webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
-| webhooks.hooks.cordoning.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.cordoning.matchConditions | list | `[{"expression":"!has(request.subResource) || request.subResource == \"\"","name":"ignore-subresources"},{"expression":"request.resource.resource != \"events\"","name":"ignore-events"}]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
 | webhooks.hooks.cordoning.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
-| webhooks.hooks.cordoning.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"},{"key":"projectcapsule.dev/cordoned","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
+| webhooks.hooks.cordoning.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"},{"key":"projectcapsule.dev/cordoned","operator":"In","values":["true"]}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
 | webhooks.hooks.cordoning.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
 | webhooks.hooks.cordoning.rules | list | `[{"apiGroups":["*"],"apiVersions":["*"],"operations":["CREATE","UPDATE","DELETE"],"resources":["*"],"scope":"Namespaced"}]` | [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) |
 | webhooks.hooks.customresources.enabled | bool | `true` | Enable the Hook |
 | webhooks.hooks.customresources.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
-| webhooks.hooks.customresources.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.customresources.matchConditions | list | `[{"expression":"!has(request.subResource) || request.subResource == \"\"","name":"ignore-subresources"},{"expression":"request.resource.resource != \"events\"","name":"ignore-events"}]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
 | webhooks.hooks.customresources.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
-| webhooks.hooks.customresources.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
+| webhooks.hooks.customresources.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"},{"key":"projectcapsule.dev/custom-resources","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
 | webhooks.hooks.customresources.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
 | webhooks.hooks.defaults.ingress | object | `{}` | Deprecated, use webhooks.hooks.ingresses instead |
 | webhooks.hooks.defaults.pods | object | `{}` | Deprecated, use webhooks.hooks.pods instead |
 | webhooks.hooks.defaults.pvc | object | `{}` | Deprecated, use webhooks.hooks.persistentvolumeclaims instead |
+| webhooks.hooks.devices.enabled | bool | `true` | Enable the Hook |
+| webhooks.hooks.devices.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
+| webhooks.hooks.devices.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.devices.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.devices.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
+| webhooks.hooks.devices.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
+| webhooks.hooks.devices.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
 | webhooks.hooks.gateways.enabled | bool | `true` | Enable the Hook |
 | webhooks.hooks.gateways.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
 | webhooks.hooks.gateways.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
@@ -194,6 +226,13 @@ The following Values have changed key or Value:
 | webhooks.hooks.ingresses.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
 | webhooks.hooks.ingresses.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
 | webhooks.hooks.ingresses.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
+| webhooks.hooks.managed.enabled | bool | `true` | Enable the Hook |
+| webhooks.hooks.managed.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
+| webhooks.hooks.managed.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.managed.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.managed.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
+| webhooks.hooks.managed.objectSelector | object | `{"matchExpressions":[{"key":"projectcapsule.dev/managed-by","operator":"Exists"}]}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
+| webhooks.hooks.managed.rules | list | `[{"apiGroups":["*"],"apiVersions":["*"],"operations":["CREATE","UPDATE","DELETE"],"resources":["*"],"scope":"*"}]` | [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) |
 | webhooks.hooks.namespaceOwnerReference | object | `{}` | Deprecated, use webhooks.hooks.namespaces instead |
 | webhooks.hooks.namespaces.enabled | bool | `true` | Enable the Hook |
 | webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
@@ -202,12 +241,6 @@ The following Values have changed key or Value:
 | webhooks.hooks.namespaces.namespaceSelector | object | `{}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
 | webhooks.hooks.namespaces.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
 | webhooks.hooks.namespaces.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
-| webhooks.hooks.networkpolicies.enabled | bool | `true` | Enable the Hook |
-| webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
-| webhooks.hooks.networkpolicies.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
-| webhooks.hooks.networkpolicies.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
-| webhooks.hooks.networkpolicies.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
-| webhooks.hooks.networkpolicies.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
 | webhooks.hooks.nodes.enabled | bool | `false` | Enable the Hook |
 | webhooks.hooks.nodes.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
 | webhooks.hooks.nodes.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
@@ -252,12 +285,15 @@ The following Values have changed key or Value:
 | webhooks.hooks.services.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
 | webhooks.hooks.services.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
 | webhooks.hooks.services.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
-| webhooks.hooks.tenantResourceObjects.enabled | bool | `true` | Enable the Hook |
-| webhooks.hooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
-| webhooks.hooks.tenantResourceObjects.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
-| webhooks.hooks.tenantResourceObjects.matchPolicy | string | `"Exact"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
-| webhooks.hooks.tenantResourceObjects.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
-| webhooks.hooks.tenantResourceObjects.objectSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
+| webhooks.hooks.tenantLabel.enabled | bool | `true` | Enable the Hook |
+| webhooks.hooks.tenantLabel.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
+| webhooks.hooks.tenantLabel.matchConditions | list | `[{"expression":"!has(request.subResource) || request.subResource == \"\"","name":"ignore-subresources"},{"expression":"request.resource.resource != \"events\"","name":"ignore-events"}]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.tenantLabel.matchPolicy | string | `"Equivalent"` | [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
+| webhooks.hooks.tenantLabel.namespaceSelector | object | `{"matchExpressions":[{"key":"capsule.clastix.io/tenant","operator":"Exists"}]}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
+| webhooks.hooks.tenantLabel.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
+| webhooks.hooks.tenantLabel.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
+| webhooks.hooks.tenantLabel.rules | list | `[{"apiGroups":["*"],"apiVersions":["*"],"operations":["CREATE","UPDATE"],"resources":["*"],"scope":"Namespaced"}]` | [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) |
+| webhooks.hooks.tenantResourceObjects | object | `{}` | Deprecated, use webhooks.hooks.managed instead |
 | webhooks.hooks.tenants.enabled | bool | `true` | Enable the Hook |
 | webhooks.hooks.tenants.failurePolicy | string | `"Fail"` | [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) |
 | webhooks.hooks.tenants.matchConditions | list | `[]` | [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) |
@@ -265,6 +301,7 @@ The following Values have changed key or Value:
 | webhooks.hooks.tenants.namespaceSelector | object | `{}` | [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) |
 | webhooks.hooks.tenants.objectSelector | object | `{}` | [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) |
 | webhooks.hooks.tenants.reinvocationPolicy | string | `"Never"` | [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy) |
+| webhooks.labels | object | `{}` | Additional Labels for all webhooks |
 | webhooks.mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
 | webhooks.service.caBundle | string | `""` | CABundle for the webhook service |
 | webhooks.service.name | string | `""` | Custom service name for the webhook service |
--- a/charts/capsule/ci/ha-values.yaml
+++ b/charts/capsule/ci/ha-values.yaml
@@ -0,0 +1,4 @@
+replicaCount: 2
+manager:
+  extraArgs:
+  - "--enable-leader-election=true"
--- a/charts/capsule/ci/tracing-values.yaml
+++ b/charts/capsule/ci/tracing-values.yaml
--- a/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
  name: capsuleconfigurations.capsule.clastix.io
 spec:
  group: capsule.clastix.io
@@ -40,6 +40,219 @@ spec:
          spec:
            description: CapsuleConfigurationSpec defines the Capsule configuration.
            properties:
+              administrators:
+                description: |-
+                  Define entities which can act as Administrators in the capsule construct
+                  These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
+                  for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
+                  be ignored by capsule.
+                items:
+                  properties:
+                    kind:
+                      description: Kind of entity. Possible values are "User", "Group",
+                        and "ServiceAccount"
+                      enum:
+                      - User
+                      - Group
+                      - ServiceAccount
+                      type: string
+                    name:
+                      description: Name of the entity.
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+              admission:
+                description: Configuration for dynamic Validating and Mutating Admission
+                  webhooks managed by Capsule.
+                properties:
+                  mutating:
+                    description: Configure dynamic Mutating Admission for Capsule
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations added to the Admission Webhook
+                        type: object
+                      client:
+                        description: From the upstram struct
+                        properties:
+                          caBundle:
+                            description: |-
+                              `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+                              If unspecified, system trust roots on the apiserver are used.
+                            format: byte
+                            type: string
+                          service:
+                            description: |-
+                              `service` is a reference to the service for this webhook. Either
+                              `service` or `url` must be specified.
+
+                              If the webhook is running within the cluster, then you should use `service`.
+                            properties:
+                              name:
+                                description: |-
+                                  `name` is the name of the service.
+                                  Required
+                                type: string
+                              namespace:
+                                description: |-
+                                  `namespace` is the namespace of the service.
+                                  Required
+                                type: string
+                              path:
+                                description: |-
+                                  `path` is an optional URL path which will be sent in any request to
+                                  this service.
+                                type: string
+                              port:
+                                description: |-
+                                  If specified, the port on the service that hosting webhook.
+                                  Default to 443 for backward compatibility.
+                                  `port` should be a valid port number (1-65535, inclusive).
+                                format: int32
+                                type: integer
+                            required:
+                            - name
+                            - namespace
+                            type: object
+                          url:
+                            description: |-
+                              `url` gives the location of the webhook, in standard URL form
+                              (`scheme://host:port/path`). Exactly one of `url` or `service`
+                              must be specified.
+
+                              The `host` should not refer to a service running in the cluster; use
+                              the `service` field instead. The host might be resolved via external
+                              DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+                              in-cluster DNS as that would be a layering violation). `host` may
+                              also be an IP address.
+
+                              Please note that using `localhost` or `127.0.0.1` as a `host` is
+                              risky unless you take great care to run this webhook on all hosts
+                              which run an apiserver which might need to make calls to this
+                              webhook. Such installs are likely to be non-portable, i.e., not easy
+                              to turn up in a new cluster.
+
+                              The scheme must be "https"; the URL must begin with "https://".
+
+                              A path is optional, and if present may be any string permissible in
+                              a URL. You may use the path to pass an arbitrary string to the
+                              webhook, for example, a cluster identifier.
+
+                              Attempting to use a user or basic auth e.g. "user:password@" is not
+                              allowed. Fragments ("#...") and query parameters ("?...") are not
+                              allowed, either.
+                            type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: Labels added to the Admission Webhook
+                        type: object
+                      name:
+                        description: Name the Admission Webhook
+                        maxLength: 63
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                    required:
+                    - client
+                    type: object
+                  validating:
+                    description: Configure dynamic Validating Admission for Capsule
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations added to the Admission Webhook
+                        type: object
+                      client:
+                        description: From the upstram struct
+                        properties:
+                          caBundle:
+                            description: |-
+                              `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+                              If unspecified, system trust roots on the apiserver are used.
+                            format: byte
+                            type: string
+                          service:
+                            description: |-
+                              `service` is a reference to the service for this webhook. Either
+                              `service` or `url` must be specified.
+
+                              If the webhook is running within the cluster, then you should use `service`.
+                            properties:
+                              name:
+                                description: |-
+                                  `name` is the name of the service.
+                                  Required
+                                type: string
+                              namespace:
+                                description: |-
+                                  `namespace` is the namespace of the service.
+                                  Required
+                                type: string
+                              path:
+                                description: |-
+                                  `path` is an optional URL path which will be sent in any request to
+                                  this service.
+                                type: string
+                              port:
+                                description: |-
+                                  If specified, the port on the service that hosting webhook.
+                                  Default to 443 for backward compatibility.
+                                  `port` should be a valid port number (1-65535, inclusive).
+                                format: int32
+                                type: integer
+                            required:
+                            - name
+                            - namespace
+                            type: object
+                          url:
+                            description: |-
+                              `url` gives the location of the webhook, in standard URL form
+                              (`scheme://host:port/path`). Exactly one of `url` or `service`
+                              must be specified.
+
+                              The `host` should not refer to a service running in the cluster; use
+                              the `service` field instead. The host might be resolved via external
+                              DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+                              in-cluster DNS as that would be a layering violation). `host` may
+                              also be an IP address.
+
+                              Please note that using `localhost` or `127.0.0.1` as a `host` is
+                              risky unless you take great care to run this webhook on all hosts
+                              which run an apiserver which might need to make calls to this
+                              webhook. Such installs are likely to be non-portable, i.e., not easy
+                              to turn up in a new cluster.
+
+                              The scheme must be "https"; the URL must begin with "https://".
+
+                              A path is optional, and if present may be any string permissible in
+                              a URL. You may use the path to pass an arbitrary string to the
+                              webhook, for example, a cluster identifier.
+
+                              Attempting to use a user or basic auth e.g. "user:password@" is not
+                              allowed. Fragments ("#...") and query parameters ("?...") are not
+                              allowed, either.
+                            type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: Labels added to the Admission Webhook
+                        type: object
+                      name:
+                        description: Name the Admission Webhook
+                        maxLength: 63
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                    required:
+                    - client
+                    type: object
+                type: object
              allowServiceAccountPromotion:
                default: false
                description: |-
@@ -47,8 +260,13 @@ spec:
                  this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant.
                  However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
                type: boolean
+              cacheInvalidation:
+                default: 24h
+                description: Define the period of time upon a cache invalidation is
+                  executed for all caches.
+                type: string
              enableTLSReconciler:
-                default: true
+                default: false
                description: |-
                  Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
                  when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
@@ -93,9 +311,6 @@ spec:
                      deniedRegex:
                        type: string
                    type: object
-                required:
-                - forbiddenAnnotations
-                - forbiddenLabels
                type: object
              overrides:
                default:
@@ -131,21 +346,114 @@ spec:
                description: Disallow creation of namespaces, whose name matches this
                  regexp
                type: string
+              rbac:
+                default: {}
+                description: Define Properties for managed ClusterRoles by Capsule
+                properties:
+                  administrationClusterRoles:
+                    default:
+                    - capsule-namespace-deleter
+                    description: The ClusterRoles applied for Administrators
+                    items:
+                      type: string
+                    type: array
+                  deleter:
+                    default: capsule-namespace-deleter
+                    description: Name for the ClusterRole required to grant Namespace
+                      Deletion permissions.
+                    type: string
+                  promotionClusterRoles:
+                    default:
+                    - capsule-namespace-provisioner
+                    - capsule-namespace-deleter
+                    description: The ClusterRoles applied for ServiceAccounts which
+                      had owner Promotion
+                    items:
+                      type: string
+                    type: array
+                  provisioner:
+                    default: capsule-namespace-provisioner
+                    description: Name for the ClusterRole required to grant Namespace
+                      Provision permissions.
+                    type: string
+                type: object
              userGroups:
-                default:
-                - capsule.clastix.io
-                description: Names of the groups considered as Capsule users.
+                description: |-
+                  Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
+
+                  Names of the groups considered as Capsule users.
                items:
                  type: string
                type: array
              userNames:
-                description: Names of the users considered as Capsule users.
+                description: |-
+                  Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)
+
+                  Names of the users considered as Capsule users.
                items:
                  type: string
                type: array
+              users:
+                description: |-
+                  Define entities which are considered part of the Capsule construct
+                  Users not mentioned here will be ignored by Capsule
+                items:
+                  properties:
+                    kind:
+                      description: Kind of entity. Possible values are "User", "Group",
+                        and "ServiceAccount"
+                      enum:
+                      - User
+                      - Group
+                      - ServiceAccount
+                      type: string
+                    name:
+                      description: Name of the entity.
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
            required:
+            - cacheInvalidation
            - enableTLSReconciler
+            - rbac
            type: object
+          status:
+            description: CapsuleConfigurationStatus defines the Capsule configuration
+              status.
+            properties:
+              lastCacheInvalidation:
+                description: Last time all caches were invalided
+                format: date-time
+                type: string
+              users:
+                description: Users which are considered Capsule Users and are bound
+                  to the Capsule Tenant construct.
+                items:
+                  properties:
+                    kind:
+                      description: Kind of entity. Possible values are "User", "Group",
+                        and "ServiceAccount"
+                      enum:
+                      - User
+                      - Group
+                      - ServiceAccount
+                      type: string
+                    name:
+                      description: Name of the entity.
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
+    subresources:
+      status: {}
--- a/charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
  name: globaltenantresources.capsule.clastix.io
 spec:
  group: capsule.clastix.io
@@ -291,6 +291,8 @@ spec:
            - processedItems
            - selectedTenants
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/charts/capsule/crds/capsule.clastix.io_resourcepoolclaims.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_resourcepoolclaims.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
  name: resourcepoolclaims.capsule.clastix.io
 spec:
  group: capsule.clastix.io
@@ -19,18 +19,22 @@ spec:
      jsonPath: .status.pool.name
      name: Pool
      type: string
-    - description: Status for claim
-      jsonPath: .status.condition.type
-      name: Status
+    - description: Ready Status
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
      type: string
-    - description: Reason for status
-      jsonPath: .status.condition.reason
-      name: Reason
-      type: string
-    - description: Condition Message
-      jsonPath: .status.condition.message
+    - description: Ready Message
+      jsonPath: .status.conditions[?(@.type=="Ready")].message
      name: Message
      type: string
+    - description: Bound Status
+      jsonPath: .status.conditions[?(@.type=="Bound")].status
+      name: Bound
+      type: string
+    - description: Bound Message
+      jsonPath: .status.conditions[?(@.type=="Bound")].message
+      name: Reason
+      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
@@ -80,8 +84,44 @@ spec:
          status:
            description: ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
            properties:
+              allocation:
+                description: Tracks the Usage from Claimed from this claim and available
+                  resources
+                properties:
+                  available:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: Used to track the usage of the resource in the pool
+                      (diff hard - claimed). May be used for further automation
+                    type: object
+                  hard:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: |-
+                      Hard is the set of enforced hard limits for each named resource.
+                      More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
+                    type: object
+                  used:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: Used is the current observed total usage of the resource
+                      in the namespace.
+                    type: object
+                type: object
              condition:
-                description: Condtion for this resource claim
+                description: 'Deprecated: Use Conditions'
                properties:
                  lastTransitionTime:
                    description: |-
@@ -133,24 +173,83 @@ spec:
                - status
                - type
                type: object
+              conditions:
+                description: Conditions for the resource claim
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
              pool:
                description: Reference to the GlobalQuota being claimed from
                properties:
                  name:
-                    description: Name
-                    maxLength: 253
-                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                    type: string
-                  namespace:
-                    description: Namespace
-                    maxLength: 253
+                    description: Name of the referent.
+                    maxLength: 63
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    type: string
                  uid:
                    description: UID of the tracked Tenant to pin point tracking
                    type: string
+                required:
+                - name
+                - uid
                type: object
+            required:
+            - conditions
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/charts/capsule/crds/capsule.clastix.io_resourcepools.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_resourcepools.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
  name: resourcepools.capsule.clastix.io
 spec:
  group: capsule.clastix.io
@@ -25,6 +25,14 @@ spec:
      jsonPath: .status.namespaceCount
      name: Namespaces
      type: integer
+    - description: Reconcile Status
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - description: Reconcile Message
+      jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
@@ -66,13 +74,13 @@ spec:
                  defaultsZero:
                    default: false
                    description: With this option all resources which can be allocated
-                      are set to 0 for the resourcequota defaults.
+                      are set to 0 for the resourcequota defaults. (Default false)
                    type: boolean
                  deleteBoundResources:
                    default: false
                    description: |-
                      When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
-                      By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
+                      By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state. (Default false)
                    type: boolean
                  orderedQueue:
                    default: false
@@ -82,7 +90,7 @@ spec:
                      but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
                      it's priority was lower
                      Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
-                      other claim can claim the same resources with lower priority.
+                      other claim can claim the same resources with lower priority. (Default false)
                    type: boolean
                type: object
              defaults:
@@ -275,22 +283,83 @@ spec:
                        description: Claimed resources
                        type: object
                      name:
-                        description: Name
-                        maxLength: 253
+                        description: Name of the referent.
+                        maxLength: 63
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                        type: string
                      namespace:
-                        description: Namespace
+                        description: Namespace of the referent.
                        maxLength: 253
-                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                      uid:
                        description: UID of the tracked Tenant to pin point tracking
                        type: string
+                    required:
+                    - name
+                    - namespace
+                    - uid
                    type: object
                  type: array
                description: Tracks the quotas for the Resource.
                type: object
+              conditions:
+                description: Conditions for the resource claim
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
              exhaustions:
                additionalProperties:
                  properties:
@@ -320,7 +389,11 @@ spec:
                items:
                  type: string
                type: array
+            required:
+            - conditions
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/charts/capsule/crds/capsule.clastix.io_rulestatuses.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_rulestatuses.yaml
@@ -0,0 +1,94 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: rulestatuses.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: RuleStatus
+    listKind: RuleStatusList
+    plural: rulestatuses
+    singular: rulestatus
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          status:
+            description: RuleStatus contains the accumulated rules applying to namespace
+              it's deployed in.
+            properties:
+              rule:
+                description: Managed Enforcement properties per Namespace (aggregated
+                  from rules)
+                properties:
+                  enforce:
+                    description: Enforcement Rules applied
+                    properties:
+                      registries:
+                        description: |-
+                          Define registries which are allowed to be used within this tenant
+                          The rules are aggregated, since you can use Regular Expressions the match registry endpoints
+                        items:
+                          properties:
+                            policy:
+                              description: Allowed PullPolicy for the given registry.
+                                Supplying no value allows all policies.
+                              items:
+                                description: PullPolicy describes a policy for if/when
+                                  to pull a container image
+                                type: string
+                              type: array
+                            url:
+                              description: OCI Registry endpoint, is treated as regular
+                                expression.
+                              type: string
+                            validation:
+                              default:
+                              - pod/images
+                              - pod/volumes
+                              description: Requesting Resources
+                              items:
+                                enum:
+                                - pod/images
+                                - pod/volumes
+                                type: string
+                              type: array
+                          required:
+                          - url
+                          type: object
+                        type: array
+                    type: object
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
--- a/charts/capsule/crds/capsule.clastix.io_tenantowners.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_tenantowners.yaml
@@ -0,0 +1,82 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: tenantowners.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: TenantOwner
+    listKind: TenantOwnerList
+    plural: tenantowners
+    singular: tenantowner
+  scope: Cluster
+  versions:
+  - name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: TenantOwner is the Schema for the tenantowners API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec defines the desired state of TenantOwner.
+            properties:
+              aggregate:
+                default: true
+                description: |-
+                  Adds the given subject as capsule user. When enabled this subject does not have to be
+                  mentioned in the CapsuleConfiguration as Capsule User. In almost all scenarios Tenant Owners
+                  must be Capsule Users.
+                type: boolean
+              clusterRoles:
+                default:
+                - admin
+                - capsule-namespace-deleter
+                description: Defines additional cluster-roles for the specific Owner.
+                items:
+                  type: string
+                type: array
+              kind:
+                description: Kind of entity. Possible values are "User", "Group",
+                  and "ServiceAccount"
+                enum:
+                - User
+                - Group
+                - ServiceAccount
+                type: string
+              name:
+                description: Name of the entity.
+                type: string
+            required:
+            - aggregate
+            - kind
+            - name
+            type: object
+          status:
+            description: status defines the observed state of TenantOwner.
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
--- a/charts/capsule/crds/capsule.clastix.io_tenantresources.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_tenantresources.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
  name: tenantresources.capsule.clastix.io
 spec:
  group: capsule.clastix.io
@@ -239,6 +239,8 @@ spec:
            required:
            - processedItems
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/charts/capsule/crds/capsule.clastix.io_tenants.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_tenants.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
  name: tenants.capsule.clastix.io
 spec:
  group: capsule.clastix.io
@@ -123,10 +123,16 @@ spec:
                  can use only one of the allowed trusted registries. Optional.
                properties:
                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
                    items:
                      type: string
                    type: array
                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
                    type: string
                type: object
              imagePullPolicies:
@@ -151,10 +157,16 @@ spec:
                      Optional.
                    properties:
                      allowed:
+                        description: Match exact elements which are allowed as class
+                          names within this tenant
                        items:
                          type: string
                        type: array
                      allowedRegex:
+                        description: |-
+                          Deprecated: will be removed in a future release
+
+                          Match elements by regex.
                        type: string
                    type: object
                  allowedHostnames:
@@ -164,10 +176,16 @@ spec:
                      Optional.
                    properties:
                      allowed:
+                        description: Match exact elements which are allowed as class
+                          names within this tenant
                        items:
                          type: string
                        type: array
                      allowedRegex:
+                        description: |-
+                          Deprecated: will be removed in a future release
+
+                          Match elements by regex.
                        type: string
                    type: object
                  hostnameCollisionScope:
@@ -840,10 +858,16 @@ spec:
                  can use only one of the allowed PriorityClasses. Optional.
                properties:
                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
                    items:
                      type: string
                    type: array
                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
                    type: string
                type: object
              resourceQuotas:
@@ -1012,10 +1036,16 @@ spec:
                  Optional.
                properties:
                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
                    items:
                      type: string
                    type: array
                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
                    type: string
                type: object
            required:
@@ -1044,6 +1074,8 @@ spec:
            - size
            - state
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: false
@@ -1159,15 +1191,22 @@ spec:
                  type: object
                type: array
              containerRegistries:
-                description: Specifies the trusted Image Registries assigned to the
-                  Tenant. Capsule assures that all Pods resources created in the Tenant
-                  can use only one of the allowed trusted registries. Optional.
+                description: |-
+                  Deprecated: Use Enforcement.Registries instead
+
+                  Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
                properties:
                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
                    items:
                      type: string
                    type: array
                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
                    type: string
                type: object
              cordoned:
@@ -1175,6 +1214,64 @@ spec:
                description: Toggling the Tenant resources cordoning, when enable
                  resources cannot be deleted.
                type: boolean
+              deviceClasses:
+                description: Specifies options for the DeviceClass resources.
+                properties:
+                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
+                    items:
+                      type: string
+                    type: array
+                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
+                    type: string
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
              forceTenantPrefix:
                description: |-
                  Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
@@ -1191,6 +1288,18 @@ spec:
                properties:
                  allowedClasses:
                    properties:
+                      allowed:
+                        description: Match exact elements which are allowed as class
+                          names within this tenant
+                        items:
+                          type: string
+                        type: array
+                      allowedRegex:
+                        description: |-
+                          Deprecated: will be removed in a future release
+
+                          Match elements by regex.
+                        type: string
                      default:
                        type: string
                      matchExpressions:
@@ -1238,9 +1347,10 @@ spec:
                    x-kubernetes-map-type: atomic
                type: object
              imagePullPolicies:
-                description: Specify the allowed values for the imagePullPolicies
-                  option in Pod resources. Capsule assures that all Pod resources
-                  created in the Tenant can use only one of the allowed policy. Optional.
+                description: |-
+                  Deprecated: Use Enforcement.Registries instead
+
+                  Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
                items:
                  enum:
                  - Always
@@ -1264,10 +1374,16 @@ spec:
                      Optional.
                    properties:
                      allowed:
+                        description: Match exact elements which are allowed as class
+                          names within this tenant
                        items:
                          type: string
                        type: array
                      allowedRegex:
+                        description: |-
+                          Deprecated: will be removed in a future release
+
+                          Match elements by regex.
                        type: string
                      default:
                        type: string
@@ -1321,10 +1437,16 @@ spec:
                      Optional.
                    properties:
                      allowed:
+                        description: Match exact elements which are allowed as class
+                          names within this tenant
                        items:
                          type: string
                        type: array
                      allowedRegex:
+                        description: |-
+                          Deprecated: will be removed in a future release
+
+                          Match elements by regex.
                        type: string
                    type: object
                  hostnameCollisionScope:
@@ -1348,8 +1470,9 @@ spec:
                type: object
              limitRanges:
                description: |-
-                  Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                  Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
+
+                  Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                properties:
                  items:
                    items:
@@ -1439,8 +1562,9 @@ spec:
                properties:
                  additionalMetadata:
                    description: |-
+                      Deprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)
+
                      Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
-                      Deprecated: Use additionalMetadataList instead
                    properties:
                      annotations:
                        additionalProperties:
@@ -1551,11 +1675,26 @@ spec:
                    format: int32
                    minimum: 1
                    type: integer
+                  requiredMetadata:
+                    description: Required Metadata for namespace within this tenant
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations that must be defined for each namespace
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: Labels that must be defined for each namespace
+                        type: object
+                    type: object
                type: object
              networkPolicies:
                description: |-
-                  Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
                  Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
+
+                  Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
                properties:
                  items:
                    items:
@@ -2061,8 +2200,8 @@ spec:
                        type: string
                      type: array
                    kind:
-                      description: Kind of tenant owner. Possible values are "User",
-                        "Group", and "ServiceAccount"
+                      description: Kind of entity. Possible values are "User", "Group",
+                        and "ServiceAccount"
                      enum:
                      - User
                      - Group
@@ -2074,7 +2213,7 @@ spec:
                      description: Additional Labels for the synchronized rolebindings
                      type: object
                    name:
-                      description: Name of tenant owner.
+                      description: Name of the entity.
                      type: string
                    proxySettings:
                      description: Proxy settings for tenant owner.
@@ -2107,6 +2246,65 @@ spec:
                  - name
                  type: object
                type: array
+              permissions:
+                description: Specify Permissions for the Tenant.
+                properties:
+                  matchOwners:
+                    description: |-
+                      Matches TenantOwner objects which are promoted to owners of this tenant
+                      The elements are OR operations and independent. You can see the resulting Tenant Owners
+                      in the Status.Owners specification of the Tenant.
+                    items:
+                      description: |-
+                        A label selector is a label query over a set of resources. The result of matchLabels and
+                        matchExpressions are ANDed. An empty label selector matches all objects. A null
+                        label selector matches no objects.
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    type: array
+                type: object
              podOptions:
                description: Specifies options for the Pods deployed in the Tenant
                  namespaces, such as additional metadata.
@@ -2139,10 +2337,16 @@ spec:
                  Optional.
                properties:
                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
                    items:
                      type: string
                    type: array
                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
                    type: string
                  default:
                    type: string
@@ -2276,6 +2480,100 @@ spec:
                    - Namespace
                    type: string
                type: object
+              rules:
+                description: |-
+                  Specify enforcement specifications for the scope of the Tenant.
+                   We are moving all configuration enforcement. per namespace into a rule construct.
+                   It's currently not final.
+
+                  Read More: https://projectcapsule.dev/docs/tenants/rules/
+                items:
+                  properties:
+                    enforce:
+                      description: Enforcement Rules applied
+                      properties:
+                        registries:
+                          description: |-
+                            Define registries which are allowed to be used within this tenant
+                            The rules are aggregated, since you can use Regular Expressions the match registry endpoints
+                          items:
+                            properties:
+                              policy:
+                                description: Allowed PullPolicy for the given registry.
+                                  Supplying no value allows all policies.
+                                items:
+                                  description: PullPolicy describes a policy for if/when
+                                    to pull a container image
+                                  type: string
+                                type: array
+                              url:
+                                description: OCI Registry endpoint, is treated as
+                                  regular expression.
+                                type: string
+                              validation:
+                                default:
+                                - pod/images
+                                - pod/volumes
+                                description: Requesting Resources
+                                items:
+                                  enum:
+                                  - pod/images
+                                  - pod/volumes
+                                  type: string
+                                type: array
+                            required:
+                            - url
+                            type: object
+                          type: array
+                      type: object
+                    namespaceSelector:
+                      description: Select namespaces which are going to usese
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                      x-kubernetes-map-type: atomic
+                  type: object
+                type: array
              runtimeClasses:
                description: |-
                  Specifies the allowed RuntimeClasses assigned to the Tenant.
@@ -2283,10 +2581,16 @@ spec:
                  Optional.
                properties:
                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
                    items:
                      type: string
                    type: array
                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
                    type: string
                  default:
                    type: string
@@ -2413,10 +2717,16 @@ spec:
                  Optional.
                properties:
                  allowed:
+                    description: Match exact elements which are allowed as class names
+                      within this tenant
                    items:
                      type: string
                    type: array
                  allowedRegex:
+                    description: |-
+                      Deprecated: will be removed in a future release
+
+                      Match elements by regex.
                    type: string
                  default:
                    type: string
@@ -2467,6 +2777,36 @@ spec:
          status:
            description: Returns the observed state of the Tenant.
            properties:
+              classes:
+                description: Available Class Types within Tenant
+                properties:
+                  device:
+                    description: Available DeviceClasses
+                    items:
+                      type: string
+                    type: array
+                  gateway:
+                    description: Available GatewayClasses
+                    items:
+                      type: string
+                    type: array
+                  priority:
+                    description: Available PriorityClasses
+                    items:
+                      type: string
+                    type: array
+                  runtime:
+                    description: Available StorageClasses
+                    items:
+                      type: string
+                    type: array
+                  storage:
+                    description: Available Storageclasses (Only collected if any matching
+                      condition is specified)
+                    items:
+                      type: string
+                    type: array
+                type: object
              conditions:
                description: Tenant Condition
                items:
@@ -2529,6 +2869,35 @@ spec:
                items:
                  type: string
                type: array
+              owners:
+                description: Collected owners for this tenant
+                items:
+                  properties:
+                    clusterRoles:
+                      default:
+                      - admin
+                      - capsule-namespace-deleter
+                      description: Defines additional cluster-roles for the specific
+                        Owner.
+                      items:
+                        type: string
+                      type: array
+                    kind:
+                      description: Kind of entity. Possible values are "User", "Group",
+                        and "ServiceAccount"
+                      enum:
+                      - User
+                      - Group
+                      - ServiceAccount
+                      type: string
+                    name:
+                      description: Name of the entity.
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
              size:
                description: How many namespaces are assigned to the Tenant.
                type: integer
@@ -2595,6 +2964,41 @@ spec:
                        - type
                        type: object
                      type: array
+                    enforce:
+                      description: Managed Metadata
+                      properties:
+                        registry:
+                          description: Registries which are allowed within this namespace
+                          items:
+                            properties:
+                              policy:
+                                description: Allowed PullPolicy for the given registry.
+                                  Supplying no value allows all policies.
+                                items:
+                                  description: PullPolicy describes a policy for if/when
+                                    to pull a container image
+                                  type: string
+                                type: array
+                              url:
+                                description: OCI Registry endpoint, is treated as
+                                  regular expression.
+                                type: string
+                              validation:
+                                default:
+                                - pod/images
+                                - pod/volumes
+                                description: Requesting Resources
+                                items:
+                                  enum:
+                                  - pod/images
+                                  - pod/volumes
+                                  type: string
+                                type: array
+                            required:
+                            - url
+                            type: object
+                          type: array
+                      type: object
                    metadata:
                      description: Managed Metadata
                      properties:
--- a/charts/capsule/diagnostics/admission-dashboard.json
+++ b/charts/capsule/diagnostics/admission-dashboard.json
--- a/charts/capsule/templates/_helpers.tpl
+++ b/charts/capsule/templates/_helpers.tpl
@@ -155,6 +155,24 @@ service:
  {{- end }}
 {{- end }}

+
+{{/*
+Capsule Webhook service (Without Path)
+
+*/}}
+{{- define "capsule.webhooks.serviceConfig" -}}
+  {{- include "capsule.webhooks.cabundle" $ | nindent 0 }}
+  {{- if $.Values.webhooks.service.url }}
+url: {{ trimSuffix "/" $.Values.webhooks.service.url }}
+  {{- else }}
+service:
+  name: {{ default (printf "%s-webhook-service" (include "capsule.fullname" $)) $.Values.webhooks.service.name }}
+  namespace: {{ default $.Release.Namespace $.Values.webhooks.service.namespace }}
+  port: {{ default 443 $.Values.webhooks.service.port }}
+  {{- end }}
+{{- end }}
+
+
 {{/*
 Capsule Webhook endpoint CA Bundle
 */}}
@@ -180,3 +198,22 @@ caBundle: {{ $.Values.webhooks.service.caBundle -}}
 {{- $joined := join "," $sizes -}}
 {{- sha256sum $joined -}}
 {{- end -}}
+
+{{- define "admission.labels" -}}
+  {{- with $.Values.webhooks.labels }}
+    {{- toYaml . | nindent 0 }}
+  {{- end }}
+{{- end }}
+
+
+{{- define "admission.annotations" -}}
+  {{- if and ($.Values.certManager.generateCertificates) (not $.Values.webhooks.service.caBundle) }}
+cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert
+  {{-  end }}
+  {{- with $.Values.customAnnotations }}
+    {{- toYaml . | nindent 0 }}
+  {{- end }}
+  {{- with $.Values.webhooks.annotations }}
+    {{- toYaml . | nindent 0 }}
+  {{- end }}
+{{- end }}
--- a/charts/capsule/templates/configuration.yaml
+++ b/charts/capsule/templates/configuration.yaml
@@ -14,6 +14,38 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
+  cacheInvalidation: {{ .Values.manager.options.cacheInvalidation }}
+  rbac:
+    {{- toYaml .Values.manager.options.rbac | nindent 4 }}
+  admission:
+    validating:
+      name: "{{ include "capsule.fullname" . }}-dynamic"
+      client:
+        {{- include "capsule.webhooks.serviceConfig" $ | nindent 8 }}
+      {{- if (include "admission.labels" $) }}
+      labels:
+        {{- include "admission.labels" $ | nindent 8 }}
+      {{- end }}
+      {{- if (include "admission.annotations" $) }}
+      annotations:
+        {{- include "admission.annotations" $ | nindent 8 }}
+      {{- end }}
+    mutating:
+      name: "{{ include "capsule.fullname" . }}-dynamic"
+      client:
+        {{- include "capsule.webhooks.serviceConfig" $ | nindent 8 }}
+      {{- if (include "admission.labels" $) }}
+      labels:
+        {{- include "admission.labels" $ | nindent 8 }}
+      {{- end }}
+      {{- if (include "admission.annotations" $) }}
+      annotations:
+        {{- include "admission.annotations" $ | nindent 8 }}
+      {{- end }}
+  administrators:
+    {{- toYaml .Values.manager.options.administrators | nindent 4 }}
+  users:
+    {{- toYaml .Values.manager.options.users | nindent 4 }}
  enableTLSReconciler: {{ .Values.tls.enableController }}
  overrides:
    mutatingWebhookConfigurationName: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
--- a/charts/capsule/templates/crd-lifecycle/job.yaml
+++ b/charts/capsule/templates/crd-lifecycle/job.yaml
@@ -87,7 +87,7 @@ spec:
          # piping stderr to stdout means kubectl's errors are surfaced
          # in the pod's logs.

-          kubectl apply --server-side=true --overwrite=true --force-conflicts=true -f /data/ 2>&1
+          kubectl apply --server-side=true --overwrite=true --force-conflicts=true --field-manager='capsule/crd-lifecycle' -f /data/ 2>&1
        volumeMounts:
 {{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
        - name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
--- a/charts/capsule/templates/crd-lifecycle/rbac.yaml
+++ b/charts/capsule/templates/crd-lifecycle/rbac.yaml
@@ -31,6 +31,8 @@ rules:
  - tenantresources.capsule.clastix.io
  - globaltenantresources.capsule.clastix.io
  - tenants.capsule.clastix.io
+  - tenantowners.capsule.clastix.io
+  - rulestatuses.capsule.clastix.io
  verbs:
  - create
  - delete
--- a/charts/capsule/templates/dashboards/diagnostics.yaml
+++ b/charts/capsule/templates/dashboards/diagnostics.yaml
@@ -0,0 +1,51 @@
+
+{{- if $.Values.monitoring.diagnostics.enabled }}
+  {{ range $path, $_ :=  .Files.Glob "dashboards/**-dashboard.json" }}
+    {{- with $ }}
+      {{- $content := (.Files.Get $path) }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "capsule.fullname" . }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$"  }}-dashboard
+  namespace: {{ default $.Release.Namespace $.Values.monitoring.diagnostics.namespace | quote }}
+  annotations:
+    {{- with $.Values.monitoring.diagnostics.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+    {{- with $.Values.monitoring.diagnostics.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  {{ base $path }}: |-
+    {{- $content | nindent 4 }}
+
+  {{- if $.Values.monitoring.diagnostics.operator.enabled }}
+---
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: {{ include "capsule.fullname" $ }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$"  }}
+  namespace: {{ default $.Release.Namespace $.Values.monitoring.diagnostics.namespace | quote }}
+  annotations:
+    {{- with $.Values.monitoring.diagnostics.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+    {{- with $.Values.monitoring.diagnostics.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  configMapRef:
+    name: {{ include "capsule.fullname" $ }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$"  }}-dashboard
+    key: {{ base $path }}
+    {{- with (omit $.Values.monitoring.diagnostics.operator "enabled") }}
+      {{- toYaml . | nindent 2 }}
+    {{- end }}
+  {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/charts/capsule/templates/dashboards/operations.yaml
+++ b/charts/capsule/templates/dashboards/operations.yaml
--- a/charts/capsule/templates/mutatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/mutatingwebhookconfiguration.yaml
@@ -3,15 +3,12 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
  name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
+  namespace: {{ $.Release.Namespace }}
  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
+    {{- include "capsule.labels" $ | nindent 4 }}
+    {{- include "admission.labels" . | nindent 4 }}
  annotations:
-  {{- if .Values.certManager.generateCertificates }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
-  {{-  end }}
-  {{- with .Values.customAnnotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- include "admission.annotations" . | nindent 4 }}
 webhooks:
 {{- with (mergeOverwrite .Values.webhooks.hooks.pods .Values.webhooks.hooks.defaults.pods) }}
  {{- if .enabled }}
@@ -167,7 +164,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/namespace-patch" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespaces/mutating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  reinvocationPolicy: {{ .reinvocationPolicy }}
@@ -205,7 +202,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/mutating" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepools/mutating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  reinvocationPolicy: {{ .reinvocationPolicy }}
@@ -243,7 +240,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/mutating" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepools/claim/mutating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  reinvocationPolicy: {{ .reinvocationPolicy }}
@@ -301,7 +298,7 @@ webhooks:
    - apiGroups:
        - capsule.clastix.io
      apiVersions:
-        - v1beta2
+        - "*"
      operations:
        - CREATE
        - UPDATE
@@ -313,5 +310,33 @@ webhooks:
  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
  {{- end }}
 {{- end }}
-
+{{- with .Values.webhooks.hooks.tenantLabel }}
+  {{- if .enabled }}
+- name: assign.misc.projectcapsule.dev
+  admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/misc/tenant-label" "ctx" $) | nindent 4 }}
+  failurePolicy:  {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  rules:
+    {{- toYaml .rules |  nindent 4 }}
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+  {{- end }}
+{{- end }}
 {{- end }}
--- a/charts/capsule/templates/serviceaccount.yaml
+++ b/charts/capsule/templates/serviceaccount.yaml
@@ -11,5 +11,11 @@ metadata:
  annotations:
      {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
    {{- end }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+{{- range . }}
+  - name: {{ . | quote }}
+{{- end }}
+{{- end }}
  {{- end }}
 {{- end }}
--- a/charts/capsule/templates/validatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/validatingwebhookconfiguration.yaml
@@ -5,23 +5,57 @@ metadata:
  name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
  namespace: {{ $.Release.Namespace }}
  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
+    {{- include "capsule.labels" $ | nindent 4 }}
+    {{- include "admission.labels" . | nindent 4 }}
  annotations:
-  {{- if .Values.certManager.generateCertificates }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
-  {{-  end }}
-  {{- with .Values.customAnnotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- include "admission.annotations" . | nindent 4 }}
 webhooks:
-{{- with .Values.webhooks.hooks.cordoning }}
+{{- with .Values.webhooks.hooks.customresources }}
  {{- if .enabled }}
- name: cordoning.tenant.projectcapsule.dev
+- name: customresources.misc.projectcapsule.dev
  admissionReviewVersions:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/cordoning" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/misc/customresources" "ctx" $) | nindent 4 }}
+  failurePolicy:  {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  rules:
+    - apiGroups:
+        - '*'
+      apiVersions:
+        - '*'
+      operations:
+        - CREATE
+        - UPDATE
+        - DELETE
+      resources:
+        - '*'
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+  {{- end }}
+{{- end }}
+{{- with .Values.webhooks.hooks.cordoning }}
+  {{- if .enabled }}
+- name: cordoning.misc.projectcapsule.dev
+  admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/misc/cordoning" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -44,6 +78,44 @@ webhooks:
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
  {{- end }}
 {{- end }}
+{{- with .Values.webhooks.hooks.devices }}
+  {{- if .enabled }}
+- name: devices.projectcapsule.dev
+  admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/devices/validating" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  rules:
+    - apiGroups:
+        - resource.k8s.io
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - resourceclaimtemplates
+        - resourceclaims
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+  {{- end }}
+{{- end }}
 {{- with .Values.webhooks.hooks.gateways }}
  {{- if .enabled }}
 - name: gateway.projectcapsule.dev
@@ -51,7 +123,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/gateways" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/gateways/validating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -88,7 +160,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/ingresses" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/ingresses/validating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -127,7 +199,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/namespaces" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespaces/validating " "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -153,48 +225,13 @@ webhooks:
        - DELETE
      resources:
        - namespaces
+        - namespaces/status
+        - namespace/finalize
      scope: '*'
  sideEffects: None
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
  {{- end }}
 {{- end }}
-{{- with .Values.webhooks.hooks.networkpolicies }}
-  {{- if .enabled }}
- name: networkpolicies.projectcapsule.dev
-  admissionReviewVersions:
-    - v1
-    - v1beta1
-  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/networkpolicies" "ctx" $) | nindent 4 }}
-  failurePolicy: {{ .failurePolicy }}
-  matchPolicy: {{ .matchPolicy }}
-  {{- with .namespaceSelector }}
-  namespaceSelector:
-    {{- toYaml . |  nindent 4 }}
-  {{- end }}
-  {{- with .objectSelector }}
-  objectSelector:
-    {{- toYaml . |  nindent 4 }}
-  {{- end }}
-  {{- with .matchConditions }}
-  matchConditions:
-    {{- toYaml . |  nindent 4 }}
-  {{- end }}
-  rules:
-    - apiGroups:
-        - networking.k8s.io
-      apiVersions:
-        - v1
-      operations:
-        - UPDATE
-        - DELETE
-      resources:
-        - networkpolicies
-      scope: Namespaced
-  sideEffects: None
-  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
-  {{- end }}
-{{- end }}
 {{- with .Values.webhooks.hooks.nodes }}
  {{- if .enabled }}
 - name: nodes.projectcapsule.dev
@@ -202,7 +239,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/nodes" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/nodes/validating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -237,7 +274,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/pods" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/pods/validating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -275,7 +312,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims/validating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -311,7 +348,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/services" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/services/validating" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -341,13 +378,13 @@ webhooks:
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
  {{- end }}
 {{- end }}
-{{- with .Values.webhooks.hooks.tenantResourceObjects }}
+{{- with (mergeOverwrite .Values.webhooks.hooks.managed .Values.webhooks.hooks.tenantResourceObjects) }}
  {{- if .enabled }}
 - name: resource-objects.tenant.projectcapsule.dev
  admissionReviewVersions:
    - v1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/tenantresource-objects" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/misc/managed" "ctx" $) | nindent 4 }}
  failurePolicy: {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -363,16 +400,7 @@ webhooks:
    {{- toYaml . |  nindent 4 }}
  {{- end }}
  rules:
-    - apiGroups:
-        - '*'
-      apiVersions:
-        - '*'
-      operations:
-        - UPDATE
-        - DELETE
-      resources:
-        - '*'
-      scope: Namespaced
+    {{- toYaml .rules | nindent 4 }}
  sideEffects: None
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
  {{- end }}
@@ -422,7 +450,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/validating" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepools/validating" "ctx" $) | nindent 4 }}
  failurePolicy:  {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -459,7 +487,7 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/validating" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/resourcepools/claim/validating" "ctx" $) | nindent 4 }}
  failurePolicy:  {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -490,52 +518,14 @@ webhooks:
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
  {{- end }}
 {{- end }}
-{{- with .Values.webhooks.hooks.customresources }}
-  {{- if .enabled }}
- name: customresources.tenant.projectcapsule.dev
-  admissionReviewVersions:
-    - v1
-    - v1beta1
-  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/customresources" "ctx" $) | nindent 4 }}
-  failurePolicy:  {{ .failurePolicy }}
-  matchPolicy: {{ .matchPolicy }}
-  {{- with .namespaceSelector }}
-  namespaceSelector:
-    {{- toYaml . |  nindent 4 }}
-  {{- end }}
-  {{- with .objectSelector }}
-  objectSelector:
-    {{- toYaml . |  nindent 4 }}
-  {{- end }}
-  {{- with .matchConditions }}
-  matchConditions:
-    {{- toYaml . |  nindent 4 }}
-  {{- end }}
-  rules:
-    - apiGroups:
-        - '*'
-      apiVersions:
-        - '*'
-      operations:
-        - CREATE
-        - UPDATE
-        - DELETE
-      resources:
-        - '*'
-      scope: Namespaced
-  sideEffects: None
-  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
-  {{- end }}
-{{- end }}
 {{- with .Values.webhooks.hooks.serviceaccounts }}
  {{- if .enabled }}
- name: serviceaccounts.tenant.projectcapsule.dev
+- name: serviceaccounts.projectcapsule.dev
  admissionReviewVersions:
    - v1
    - v1beta1
  clientConfig:
-    {{- include "capsule.webhooks.service" (dict "path" "/serviceaccounts" "ctx" $) | nindent 4 }}
+    {{- include "capsule.webhooks.service" (dict "path" "/serviceaccounts/validating" "ctx" $) | nindent 4 }}
  failurePolicy:  {{ .failurePolicy }}
  matchPolicy: {{ .matchPolicy }}
  {{- with .namespaceSelector }}
@@ -565,4 +555,40 @@ webhooks:
  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
  {{- end }}
 {{- end }}
+{{- with .Values.webhooks.hooks.config }}
+  {{- if .enabled }}
+- name: config.projectcapsule.dev
+  admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    {{- include "capsule.webhooks.service" (dict "path" "/config/validating" "ctx" $) | nindent 4 }}
+  failurePolicy:  {{ .failurePolicy }}
+  matchPolicy: {{ .matchPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  rules:
+    - apiGroups:
+        - capsule.clastix.io
+      apiVersions:
+        - v1beta2
+      operations:
+        - UPDATE
+      resources:
+        - capsuleconfigurations
+      scope: 'Cluster'
+  sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+  {{- end }}
+{{- end }}
 {{- end }}
--- a/charts/capsule/values.schema.json
+++ b/charts/capsule/values.schema.json
@@ -319,6 +319,10 @@
                "options": {
                    "type": "object",
                    "properties": {
+                        "administrators": {
+                            "description": "Define entities which can act as Administrators in the capsule construct These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor be ignored by capsule. May also be handy in GitOps scenarios where certain service accounts need to be able to manage namespaces for all tenants.",
+                            "type": "array"
+                        },
                        "allowServiceAccountPromotion": {
                            "description": "ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant. However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.",
                            "type": "boolean"
@@ -327,16 +331,17 @@
                            "description": "Additional annotations to add to the CapsuleConfiguration resource",
                            "type": "object"
                        },
+                        "cacheInvalidation": {
+                            "description": "Duration after which the in-memory cache is invalidated (based on usaage) and re-fetched from the API server",
+                            "type": "string"
+                        },
                        "capsuleConfiguration": {
                            "description": "Change the default name of the capsule configuration name",
                            "type": "string"
                        },
                        "capsuleUserGroups": {
-                            "description": "Names of the groups considered as Capsule users.",
-                            "type": "array",
-                            "items": {
-                                "type": "string"
-                            }
+                            "description": "DEPRECATED: use users properties. Names of the users considered as Capsule users.",
+                            "type": "array"
                        },
                        "createConfiguration": {
                            "description": "Create Configuration",
@@ -394,10 +399,53 @@
                            "description": "If specified, disallows creation of namespaces matching the passed regexp",
                            "type": "string"
                        },
+                        "rbac": {
+                            "description": "Managed RBAC configuration for the controller",
+                            "type": "object",
+                            "properties": {
+                                "administrationClusterRoles": {
+                                    "description": "The ClusterRoles applied for Administrators",
+                                    "type": "array",
+                                    "items": {
+                                        "type": "string"
+                                    }
+                                },
+                                "deleter": {
+                                    "description": "Name for the ClusterRole required to grant Namespace Deletion permissions.",
+                                    "type": "string"
+                                },
+                                "promotionClusterRoles": {
+                                    "description": "The ClusterRoles applied for ServiceAccounts which had owner Promotion",
+                                    "type": "array",
+                                    "items": {
+                                        "type": "string"
+                                    }
+                                },
+                                "provisioner": {
+                                    "description": "Name for the ClusterRole required to grant Namespace Provision permissions.",
+                                    "type": "string"
+                                }
+                            }
+                        },
                        "userNames": {
-                            "description": "Names of the users considered as Capsule users.",
+                            "description": "DEPRECATED: use users properties. Names of the users considered as Capsule users.",
                            "type": "array"
                        },
+                        "users": {
+                            "description": "Define entities which are considered part of the Capsule construct. Users not mentioned here will be ignored by Capsule",
+                            "type": "array",
+                            "items": {
+                                "type": "object",
+                                "properties": {
+                                    "kind": {
+                                        "type": "string"
+                                    },
+                                    "name": {
+                                        "type": "string"
+                                    }
+                                }
+                            }
+                        },
                        "workers": {
                            "description": "Workers (MaxConcurrentReconciles) is the maximum number of concurrent Reconciles which can be run (ALPHA).",
                            "type": "integer"
@@ -509,6 +557,48 @@
                        }
                    }
                },
+                "diagnostics": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "description": "Annotations for dashboard configmaps",
+                            "type": "object"
+                        },
+                        "enabled": {
+                            "description": "Enable Diagnostic Dashboards to be deployed",
+                            "type": "boolean"
+                        },
+                        "labels": {
+                            "description": "Labels for dashboard configmaps",
+                            "type": "object"
+                        },
+                        "operator": {
+                            "type": "object",
+                            "properties": {
+                                "allowCrossNamespaceImport": {
+                                    "description": "Allow the Operator to match this resource with Grafanas outside the current namespace",
+                                    "type": "boolean"
+                                },
+                                "enabled": {
+                                    "description": "Enable Operator Resources (GrafanaDashboard)",
+                                    "type": "boolean"
+                                },
+                                "folder": {
+                                    "description": "folder assignment for dashboard",
+                                    "type": "string"
+                                },
+                                "instanceSelector": {
+                                    "description": "Selects Grafana instances for import",
+                                    "type": "object"
+                                },
+                                "resyncPeriod": {
+                                    "description": "How often the resource is synced, defaults to 10m0s if not set",
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
+                },
                "serviceMonitor": {
                    "type": "object",
                    "properties": {
@@ -694,6 +784,9 @@
                    "description": "Specifies whether a service account should be created.",
                    "type": "boolean"
                },
+                "imagePullSecrets": {
+                    "type": "array"
+                },
                "name": {
                    "description": "The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template",
                    "type": "string"
@@ -728,6 +821,10 @@
        "webhooks": {
            "type": "object",
            "properties": {
+                "annotations": {
+                    "description": "Additional Annotations for all webhooks",
+                    "type": "object"
+                },
                "exclusive": {
                    "description": "When `crds.exclusive` is `true` the webhooks will be installed",
                    "type": "boolean"
@@ -735,7 +832,7 @@
                "hooks": {
                    "type": "object",
                    "properties": {
-                        "cordoning": {
+                        "config": {
                            "type": "object",
                            "properties": {
                                "enabled": {
@@ -754,6 +851,50 @@
                                    "description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
                                    "type": "string"
                                },
+                                "namespaceSelector": {
+                                    "description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
+                                    "type": "object"
+                                },
+                                "objectSelector": {
+                                    "description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
+                                    "type": "object"
+                                },
+                                "reinvocationPolicy": {
+                                    "description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
+                                    "type": "string"
+                                }
+                            }
+                        },
+                        "cordoning": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "description": "Enable the Hook",
+                                    "type": "boolean"
+                                },
+                                "failurePolicy": {
+                                    "description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
+                                    "type": "string"
+                                },
+                                "matchConditions": {
+                                    "description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
+                                    "type": "array",
+                                    "items": {
+                                        "type": "object",
+                                        "properties": {
+                                            "expression": {
+                                                "type": "string"
+                                            },
+                                            "name": {
+                                                "type": "string"
+                                            }
+                                        }
+                                    }
+                                },
+                                "matchPolicy": {
+                                    "description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
+                                    "type": "string"
+                                },
                                "namespaceSelector": {
                                    "description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
                                    "type": "object",
@@ -768,6 +909,12 @@
                                                    },
                                                    "operator": {
                                                        "type": "string"
+                                                    },
+                                                    "values": {
+                                                        "type": "array",
+                                                        "items": {
+                                                            "type": "string"
+                                                        }
                                                    }
                                                }
                                            }
@@ -829,7 +976,18 @@
                                },
                                "matchConditions": {
                                    "description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
-                                    "type": "array"
+                                    "type": "array",
+                                    "items": {
+                                        "type": "object",
+                                        "properties": {
+                                            "expression": {
+                                                "type": "string"
+                                            },
+                                            "name": {
+                                                "type": "string"
+                                            }
+                                        }
+                                    }
                                },
                                "matchPolicy": {
                                    "description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
@@ -878,6 +1036,55 @@
                                }
                            }
                        },
+                        "devices": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "description": "Enable the Hook",
+                                    "type": "boolean"
+                                },
+                                "failurePolicy": {
+                                    "description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
+                                    "type": "string"
+                                },
+                                "matchConditions": {
+                                    "description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
+                                    "type": "array"
+                                },
+                                "matchPolicy": {
+                                    "description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
+                                    "type": "string"
+                                },
+                                "namespaceSelector": {
+                                    "description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
+                                    "type": "object",
+                                    "properties": {
+                                        "matchExpressions": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object",
+                                                "properties": {
+                                                    "key": {
+                                                        "type": "string"
+                                                    },
+                                                    "operator": {
+                                                        "type": "string"
+                                                    }
+                                                }
+                                            }
+                                        }
+                                    }
+                                },
+                                "objectSelector": {
+                                    "description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
+                                    "type": "object"
+                                },
+                                "reinvocationPolicy": {
+                                    "description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
+                                    "type": "string"
+                                }
+                            }
+                        },
                        "gateways": {
                            "type": "object",
                            "properties": {
@@ -972,44 +1179,7 @@
                                }
                            }
                        },
-                        "namespaceOwnerReference": {
-                            "description": "Deprecated, use webhooks.hooks.namespaces instead",
-                            "type": "object"
-                        },
-                        "namespaces": {
-                            "type": "object",
-                            "properties": {
-                                "enabled": {
-                                    "description": "Enable the Hook",
-                                    "type": "boolean"
-                                },
-                                "failurePolicy": {
-                                    "description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
-                                    "type": "string"
-                                },
-                                "matchConditions": {
-                                    "description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
-                                    "type": "array"
-                                },
-                                "matchPolicy": {
-                                    "description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
-                                    "type": "string"
-                                },
-                                "namespaceSelector": {
-                                    "description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
-                                    "type": "object"
-                                },
-                                "objectSelector": {
-                                    "description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
-                                    "type": "object"
-                                },
-                                "reinvocationPolicy": {
-                                    "description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
-                                    "type": "string"
-                                }
-                            }
-                        },
-                        "networkpolicies": {
+                        "managed": {
                            "type": "object",
                            "properties": {
                                "enabled": {
@@ -1050,7 +1220,96 @@
                                },
                                "objectSelector": {
                                    "description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
+                                    "type": "object",
+                                    "properties": {
+                                        "matchExpressions": {
+                                            "type": "array",
+                                            "items": {
+                                                "type": "object",
+                                                "properties": {
+                                                    "key": {
+                                                        "type": "string"
+                                                    },
+                                                    "operator": {
+                                                        "type": "string"
+                                                    }
+                                                }
+                                            }
+                                        }
+                                    }
+                                },
+                                "rules": {
+                                    "description": "[Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)",
+                                    "type": "array",
+                                    "items": {
+                                        "type": "object",
+                                        "properties": {
+                                            "apiGroups": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
+                                            "apiVersions": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
+                                            "operations": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
+                                            "resources": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
+                                            "scope": {
+                                                "type": "string"
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        },
+                        "namespaceOwnerReference": {
+                            "description": "Deprecated, use webhooks.hooks.namespaces instead",
+                            "type": "object"
+                        },
+                        "namespaces": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "description": "Enable the Hook",
+                                    "type": "boolean"
+                                },
+                                "failurePolicy": {
+                                    "description": "[FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)",
+                                    "type": "string"
+                                },
+                                "matchConditions": {
+                                    "description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
+                                    "type": "array"
+                                },
+                                "matchPolicy": {
+                                    "description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
+                                    "type": "string"
+                                },
+                                "namespaceSelector": {
+                                    "description": "[NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)",
                                    "type": "object"
+                                },
+                                "objectSelector": {
+                                    "description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
+                                    "type": "object"
+                                },
+                                "reinvocationPolicy": {
+                                    "description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
+                                    "type": "string"
                                }
                            }
                        },
@@ -1334,7 +1593,7 @@
                                }
                            }
                        },
-                        "tenantResourceObjects": {
+                        "tenantLabel": {
                            "type": "object",
                            "properties": {
                                "enabled": {
@@ -1347,7 +1606,18 @@
                                },
                                "matchConditions": {
                                    "description": "[MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
-                                    "type": "array"
+                                    "type": "array",
+                                    "items": {
+                                        "type": "object",
+                                        "properties": {
+                                            "expression": {
+                                                "type": "string"
+                                            },
+                                            "name": {
+                                                "type": "string"
+                                            }
+                                        }
+                                    }
                                },
                                "matchPolicy": {
                                    "description": "[MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)",
@@ -1375,26 +1645,54 @@
                                },
                                "objectSelector": {
                                    "description": "[ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)",
-                                    "type": "object",
-                                    "properties": {
-                                        "matchExpressions": {
-                                            "type": "array",
-                                            "items": {
-                                                "type": "object",
-                                                "properties": {
-                                                    "key": {
-                                                        "type": "string"
-                                                    },
-                                                    "operator": {
-                                                        "type": "string"
-                                                    }
+                                    "type": "object"
+                                },
+                                "reinvocationPolicy": {
+                                    "description": "[ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)",
+                                    "type": "string"
+                                },
+                                "rules": {
+                                    "description": "[Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)",
+                                    "type": "array",
+                                    "items": {
+                                        "type": "object",
+                                        "properties": {
+                                            "apiGroups": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
                                                }
+                                            },
+                                            "apiVersions": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
+                                            "operations": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
+                                            "resources": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
+                                            "scope": {
+                                                "type": "string"
                                            }
                                        }
                                    }
                                }
                            }
                        },
+                        "tenantResourceObjects": {
+                            "description": "Deprecated, use webhooks.hooks.managed instead",
+                            "type": "object"
+                        },
                        "tenants": {
                            "type": "object",
                            "properties": {
@@ -1430,6 +1728,10 @@
                        }
                    }
                },
+                "labels": {
+                    "description": "Additional Labels for all webhooks",
+                    "type": "object"
+                },
                "mutatingWebhooksTimeoutSeconds": {
                    "description": "Timeout in seconds for mutating webhooks",
                    "type": "integer"
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -83,9 +83,9 @@ crds:
 # Secret Options
 tls:
  # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
-  enableController: true
+  enableController: false
  # -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion.
-  create: true
+  create: false
  # -- Override name of the Capsule TLS Secret name when externally managed.
  name: ""

@@ -177,11 +177,19 @@ manager:
    # -- Workers (MaxConcurrentReconciles) is the maximum number of concurrent Reconciles which can be run (ALPHA).
    workers: 1
    # -- Set the log verbosity of the capsule with a value from 1 to 5
-    logLevel: '3'
-    # -- Names of the users considered as Capsule users.
-    userNames: []
-    # -- Names of the groups considered as Capsule users.
-    capsuleUserGroups: ["projectcapsule.dev"]
+    logLevel: "info"
+    # -- Define entities which are considered part of the Capsule construct.
+    # Users not mentioned here will be ignored by Capsule
+    users:
+      - kind: "Group"
+        name: "projectcapsule.dev"
+    # -- Define entities which can act as Administrators in the capsule construct
+    # These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
+    # for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
+    # be ignored by capsule. May also be handy in GitOps scenarios where certain service accounts need to be able to manage namespaces for all tenants.
+    administrators: []
+    # - kind: User
+    #   name: alice
    # -- Define groups which when found in the request of a user will be ignored by the Capsule
    # this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
    ignoreUserWithGroups: []
@@ -204,6 +212,31 @@ manager:
        denied: []
        deniedRegex: ""

+    # -- Duration after which the in-memory cache is invalidated (based on usaage) and re-fetched from the API server
+    cacheInvalidation: 24h0m0s
+
+    # -- Managed RBAC configuration for the controller
+    rbac:
+      # -- The ClusterRoles applied for Administrators
+      administrationClusterRoles:
+        - capsule-namespace-deleter
+      # -- The ClusterRoles applied for ServiceAccounts which had owner Promotion
+      promotionClusterRoles:
+        - capsule-namespace-provisioner
+        - capsule-namespace-deleter
+      # -- Name for the ClusterRole required to grant Namespace Deletion permissions.
+      deleter: capsule-namespace-deleter
+      # -- Name for the ClusterRole required to grant Namespace Provision permissions.
+      provisioner: capsule-namespace-provisioner
+
+
+    # -- DEPRECATED: use users properties.
+    # Names of the users considered as Capsule users.
+    userNames: []
+    # -- DEPRECATED: use users properties.
+    # Names of the users considered as Capsule users.
+    capsuleUserGroups: []
+
  # -- A list of extra arguments for the capsule controller
  extraArgs:
  - "--enable-leader-election=true"
@@ -303,9 +336,12 @@ serviceAccount:
  # -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template
  name: ""

+  imagePullSecrets: []
+  # just string array [ "sec-1", "sec-2" ]
+
 certManager:
  # -- Specifies whether capsule webhooks certificates should be generated using cert-manager
-  generateCertificates: false
+  generateCertificates: true
  # -- Specify additional SANS to add to the certificate
  additionalSANS: []
 # -- Additional labels which will be added to all resources created by Capsule helm chart
@@ -326,6 +362,28 @@ extraManifests: []
 # Monitoring Settings
 monitoring:

+  diagnostics:
+    # -- Enable Diagnostic Dashboards to be deployed
+    enabled: false
+    # -- Annotations for dashboard configmaps
+    annotations: {}
+    # -- Labels for dashboard configmaps
+    labels: {}
+    # grafana_dashboard: "1"
+
+    # Grafana Operator
+    operator:
+      # -- Enable Operator Resources (GrafanaDashboard)
+      enabled: false
+      # -- Allow the Operator to match this resource with Grafanas outside the current namespace
+      allowCrossNamespaceImport: true
+      # -- How often the resource is synced, defaults to 10m0s if not set
+      resyncPeriod: "10m"
+      # -- Selects Grafana instances for import
+      instanceSelector: {}
+      # -- folder assignment for dashboard
+      folder: ""
+
  dashboards:
    # -- Enable Dashboards to be deployed
    enabled: false
@@ -336,6 +394,7 @@ monitoring:
    # grafana_dashboard: "1"
    # -- Custom namespace for dashboard configmaps
    namespace: ""
+
    # Grafana Operator
    operator:
      # -- Enable Operator Resources (GrafanaDashboard)
@@ -383,6 +442,12 @@ webhooks:
  # -- Timeout in seconds for validating webhooks
  validatingWebhooksTimeoutSeconds: 30

+  # -- Additional Labels for all webhooks
+  labels: {}
+
+  # -- Additional Annotations for all webhooks
+  annotations: {}
+
  # Configure custom webhook service
  service:
    # -- The URL where the capsule webhook services are running (Overwrites cluster scoped service definition)
@@ -398,6 +463,41 @@ webhooks:

  # Admission Webhook Configuration
  hooks:
+    tenantLabel:
+      # -- Enable the Hook
+      enabled: true
+      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
+      failurePolicy: Fail
+      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
+      matchPolicy: Equivalent
+      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
+      objectSelector: {}
+      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
+      namespaceSelector:
+        matchExpressions:
+          - key: capsule.clastix.io/tenant
+            operator: Exists
+      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
+      matchConditions:
+        - name: ignore-subresources
+          expression: '!has(request.subResource) || request.subResource == ""'
+        - name: ignore-events
+          expression: 'request.resource.resource != "events"'
+
+      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
+      reinvocationPolicy: Never
+      # -- [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)
+      rules:
+      - apiGroups:
+          - '*'
+        apiVersions:
+          - '*'
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - '*'
+        scope: Namespaced

    resourcepools:
      pools:
@@ -442,8 +542,16 @@ webhooks:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
+          - key: projectcapsule.dev/custom-resources
+            operator: Exists
+
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
-      matchConditions: []
+      matchConditions:
+        - name: ignore-subresources
+          expression: '!has(request.subResource) || request.subResource == ""'
+        - name: ignore-events
+          expression: 'request.resource.resource != "events"'
+

    namespaces:
      # -- Enable the Hook
@@ -476,9 +584,15 @@ webhooks:
          - key: capsule.clastix.io/tenant
            operator: Exists
          - key: projectcapsule.dev/cordoned
-            operator: Exists
+            operator: In
+            values:
+              - "true"
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
-      matchConditions: []
+      matchConditions:
+        - name: ignore-subresources
+          expression: '!has(request.subResource) || request.subResource == ""'
+        - name: ignore-events
+          expression: 'request.resource.resource != "events"'
      # -- [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)
      rules:
      - apiGroups:
@@ -528,8 +642,7 @@ webhooks:
      matchConditions: []
      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
      reinvocationPolicy: Never
-
-    networkpolicies:
+    devices:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
@@ -545,6 +658,8 @@ webhooks:
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchConditions: []
+      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
+      reinvocationPolicy: Never

    pods:
      # -- Enable the Hook
@@ -600,7 +715,23 @@ webhooks:
      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
      reinvocationPolicy: Never

-    tenantResourceObjects:
+    config:
+      # -- Enable the Hook
+      enabled: true
+      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
+      failurePolicy: Ignore
+      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
+      matchPolicy: Exact
+      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
+      objectSelector: {}
+      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
+      namespaceSelector: {}
+      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
+      matchConditions: []
+      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
+      reinvocationPolicy: Never
+
+    managed:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
@@ -610,7 +741,7 @@ webhooks:
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector:
        matchExpressions:
-          - key: capsule.clastix.io/tenant
+          - key: "projectcapsule.dev/managed-by"
            operator: Exists
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
@@ -619,6 +750,19 @@ webhooks:
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchConditions: []
+      # -- [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)
+      rules:
+        - apiGroups:
+            - '*'
+          apiVersions:
+            - '*'
+          operations:
+            - CREATE
+            - UPDATE
+            - DELETE
+          resources:
+            - '*'
+          scope: '*'

    services:
      # -- Enable the Hook
@@ -678,3 +822,6 @@ webhooks:
      pvc: {}
      # -- Deprecated, use webhooks.hooks.pods instead
      pods: {}
+
+    # -- Deprecated, use webhooks.hooks.managed instead
+    tenantResourceObjects: {}
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package main
@@ -31,37 +31,42 @@ import (

 	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
-	configcontroller "github.com/projectcapsule/capsule/controllers/config"
-	podlabelscontroller "github.com/projectcapsule/capsule/controllers/pod"
-	"github.com/projectcapsule/capsule/controllers/pv"
-	rbaccontroller "github.com/projectcapsule/capsule/controllers/rbac"
-	"github.com/projectcapsule/capsule/controllers/resourcepools"
-	"github.com/projectcapsule/capsule/controllers/resources"
-	servicelabelscontroller "github.com/projectcapsule/capsule/controllers/servicelabels"
-	tenantcontroller "github.com/projectcapsule/capsule/controllers/tenant"
-	tlscontroller "github.com/projectcapsule/capsule/controllers/tls"
-	utilscontroller "github.com/projectcapsule/capsule/controllers/utils"
-	"github.com/projectcapsule/capsule/pkg/configuration"
-	"github.com/projectcapsule/capsule/pkg/indexer"
-	"github.com/projectcapsule/capsule/pkg/metrics"
-	"github.com/projectcapsule/capsule/pkg/webhook"
-	"github.com/projectcapsule/capsule/pkg/webhook/defaults"
-	"github.com/projectcapsule/capsule/pkg/webhook/gateway"
-	"github.com/projectcapsule/capsule/pkg/webhook/ingress"
-	namespacemutation "github.com/projectcapsule/capsule/pkg/webhook/namespace/mutation"
-	namespacevalidation "github.com/projectcapsule/capsule/pkg/webhook/namespace/validation"
-	"github.com/projectcapsule/capsule/pkg/webhook/networkpolicy"
-	"github.com/projectcapsule/capsule/pkg/webhook/node"
-	"github.com/projectcapsule/capsule/pkg/webhook/pod"
-	"github.com/projectcapsule/capsule/pkg/webhook/pvc"
-	"github.com/projectcapsule/capsule/pkg/webhook/resourcepool"
-	"github.com/projectcapsule/capsule/pkg/webhook/route"
-	"github.com/projectcapsule/capsule/pkg/webhook/service"
-	"github.com/projectcapsule/capsule/pkg/webhook/serviceaccounts"
-	tenantmutation "github.com/projectcapsule/capsule/pkg/webhook/tenant/mutation"
-	tenantvalidation "github.com/projectcapsule/capsule/pkg/webhook/tenant/validation"
-	tntresource "github.com/projectcapsule/capsule/pkg/webhook/tenantresource"
-	"github.com/projectcapsule/capsule/pkg/webhook/utils"
+	"github.com/projectcapsule/capsule/internal/cache"
+	"github.com/projectcapsule/capsule/internal/controllers/admission"
+	configcontroller "github.com/projectcapsule/capsule/internal/controllers/cfg"
+	podlabelscontroller "github.com/projectcapsule/capsule/internal/controllers/pod"
+	"github.com/projectcapsule/capsule/internal/controllers/pv"
+	rbaccontroller "github.com/projectcapsule/capsule/internal/controllers/rbac"
+	"github.com/projectcapsule/capsule/internal/controllers/resourcepools"
+	"github.com/projectcapsule/capsule/internal/controllers/resources"
+	servicelabelscontroller "github.com/projectcapsule/capsule/internal/controllers/servicelabels"
+	tenantcontroller "github.com/projectcapsule/capsule/internal/controllers/tenant"
+	tlscontroller "github.com/projectcapsule/capsule/internal/controllers/tls"
+	utilscontroller "github.com/projectcapsule/capsule/internal/controllers/utils"
+	"github.com/projectcapsule/capsule/internal/metrics"
+	"github.com/projectcapsule/capsule/internal/webhook"
+	cfgvalidation "github.com/projectcapsule/capsule/internal/webhook/cfg"
+	"github.com/projectcapsule/capsule/internal/webhook/defaults"
+	"github.com/projectcapsule/capsule/internal/webhook/dra"
+	"github.com/projectcapsule/capsule/internal/webhook/gateway"
+	"github.com/projectcapsule/capsule/internal/webhook/ingress"
+	"github.com/projectcapsule/capsule/internal/webhook/misc"
+	namespacemutation "github.com/projectcapsule/capsule/internal/webhook/namespace/mutation"
+	namespacevalidation "github.com/projectcapsule/capsule/internal/webhook/namespace/validation"
+	"github.com/projectcapsule/capsule/internal/webhook/node"
+	"github.com/projectcapsule/capsule/internal/webhook/pod"
+	"github.com/projectcapsule/capsule/internal/webhook/pvc"
+	"github.com/projectcapsule/capsule/internal/webhook/resourcepool"
+	"github.com/projectcapsule/capsule/internal/webhook/route"
+	"github.com/projectcapsule/capsule/internal/webhook/service"
+	"github.com/projectcapsule/capsule/internal/webhook/serviceaccounts"
+	tenantmutation "github.com/projectcapsule/capsule/internal/webhook/tenant/mutation"
+	tenantvalidation "github.com/projectcapsule/capsule/internal/webhook/tenant/validation"
+	tntresource "github.com/projectcapsule/capsule/internal/webhook/tenantresource"
+	"github.com/projectcapsule/capsule/internal/webhook/utils"
+	"github.com/projectcapsule/capsule/pkg/runtime/configuration"
+	"github.com/projectcapsule/capsule/pkg/runtime/handlers"
+	"github.com/projectcapsule/capsule/pkg/runtime/indexers"
 )

 var (
@@ -86,13 +91,13 @@ func printVersion() {
 	setupLog.Info(fmt.Sprintf("Go OS/Arch: %s/%s", goRuntime.GOOS, goRuntime.GOARCH))
 }

-//nolint:maintidx
+//nolint:maintidx,cyclop
 func main() {
 	controllerConfig := utilscontroller.ControllerOptions{}

-	var enableLeaderElection, version bool
+	var enableLeaderElection, enablePprof, version bool

-	var metricsAddr, namespace, configurationName string
+	var metricsAddr, ns string

 	var webhookPort int

@@ -105,7 +110,8 @@ func main() {
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&version, "version", false, "Print the Capsule version and exit")
-	flag.StringVar(&configurationName, "configuration-name", "default", "The CapsuleConfiguration resource name to use")
+	flag.StringVar(&controllerConfig.ConfigurationName, "configuration-name", "default", "The CapsuleConfiguration resource name to use")
+	flag.BoolVar(&enablePprof, "enable-pprof", false, "Enables Pprof endpoint for profiling (not recommend in production)")

 	opts := zap.Options{
 		EncoderConfigOptions: append([]zap.EncoderConfigOption{}, func(config *zapcore.EncoderConfig) {
@@ -125,17 +131,19 @@ func main() {
 		os.Exit(0)
 	}

-	if namespace = os.Getenv("NAMESPACE"); len(namespace) == 0 {
+	setupLog.V(5).Info("Controller", "Options", controllerConfig)
+
+	if ns = os.Getenv("NAMESPACE"); len(ns) == 0 {
 		setupLog.Error(fmt.Errorf("unable to determinate the Namespace Capsule is running on"), "unable to start manager")
 		os.Exit(1)
 	}

-	if len(configurationName) == 0 {
+	if len(controllerConfig.ConfigurationName) == 0 {
 		setupLog.Error(fmt.Errorf("missing CapsuleConfiguration resource name"), "unable to start manager")
 		os.Exit(1)
 	}

-	manager, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	ctrlOpts := ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
 			BindAddress: metricsAddr,
@@ -151,7 +159,13 @@ func main() {

 			return client.New(config, options)
 		},
-	})
+	}
+
+	if enablePprof {
+		ctrlOpts.PprofBindAddress = ":8082"
+	}
+
+	manager, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrlOpts)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
@@ -162,7 +176,7 @@ func main() {

 	ctx := ctrl.SetupSignalHandler()

-	cfg := configuration.NewCapsuleConfiguration(ctx, manager.GetClient(), configurationName)
+	cfg := configuration.NewCapsuleConfiguration(ctx, manager.GetClient(), controllerConfig.ConfigurationName)

 	directClient, err := client.New(ctrl.GetConfigOrDie(), client.Options{
 		Scheme: manager.GetScheme(),
@@ -173,13 +187,13 @@ func main() {
 		os.Exit(1)
 	}

-	directCfg := configuration.NewCapsuleConfiguration(ctx, directClient, configurationName)
+	directCfg := configuration.NewCapsuleConfiguration(ctx, directClient, controllerConfig.ConfigurationName)

 	if directCfg.EnableTLSConfiguration() {
 		tlsReconciler := &tlscontroller.Reconciler{
 			Client:        directClient,
-			Log:           ctrl.Log.WithName("controllers").WithName("TLS"),
-			Namespace:     namespace,
+			Log:           ctrl.Log.WithName("capsule.ctrl").WithName("tls"),
+			Namespace:     ns,
 			Configuration: directCfg,
 		}

@@ -190,7 +204,7 @@ func main() {

 		tlsCert := &corev1.Secret{}

-		if err = directClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
+		if err = directClient.Get(ctx, types.NamespacedName{Namespace: ns, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
 			setupLog.Error(err, "unable to get Capsule TLS secret")
 			os.Exit(1)
 		}
@@ -201,12 +215,15 @@ func main() {
 		}
 	}

+	registryCache := cache.NewRegistryRuleSetCache()
+
 	if err = (&tenantcontroller.Manager{
-		RESTConfig: manager.GetConfig(),
-		Client:     manager.GetClient(),
-		Metrics:    metrics.MustMakeTenantRecorder(),
-		Log:        ctrl.Log.WithName("controllers").WithName("Tenant"),
-		Recorder:   manager.GetEventRecorderFor("tenant-controller"),
+		RESTConfig:    manager.GetConfig(),
+		Client:        manager.GetClient(),
+		Metrics:       metrics.MustMakeTenantRecorder(),
+		Log:           ctrl.Log.WithName("capsule.ctrl").WithName("tenant"),
+		Recorder:      manager.GetEventRecorder("tenant-controller"),
+		Configuration: cfg,
 	}).SetupWithManager(manager, controllerConfig); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Tenant")
 		os.Exit(1)
@@ -217,7 +234,7 @@ func main() {
 		os.Exit(1)
 	}

-	if err = indexer.AddToManager(ctx, setupLog, manager); err != nil {
+	if err = indexers.AddToManager(ctx, setupLog, manager); err != nil {
 		setupLog.Error(err, "unable to setup indexers")
 		os.Exit(1)
 	}
@@ -231,32 +248,97 @@ func main() {

 	// webhooks: the order matters, don't change it and just append
 	webhooksList := append(
-		make([]webhook.Webhook, 0),
-		route.Pod(pod.ImagePullPolicy(), pod.ContainerRegistry(cfg), pod.PriorityClass(), pod.RuntimeClass()),
-		route.Namespace(utils.InCapsuleGroups(cfg, namespacevalidation.PatchHandler(cfg), namespacevalidation.QuotaHandler(), namespacevalidation.FreezeHandler(cfg), namespacevalidation.PrefixHandler(cfg), namespacevalidation.UserMetadataHandler())),
+		make([]handlers.Webhook, 0),
+		route.Pod(
+			pod.Handler(
+				pod.ImagePullPolicy(),
+				pod.ContainerRegistryLegacy(cfg),
+				pod.ContainerRegistry(cfg, registryCache),
+				pod.PriorityClass(),
+				pod.RuntimeClass(),
+			),
+		),
 		route.Ingress(ingress.Class(cfg, kubeVersion), ingress.Hostnames(cfg), ingress.Collision(cfg), ingress.Wildcard()),
-		route.PVC(pvc.Validating(), pvc.PersistentVolumeReuse()),
-		route.Service(service.Handler()),
-		route.TenantResourceObjects(utils.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())),
-		route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())),
-		route.TenantMutating(tenantmutation.MetaHandler()),
-		route.TenantValidating(tenantvalidation.NameHandler(), tenantvalidation.RoleBindingRegexHandler(), tenantvalidation.IngressClassRegexHandler(), tenantvalidation.StorageClassRegexHandler(), tenantvalidation.ContainerRegistryRegexHandler(), tenantvalidation.HostnameRegexHandler(), tenantvalidation.FreezedEmitter(), tenantvalidation.ServiceAccountNameHandler(), tenantvalidation.ForbiddenAnnotationsRegexHandler(), tenantvalidation.ProtectedHandler()),
-		route.Cordoning(tenantvalidation.CordoningHandler(cfg)),
-		route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
-		route.ServiceAccounts(serviceaccounts.Handler(cfg)),
-		route.NamespacePatch(utils.InCapsuleGroups(cfg, namespacemutation.CordoningLabelHandler(cfg), namespacemutation.OwnerReferenceHandler(cfg), namespacemutation.MetadataHandler(cfg))),
-		route.CustomResources(tenantvalidation.ResourceCounterHandler(manager.GetClient())),
+		route.PVC(
+			pvc.Handler(
+				pvc.Validating(),
+				pvc.PersistentVolumeReuse(),
+			),
+		),
+		route.Service(
+			service.Handler(
+				service.Validating(),
+			),
+		),
+		route.TenantResourceObjects(handlers.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())),
+		route.Cordoning(handlers.InCapsuleGroups(cfg, misc.CordoningHandler(cfg))),
+		route.Node(handlers.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
+		route.ServiceAccounts(
+			serviceaccounts.Handler(
+				serviceaccounts.Validating(cfg),
+			),
+		),
+		route.MiscCustomResources(misc.ResourceCounterHandler(manager.GetClient())),
 		route.Gateway(gateway.Class(cfg)),
+		route.DeviceClass(dra.DeviceClass()),
 		route.Defaults(defaults.Handler(cfg, kubeVersion)),
+		route.TenantMutation(
+			tenantmutation.MetaHandler(),
+		),
+		route.TenantValidation(
+			tenantvalidation.Handler(cfg,
+				tenantvalidation.NameHandler(),
+				tenantvalidation.RoleBindingRegexHandler(),
+				tenantvalidation.IngressClassRegexHandler(),
+				tenantvalidation.StorageClassRegexHandler(),
+				tenantvalidation.ContainerRegistryRegexHandler(),
+				tenantvalidation.RuleHandler(),
+				tenantvalidation.HostnameRegexHandler(),
+				tenantvalidation.FreezedEmitter(),
+				tenantvalidation.ServiceAccountNameHandler(),
+				tenantvalidation.ForbiddenAnnotationsRegexHandler(),
+				tenantvalidation.ProtectedHandler(),
+				tenantvalidation.RequiredMetadataHandler(),
+				tenantvalidation.WarningHandler(cfg),
+			),
+		),
+		route.NamespaceValidation(
+			namespacevalidation.NamespaceHandler(
+				cfg,
+				namespacevalidation.PatchHandler(cfg),
+				namespacevalidation.FreezeHandler(cfg),
+				namespacevalidation.QuotaHandler(),
+				namespacevalidation.PrefixHandler(cfg),
+				namespacevalidation.UserMetadataHandler(),
+				namespacevalidation.RequiredMetadataHandler(),
+			),
+		),
+		route.NamespaceMutation(
+			namespacemutation.NamespaceHandler(
+				cfg,
+				namespacemutation.OwnerReferenceHandler(cfg),
+				namespacemutation.MetadataHandler(cfg),
+				namespacemutation.CordoningLabelHandler(cfg),
+			),
+		),
 		route.ResourcePoolMutation((resourcepool.PoolMutationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepool")))),
 		route.ResourcePoolValidation((resourcepool.PoolValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepool")))),
 		route.ResourcePoolClaimMutation((resourcepool.ClaimMutationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
 		route.ResourcePoolClaimValidation((resourcepool.ClaimValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
+		route.MiscTenantAssignment(
+			misc.TenantAssignmentHandler(),
+		),
+		route.MiscManagedValidation(
+			handlers.InCapsuleGroups(cfg, misc.ManagedValidatingHandler()),
+		),
+		route.ConfigValidation(
+			cfgvalidation.WarningHandler(),
+		),
 	)

 	nodeWebhookSupported, _ := utils.NodeWebhookSupported(kubeVersion)
 	if !nodeWebhookSupported {
-		setupLog.Info("Disabling node labels verification webhook as current Kubernetes version doesn't have fix for CVE-2021-25735")
+		setupLog.Info("disabling node labels verification webhook as current Kubernetes version doesn't have fix for CVE-2021-25735")
 	}

 	if err = webhook.Register(manager, webhooksList...); err != nil {
@@ -265,7 +347,7 @@ func main() {
 	}

 	rbacManager := &rbaccontroller.Manager{
-		Log:           ctrl.Log.WithName("controllers").WithName("Rbac"),
+		Log:           ctrl.Log.WithName("capsule.ctrl").WithName("rbac"),
 		Client:        manager.GetClient(),
 		Configuration: cfg,
 	}
@@ -275,25 +357,28 @@ func main() {
 		os.Exit(1)
 	}

-	if err = rbacManager.SetupWithManager(ctx, manager, configurationName); err != nil {
+	if err = rbacManager.SetupWithManager(ctx, manager, controllerConfig); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Rbac")
 		os.Exit(1)
 	}

 	if err = (&servicelabelscontroller.ServicesLabelsReconciler{
-		Log: ctrl.Log.WithName("controllers").WithName("ServiceLabels"),
+		Log: ctrl.Log.WithName("capsule.ctrl").WithName("services"),
 	}).SetupWithManager(ctx, manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ServiceLabels")
 		os.Exit(1)
 	}

 	if err = (&servicelabelscontroller.EndpointSlicesLabelsReconciler{
-		Log: ctrl.Log.WithName("controllers").WithName("EndpointSliceLabels"),
+		Log: ctrl.Log.WithName("capsule.ctrl").WithName("endpointslices"),
 	}).SetupWithManager(ctx, manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "EndpointSliceLabels")
 	}

-	if err = (&podlabelscontroller.MetadataReconciler{Client: manager.GetClient()}).SetupWithManager(ctx, manager); err != nil {
+	if err = (&podlabelscontroller.MetadataReconciler{
+		Client: manager.GetClient(),
+		Log:    ctrl.Log.WithName("capsule.ctrl").WithName("pods"),
+	}).SetupWithManager(ctx, manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "PodLabels")
 		os.Exit(1)
 	}
@@ -304,8 +389,10 @@ func main() {
 	}

 	if err = (&configcontroller.Manager{
-		Log: ctrl.Log.WithName("controllers").WithName("CapsuleConfiguration"),
-	}).SetupWithManager(manager, configurationName); err != nil {
+		Client:        manager.GetClient(),
+		RegistryCache: registryCache,
+		Log:           ctrl.Log.WithName("capsule.ctrl").WithName("configuration"),
+	}).SetupWithManager(manager, controllerConfig); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "CapsuleConfiguration")
 		os.Exit(1)
 	}
@@ -320,10 +407,21 @@ func main() {
 		os.Exit(1)
 	}

-	if err := resourcepools.Add(
-		ctrl.Log.WithName("controllers").WithName("ResourcePools"),
+	if err := admission.Add(
+		ctrl.Log.WithName("capsule.ctrl").WithName("admission"),
 		manager,
-		manager.GetEventRecorderFor("pools-ctrl"),
+		manager.GetEventRecorder("admission-ctrl"),
+		controllerConfig,
+		cfg,
+	); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "admission")
+		os.Exit(1)
+	}
+
+	if err := resourcepools.Add(
+		ctrl.Log.WithName("capsule.ctrl").WithName("resourcepools"),
+		manager,
+		manager.GetEventRecorder("pools-ctrl"),
 		controllerConfig,
 	); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "resourcepools")
--- a/cmd/version.go
+++ b/cmd/version.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0

 package main
--- a/controllers/config/manager.go
+++ b/controllers/config/manager.go
@@ -1,46 +0,0 @@
-// Copyright 2020-2025 Project Capsule Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package config
-
-import (
-	"context"
-
-	"github.com/go-logr/logr"
-	"github.com/pkg/errors"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-
-	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
-	"github.com/projectcapsule/capsule/controllers/utils"
-	"github.com/projectcapsule/capsule/pkg/configuration"
-)
-
-type Manager struct {
-	client client.Client
-
-	Log logr.Logger
-}
-
-func (c *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) error {
-	c.client = mgr.GetClient()
-
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&capsulev1beta2.CapsuleConfiguration{}, utils.NamesMatchingPredicate(configurationName)).
-		Complete(c)
-}
-
-func (c *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
-	c.Log.Info("CapsuleConfiguration reconciliation started", "request.name", request.Name)
-
-	cfg := configuration.NewCapsuleConfiguration(ctx, c.client, request.Name)
-	// Validating the Capsule Configuration options
-	if _, err = cfg.ProtectedNamespaceRegexp(); err != nil {
-		panic(errors.Wrap(err, "Invalid configuration for protected Namespace regex"))
-	}
-
-	c.Log.V(5).Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)
-
-	return res, err
-}
--- a/controllers/pod/errors.go
+++ b/controllers/pod/errors.go
@@ -1,30 +0,0 @@
-// Copyright 2020-2025 Project Capsule Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package pod
-
-import "fmt"
-
-type NonTenantObjectError struct {
-	objectName string
-}
-
-func NewNonTenantObject(objectName string) error {
-	return &NonTenantObjectError{objectName: objectName}
-}
-
-func (n NonTenantObjectError) Error() string {
-	return fmt.Sprintf("Skipping labels sync for %s as it doesn't belong to tenant", n.objectName)
-}
-
-type NoPodMetadataError struct {
-	objectName string
-}
-
-func NewNoPodMetadata(objectName string) error {
-	return &NoPodMetadataError{objectName: objectName}
-}
-
-func (n NoPodMetadataError) Error() string {
-	return fmt.Sprintf("Skipping labels sync for %s because no AdditionalLabels or AdditionalAnnotations presents in Tenant spec", n.objectName)
-}
--- a/controllers/rbac/const.go
+++ b/controllers/rbac/const.go
@@ -1,54 +0,0 @@
-// Copyright 2020-2025 Project Capsule Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package rbac
-
-import (
-	rbacv1 "k8s.io/api/rbac/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-const (
-	ProvisionerRoleName = "capsule-namespace-provisioner"
-	DeleterRoleName     = "capsule-namespace-deleter"
-)
-
-var (
-	clusterRoles = map[string]*rbacv1.ClusterRole{
-		ProvisionerRoleName: {
-			ObjectMeta: metav1.ObjectMeta{
-				Name: ProvisionerRoleName,
-			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups: []string{""},
-					Resources: []string{"namespaces"},
-					Verbs:     []string{"create", "patch"},
-				},
-			},
-		},
-		DeleterRoleName: {
-			ObjectMeta: metav1.ObjectMeta{
-				Name: DeleterRoleName,
-			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups: []string{""},
-					Resources: []string{"namespaces"},
-					Verbs:     []string{"delete"},
-				},
-			},
-		},
-	}
-
-	provisionerClusterRoleBinding = &rbacv1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: ProvisionerRoleName,
-		},
-		RoleRef: rbacv1.RoleRef{
-			Kind:     "ClusterRole",
-			Name:     ProvisionerRoleName,
-			APIGroup: rbacv1.GroupName,
-		},
-	}
-)
--- a/controllers/rbac/manager.go
+++ b/controllers/rbac/manager.go
@@ -1,228 +0,0 @@
-// Copyright 2020-2025 Project Capsule Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package rbac
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/go-logr/logr"
-	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/util/retry"
-	"k8s.io/client-go/util/workqueue"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-
-	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
-	"github.com/projectcapsule/capsule/controllers/utils"
-	"github.com/projectcapsule/capsule/pkg/configuration"
-	"github.com/projectcapsule/capsule/pkg/meta"
-)
-
-type Manager struct {
-	Log           logr.Logger
-	Client        client.Client
-	Configuration configuration.Configuration
-}
-
-//nolint:revive
-func (r *Manager) SetupWithManager(ctx context.Context, mgr ctrl.Manager, configurationName string) (err error) {
-	namesPredicate := utils.NamesMatchingPredicate(ProvisionerRoleName, DeleterRoleName)
-
-	crErr := ctrl.NewControllerManagedBy(mgr).
-		For(&rbacv1.ClusterRole{}, namesPredicate).
-		Complete(r)
-	if crErr != nil {
-		err = errors.Join(err, crErr)
-	}
-
-	crbErr := ctrl.NewControllerManagedBy(mgr).
-		For(&rbacv1.ClusterRoleBinding{}, namesPredicate).
-		Watches(&capsulev1beta2.CapsuleConfiguration{}, handler.Funcs{
-			UpdateFunc: func(ctx context.Context, updateEvent event.TypedUpdateEvent[client.Object], limitingInterface workqueue.TypedRateLimitingInterface[reconcile.Request]) {
-				if updateEvent.ObjectNew.GetName() == configurationName {
-					if crbErr := r.EnsureClusterRoleBindingsProvisioner(ctx); crbErr != nil {
-						r.Log.Error(err, "cannot update ClusterRoleBinding upon CapsuleConfiguration update")
-					}
-				}
-			},
-		}).
-		Watches(&corev1.ServiceAccount{}, handler.Funcs{
-			CreateFunc: func(ctx context.Context, e event.TypedCreateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
-				r.handleSAChange(ctx, e.Object)
-			},
-			UpdateFunc: func(ctx context.Context, e event.TypedUpdateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
-				if promotionLabelsChanged(e.ObjectOld.GetLabels(), e.ObjectNew.GetLabels()) {
-					r.handleSAChange(ctx, e.ObjectNew)
-				}
-			},
-			DeleteFunc: func(ctx context.Context, e event.TypedDeleteEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
-				r.handleSAChange(ctx, e.Object)
-			},
-		}).
-		Complete(r)
-	if crbErr != nil {
-		err = errors.Join(err, crbErr)
-	}
-
-	return err
-}
-
-// Reconcile serves both required ClusterRole and ClusterRoleBinding resources: that's ok, we're watching for multiple
-// Resource kinds and we're just interested to the ones with the said name since they're bounded together.
-func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
-	switch request.Name {
-	case ProvisionerRoleName:
-		if err = r.EnsureClusterRole(ctx, ProvisionerRoleName); err != nil {
-			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", ProvisionerRoleName)
-
-			break
-		}
-
-		if err = r.EnsureClusterRoleBindingsProvisioner(ctx); err != nil {
-			r.Log.Error(err, "Reconciliation for ClusterRoleBindings (Provisioner) failed")
-
-			break
-		}
-	case DeleterRoleName:
-		if err = r.EnsureClusterRole(ctx, DeleterRoleName); err != nil {
-			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", DeleterRoleName)
-		}
-	}
-
-	return res, err
-}
-
-func (r *Manager) EnsureClusterRoleBindingsProvisioner(ctx context.Context) error {
-	crb := &rbacv1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{Name: ProvisionerRoleName},
-	}
-
-	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		_, err := controllerutil.CreateOrUpdate(ctx, r.Client, crb, func() error {
-			crb.RoleRef = provisionerClusterRoleBinding.RoleRef
-			crb.Subjects = nil
-
-			for _, group := range r.Configuration.UserGroups() {
-				crb.Subjects = append(crb.Subjects, rbacv1.Subject{
-					Kind: rbacv1.GroupKind,
-					Name: group,
-				})
-			}
-
-			for _, user := range r.Configuration.UserNames() {
-				crb.Subjects = append(crb.Subjects, rbacv1.Subject{
-					Kind: rbacv1.UserKind,
-					Name: user,
-				})
-			}
-
-			if r.Configuration.AllowServiceAccountPromotion() {
-				saList := &corev1.ServiceAccountList{}
-				if err := r.Client.List(ctx, saList, client.MatchingLabels{
-					meta.OwnerPromotionLabel: meta.OwnerPromotionLabelTrigger,
-				}); err != nil {
-					return err
-				}
-
-				for _, sa := range saList.Items {
-					crb.Subjects = append(crb.Subjects, rbacv1.Subject{
-						Kind:      rbacv1.ServiceAccountKind,
-						Name:      sa.Name,
-						Namespace: sa.Namespace,
-					})
-				}
-			}
-
-			return nil
-		})
-
-		return err
-	})
-}
-
-func (r *Manager) EnsureClusterRole(ctx context.Context, roleName string) (err error) {
-	role, ok := clusterRoles[roleName]
-	if !ok {
-		return fmt.Errorf("clusterRole %s is not mapped", roleName)
-	}
-
-	clusterRole := &rbacv1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: role.GetName(),
-		},
-	}
-
-	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, clusterRole, func() error {
-		clusterRole.Rules = role.Rules
-
-		return nil
-	})
-
-	return err
-}
-
-// Start is the Runnable function triggered upon Manager start-up to perform the first RBAC reconciliation
-// since we're not creating empty CR and CRB upon Capsule installation: it's a run-once task, since the reconciliation
-// is handled by the Reconciler implemented interface.
-func (r *Manager) Start(ctx context.Context) error {
-	for roleName := range clusterRoles {
-		r.Log.V(4).Info("setting up ClusterRoles", "ClusterRole", roleName)
-
-		if err := r.EnsureClusterRole(ctx, roleName); err != nil {
-			if apierrors.IsAlreadyExists(err) {
-				continue
-			}
-
-			return err
-		}
-	}
-
-	r.Log.V(4).Info("setting up ClusterRoleBindings")
-
-	if err := r.EnsureClusterRoleBindingsProvisioner(ctx); err != nil {
-		if apierrors.IsAlreadyExists(err) {
-			return nil
-		}
-
-		return err
-	}
-
-	return nil
-}
-
-func (r *Manager) handleSAChange(ctx context.Context, obj client.Object) {
-	if !r.Configuration.AllowServiceAccountPromotion() {
-		return
-	}
-
-	if err := r.EnsureClusterRoleBindingsProvisioner(ctx); err != nil {
-		r.Log.Error(err, "cannot update ClusterRoleBinding upon ServiceAccount event")
-	}
-}
-
-func promotionLabelsChanged(oldLabels, newLabels map[string]string) bool {
-	keys := []string{
-		meta.OwnerPromotionLabel,
-	}
-
-	for _, key := range keys {
-		oldVal, oldOK := oldLabels[key]
-		newVal, newOK := newLabels[key]
-
-		if oldOK != newOK || oldVal != newVal {
-			return true
-		}
-	}
-
-	return false
-}
--- a/controllers/servicelabels/errors.go
+++ b/controllers/servicelabels/errors.go
@@ -1,30 +0,0 @@
-// Copyright 2020-2025 Project Capsule Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package servicelabels
-
-import "fmt"
-
-type NonTenantObjectError struct {
-	objectName string
-}
-
-func NewNonTenantObject(objectName string) error {
-	return &NonTenantObjectError{objectName: objectName}
-}
-
-func (n NonTenantObjectError) Error() string {
-	return fmt.Sprintf("Skipping labels sync for %s as it doesn't belong to tenant", n.objectName)
-}
-
-type NoServicesMetadataError struct {
-	objectName string
-}
-
-func NewNoServicesMetadata(objectName string) error {
-	return &NoServicesMetadataError{objectName: objectName}
-}
-
-func (n NoServicesMetadataError) Error() string {
-	return fmt.Sprintf("Skipping labels sync for %s because no AdditionalLabels or AdditionalAnnotations presents in Tenant spec", n.objectName)
-}
--- a/controllers/tenant/annotations.go
+++ b/controllers/tenant/annotations.go
@@ -1,13 +0,0 @@
-// Copyright 2020-2025 Project Capsule Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package tenant
-
-const (
-	AvailableIngressClassesAnnotation       = "capsule.clastix.io/ingress-classes"
-	AvailableIngressClassesRegexpAnnotation = "capsule.clastix.io/ingress-classes-regexp"
-	AvailableStorageClassesAnnotation       = "capsule.clastix.io/storage-classes"
-	AvailableStorageClassesRegexpAnnotation = "capsule.clastix.io/storage-classes-regexp"
-	AllowedRegistriesAnnotation             = "capsule.clastix.io/allowed-registries"
-	AllowedRegistriesRegexpAnnotation       = "capsule.clastix.io/allowed-registries-regexp"
-)
--- a/Show More
+++ b/Show More