chore(go): bumping up github.com/emicklei/go-restful to v2.16.0

2026-03-02 01:30:17 +00:00 · 2023-02-17 14:18:57 +01:00
325 changed files with 4437 additions and 7199 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -15,4 +15,6 @@ following ourselves these points:
 - explain what and why in the body, if more than a trivial change, wrapping at
  72 characters

+If you have any issue or question, reach out us!
+https://clastix.slack.com >>> #capsule channel 
 -->
--- a/.github/actions/exists/action.yaml
+++ b/.github/actions/exists/action.yaml
@@ -1,21 +0,0 @@
-name: Checks if an input is defined
-
-description: Checks if an input is defined and outputs 'true' or 'false'.
-
-inputs:
-  value:
-    description: value to test
-    required: true
-
-outputs:
-  result:
-    description: outputs 'true' or 'false' if input value is defined or not
-    value: ${{ steps.check.outputs.result }}
-
-runs:
-  using: composite
-  steps:
-    - shell: bash
-      id: check
-      run: |
-        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
--- a/.github/actions/setup-caches/action.yaml
+++ b/.github/actions/setup-caches/action.yaml
@@ -1,20 +0,0 @@
-name: Setup caches
-
-description: Setup caches for go modules and build cache.
-
-inputs:
-  build-cache-key:
-    description: build cache prefix
-
-runs:
-  using: composite
-  steps:
-    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
-      with:
-        path: ~/go/pkg/mod
-        key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
-    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
-      if: ${{ inputs.build-cache-key }}
-      with:
-        path: ~/.cache/go-build
-        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
--- a/.github/configs/ct.yaml
+++ b/.github/configs/ct.yaml
@@ -1,5 +1,5 @@
 remote: origin
-target-branch: main
+target-branch: master
 chart-dirs:
  - charts
 helm-extra-args: "--timeout 600s"  
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,16 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: gomod
-    directory: /
-    schedule:
-      interval: daily
-    rebase-strategy: disabled
-    commit-message:
-      prefix: "feat(deps)"
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: daily
-    rebase-strategy: disabled
-    commit-message:
-      prefix: "ci"
--- a/.github/maintainers.yaml
+++ b/.github/maintainers.yaml
@@ -2,22 +2,22 @@
  github: https://github.com/bsctl
  company: Clastix
  projects:
-    - https://github.com/projectcapsule/capsule
+    - https://github.com/clastix/capsule
    - https://github.com/clastix/capsule-proxy
 - name: Dario Tranchitella
  github: https://github.com/prometherion
  company: Clastix
  projects:
-    - https://github.com/projectcapsule/capsule
+    - https://github.com/clastix/capsule
    - https://github.com/clastix/capsule-proxy
 - name: Maksim Fedotov
  github: https://github.com/MaxFedotov
  company: wargaming.net
  projects:
-    - https://github.com/projectcapsule/capsule
+    - https://github.com/clastix/capsule
    - https://github.com/clastix/capsule-proxy
 - name: Oliver Bähler
  github: https://github.com/oliverbaehler
  company: Bedag Informatik AG
  projects:
-    - https://github.com/projectcapsule/capsule
+    - https://github.com/clastix/capsule
--- a/.github/workflows/check-actions.yml
+++ b/.github/workflows/check-actions.yml
@@ -1,24 +0,0 @@
-name: Check actions
-permissions: {}
-
-on:
-  pull_request:
-    branches: [ "main" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
-        with:
-          # slsa-github-generator requires using a semver tag for reusable workflows. 
-          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
-          allowlist: |
-            slsa-framework/slsa-github-generator
--- a/.github/workflows/check-commit.yml
+++ b/.github/workflows/check-commit.yml
@@ -1,23 +0,0 @@
-name: Check Commit
-permissions: {}
-
-on:
-  push:
-    branches: [ "*" ]
-  pull_request:
-    branches: [ "*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  commit_lint:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3
-        with:
-          firstParent: true
--- a/.github/workflows/diff.yml
+++ b/.github/workflows/diff.yml
@@ -1,5 +1,4 @@
-name: Diff checks
-permissions: {}
+name: CI

 on:
  push:
@@ -7,21 +6,37 @@ on:
  pull_request:
    branches: [ "*" ]

-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
-  diff:
-    name: diff
-    runs-on: ubuntu-20.04
+  commit_lint:
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      - uses: wagoid/commitlint-github-action@v2
        with:
-          go-version: '1.19'
+          firstParent: true
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v2.3.0
+        with:
+          version: v1.45.2
+          only-new-issues: false
+          args: --timeout 2m --config .golangci.yml
+  diff:
+    name: diff
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '1.18'
      - run: make installer
      - name: Checking if YAML installer file is not aligned
        run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -1,38 +0,0 @@
-name: Codecov
-permissions: {}
-
-on:
-  pull_request:
-    branches: [ "main" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  codecov:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup caches
-        uses: ./.github/actions/setup-caches
-        timeout-minutes: 5
-        continue-on-error: true
-        with:
-          build-cache-key: codecov
-      - name: Check secret
-        id: checksecret
-        uses: ./.github/actions/exists
-        with:
-          value: ${{ secrets.CODECOV_TOKEN }}
-      - name: Generate Code Coverage Report
-        if: steps.checksecret.outputs.result == 'true'
-        run: make test
-      - name: Upload Report to Codecov
-        if: steps.checksecret.outputs.result == 'true'
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
-        with:
-          file: ./coverage.out
-          fail_ci_if_error: true
-          verbose: true
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -0,0 +1,97 @@
+name: docker-ci
+
+on:
+  push:
+    tags:        
+      - "v*"
+
+jobs:
+  docker-ci:
+    runs-on: ubuntu-20.04
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Generate build-args
+        id: build-args
+        run: |
+          # Declare vars for internal use
+          VERSION=$(git describe --abbrev=0 --tags)
+          GIT_HEAD_COMMIT=$(git rev-parse --short HEAD)
+          GIT_TAG_COMMIT=$(git rev-parse --short $VERSION)
+          GIT_MODIFIED_1=$(git diff $GIT_HEAD_COMMIT $GIT_TAG_COMMIT --quiet && echo "" || echo ".dev")
+          GIT_MODIFIED_2=$(git diff --quiet && echo "" || echo ".dirty")
+          # Export to GH_ENV
+          echo "GIT_LAST_TAG=$VERSION" >> $GITHUB_ENV
+          echo "GIT_HEAD_COMMIT=$GIT_HEAD_COMMIT" >> $GITHUB_ENV
+          echo "GIT_TAG_COMMIT=$GIT_TAG_COMMIT" >> $GITHUB_ENV
+          echo "GIT_MODIFIED=$(echo "$GIT_MODIFIED_1""$GIT_MODIFIED_2")" >> $GITHUB_ENV
+          echo "GIT_REPO=$(git config --get remote.origin.url)" >> $GITHUB_ENV
+          echo "BUILD_DATE=$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_ENV
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: |
+             quay.io/${{ github.repository }}
+             docker.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{raw}}
+          flavor: |
+            latest=false
+
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: arm64,arm
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          install: true
+
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+
+      - name: Login to quay.io Container Registry
+        uses: docker/login-action@v1 
+        with:
+          registry: quay.io
+          username: ${{ github.repository_owner }}+github
+          password: ${{ secrets.BOT_QUAY_IO }}
+
+      - name: Login to docker.io Container Registry
+        uses: docker/login-action@v1 
+        with:
+          registry: docker.io
+          username: ${{ secrets.USER_DOCKER_IO }}
+          password: ${{ secrets.BOT_DOCKER_IO }}
+
+      - name: Build and push
+        id: build-release
+        uses: docker/build-push-action@v2
+        with:
+          file: Dockerfile
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            GIT_HEAD_COMMIT=${{ env.GIT_HEAD_COMMIT }}
+            GIT_TAG_COMMIT=${{ env.GIT_TAG_COMMIT }}
+            GIT_REPO=${{ env.GIT_REPO }}
+            GIT_LAST_TAG=${{ env.GIT_LAST_TAG }}
+            GIT_MODIFIED=${{ env.GIT_MODIFIED }}
+            BUILD_DATE=${{ env.BUILD_DATE }}
+
+      - name: Image digest
+        run: echo ${{ steps.build-release.outputs.digest }}
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -1,69 +0,0 @@
-name: Publish images
-permissions: {}
-
-on:
-  push:
-    tags:
-      - "v*"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  publish-images:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      id-token: write 
-    outputs:
-      capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup caches
-        uses: ./.github/actions/setup-caches
-        timeout-minutes: 5
-        continue-on-error: true
-        with:
-          build-cache-key: publish-images
-      - name: Run Trivy vulnerability (Repo)
-        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
-        with:
-          scan-type: 'fs'
-          ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-      - name: Publish Capsule
-        id: publish-capsule
-        uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
-        with:
-          makefile-target: ko-publish-capsule
-          registry: ghcr.io
-          registry-username: ${{ github.actor }}
-          registry-password: ${{ secrets.GITHUB_TOKEN }}
-          repository: ${{ github.repository_owner }}
-          version: ${{ github.ref_name }}
-          sign-image: true
-          sbom-name: capsule
-          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
-          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
-          main-path: ./
-        env:
-          REPOSITORY: ${{ github.repository }}
-  generate-capsule-provenance:
-    needs: publish-images
-    permissions:
-      id-token: write   # To sign the provenance.
-      packages: write   # To upload assets to release.
-      actions: read     # To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
-    with:
-      image: ghcr.io/${{ github.repository_owner }}/capsule
-      digest: "${{ needs.publish-images.outputs.capsule-digest }}"
-      registry-username: ${{ github.actor }}
-    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/docs-lint.yml
+++ b/.github/workflows/docs-lint.yml
@@ -1,31 +0,0 @@
-name: docs-lint
-permissions: {}
-
-on:
-  push:
-    branches: [ "*" ]
-    paths:
-      - '.github/workflows/docs-lint.yml'
-      - 'docs/content/**'
-  pull_request:
-    branches: [ "*" ]
-    paths:
-      - '.github/workflows/docs-lint.yml'
-      - 'docs/content/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  spelling:
-    name: Spell Check
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
-        with:
-          node-version: 18
-      - run: make docs-lint
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -1,5 +1,4 @@
 name: e2e
-permissions: {}

 on:
  push:
@@ -27,35 +26,31 @@ on:
      - 'main.go'
      - 'Makefile'

-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
  kind:
    name: Kubernetes
    strategy:
      fail-fast: false
      matrix:
-        k8s-version: ['v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2']
-    runs-on: ubuntu-20.04
+        k8s-version: ['v1.16.15', 'v1.17.11', 'v1.18.8', 'v1.19.4', 'v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.0']
+    runs-on: ubuntu-18.04
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      - uses: actions/setup-go@v2
        with:
-          go-version: '1.19'
+          go-version: '1.18'
      - run: make manifests
      - name: Checking if manifests are disaligned
        run: test -z "$(git diff 2> /dev/null)"
      - name: Checking if manifests generated untracked files
        run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
+      - uses: engineerd/setup-kind@v0.5.0
        with:
          skipClusterCreation: true
          version: v0.14.0
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+      - uses: azure/setup-helm@v1
        with:
          version: 3.3.4
      - name: e2e testing
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,35 +0,0 @@
-name: FOSSA
-permissions: {}
-
-on:
-  push:
-    branches: [ "*" ]
-  pull_request:
-    branches: [ "*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true    
-
-jobs:
-  fossa-scan:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: "Checkout Code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Check secret
-        id: checksecret
-        uses: ./.github/actions/exists
-        with:
-          value: ${{ secrets.FOSSA_API_KEY }}
-      - name: "Run FOSSA Scan"
-        if: steps.checksecret.outputs.result == 'true'
-        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-      - name: "Run FOSSA Test"
-        if: steps.checksecret.outputs.result == 'true'
-        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-          run-tests: true
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -1,24 +1,18 @@
 name: CI gosec
-permissions: {}
 on:
  push:
    branches: [ "*" ]
  pull_request:
    branches: [ "*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
  tests:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@v2
      - name: Run Gosec Security Scanner
-        uses: securego/gosec@0ec6cd95d7bf02aef4ec2786e884868e0044875b # v2.18.1
+        uses: securego/gosec@master
        with:
          args: ./...
--- a/.github/workflows/helm-publish.yml
+++ b/.github/workflows/helm-publish.yml
@@ -1,78 +0,0 @@
-name: Publish charts
-permissions: read-all
-on:
-  push:
-    tags: [ "helm-v*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  publish-helm:
-    # Skip this Release on forks
-    if: github.repository_owner == 'projectcapsule'
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: "Extract Version"
-        id: extract_version
-        run: |
-          GIT_TAG=${GITHUB_REF##*/}
-          VERSION=${GIT_TAG##*v}
-          echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
-      - name: Publish Helm chart
-        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
-        with:
-          token: "${{ secrets.HELM_CHARTS_PUSH_TOKEN }}"
-          linting: off
-          chart_version: ${{ steps.extract_version.outputs.version }}
-          charts_dir: charts
-          charts_url: https://${{ github.repository_owner }}.github.io/charts
-          owner: ${{ github.repository_owner }}
-          repository: charts
-          branch: gh-pages
-          commit_username: ${{ github.actor }}
-  publish-helm-oci:
-    runs-on: ubuntu-20.04
-    permissions:
-      contents: write
-      id-token: write
-      packages: write
-    outputs:
-      chart-digest: ${{ steps.helm_publish.outputs.digest }}
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-      - name: "Extract Version"
-        id: extract_version
-        run: |
-          GIT_TAG=${GITHUB_REF##*/}
-          VERSION=${GIT_TAG##*v}
-          echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
-      - name: Helm | Publish
-        id: helm_publish
-        uses: oliverbaehler/github-actions/helm-oci-chart@8dfd42735c85f6c58d5d4d6f3232cd0e39d1fe73 # v0.1.0
-        with:
-          registry: ghcr.io
-          repository: ${{ github.repository_owner }}/charts
-          name: "capsule"
-          version: ${{ steps.extract_version.outputs.version }}
-          registry-username: ${{ github.actor }}
-          registry-password: ${{ secrets.GITHUB_TOKEN }}
-          update-dependencies: 'true' # Defaults to false
-          sign-image: 'true'
-          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
-  helm-provenance:
-    needs: publish-helm-oci
-    permissions:
-      id-token: write   # To sign the provenance.
-      packages: write   # To upload assets to release.
-      actions: read     # To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
-    with:
-      image: ghcr.io/${{ github.repository_owner }}/charts/capsule
-      digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"
-      registry-username: ${{ github.actor }}
-    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/helm-test.yml
+++ b/.github/workflows/helm-test.yml
@@ -1,69 +0,0 @@
-name: Test charts
-permissions: {}
-
-on:
-  pull_request:
-    branches: [ "main" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  lint:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
-      - name: Linting Chart
-        run: helm lint ./charts/capsule
-      - name: Setup Chart Linting
-        id: lint
-        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --config ./.github/configs/ct.yaml)
-          if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
-          fi
-      - name: Run chart-testing (lint)
-        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
-      - name: Run docs-testing (helm-docs)
-        id: helm-docs
-        run: |
-          make helm-docs
-          if [[ $(git diff --stat) != '' ]]; then
-            echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
-            git diff --color
-            exit 1
-          else
-            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
-          fi
-
-      # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
-      # With this workflow the current docker image is build and loaded into kind, otherwise the install fails
-      # In the future this must be removed and the chart-testing-action must be used
-      - name: Run chart-testing (install)
-        run: make helm-test
-        if: steps.list-changed.outputs.changed == 'true'
-
-      ## Create KIND Cluster
-      - name: Create kind cluster
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
-        if: steps.list-changed.outputs.changed == 'true'
-      # Install Required Operators/CRDs
-      - name: Prepare Cluster Operators/CRDs
-        run: |
-          # Cert-Manager CRDs
-          kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
-          
-          # Prometheus CRDs
-          kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
-        if: steps.list-changed.outputs.changed == 'true'
-      # Install Charts
-      - name: Run chart-testing (install)
-        run: ct install --debug --config ./.github/configs/ct.yaml
-        if: steps.list-changed.outputs.changed == 'true'
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -0,0 +1,86 @@
+name: Helm Chart
+
+on:
+  push:
+    branches: [ "*" ]
+    tags: [ "helm-v*" ]
+  pull_request:
+    branches: [ "*" ]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: azure/setup-helm@v1
+        with:
+          version: 3.3.4
+      - name: Linting Chart
+        run: helm lint ./charts/capsule
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@v2.3.0
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ./.github/configs/ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+      - name: Run chart-testing (lint)
+        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
+      - name: Run docs-testing (helm-docs)
+        id: helm-docs
+        run: |
+          make helm-docs
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+          fi
+
+      # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
+      # With this workflow the current docker image is build and loaded into kind, otherwise the install fails
+      # In the future this must be removed and the chart-testing-action must be used
+      - name: Run chart-testing (install)
+        run: make helm-test
+        if: steps.list-changed.outputs.changed == 'true'
+
+      ## Create KIND Cluster
+      #- name: Create kind cluster
+      #  uses: helm/kind-action@v1.2.0
+      #  if: steps.list-changed.outputs.changed == 'true'
+      ## Install Required Operators/CRDs
+      #- name: Prepare Cluster Operators/CRDs
+      #  run: |
+      #    # Cert-Manager CRDs
+      #    kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+      #    
+      #    # Prometheus CRDs
+      #    kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+      #  if: steps.list-changed.outputs.changed == 'true'
+      ## Install Charts
+      #- name: Run chart-testing (install)
+      #  run: ct install --debug --config ./.github/configs/ct.yaml
+      #  if: steps.list-changed.outputs.changed == 'true'
+  release:
+    if: startsWith(github.ref, 'refs/tags/helm-v')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Publish Helm chart
+        uses: stefanprodan/helm-gh-pages@master
+        with:
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          charts_dir: charts
+          charts_url: https://clastix.github.io/charts
+          owner: clastix
+          repository: charts
+          branch: gh-pages
+          target_dir: .
+          commit_username: prometherion
+          commit_email: dario@tranchitella.eu
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,25 +0,0 @@
-name: Linting
-permissions: {}
-
-on:
-  push:
-    branches: [ "*" ]
-  pull_request:
-    branches: [ "*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
-        with:
-          version: v1.51.2
-          only-new-issues: false
-          args: --timeout 5m --config .golangci.yml
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -1,36 +0,0 @@
-name: Go Release
-
-permissions: {}
-on:
-  push:
-    tags:
-      - 'v*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  create-release:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup caches
-        uses: ./.github/actions/setup-caches
-        timeout-minutes: 5
-        continue-on-error: true
-      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
-        with:
-          version: latest
-          args: release --clean --timeout 90m --debug
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,42 +0,0 @@
-name: Scorecards supply-chain security
-permissions: {}
-
-on:
-  schedule:
-    - cron: '0 0 * * 5'
-  push:
-    branches:
-      - main
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  analysis:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          persist-credentials: false
-      - name: Run analysis
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
-          publish_results: true
-      - name: Upload artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
-        with:
-          sarif_file: results.sarif
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,6 @@
 *.so
 *.dylib
 bin
-dist/

 # Test binary, build with `go test -c`
 *.test
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -14,10 +14,10 @@ linters-settings:
    sections:
      - standard
      - default
-      - prefix(github.com/projectcapsule/capsule)
+      - prefix(github.com/clastix/capsule)
  goheader:
    template: |-
-      Copyright 2020-2023 Project Capsule Authors.
+      Copyright 2020-2021 Clastix Labs
      SPDX-License-Identifier: Apache-2.0

 linters:
@@ -39,16 +39,9 @@ linters:
    - testpackage
    - varnamelen
    - wrapcheck
-    - exhaustruct
-    - varcheck
-    - structcheck
-    - nosnakecase
-    - deadcode
-    - ifshort
-    - nonamedreturns

 service:
-  golangci-lint-version: 1.51.2
+  golangci-lint-version: 1.45.2

 run:
  skip-files:
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,83 +0,0 @@
-project_name: capsule
-env:
-  - COSIGN_EXPERIMENTAL=true
-  - GO111MODULE=on
-before:
-  hooks:
-    - go mod download
-gomod:
-  proxy: false
-builds:
-  - main: .
-    binary: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
-    env:
-      - CGO_ENABLED=0
-    goarch:
-      - amd64
-      - arm64
-    goos:
-      - linux
-    flags:
-      - -trimpath
-    mod_timestamp: '{{ .CommitTimestamp }}'
-    ldflags:
-      - >-
-          -X main.Version={{ .Tag }}
-          -X main.GitCommit={{ .Commit }}
-          -X main.GitTag={{ .Tag }}
-          -X main.GitTreeState={{ .Date }}
-          -X main.BuildDate={{ .Date }}
-          -X main.GitRepo={{ .ProjectName }}
-release:
-  prerelease: auto
-  footer: |
-    Thanks to all the contributors!
-
-    **Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
-    
-    **Docker Images**
-    - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}`
-    - `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
-checksum:
-  name_template: 'checksums.txt'
-changelog:
-  sort: asc
-  use: github
-  filters:
-    exclude:
-    - '^test:'
-    - '^chore'
-    - '^rebase:'
-    - 'merge conflict'
-    - Merge pull request
-    - Merge remote-tracking branch
-    - Merge branch
-  groups:
-    # https://github.com/conventional-changelog/commitlint/tree/master/%40commitlint/config-conventional
-    - title: '🛠 Dependency updates'
-      regexp: '^.*?(feat|fix)\(deps\)!?:.+$'
-      order: 300
-    - title: '✨ New Features'
-      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
-      order: 100
-    - title: '🐛 Bug fixes'
-      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
-      order: 200
-    - title: '📖 Documentation updates'
-      regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$
-      order: 400
-    - title: '🚀 Build process updates'
-      regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$
-      order: 400
-    - title: '📦 Other work'
-      order: 9999
-sboms:
-  - artifacts: archive
-signs:
- cmd: cosign
-  args:
-  - "sign-blob"
-  - "--output-signature=${signature}"
-  - "${artifact}"
-  - "--yes"
-  artifacts: all
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,8 +0,0 @@
-defaultPlatforms:
- linux/arm64
- linux/amd64
-builds:
- id: capsule
-  main: ./
-  ldflags:
-  - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -7,26 +7,5 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
 ### [Bedag Informatik AG](https://www.bedag.ch/)
 ![Bedag](https://www.bedag.ch/wGlobal/wGlobal/layout/images/logo.svg)

-### [Fastweb](https://www.fastweb.it/)
-![Fastweb](https://www.fastweb.it/grandi-aziende/gfx/common/logo-fastweb-header.svg)
-
-### [Klarrio](https://klarrio.com/)
-![Klarrio](https://klarrio.com/wp-content/uploads/klarrio.png)
-
-### [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net)
-![PITS Global Data Recovery Services](https://www.pitsdatarecovery.net/wp-content/uploads/2020/09/pits-logo.svg)
-
-### [Politecnico di Torino](https://www.polito.it/)
-![Politecnico di Torino](https://www.polito.it/themes/custom/polito/logo.svg)
-
-### [Reevo](https://www.reevo.it/)
-![Reevo Cloud and CyberSecurity](https://www.dropbox.com/s/x3q6r0oqstgvtdr/Logo_ReeVo_270x200px.svg)
-
-### [University of Torino](https://www.unito.it)
-![University of Torino](https://www.unito.it/sites/all/themes/bsunito/img/logo_new_2022.svg)
-
-### [Velocity](https://velocity.tech/)
-![Velocity](https://raw.githubusercontent.com/yarelm/velocity-logo/main/velocity.png)
-
 ### [Wargaming.net](https://www.wargaming.net/)
 ![Wargaming.net](https://static-cspbe-eu.wargaming.net/images/logo@2x.png)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,7 +1,5 @@
 # Contributor Covenant Code of Conduct

-Capsule follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
-
 ## Our Pledge

 We as members, contributors, and leaders pledge to make participation in our
@@ -116,7 +114,7 @@ the community.

 ## Attribution

-This Code of Conduct follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and is adapted from the [Contributor Covenant][homepage],
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
 version 2.0, available at
 https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,58 +0,0 @@
-# Contributing
-
-All contributions are welcome! If you find a bug or have a feature request, please open an issue or submit a pull request.
-
-
-## Guidelines
-
-
-## Pull Requests
-
-
-## Commits
-
-Commit messages should indicate the change and it's impact. The general format for commit messages is the following:
-
-    feat(ui): Add `Button` component
-    ^    ^    ^
-    |    |    |__ Subject
-    |    |_______ Scope
-    |____________ Type
-
- The commits are checked on pull-request. If the commit message does not follow the format, the workflow will fail. See the [Types](#types) and [Scopes](#scopes) sections for more information.
-
-## Types
-
-The following types are allowed for commits and pull requests:
-
-  * `ci` or `build`: changes to buillding process/workflows
-  * `docs`: changes to documentation
-  * `feat`: new features
-  * `fix`: bug fixes
-
-## Scopes
-
-The following types are allowed for commits and pull requests:
-
-  * `all`: changes that affect all components
-  * `chart`: changes to the Helm chart
-  * `operator`: changes to the operator
-  * `docs`: changes to the documentation
-  * `website`: changes to the website
-  * `ci`: changes to the CI/CD workflows
-  * `build`: changes to the build process
-  * `test`: changes to the testing process
-  * `release`: changes to the release process
-  * `deps`: dependency updates
-
-### Sign-Off
-
-Developer Certificate of Origin (DCO) Sign off
-For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work which indicates you agree to the DCO found here.
-
-To sign your work, just add a line like this at the end of your commit message:
-
-Signed-off-by: Random J Developer <random@developer.example.org>
-This can easily be done with the -s command line option to append this automatically to your commit message.
-
-git commit -s -m 'This is my commit message'
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19.10 as builder
+FROM golang:1.18 as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
--- a/192
+++ b/192
@@ -1,23 +1,8 @@
-# Version
-GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
-VERSION          ?= $(shell git describe --abbrev=0 --tags --match "v*")
-ifndef VERSION
-VERSION          = $(GIT_HEAD_COMMIT)
-endif
-
-# Defaults
-REGISTRY        ?= ghcr.io
-REPOSITORY      ?= projectcapsule/capsule
-GIT_TAG_COMMIT  ?= $(shell git rev-parse --short $(VERSION))
-GIT_MODIFIED_1  ?= $(shell git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev")
-GIT_MODIFIED_2  ?= $(shell git diff --quiet && echo "" || echo ".dirty")
-GIT_MODIFIED    ?= $(shell echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
-GIT_REPO        ?= $(shell git config --get remote.origin.url)
-BUILD_DATE      ?= $(shell git log -1 --format="%at" | xargs -I{} sh -c 'if [ "$(shell uname)" = "Darwin" ]; then date -r {} +%Y-%m-%dT%H:%M:%S; else date -d @{} +%Y-%m-%dT%H:%M:%S; fi')
-IMG_BASE        ?= $(REPOSITORY)
-IMG             ?= $(IMG_BASE):$(VERSION)
-CAPSULE_IMG     ?= $(REGISTRY)/$(IMG_BASE)
+# Current Operator version
+VERSION ?= $$(git describe --abbrev=0 --tags --match "v*")

+# Default bundle image tag
+BUNDLE_IMG ?= clastix/capsule:$(VERSION)-bundle
 # Options for 'bundle-build'
 ifneq ($(origin CHANNELS), undefined)
 BUNDLE_CHANNELS := --channels=$(CHANNELS)
@@ -27,6 +12,9 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
 endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)

+# Image URL to use all building/pushing image targets
+IMG ?= clastix/capsule:$(VERSION)
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -34,16 +22,20 @@ else
 GOBIN=$(shell go env GOBIN)
 endif

+# Get information about git current status
+GIT_HEAD_COMMIT ?= $$(git rev-parse --short HEAD)
+GIT_TAG_COMMIT  ?= $$(git rev-parse --short $(VERSION))
+GIT_MODIFIED_1  ?= $$(git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev")
+GIT_MODIFIED_2  ?= $$(git diff --quiet && echo "" || echo ".dirty")
+GIT_MODIFIED    ?= $$(echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
+GIT_REPO        ?= $$(git config --get remote.origin.url)
+BUILD_DATE      ?= $$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)
+
 all: manager

 # Run tests
-.PHONY: test
-test: test-clean generate manifests test-clean
-	@GO111MODULE=on go test -v ./... -coverprofile coverage.out
-
-.PHONY: test-clean
-test-clean: ## Clean tests cache
-	@go clean -testcache
+test: generate manifests
+	go test ./... -coverprofile cover.out

 # Build manager binary
 manager: generate golint
@@ -55,7 +47,7 @@ run: generate manifests

 # Creates the single file to install Capsule without any external dependency
 installer: manifests kustomize
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG}
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default > config/install.yaml

 # Install CRDs into a cluster
@@ -94,13 +86,12 @@ helm-docs: HELMDOCS_VERSION := v1.11.0
 helm-docs: docker
 	@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs

-helm-lint: CT_VERSION := v3.3.1
-helm-lint: docker
-	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml  --lint-conf .github/configs/lintconf.yaml  --all --debug"
+helm-lint: ct
+	@ct lint --config $(SRC_ROOT)/.github/configs/ct.yaml --lint-conf $(SRC_ROOT)/.github/configs/lintconf.yaml --all --debug

-helm-test: kind ct ko-build-all
+helm-test: kind ct docker-build
 	@kind create cluster --wait=60s --name capsule-charts
-	@kind load docker-image --name capsule-charts $(LOCAL_CAPSULE_IMG)
+	@kind load docker-image --name capsule-charts ${IMG}
 	@kubectl create ns capsule-system
 	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
 	@kind delete cluster --name capsule-charts
@@ -175,101 +166,42 @@ dev-setup:
 		]";


-####################
-# -- Docker
-####################
+# Build the docker image
+docker-build: test
+	docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \
+ 							 --build-arg GIT_TAG_COMMIT=$(GIT_TAG_COMMIT) \
+ 							 --build-arg GIT_MODIFIED=$(GIT_MODIFIED) \
+ 							 --build-arg GIT_REPO=$(GIT_REPO) \
+ 							 --build-arg GIT_LAST_TAG=$(VERSION) \
+ 							 --build-arg BUILD_DATE=$(BUILD_DATE)

-KOCACHE         ?= /tmp/ko-cache
-KO_REGISTRY     := ko.local
-KO_TAGS         ?= "latest"
-ifdef VERSION
-KO_TAGS         := $(KO_TAGS),$(VERSION)
-endif
+# Push the docker image
+docker-push:
+	docker push ${IMG}

-LD_FLAGS        := "-X main.Version=$(VERSION) \
-					-X main.GitCommit=$(GIT_HEAD_COMMIT) \
-					-X main.GitTag=$(VERSION) \
-					-X main.GitTreeState=$(GIT_MODIFIED) \
-					-X main.BuildDate=$(BUILD_DATE) \
-					-X main.GitRepo=$(GIT_REPO)"
-
-# Docker Image Build
-# ------------------
-
-.PHONY: ko-build-capsule
-LOCAL_CAPSULE_IMG_BASE := github.com/$(REPOSITORY)
-LOCAL_CAPSULE_IMG := $(KO_REGISTRY)/$(LOCAL_CAPSULE_IMG_BASE)
-ko-build-capsule: ko
-	@echo Building Capsule $(KO_TAGS) >&2
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
-		$(KO) build ./ --preserve-import-paths --tags=$(KO_TAGS)  --push=false
-
-.PHONY: ko-build-all
-ko-build-all: ko-build-capsule
-
-# Docker Image Publish
-# ------------------
-
-REGISTRY_PASSWORD   ?= dummy
-REGISTRY_USERNAME   ?= dummy
-
-.PHONY: ko-login
-ko-login: ko
-	@$(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password $(REGISTRY_PASSWORD)
-
-.PHONY: ko-publish-capsule
-ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
-		$(KO) build ./ --bare --tags=$(KO_TAGS)
-
-.PHONY: ko-publish-all
-ko-publish-all: ko-publish-capsule
-
-####################
-# -- Binaries
-####################
-
-CONTROLLER_GEN         := $(shell pwd)/bin/controller-gen
-CONTROLLER_GEN_VERSION := v0.10.0
+CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0)

-APIDOCS_GEN         := $(shell pwd)/bin/crdoc
-APIDOCS_GEN_VERSION := latest
+APIDOCS_GEN = $(shell pwd)/bin/crdoc
 apidocs-gen: ## Download crdoc locally if necessary.
-	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
+	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@latest)

-GINKGO         := $(shell pwd)/bin/ginkgo
-GINGKO_VERSION := v2.9.5
+GINKGO = $(shell pwd)/bin/ginkgo
 ginkgo: ## Download ginkgo locally if necessary.
-	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
+	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/ginkgo@v1.16.5)

-CT         := $(shell pwd)/bin/ct
-CT_VERSION := v3.7.1
+CT = $(shell pwd)/bin/ct
 ct: ## Download ct locally if necessary.
-	$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
+	$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@v3.7.1)

-KIND         := $(shell pwd)/bin/kind
-KIND_VERSION := v0.17.0
+KIND = $(shell pwd)/bin/kind
 kind: ## Download kind locally if necessary.
-	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
+	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@v0.17.0)

-KUSTOMIZE         := $(shell pwd)/bin/kustomize
-KUSTOMIZE_VERSION := 3.8.7
+KUSTOMIZE = $(shell pwd)/bin/kustomize
 kustomize: ## Download kustomize locally if necessary.
-	$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
-
-KO = $(shell pwd)/bin/ko
-KO_VERSION = v0.14.1
-ko:
-	$(call go-install-tool,$(KO),github.com/google/ko@v0.14.1)
-
-####################
-# -- Helpers
-####################
-pull-upstream:
-	git remote add upstream https://github.com/capsuleproject/capsule.git
-	git fetch --all && git pull upstream
+	$(call install-kustomize,$(KUSTOMIZE),3.8.7)

 define install-kustomize
@[ -f $(1) ] || { \
@@ -286,6 +218,7 @@ PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-install-tool
@[ -f $(1) ] || { \
 set -e ;\
+echo "Installing $(2)" ;\
 GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 }
 endef
@@ -296,14 +229,18 @@ bundle: manifests
 	kustomize build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 	operator-sdk bundle validate ./bundle

+# Build the bundle image.
+bundle-build:
+	docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
+
 # Sorting imports
 .PHONY: goimports
 goimports:
-	goimports -w -l -local "github.com/projectcapsule/capsule" .
+	goimports -w -l -local "github.com/clastix/capsule" .

 GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
 golangci-lint: ## Download golangci-lint locally if necessary.
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.2)
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@v1.45.2)

 # Linting code as PR is expecting
 .PHONY: golint
@@ -313,15 +250,12 @@ golint: golangci-lint
 # Running e2e tests in a KinD instance
 .PHONY: e2e
 e2e/%: ginkgo
-	$(MAKE) e2e-build/$* && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
+	$(MAKE) e2e-build/$* && $(MAKE) e2e-exec || $(MAKE) e2e-destroy

 e2e-build/%:
 	kind create cluster --wait=60s --name capsule --image=kindest/node:$*
-	make e2e-load-image
-	make e2e-install
-
-.PHONY: e2e-install
-e2e-install:
+	make docker-build
+	kind load docker-image --nodes capsule-control-plane --name capsule $(IMG)
 	helm upgrade \
 		--debug \
 		--install \
@@ -330,27 +264,13 @@ e2e-install:
 		--set 'manager.image.pullPolicy=Never' \
 		--set 'manager.resources=null'\
 		--set "manager.image.tag=$(VERSION)" \
-		--set 'manager.image.registry=$(KO_REGISTRY)' \
-		--set 'manager.image.repository=$(LOCAL_CAPSULE_IMG_BASE)' \
 		--set 'manager.livenessProbe.failureThreshold=10' \
 		--set 'manager.readinessProbe.failureThreshold=10' \
-		--set 'podSecurityContext.seccompProfile=null' \
 		capsule \
 		./charts/capsule

-.PHONY: e2e-load-image
-e2e-load-image: ko-build-all
-	kind load docker-image --nodes capsule-control-plane --name capsule $(LOCAL_CAPSULE_IMG):$(VERSION)
-
-.PHONY: e2e-exec
 e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e

-.PHONY: e2e-destroy
 e2e-destroy:
 	kind delete cluster --name capsule
-
-SPELL_CHECKER = npx spellchecker-cli
-docs-lint:
-	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" -d dictionary.txt
-
--- a/16
+++ b/16
@@ -5,7 +5,7 @@ plugins:
  manifests.sdk.operatorframework.io/v2: {}
  scorecard.sdk.operatorframework.io/v2: {}
 projectName: capsule
-repo: github.com/projectcapsule/capsule
+repo: github.com/clastix/capsule
 resources:
 - api:
    crdVersion: v1
@@ -13,7 +13,7 @@ resources:
  domain: clastix.io
  group: capsule
  kind: Tenant
-  path: github.com/projectcapsule/capsule/api/v1alpha1
+  path: github.com/clastix/capsule/api/v1alpha1
  version: v1alpha1
  webhooks:
    conversion: true
@@ -24,21 +24,21 @@ resources:
  domain: clastix.io
  group: capsule
  kind: CapsuleConfiguration
-  path: github.com/projectcapsule/capsule/api/v1alpha1
+  path: github.com/clastix/capsule/api/v1alpha1
  version: v1alpha1
 - api:
    crdVersion: v1
  domain: clastix.io
  group: capsule
  kind: Tenant
-  path: github.com/projectcapsule/capsule/api/v1beta1
+  path: github.com/clastix/capsule/api/v1beta1
  version: v1beta1
 - api:
    crdVersion: v1
  domain: clastix.io
  group: capsule
  kind: Tenant
-  path: github.com/projectcapsule/capsule/api/v1beta2
+  path: github.com/clastix/capsule/api/v1beta2
  version: v1beta2
 - api:
    crdVersion: v1
@@ -46,7 +46,7 @@ resources:
  domain: clastix.io
  group: capsule
  kind: CapsuleConfiguration
-  path: github.com/projectcapsule/capsule/api/v1beta2
+  path: github.com/clastix/capsule/api/v1beta2
  version: v1beta2
 - api:
    crdVersion: v1
@@ -54,13 +54,13 @@ resources:
  domain: clastix.io
  group: capsule
  kind: TenantResource
-  path: github.com/projectcapsule/capsule/api/v1beta2
+  path: github.com/clastix/capsule/api/v1beta2
  version: v1beta2
 - api:
    crdVersion: v1
  domain: clastix.io
  group: capsule
  kind: GlobalTenantResource
-  path: github.com/projectcapsule/capsule/api/v1beta2
+  path: github.com/clastix/capsule/api/v1beta2
  version: v1beta2
 version: "3"
--- a/README.md
+++ b/README.md
@@ -1,23 +1,13 @@

 <p align="left">
-  <img src="https://github.com/projectcapsule/capsule/actions/workflows/ci.yml/badge.svg"/>
  <img src="https://img.shields.io/github/license/clastix/capsule"/>
  <img src="https://img.shields.io/github/go-mod/go-version/clastix/capsule"/>
-  <a href="https://github.com/projectcapsule/capsule/releases">
+  <a href="https://github.com/clastix/capsule/releases">
    <img src="https://img.shields.io/github/v/release/clastix/capsule"/>
  </a>
  <a href="https://charmhub.io/capsule-k8s">
    <img src="https://charmhub.io/capsule-k8s/badge.svg"/>
  </a>
-  <a href="https://www.bestpractices.dev/projects/5601">
-    <img src="https://www.bestpractices.dev/projects/5601/badge"/>
-  </a>
-  <a href="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge">
-    <img src="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge"/>
-  </a>
-  <a href="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/projectcapsule">
-    <img src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/projectcapsule"/>
-  </a>
 </p>

 <p align="center">
@@ -100,9 +90,7 @@ make helm-docs

 ## Community

-Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
-
-Please read the [code of conduct](CODE_OF_CONDUCT.md).
+Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/clastix/capsule-community).

 ## Adopters

@@ -116,10 +104,6 @@ You can find how the Capsule project is governed [here](https://capsule.clastix.

 Please, refer to the maintainers file available [here](.github/maintainers.yaml).

-## Release process
-
-Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
-
 # FAQ

 - Q. How to pronounce Capsule?
@@ -128,7 +112,7 @@ Please, refer to the [documentation page](https://capsule.clastix.io/docs/contri

 - Q. Is it production grade?

-  A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/projectcapsule/capsule/releases) page for a detailed list of available versions.
+  A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/clastix/capsule/releases) page for a detailed list of available versions.

 - Q. Does it work with my Kubernetes XYZ distribution?

--- a/api/v1alpha1/additional_metadata.go
+++ b/api/v1alpha1/additional_metadata.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/api/v1alpha1/capsuleconfiguration_annotations.go
+++ b/api/v1alpha1/capsuleconfiguration_annotations.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/api/v1alpha1/capsuleconfiguration_types.go
+++ b/api/v1alpha1/capsuleconfiguration_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/api/v1alpha1/capsuleconfiguration_webhook.go
+++ b/api/v1alpha1/capsuleconfiguration_webhook.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/api/v1alpha1/conversion_hub.go
+++ b/api/v1alpha1/conversion_hub.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -13,8 +13,8 @@ import (
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"

-	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
-	"github.com/projectcapsule/capsule/pkg/api"
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+	"github.com/clastix/capsule/pkg/api"
 )

 const (
@@ -133,7 +133,7 @@ func (in *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
 	return owners
 }

-//nolint:gocognit,gocyclo,cyclop,maintidx
+// nolint:gocognit,gocyclo,cyclop,maintidx
 func (in *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 	dst, ok := dstRaw.(*capsulev1beta1.Tenant)
 	if !ok {
@@ -294,7 +294,7 @@ func (in *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 			dst.Spec.ServiceOptions.AllowedServices = &api.AllowedServices{}
 		}

-		dst.Spec.ServiceOptions.AllowedServices.NodePort = pointer.Bool(val)
+		dst.Spec.ServiceOptions.AllowedServices.NodePort = pointer.BoolPtr(val)
 	}

 	enableExternalName, ok := annotations[enableExternalNameAnnotation]
@@ -312,7 +312,7 @@ func (in *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 			dst.Spec.ServiceOptions.AllowedServices = &api.AllowedServices{}
 		}

-		dst.Spec.ServiceOptions.AllowedServices.ExternalName = pointer.Bool(val)
+		dst.Spec.ServiceOptions.AllowedServices.ExternalName = pointer.BoolPtr(val)
 	}

 	loadBalancerService, ok := annotations[enableLoadBalancerAnnotation]
@@ -330,7 +330,7 @@ func (in *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 			dst.Spec.ServiceOptions.AllowedServices = &api.AllowedServices{}
 		}

-		dst.Spec.ServiceOptions.AllowedServices.LoadBalancer = pointer.Bool(val)
+		dst.Spec.ServiceOptions.AllowedServices.LoadBalancer = pointer.BoolPtr(val)
 	}
 	// Status
 	dst.Status = capsulev1beta1.TenantStatus{
@@ -365,7 +365,7 @@ func (in *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 	return nil
 }

-//nolint:gocognit,gocyclo,cyclop
+// nolint:gocognit,gocyclo,cyclop
 func (in *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 	ownersAnnotations := map[string][]string{
 		ownerGroupsAnnotation:         nil,
--- a/api/v1alpha1/conversion_hub_test.go
+++ b/api/v1alpha1/conversion_hub_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -15,11 +15,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"

-	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
-	"github.com/projectcapsule/capsule/pkg/api"
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+	"github.com/clastix/capsule/pkg/api"
 )

-//nolint:maintidx
+// nolint:maintidx
 func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 	var namespaceQuota int32 = 5

@@ -53,9 +53,9 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 	v1beta1ServiceOptions := &api.ServiceOptions{
 		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
 		AllowedServices: &api.AllowedServices{
-			NodePort:     pointer.Bool(false),
-			ExternalName: pointer.Bool(false),
-			LoadBalancer: pointer.Bool(false),
+			NodePort:     pointer.BoolPtr(false),
+			ExternalName: pointer.BoolPtr(false),
+			LoadBalancer: pointer.BoolPtr(false),
 		},
 		ExternalServiceIPs: &api.ExternalServiceIPsSpec{
 			Allowed: []api.AllowedIP{"192.168.0.1"},
--- a/api/v1alpha1/groupversion_info.go
+++ b/api/v1alpha1/groupversion_info.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 // Package v1alpha1 contains API Schema definitions for the capsule.clastix.io v1alpha1 API group
--- a/api/v1alpha1/owner.go
+++ b/api/v1alpha1/owner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/api/v1alpha1/tenant_func.go
+++ b/api/v1alpha1/tenant_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/api/v1alpha1/tenant_types.go
+++ b/api/v1alpha1/tenant_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -8,7 +8,7 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 // TenantSpec defines the desired state of Tenant.
--- a/api/v1alpha1/tenant_webhook.go
+++ b/api/v1alpha1/tenant_webhook.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
 package v1alpha1

 import (
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/api/networking/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
--- a/api/v1beta1/custom_resource_quota.go
+++ b/api/v1beta1/custom_resource_quota.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/deny_wildcard.go
+++ b/api/v1beta1/deny_wildcard.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/groupversion_info.go
+++ b/api/v1beta1/groupversion_info.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 // Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group
--- a/api/v1beta1/ingress_options.go
+++ b/api/v1beta1/ingress_options.go
@@ -1,10 +1,10 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1

 import (
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 type IngressOptions struct {
--- a/api/v1beta1/namespace_options.go
+++ b/api/v1beta1/namespace_options.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
@@ -6,7 +6,7 @@ package v1beta1
 import (
 	"strings"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 type NamespaceOptions struct {
--- a/api/v1beta1/owner.go
+++ b/api/v1beta1/owner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_list.go
+++ b/api/v1beta1/owner_list.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_list_test.go
+++ b/api/v1beta1/owner_list_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/owner_role.go
+++ b/api/v1beta1/owner_role.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/service_allowed_types.go
+++ b/api/v1beta1/service_allowed_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/service_options.go
+++ b/api/v1beta1/service_options.go
@@ -1,10 +1,10 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1

 import (
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 type ServiceOptions struct {
--- a/api/v1beta1/tenant_func.go
+++ b/api/v1beta1/tenant_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_status.go
+++ b/api/v1beta1/tenant_status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/tenant_types.go
+++ b/api/v1beta1/tenant_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
@@ -6,7 +6,7 @@ package v1beta1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 // TenantSpec defines the desired state of Tenant.
@@ -75,7 +75,9 @@ func init() {
 func (in *Tenant) GetNamespaces() (res []string) {
 	res = make([]string, 0, len(in.Status.Namespaces))

-	res = append(res, in.Status.Namespaces...)
+	for _, ns := range in.Status.Namespaces {
+		res = append(res, ns)
+	}

 	return
 }
--- a/api/v1beta1/tenant_webhook.go
+++ b/api/v1beta1/tenant_webhook.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta1
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
 package v1beta1

 import (
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

--- a/api/v1beta2/additional_role_bindings.go
+++ b/api/v1beta2/additional_role_bindings.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/capsuleconfiguration_convertion_hub.go
+++ b/api/v1beta2/capsuleconfiguration_convertion_hub.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -10,7 +10,7 @@ import (

 	"sigs.k8s.io/controller-runtime/pkg/conversion"

-	capsulev1alpha1 "github.com/projectcapsule/capsule/api/v1alpha1"
+	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
 )

 func (in *CapsuleConfiguration) ConvertTo(raw conversion.Hub) error {
--- a/api/v1beta2/capsuleconfiguration_types.go
+++ b/api/v1beta2/capsuleconfiguration_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -6,7 +6,7 @@ package v1beta2
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 // CapsuleConfigurationSpec defines the Capsule configuration.
--- a/api/v1beta2/custom_resource_quota.go
+++ b/api/v1beta2/custom_resource_quota.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/groupversion_info.go
+++ b/api/v1beta2/groupversion_info.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 // Package v1beta2 contains API Schema definitions for the capsule v1beta2 API group
--- a/api/v1beta2/ingress_options.go
+++ b/api/v1beta2/ingress_options.go
@@ -1,10 +1,10 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2

 import (
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 type IngressOptions struct {
--- a/api/v1beta2/namespace_options.go
+++ b/api/v1beta2/namespace_options.go
@@ -1,10 +1,10 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2

 import (
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 type NamespaceOptions struct {
--- a/api/v1beta2/owner.go
+++ b/api/v1beta2/owner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -34,7 +34,7 @@ func (p ProxyOperation) String() string {
 	return string(p)
 }

-// +kubebuilder:validation:Enum=Nodes;StorageClasses;IngressClasses;PriorityClasses;RuntimeClasses;PersistentVolumes
+// +kubebuilder:validation:Enum=Nodes;StorageClasses;IngressClasses;PriorityClasses
 type ProxyServiceKind string

 func (p ProxyServiceKind) String() string {
@@ -42,12 +42,10 @@ func (p ProxyServiceKind) String() string {
 }

 const (
-	NodesProxy             ProxyServiceKind = "Nodes"
-	StorageClassesProxy    ProxyServiceKind = "StorageClasses"
-	IngressClassesProxy    ProxyServiceKind = "IngressClasses"
-	PriorityClassesProxy   ProxyServiceKind = "PriorityClasses"
-	RuntimeClassesProxy    ProxyServiceKind = "RuntimeClasses"
-	PersistentVolumesProxy ProxyServiceKind = "PersistentVolumes"
+	NodesProxy           ProxyServiceKind = "Nodes"
+	StorageClassesProxy  ProxyServiceKind = "StorageClasses"
+	IngressClassesProxy  ProxyServiceKind = "IngressClasses"
+	PriorityClassesProxy ProxyServiceKind = "PriorityClasses"

 	ListOperation   ProxyOperation = "List"
 	UpdateOperation ProxyOperation = "Update"
--- a/api/v1beta2/owner_list.go
+++ b/api/v1beta2/owner_list.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/owner_list_test.go
+++ b/api/v1beta2/owner_list_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_annotations.go
+++ b/api/v1beta2/tenant_annotations.go
@@ -1,44 +1,17 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2

 import (
-	"crypto/md5" //#nosec
-	"encoding/hex"
 	"fmt"
+	"strings"
 )

-const (
-	// Annotation name part must be no more than 63 characters.
-	maxAnnotationLength = 63
-)
-
-func createAnnotation(format string, resource fmt.Stringer) (string, error) {
-	suffix := resource.String()
-
-	hash := md5.Sum([]byte(resource.String())) //#nosec
-
-	hashed := hex.EncodeToString(hash[:])
-	capsuleHashed := format + hashed
-	capsuleAnnotation := format + suffix
-
-	switch {
-	case len(capsuleAnnotation) <= maxAnnotationLength:
-		return capsuleAnnotation, nil
-	case len(capsuleHashed) <= maxAnnotationLength:
-		return capsuleHashed, nil
-	case len(hashed) <= maxAnnotationLength:
-		return hashed, nil
-	default:
-		return "", fmt.Errorf("the annotation name would exceed the maximum supported length (%d), skipping", maxAnnotationLength)
-	}
+func UsedQuotaFor(resource fmt.Stringer) string {
+	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
 }

-func UsedQuotaFor(resource fmt.Stringer) (string, error) {
-	return createAnnotation("quota.capsule.clastix.io/used-", resource)
-}
-
-func HardQuotaFor(resource fmt.Stringer) (string, error) {
-	return createAnnotation("quota.capsule.clastix.io/hard-", resource)
+func HardQuotaFor(resource fmt.Stringer) string {
+	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
 }
--- a/api/v1beta2/tenant_conversion_hub.go
+++ b/api/v1beta2/tenant_conversion_hub.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -10,8 +10,8 @@ import (

 	"sigs.k8s.io/controller-runtime/pkg/conversion"

-	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
-	"github.com/projectcapsule/capsule/pkg/api"
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+	"github.com/clastix/capsule/pkg/api"
 )

 func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
--- a/api/v1beta2/tenant_func.go
+++ b/api/v1beta2/tenant_func.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_labels.go
+++ b/api/v1beta2/tenant_labels.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_status.go
+++ b/api/v1beta2/tenant_status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/tenant_types.go
+++ b/api/v1beta2/tenant_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -6,7 +6,7 @@ package v1beta2
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 // TenantSpec defines the desired state of Tenant.
@@ -76,7 +76,9 @@ type Tenant struct {
 func (in *Tenant) GetNamespaces() (res []string) {
 	res = make([]string, 0, len(in.Status.Namespaces))

-	res = append(res, in.Status.Namespaces...)
+	for _, ns := range in.Status.Namespaces {
+		res = append(res, ns)
+	}

 	return
 }
--- a/api/v1beta2/tenantresource_global.go
+++ b/api/v1beta2/tenantresource_global.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -25,9 +25,8 @@ type GlobalTenantResourceStatus struct {

 type ProcessedItems []ObjectReferenceStatus

-func (p *ProcessedItems) AsSet() sets.Set[string] {
-	set := sets.New[string]()
-
+func (p *ProcessedItems) AsSet() sets.String {
+	set := sets.NewString()
 	for _, i := range *p {
 		set.Insert(i.String())
 	}
--- a/api/v1beta2/tenantresource_namespaced.go
+++ b/api/v1beta2/tenantresource_namespaced.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
@@ -7,7 +7,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 )

 // TenantResourceSpec defines the desired state of TenantResource.
--- a/api/v1beta2/tenantresource_types.go
+++ b/api/v1beta2/tenantresource_types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 package v1beta2
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 Project Capsule Authors.
+// Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
 package v1beta2

 import (
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/clastix/capsule/pkg/api"
 	"k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 type: application
 description: A Helm chart to deploy the Capsule Operator for easily implementing,
  managing, and maintaining mutitenancy and access control in Kubernetes.
-home: https://github.com/projectcapsule/capsule
-icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
+home: https://github.com/clastix/capsule
+icon: https://github.com/clastix/capsule/raw/master/assets/logo/capsule_small.png
 keywords:
 - kubernetes
 - operator
@@ -17,11 +17,12 @@ maintainers:
  name: Clastix Labs Team
 name: capsule
 sources:
- https://github.com/projectcapsule/capsule
+- https://github.com/clastix/capsule

-# The version is overwritten by the release workflow.
-version: 0.4.6
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.3.1

 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.4.0-rc.1
+appVersion: 0.2.1
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -22,15 +22,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator

 1. Add this repository:

-        $ helm repo add projectcapsule https://projectcapsule.github.io/charts
+        $ helm repo add clastix https://clastix.github.io/charts

 2. Install the Chart:

-        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
-
-        or
-
-        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
+        $ helm install capsule clastix/capsule -n capsule-system --create-namespace

 3. Show the status:

@@ -38,11 +34,7 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator

 4. Upgrade the Chart

-        $ helm upgrade capsule projectcapsule/capsule -n capsule-system
-
-        or
-
-        $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
+        $ helm upgrade capsule clastix/capsule -n capsule-system

 5. Uninstall the Chart

@@ -74,19 +66,15 @@ Here the values you can override:
 | certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
 | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
 | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
-| imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
 | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
-| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
 | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
 | jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
 | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
-| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
 | podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
-| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
@@ -94,7 +82,6 @@ Here the values you can override:
 | tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
 | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
 | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
-| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
 | validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |

 ### Manager Parameters
@@ -103,23 +90,21 @@ Here the values you can override:
 |-----|------|---------|-------------|
 | manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode.  Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
 | manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
-| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
-| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
+| manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. |
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| manager.imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
 | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
 | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
 | manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups |
 | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
 | manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
 | manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 |
-| manager.options.nodeMetadata | object | `{"forbiddenAnnotations":{"denied":[],"deniedRegex":""},"forbiddenLabels":{"denied":[],"deniedRegex":""}}` | Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant |
 | manager.options.protectedNamespaceRegex | string | `""` | If specified, disallows creation of namespaces matching the passed regexp |
 | manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
 | manager.resources.limits.cpu | string | `"200m"` |  |
 | manager.resources.limits.memory | string | `"128Mi"` |  |
 | manager.resources.requests.cpu | string | `"200m"` |  |
 | manager.resources.requests.memory | string | `"128Mi"` |  |
-| manager.webhookPort | int | `9443` | Set an alternative to the default container port.  Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |

 ### ServiceMonitor Parameters

@@ -134,6 +119,8 @@ Here the values you can override:
 | serviceMonitor.labels | object | `{}` | Assign additional labels according to Prometheus' serviceMonitorSelector matching labels |
 | serviceMonitor.matchLabels | object | `{}` | Change matching labels |
 | serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
+| serviceMonitor.serviceAccount.name | string | `"capsule"` | ServiceAccount for Metrics RBAC |
+| serviceMonitor.serviceAccount.namespace | string | `"capsule-system"` | ServiceAccount Namespace for Metrics RBAC |
 | serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |

 ### Webhook Parameters
@@ -170,7 +157,6 @@ Here the values you can override:
 | webhooks.services.failurePolicy | string | `"Fail"` |  |
 | webhooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
 | webhooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.tenantResourceObjects.failurePolicy | string | `"Fail"` |  |
 | webhooks.tenants.failurePolicy | string | `"Fail"` |  |

 ## Created resources
@@ -206,7 +192,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 You can enable the generation of certificates using `cert-manager` as follows.

 ```
-helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
+helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
  --set "certManager.generateCertificates=true" \
  --set "tls.create=false" \
  --set "tls.enableController=false"
@@ -231,4 +217,4 @@ metadata:

 ## More

-See Capsule [tutorial](https://github.com/projectcapsule/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
--- a/charts/capsule/README.md.gotmpl
+++ b/charts/capsule/README.md.gotmpl
@@ -22,15 +22,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator

 1. Add this repository:

-        $ helm repo add projectcapsule https://projectcapsule.github.io/charts
+        $ helm repo add clastix https://clastix.github.io/charts

 2. Install the Chart:

-        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
-
-        or
-
-        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
+        $ helm install capsule clastix/capsule -n capsule-system --create-namespace

 3. Show the status:

@@ -38,11 +34,7 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator

 4. Upgrade the Chart

-        $ helm upgrade capsule projectcapsule/capsule -n capsule-system
-
-        or
-
-        $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
+        $ helm upgrade capsule clastix/capsule -n capsule-system

 5. Uninstall the Chart

@@ -140,7 +132,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 You can enable the generation of certificates using `cert-manager` as follows.

 ```
-helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
+helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
  --set "certManager.generateCertificates=true" \
  --set "tls.create=false" \
  --set "tls.enableController=false"
@@ -165,4 +157,4 @@ metadata:

 ## More

-See Capsule [tutorial](https://github.com/projectcapsule/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
--- a/charts/capsule/crds/tenant-crd.yaml
+++ b/charts/capsule/crds/tenant-crd.yaml
--- a/charts/capsule/templates/_helpers.tpl
+++ b/charts/capsule/templates/_helpers.tpl
@@ -80,7 +80,7 @@ Create the name of the service account to use
 Create the manager fully-qualified Docker image to use
 */}}
 {{- define "capsule.managerFullyQualifiedDockerImage" -}}
-{{- printf "%s/%s:%s" .Values.manager.image.registry  .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
+{{- printf "%s:%s" .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
 {{- end }}

 {{/*
@@ -106,9 +106,9 @@ Create the jobs fully-qualified Docker image to use
 */}}
 {{- define "capsule.jobsFullyQualifiedDockerImage" -}}
 {{- if .Values.jobs.image.tag }}
-{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
 {{- else }}
-{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
+{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
 {{- end }}
 {{- end }}

--- a/charts/capsule/templates/configuration-default.yaml
+++ b/charts/capsule/templates/configuration-default.yaml
@@ -20,7 +20,3 @@ spec:
    - {{ . }}
 {{- end}}
  protectedNamespaceRegex: {{ .Values.manager.options.protectedNamespaceRegex | quote }}
-  {{- with .Values.manager.options.nodeMetadata }}
-  nodeMetadata:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
--- a/charts/capsule/templates/daemonset.yaml
+++ b/charts/capsule/templates/daemonset.yaml
@@ -29,10 +29,6 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
      {{- if .Values.manager.hostNetwork }}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
@@ -60,7 +56,6 @@ spec:
          command:
          - /manager
          args:
-          - --webhook-port={{ .Values.manager.webhookPort }}
          - --enable-leader-election
          - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
          - --configuration-name=default
@@ -73,7 +68,7 @@ spec:
                fieldPath: metadata.namespace
          ports:
            - name: webhook-server
-              containerPort: {{ .Values.manager.webhookPort }}
+              containerPort: 9443
              protocol: TCP
            - name: metrics
              containerPort: 8080
@@ -89,5 +84,5 @@ spec:
          resources:
            {{- toYaml .Values.manager.resources | nindent 12 }}
          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            allowPrivilegeEscalation: false
 {{- end }}
--- a/charts/capsule/templates/deployment.yaml
+++ b/charts/capsule/templates/deployment.yaml
@@ -28,10 +28,6 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
      {{- if .Values.manager.hostNetwork }}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
@@ -49,10 +45,6 @@ spec:
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with .Values.topologySpreadConstraints }}
-      topologySpreadConstraints:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
      volumes:
        - name: cert
          secret:
@@ -60,8 +52,9 @@ spec:
            secretName: {{ include "capsule.secretTlsName" . }}
      containers:
        - name: manager
+          command:
+          - /manager
          args:
-          - --webhook-port={{ .Values.manager.webhookPort }}
          - --enable-leader-election
          - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
          - --configuration-name=default
@@ -74,7 +67,7 @@ spec:
                fieldPath: metadata.namespace
          ports:
            - name: webhook-server
-              containerPort: {{ .Values.manager.webhookPort }}
+              containerPort: 9443
              protocol: TCP
            - name: metrics
              containerPort: 8080
@@ -90,5 +83,5 @@ spec:
          resources:
            {{- toYaml .Values.manager.resources | nindent 12 }}
          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            allowPrivilegeEscalation: false
 {{- end }}
--- a/charts/capsule/templates/metrics-rbac.yaml
+++ b/charts/capsule/templates/metrics-rbac.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- if .Values.serviceMonitor.labels }}
+    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+  {{- end }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "capsule.fullname" . }}-metrics-role
+  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+    {{- if .Values.serviceMonitor.labels }}
+    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- end }}
+  name: {{ include "capsule.fullname" . }}-metrics-rolebinding
+  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "capsule.fullname" . }}-metrics-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceMonitor.serviceAccount.name }}
+  namespace: {{ .Values.serviceMonitor.serviceAccount.namespace | default .Release.Namespace }}
+{{- end }}
--- a/charts/capsule/templates/post-install-job.yaml
+++ b/charts/capsule/templates/post-install-job.yaml
@@ -45,11 +45,5 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
 {{- end }}
--- a/charts/capsule/templates/pre-delete-job.yaml
+++ b/charts/capsule/templates/pre-delete-job.yaml
@@ -47,10 +47,4 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
--- a/charts/capsule/templates/validatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/validatingwebhookconfiguration.yaml
@@ -257,38 +257,6 @@ webhooks:
      scope: Namespaced
  sideEffects: None
  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
- admissionReviewVersions:
-    - v1
-  clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: capsule-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /tenantresource-objects
-  failurePolicy:  {{ .Values.webhooks.tenantResourceObjects.failurePolicy }}
-  name: resource-objects.tenant.capsule.clastix.io
-  namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
-  objectSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/resources
-        operator: Exists
-  rules:
-    - apiGroups:
-        - '*'
-      apiVersions:
-        - '*'
-      operations:
-        - UPDATE
-        - DELETE
-      resources:
-        - '*'
-      scope: Namespaced
-  sideEffects: None
 - admissionReviewVersions:
    - v1
    - v1beta1
--- a/charts/capsule/templates/webhook-service.yaml
+++ b/charts/capsule/templates/webhook-service.yaml
@@ -13,7 +13,7 @@ spec:
  - port: 443
    name: https
    protocol: TCP
-    targetPort: {{ .Values.manager.webhookPort }}
+    targetPort: 9443
  selector:
    {{- include "capsule.selectorLabels" . | nindent 4 }}
  sessionAffinity: None
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -18,15 +18,16 @@ manager:
  kind: Deployment

  image:
-     # -- Set the image registry of capsule.
-    registry: ghcr.io
-    # -- Set the image repository of capsule.
-    repository: projectcapsule/capsule
+    # -- Set the image repository of the capsule.
+    repository: clastix/capsule
    # -- Set the image pull policy.
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion.
    tag: ''

+  # -- Configuration for `imagePullSecrets` so that you can use a private images registry.
+  imagePullSecrets: []
+
  # -- Specifies if the container should be started in hostNetwork mode.
  #
  # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
@@ -34,13 +35,6 @@ manager:
  # with pods' IP CIDR and admission webhooks are not working
  hostNetwork: false

-  # -- Set an alternative to the default container port.
-  #
-  # Useful for use in some kubernetes clusters (such as GKE Private) with
-  # aggregator routing turned on, because pod ports have to be opened manually
-  # on the firewall side
-  webhookPort: 9443
-
  # Additional Capsule Controller Options
  options:
    # -- Set the log verbosity of the capsule with a value from 1 to 10
@@ -53,14 +47,6 @@ manager:
    protectedNamespaceRegex: ""
    # -- Specifies whether capsule webhooks certificates should be generated by capsule operator
    generateCertificates: true
-    # -- Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant
-    nodeMetadata:
-      forbiddenLabels:
-        denied: []
-        deniedRegex: ""
-      forbiddenAnnotations:
-        denied: []
-        deniedRegex: ""

  # -- Configure the liveness probe using Deployment probe spec
  livenessProbe:
@@ -82,9 +68,6 @@ manager:
      cpu: 200m
      memory: 128Mi

-# -- Configuration for `imagePullSecrets` so that you can use a private images registry.
-imagePullSecrets: []
-
 # -- Annotations to add to the capsule pod.
 podAnnotations: {}
 #  The following annotations guarantee scheduling for critical add-on pods
@@ -94,23 +77,6 @@ podAnnotations: {}
 # -- Set the priority class name of the Capsule pod
 priorityClassName: '' # system-cluster-critical

-# -- Set the securityContext for the Capsule pod
-podSecurityContext:
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsGroup: 1002
-  runAsNonRoot: true
-  runAsUser: 1002
-
-
-# -- Set the securityContext for the Capsule container
-securityContext:
-  capabilities:
-    drop:
-    - ALL
-  allowPrivilegeEscalation: false
-  readOnlyRootFilesystem: true
-
 # -- Set the node selector for the Capsule pod
 nodeSelector: {}
 #  node-role.kubernetes.io/master: ""
@@ -128,17 +94,12 @@ replicaCount: 1
 # -- Set affinity rules for the Capsule pod
 affinity: {}

-# -- Set topology spread constraints for the Capsule pod
-topologySpreadConstraints: []
-
 podSecurityPolicy:
  # -- Specify if a Pod Security Policy must be created
  enabled: false

 jobs:
  image:
-    # -- Set the image repository of the helm chart job
-    registry: docker.io
    # -- Set the image repository of the helm chart job
    repository: clastix/kubectl
    # -- Set the image pull policy of the helm chart job
@@ -203,8 +164,6 @@ webhooks:
          operator: Exists
  tenants:
    failurePolicy: Fail
-  tenantResourceObjects:
-    failurePolicy: Fail
  services:
    failurePolicy: Fail
    namespaceSelector:
@@ -253,6 +212,11 @@ serviceMonitor:
  matchLabels: {}
  # -- Set targetLabels for the serviceMonitor
  targetLabels: []
+  serviceAccount:
+    # -- ServiceAccount for Metrics RBAC
+    name: capsule
+    # -- ServiceAccount Namespace for Metrics RBAC
+    namespace: capsule-system
  endpoint:
    # -- Set the scrape interval for the endpoint of the serviceMonitor
    interval: "15s"
--- a/config/crd/bases/capsule.clastix.io_tenants.yaml
+++ b/config/crd/bases/capsule.clastix.io_tenants.yaml
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -790,44 +790,44 @@ spec:
                  description: NetworkPolicySpec provides the specification of a NetworkPolicy
                  properties:
                    egress:
-                      description: egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
+                      description: List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
                      items:
                        description: NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8
                        properties:
                          ports:
-                            description: ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                            description: List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
                            items:
                              description: NetworkPolicyPort describes a port to allow traffic on
                              properties:
                                endPort:
-                                  description: endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
                                  format: int32
                                  type: integer
                                port:
                                  anyOf:
                                  - type: integer
                                  - type: string
-                                  description: port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                  x-kubernetes-int-or-string: true
                                protocol:
                                  default: TCP
-                                  description: protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                                  description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
                                  type: string
                              type: object
                            type: array
                          to:
-                            description: to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
+                            description: List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
                            items:
                              description: NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
                              properties:
                                ipBlock:
-                                  description: ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                                  description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
                                  properties:
                                    cidr:
-                                      description: cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+                                      description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
                                      type: string
                                    except:
-                                      description: except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
+                                      description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
                                      items:
                                        type: string
                                      type: array
@@ -835,7 +835,7 @@ spec:
                                  - cidr
                                  type: object
                                namespaceSelector:
-                                  description: "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."
+                                  description: "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector."
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -866,7 +866,7 @@ spec:
                                  type: object
                                  x-kubernetes-map-type: atomic
                                podSelector:
-                                  description: "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."
+                                  description: "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace."
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -901,23 +901,23 @@ spec:
                        type: object
                      type: array
                    ingress:
-                      description: ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
+                      description: List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
                      items:
                        description: NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
                        properties:
                          from:
-                            description: from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
+                            description: List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
                            items:
                              description: NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
                              properties:
                                ipBlock:
-                                  description: ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                                  description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
                                  properties:
                                    cidr:
-                                      description: cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+                                      description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
                                      type: string
                                    except:
-                                      description: except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
+                                      description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
                                      items:
                                        type: string
                                      type: array
@@ -925,7 +925,7 @@ spec:
                                  - cidr
                                  type: object
                                namespaceSelector:
-                                  description: "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."
+                                  description: "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector."
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -956,7 +956,7 @@ spec:
                                  type: object
                                  x-kubernetes-map-type: atomic
                                podSelector:
-                                  description: "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."
+                                  description: "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace."
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -989,30 +989,30 @@ spec:
                              type: object
                            type: array
                          ports:
-                            description: ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                            description: List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
                            items:
                              description: NetworkPolicyPort describes a port to allow traffic on
                              properties:
                                endPort:
-                                  description: endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
                                  format: int32
                                  type: integer
                                port:
                                  anyOf:
                                  - type: integer
                                  - type: string
-                                  description: port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                  x-kubernetes-int-or-string: true
                                protocol:
                                  default: TCP
-                                  description: protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                                  description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
                                  type: string
                              type: object
                            type: array
                        type: object
                      type: array
                    podSelector:
-                      description: podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
+                      description: Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1043,7 +1043,7 @@ spec:
                      type: object
                      x-kubernetes-map-type: atomic
                    policyTypes:
-                      description: policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                      description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                      items:
                        description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                        type: string
@@ -1378,44 +1378,44 @@ spec:
                      description: NetworkPolicySpec provides the specification of a NetworkPolicy
                      properties:
                        egress:
-                          description: egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
+                          description: List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
                          items:
                            description: NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8
                            properties:
                              ports:
-                                description: ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                                description: List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
                                items:
                                  description: NetworkPolicyPort describes a port to allow traffic on
                                  properties:
                                    endPort:
-                                      description: endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
                                      format: int32
                                      type: integer
                                    port:
                                      anyOf:
                                      - type: integer
                                      - type: string
-                                      description: port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                      x-kubernetes-int-or-string: true
                                    protocol:
                                      default: TCP
-                                      description: protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                                      description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
                                      type: string
                                  type: object
                                type: array
                              to:
-                                description: to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
+                                description: List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
                                items:
                                  description: NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
                                  properties:
                                    ipBlock:
-                                      description: ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                                      description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
                                      properties:
                                        cidr:
-                                          description: cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+                                          description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
                                          type: string
                                        except:
-                                          description: except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
+                                          description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
                                          items:
                                            type: string
                                          type: array
@@ -1423,7 +1423,7 @@ spec:
                                      - cidr
                                      type: object
                                    namespaceSelector:
-                                      description: "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."
+                                      description: "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1454,7 +1454,7 @@ spec:
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    podSelector:
-                                      description: "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."
+                                      description: "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1489,23 +1489,23 @@ spec:
                            type: object
                          type: array
                        ingress:
-                          description: ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
+                          description: List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
                          items:
                            description: NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
                            properties:
                              from:
-                                description: from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
+                                description: List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
                                items:
                                  description: NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
                                  properties:
                                    ipBlock:
-                                      description: ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                                      description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
                                      properties:
                                        cidr:
-                                          description: cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+                                          description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
                                          type: string
                                        except:
-                                          description: except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
+                                          description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
                                          items:
                                            type: string
                                          type: array
@@ -1513,7 +1513,7 @@ spec:
                                      - cidr
                                      type: object
                                    namespaceSelector:
-                                      description: "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."
+                                      description: "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1544,7 +1544,7 @@ spec:
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    podSelector:
-                                      description: "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."
+                                      description: "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1577,30 +1577,30 @@ spec:
                                  type: object
                                type: array
                              ports:
-                                description: ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                                description: List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
                                items:
                                  description: NetworkPolicyPort describes a port to allow traffic on
                                  properties:
                                    endPort:
-                                      description: endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
                                      format: int32
                                      type: integer
                                    port:
                                      anyOf:
                                      - type: integer
                                      - type: string
-                                      description: port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                      x-kubernetes-int-or-string: true
                                    protocol:
                                      default: TCP
-                                      description: protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                                      description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
                                      type: string
                                  type: object
                                type: array
                            type: object
                          type: array
                        podSelector:
-                          description: podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
+                          description: Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1631,7 +1631,7 @@ spec:
                          type: object
                          x-kubernetes-map-type: atomic
                        policyTypes:
-                          description: policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                          description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                          items:
                            description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                            type: string
@@ -2116,44 +2116,44 @@ spec:
                      description: NetworkPolicySpec provides the specification of a NetworkPolicy
                      properties:
                        egress:
-                          description: egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
+                          description: List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
                          items:
                            description: NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8
                            properties:
                              ports:
-                                description: ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                                description: List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
                                items:
                                  description: NetworkPolicyPort describes a port to allow traffic on
                                  properties:
                                    endPort:
-                                      description: endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
                                      format: int32
                                      type: integer
                                    port:
                                      anyOf:
                                      - type: integer
                                      - type: string
-                                      description: port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                      x-kubernetes-int-or-string: true
                                    protocol:
                                      default: TCP
-                                      description: protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                                      description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
                                      type: string
                                  type: object
                                type: array
                              to:
-                                description: to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
+                                description: List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
                                items:
                                  description: NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
                                  properties:
                                    ipBlock:
-                                      description: ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                                      description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
                                      properties:
                                        cidr:
-                                          description: cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+                                          description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
                                          type: string
                                        except:
-                                          description: except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
+                                          description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
                                          items:
                                            type: string
                                          type: array
@@ -2161,7 +2161,7 @@ spec:
                                      - cidr
                                      type: object
                                    namespaceSelector:
-                                      description: "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."
+                                      description: "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -2192,7 +2192,7 @@ spec:
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    podSelector:
-                                      description: "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."
+                                      description: "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -2227,23 +2227,23 @@ spec:
                            type: object
                          type: array
                        ingress:
-                          description: ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
+                          description: List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
                          items:
                            description: NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
                            properties:
                              from:
-                                description: from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
+                                description: List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
                                items:
                                  description: NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
                                  properties:
                                    ipBlock:
-                                      description: ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                                      description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
                                      properties:
                                        cidr:
-                                          description: cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+                                          description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
                                          type: string
                                        except:
-                                          description: except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
+                                          description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
                                          items:
                                            type: string
                                          type: array
@@ -2251,7 +2251,7 @@ spec:
                                      - cidr
                                      type: object
                                    namespaceSelector:
-                                      description: "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."
+                                      description: "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -2282,7 +2282,7 @@ spec:
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    podSelector:
-                                      description: "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."
+                                      description: "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace."
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -2315,30 +2315,30 @@ spec:
                                  type: object
                                type: array
                              ports:
-                                description: ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                                description: List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
                                items:
                                  description: NetworkPolicyPort describes a port to allow traffic on
                                  properties:
                                    endPort:
-                                      description: endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
                                      format: int32
                                      type: integer
                                    port:
                                      anyOf:
                                      - type: integer
                                      - type: string
-                                      description: port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                      x-kubernetes-int-or-string: true
                                    protocol:
                                      default: TCP
-                                      description: protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                                      description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
                                      type: string
                                  type: object
                                type: array
                            type: object
                          type: array
                        podSelector:
-                          description: podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
+                          description: Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -2369,7 +2369,7 @@ spec:
                          type: object
                          x-kubernetes-map-type: atomic
                        policyTypes:
-                          description: policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                          description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                          items:
                            description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                            type: string
@@ -2416,8 +2416,6 @@ spec:
                            - StorageClasses
                            - IngressClasses
                            - PriorityClasses
-                            - RuntimeClasses
-                            - PersistentVolumes
                            type: string
                          operations:
                            items:
@@ -2762,12 +2760,14 @@ spec:
        - --zap-encoder=console
        - --zap-log-level=debug
        - --configuration-name=capsule-default
+        command:
+        - /manager
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: ghcr.io/projectcapsule/capsule
+        image: clastix/capsule:v0.2.1
        imagePullPolicy: IfNotPresent
        name: manager
        ports:
@@ -3110,35 +3110,6 @@ webhooks:
    - services
    scope: Namespaced
  sideEffects: None
- admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: capsule-webhook-service
-      namespace: capsule-system
-      path: /tenantresource-objects
-  failurePolicy: Fail
-  name: resource-objects.tenant.capsule.clastix.io
-  namespaceSelector:
-    matchExpressions:
-    - key: capsule.clastix.io/tenant
-      operator: Exists
-  objectSelector:
-    matchExpressions:
-    - key: capsule.clastix.io/resources
-      operator: Exists
-  rules:
-  - apiGroups:
-    - '*'
-    apiVersions:
-    - '*'
-    operations:
-    - UPDATE
-    - DELETE
-    resources:
-    - '*'
-    scope: Namespaced
-  sideEffects: None
 - admissionReviewVersions:
  - v1
  clientConfig:
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -6,4 +6,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: ghcr.io/projectcapsule/capsule
+  newName: clastix/capsule
+  newTag: v0.2.1
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -23,7 +23,9 @@ spec:
        control-plane: controller-manager
    spec:
      containers:
-      - args:
+      - command:
+        - /manager
+        args:
        - --enable-leader-election
        - --zap-encoder=console
        - --zap-log-level=debug
--- a/config/prometheus/kustomization.yaml
+++ b/config/prometheus/kustomization.yaml
@@ -1,2 +1,4 @@
 resources:
 - monitor.yaml
+- role.yaml
+- rolebinding.yaml
--- a/Show More
+++ b/Show More