https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/Recent content in Best Practices on CapsuleHugo -- gohugo.ioenhttps://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/workloads/Mon, 01 Jan 0001 00:00:00 +0000https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/workloads/User Namespaces Info The FeatureGate UserNamespacesSupport is active by default since Kubernetes 1.33. However every pod must still opt-in When you are also enabling the FeatureGate UserNamespacesPodSecurityStandards you may relax the Pod Security Standards for your workloads. Read More A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/networking/Mon, 01 Jan 0001 00:00:00 +0000https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/networking/Network-Policies It’s a best practice to not allow any traffic outside of a tenant (or a tenant’s namespace). For this we can use Tenant Replications to ensure we have for every namespace Networkpolicies in place. The following NetworkPolicy is distributed to all namespaces which belong to a Capsule tenant: apiVersion: capsule.clastix.io/v1beta2 kind: GlobalTenantResource metadata: name: default-networkpolicies namespace: solar-system spec: resyncPeriod: 60s resources: - rawItems: - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-policy spec: # Apply to all pods in this namespace podSelector: {} policyTypes: - Ingress - Egress ingress: # Allow traffic from the same namespace (intra-namespace communication) - from: - podSelector: {} # Allow traffic from all namespaces within the tenant - from: - namespaceSelector: matchLabels: capsule.https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/images/Mon, 01 Jan 0001 00:00:00 +0000https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/images/Until this issue is resolved (might be in Kubernetes 1.34) it’s recommended to use the ImagePullPolicy Always for private registries on shared nodes. This ensures that no images can be used which are already pulled to the node.