<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Project Capsule on Capsule</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/</link><description>Recent content in Project Capsule on Capsule</description><generator>Hugo -- gohugo.io</generator><language>en</language><atom:link href="https://deploy-preview-82--docs-projectcapsule.netlify.app/index.xml" rel="self" type="application/rss+xml"/><item><title>Installation</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/setup/installation/</link><pubDate>Thu, 05 Jan 2017 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/setup/installation/</guid><description>Capsule Proxy is an optional add-on of the main Capsule Operator, so make sure you have a working instance of Capsule before attempting to install it. Use the capsule-proxy only if you want Tenant Owners to list their Cluster-Scope resources.
The capsule-proxy can be deployed in standalone mode, e.g. running as a pod bridging any Kubernetes client to the API server. Optionally, it can be deployed as a sidecar container in the backend of a dashboard.</description></item><item><title>GlobalTenantResources</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/replications/global/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/replications/global/</guid><description>Overview GlobalTenantResource is a cluster-scoped CRD designed for cluster administrators. It lets you automatically replicate Kubernetes resources - such as Secrets, ConfigMaps, or custom resources - into the Namespaces of selected Tenants. Tenant owners cannot create GlobalTenantResource objects; for tenant-scoped replication, see TenantResource.
The diagram below shows that an Administrator can create a GlobalTenantResource. In the GlobalTenantResource spec, an Administrator specifies which resource they would like to replicate, and where this resource should be replicated to.</description></item><item><title>Guidelines</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/contributions/guidelines/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/contributions/guidelines/</guid><description>The following guidelines outline the semantics and processes which apply to technical contributions to the project.
Supported Versions Versions follow Semantic Versioning terminology and are expressed as x.y.z:
where x is the major version, y is the minor version and z is the patch version. Security fixes may be backported to the three most recent minor releases, depending on severity and feasibility.
Prereleases are marked as -rc.x (release candidate) and may refer to any type of version bump.</description></item><item><title>Installation</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/installation/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/installation/</guid><description>Requirements Helm 3 is required when installing the Capsule Operator chart. Follow Helm’s official documentation for installing Helm on your operating system. A Kubernetes cluster (v1.16+) with the following Admission Controllers enabled: PodNodeSelector LimitRanger ResourceQuota MutatingAdmissionWebhook ValidatingAdmissionWebhook A Kubeconfig file accessing the Kubernetes cluster with cluster admin permissions. Cert-Manager is required by default but can be disabled. It is used to manage the TLS certificates for the Capsule Admission Webhooks. Installation We officially only support the installation of Capsule using the Helm chart.
kubectl create -f - &amp;lt;&amp;lt; EOF apiVersion: capsule.clastix.io/v1beta2 kind: Tenant metadata: name: oil spec: permissions: matchOwners: - matchLabels: team: platform owners: - name: alice kind: Us You can check the tenant just created $ kubectl get tenants NAME STATE NAMESPACE QUOTA NAMESPACE COUNT NODE SELECTOR READY STATUS AGE oil Active 0 True reconciled 13s We create dedicated TenantOwners who represent cluster administrators.</description></item><item><title>Resources</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/resources/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/resources/</guid><description>2026 REX Ubisoft - Quand et comment partager un cluster : retour d&amp;rsquo;expérience sur Capsule chez Ubisoft video 25 Feb, 2026 REX DINUM -Les ingrédients multitenancy et authentification pour une distribution k8s open-source video 25 Feb, 2026 REX Renault - Kubernetes as a Service : sécurité, innovation et self-service à grande échelle video 25 Feb, 2026 2025 The State of Multi-tenancy in Kubernetes by LoftLabs video 27 Feb, 2025 Kubernetes Multi-tenancy Spectrum by Daniele Polencic article 10 Feb, 2025 2024 Taming the Kube tenancy kraken (Capsule with Rancher) video 12 Dec, 2024 Painless Multi-Tenant Kafka on Kubernetes with Istio at ASML - Thomas Reichel &amp;amp; Dominique Chanet video 7 Oct, 2024 NVIDIA Case Study: The Many Facets of Building + Delivering AI in the Cloud video 14 Nov, 2024 2023 Confused by Kubernetes Multi-Tenancy?
cluster if they are allowed to create TenantResources. To immediately mitigate this, make sure to use Impersonation for TenantResources.
Advisory GHSA-2ww6-hf35-mfjm - Moderate - Users may hijack namespaces via namespaces/status privileges. These privileges must have been explicitly granted by Platform Administrators through RBAC rules to be affected. Requests for the namespaces/status subresource are now sent to the Capsule admission webhook as well.</description></item><item><title>ProxySettings</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/proxysettings/</link><pubDate>Tue, 20 Feb 2024 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/proxysettings/</guid><description>The configuration for the Proxy is also declarative via CRDs. This allows both Administrators and Tenant Owners to create flexible rules.
GlobalProxysettings As an administrator, you might need to allow users to query cluster-scoped resources which are not directly linked to any tenant. In that case you can grant cluster-scoped LIST privileges to any subject, regardless of their tenant association. For example:
apiVersion: capsule.</description></item><item><title>Admission Policies</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/admission-policies/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/admission-policies/</guid><description>As Capsule we try to provide a secure multi-tenant environment out of the box, there are however some additional Admission Policies you should consider to enforce best practices in your cluster. Since Capsule only covers the core multi-tenancy features, such as Namespaces, Resource Quotas, Network Policies, and Container Registries, Classes, you should consider using an additional Admission Controller to enforce best practices on workloads and other resources.
Custom Create custom Policies and reuse data provided via Tenant Status to enforce your own rules.</description></item><item><title>Adoption</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/contributions/adoption/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/contributions/adoption/</guid><description>Have your tried Capsule or are you using it in your project or company? Please consider adding your project/company to the list of adopters. This helps the Capsule community understand who is using Capsule and how it is being used.
Adding yourself In the adopters.yaml file you can add yourself as an adopter of the project. You just need to add an entry for your company and upon merging it will automatically be added to our website.</description></item><item><title>Architecture</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/architecture/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/architecture/</guid><description>Key Decisions Introducing a new separation of duties can lead to a significant paradigm shift. This has technical implications and may also impact your organizational structure. Therefore, when designing a multi-tenant platform pattern, carefully consider the following aspects. As Cluster Administrator, ask yourself:
🔑 How much ownership can be delegated to Tenant Owners (Platform Users)? The answer to this question may be influenced by the following aspects:
Are the Cluster Administrators willing to grant permissions to Tenant Owners?</description></item><item><title>Configuration</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/configuration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/configuration/</guid><description>The configuration for the capsule controller is done via its dedicated configuration Custom Resource. You can explain the configuration options and how to use them:
CapsuleConfiguration The configuration for Capsule is done via its dedicated configuration Custom Resource. You can explain the configuration options and how to use them:
kubectl explain capsuleConfiguration.spec administrators These entities are automatically owners for all existing tenants, meaning they can add namespaces to any tenant. However, they must be explicit by using the capsule label when interacting with namespaces.</description></item><item><title>Controller Options</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/setup/options/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/setup/options/</guid><description>You can customize the Capsule Proxy with the following configurations.
Controller Options You can provide additional options via the helm chart:
options: extraArgs: - --disable-caching=true Options are also available as dedicated configuration values:
# Controller Options options: # -- Set the listening port of the capsule-proxy listeningPort: 9001 # -- Set leader election to true if you are running n-replicas leaderElection: false # -- Set the log verbosity of the capsule-proxy with a value from 1 to 10 logLevel: 4 # -- Name of the CapsuleConfiguration custom resource used by Capsule, required to identify the user groups capsuleConfigurationName: default # -- Define which groups must be ignored while proxying requests ignoredUserGroups: [] # -- Specify if capsule-proxy will use SSL oidcUsernameClaim: preferred_username # -- Specify if capsule-proxy will use SSL enableSSL: true # -- Set the directory, where SSL certificate and keyfile will be located SSLDirectory: /opt/capsule-proxy # -- Set the name of SSL certificate file SSLCertFileName: tls.</description></item><item><title>Namespace Migration Across Tenants</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/guides/namespace-migration-across-tenants/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/guides/namespace-migration-across-tenants/</guid><description>Capsule relies on two components to associate a given namespace with a tenant.
Namespace&amp;rsquo;s OwnerReference.name pointing to the Tenant definition Namespace&amp;rsquo;s OwnerReference.uid pointing to the Tenant definition If a cluster administrator changes the Namespace by matching the other Tenant with the proper UID and name, the Namespace can be easily transferred.
kubectl get tenants NAME STATE NAMESPACE QUOTA NAMESPACE COUNT NODE SELECTOR AGE solar Active 1 46s wind Active 1 39s Get tenant&amp;rsquo;s metadata.</description></item><item><title>Namespaces</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/namespaces/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/namespaces/</guid><description>Alice, once logged with her credentials, can create a new Namespace in her Tenant, as simply issuing:
kubectl create ns solar-production Alice prefixed the name of the Namespace with the name of the Tenant: this is not a strict requirement but it is highly recommended, because many different Tenants are likely to want to call their Namespaces production, test, demo, etc. Enforcement of this naming convention is optional and can be controlled by the cluster administrator with the forceTenantPrefix option.</description></item><item><title>TenantResources</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/replications/tenant/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/replications/tenant/</guid><description>Overview TenantResource is a namespace-scoped CRD that lets Tenant owners automatically replicate Kubernetes resources across all Namespaces in their Tenant - without manual distribution or custom automation. It is the tenant-level counterpart to GlobalTenantResource, which is reserved for cluster administrators.
The diagram below shows that an Administrator or a Tenant Owner can create a TenantResource inside a Tenant. In the TenantResource spec, a user specifies which resource they would like to replicate across the Tenant.</description></item><item><title>Addons</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/contributions/addons/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/contributions/addons/</guid><description>Have you written an operator or some other automation which integrates with the capsule core project? Feel free to add your addon to the capsule ecosystem overview
Adding an addon In the addons.yaml file you can add an addon to the ecosystem. You just need to add an entry for your addon and upon merging it will automatically be added to our website. To add your organization follow these steps:</description></item><item><title>Governance</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/governance/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/governance/</guid><description>The Capsule project is dedicated to creating a multi-tenancy and policy-based framework for Kubernetes. This governance explains how the project is run.
Values Maintainers Becoming a Maintainer Removing a Maintainer Meetings CNCF Resources Code of Conduct Security Response Team Voting Modifying this Charter Values The Capsule and its leadership embrace the following values:
Openness: Communication and decision-making happens in the open and is discoverable for future reference. As much as possible, all discussions and work take place in public Slack channels and open repositories.</description></item><item><title>Permissions</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/permissions/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/permissions/</guid><description>Administrators Administrators are users that have full control over all Tenants and their namespaces. They are typically cluster administrators or operators who need to manage the entire cluster and all its Tenants. However as administrator you are automatically Owner of all Tenants.Tenants This means that administrators can create, delete, and manage namespaces and other resources within any Tenant, given you are using label assignments for tenants.
Ownership Capsule introduces the principal, that tenants must have owners (Tenant Owners).</description></item><item><title>Workloads</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/workloads/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/workloads/</guid><description>User Namespaces Info The FeatureGate UserNamespacesSupport is active by default since Kubernetes 1.33. However every pod must still opt-in
When you are also enabling the FeatureGate UserNamespacesPodSecurityStandards you may relax the Pod Security Standards for your workloads. Read More
A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.</description></item><item><title>Branding</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/branding/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/branding/</guid><description>Find all the available artworks and logos for the project in the CNCF Logo repository:
https://github.com/cncf/artwork/tree/main/projects/capsule</description></item><item><title>Networking</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/networking/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/networking/</guid><description>Network-Policies It&amp;rsquo;s a best practice to not allow any traffic outside of a tenant (or a tenant&amp;rsquo;s namespace). For this we can use Tenant Replications to ensure we have for every namespace Networkpolicies in place.
The following NetworkPolicy is distributed to all namespaces which belong to a Capsule tenant:
apiVersion: capsule.clastix.io/v1beta2 kind: GlobalTenantResource metadata: name: default-networkpolicies namespace: solar-system spec: resyncPeriod: 60s resources: - rawItems: - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-policy spec: # Apply to all pods in this namespace podSelector: {} policyTypes: - Ingress - Egress ingress: # Allow traffic from the same namespace (intra-namespace communication) - from: - podSelector: {} # Allow traffic from all namespaces within the tenant - from: - namespaceSelector: matchLabels: capsule.</description></item><item><title>Quotas</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/quotas/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/quotas/</guid><description>With help of Capsule, Bill, the cluster admin, can set and enforce resources quota and limits for Alice&amp;rsquo;s Tenant.
Resource Quota Deprecated This feature will be deprecated in a future release of Capsule. Instead use Resource Pools to handle any cases around distributed ResourceQuotas. With the help of Capsule, Bill, the cluster admin, can set and enforce resource quotas and limits for Alice&amp;rsquo;s Tenant. Set resource quotas for each Namespace in Alice&amp;rsquo;s Tenant by defining them in the Tenant spec:</description></item><item><title>Authentication</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/authentication/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/authentication/</guid><description>Capsule does not care about the authentication strategy used in the cluster and all the Kubernetes methods of authentication are supported. The only requirement to use Capsule is to assign tenant users to the group defined by the userGroups option in the CapsuleConfiguration, which defaults to projectcapsule.dev.
OIDC In the following guide, we&amp;rsquo;ll use Keycloak, an Open Source Identity and Access Management server capable of authenticating users via OIDC and releasing JWT tokens as proof of authentication.</description></item><item><title>Container Images</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/images/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/best-practices/images/</guid><description>Until this issue is resolved (might be in Kubernetes 1.34)
it&amp;rsquo;s recommended to use the ImagePullPolicy Always for private registries on shared nodes. This ensures that images already pulled to the node cannot be reused without a fresh pull.</description></item><item><title>Gangplank</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/gangplank/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/gangplank/</guid><description>Gangplank is a web application that allows users to authenticate with an OIDC provider and configure their kubectl configuration file with the OpenID Connect Tokens. Gangplank is based on Gangway, which is no longer maintained.
Prerequisites For Authentication you will need a Confidential OIDC client configured in your OIDC provider, such as Keycloak, Dex, or Google Cloud Identity. By default the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Gangplank client to issue tokens.</description></item><item><title>Monitoring</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/monitoring/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/monitoring/</guid><description>The Capsule dashboard allows you to track the health and performance of Capsule manager and tenants, with particular attention to resources saturation, server responses, and latencies. Prometheus and Grafana are requirements for monitoring Capsule.
ResourcePools Instrumentation for ResourcePools.
Dashboards Dashboards can be deployed via helm-chart, enable the following values:
monitoring: dashboards: enabled: true Capsule / ResourcePools Dashboard which grants a detailed overview over the ResourcePools
Rules Example rules to give you some idea, what&amp;rsquo;s possible.</description></item><item><title>Rules</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/rules/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/rules/</guid><description>Enforcement rules allow Bill, the cluster admin, to set policies and restrictions on a per-Tenant basis. These rules are enforced by Capsule Admission Webhooks when Alice, the TenantOwner, creates or modifies resources in her Namespaces. With the Rule Construct we can profile namespaces within a tenant to adhere to specific policies, depending on metadata.
Namespace Selector By default a rule is applied to all namespaces within a Tenant. However you can select a subset of namespaces to apply the rule on, by using a namespaceSelector.</description></item><item><title>Administration</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/administration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/administration/</guid><description>Cordoning Bill needs to cordon a Tenant and its Namespaces for several reasons:
Avoid accidental resource modification(s) including deletion during a Production Freeze Window During the Kubernetes upgrade, to prevent any workload updates During incidents or outages During planned maintenance of a dedicated nodes pool in a BYOD scenario With the default installation of Capsule all CREATE, UPDATE and DELETE operations performed by Capsule Users are dropped. Any Updates to Subresources (i.</description></item><item><title>Backup &amp; Restore</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/backup-restore/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/backup-restore/</guid><description>Velero is a backup and restore solution that performs data protection and disaster recovery, and migrates Kubernetes clusters from on-premises to the Cloud or between different Clouds.
When it comes to backup and restore in Kubernetes, there are two main requirements:
Configurations backup Data backup The first requirement aims to back up all the resources stored in the etcd database, for example namespaces, pods, services, deployments, etc. The second is about how to back up stateful application data stored in volumes.</description></item><item><title>Enforcement</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/enforcement/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/enforcement/</guid><description>Scheduling LimitRanges This feature will be deprecated in a future release of Capsule. Instead use TenantReplications
Bill, the cluster admin, can also set Limit Ranges for each Namespace in Alice&amp;rsquo;s Tenant by defining limits for pods and containers in the Tenant spec:
apiVersion: capsule.clastix.io/v1beta2 kind: Tenant metadata: name: solar spec: ... limitRanges: items: - limits: - type: Pod min: cpu: &amp;#34;50m&amp;#34; memory: &amp;#34;5Mi&amp;#34; max: cpu: &amp;#34;1&amp;#34; memory: &amp;#34;1Gi&amp;#34; - limits: - type: Container defaultRequest: cpu: &amp;#34;100m&amp;#34; memory: &amp;#34;10Mi&amp;#34; default: cpu: &amp;#34;200m&amp;#34; memory: &amp;#34;100Mi&amp;#34; min: cpu: &amp;#34;50m&amp;#34; memory: &amp;#34;5Mi&amp;#34; max: cpu: &amp;#34;1&amp;#34; memory: &amp;#34;1Gi&amp;#34; - limits: - type: PersistentVolumeClaim min: storage: &amp;#34;1Gi&amp;#34; max: storage: &amp;#34;10Gi&amp;#34; Limits will be inherited by all the Namespaces created by Alice.</description></item><item><title>Metadata</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/metadata/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/tenants/metadata/</guid><description>Managed By default all namespaced resources within a Namespace which are part of a Tenant labeled at admission with the following labels:
capsule.clastix.io/managed-by: &amp;lt;tenant-name&amp;gt; (Legacy label) projectcapsule.dev/tenant: &amp;lt;tenant-name&amp;gt; The labels are used by Capsule to identify resources belonging to a specific tenant. This is currently important for the Capsule Proxy to filter resources accordingly.
Namespaces RequiredMetadata The cluster admin can require tenant owners to add specific metadata as Labels and Annotations to the Namespaces they create.</description></item><item><title>Benchmark</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/overview/benchmark/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/overview/benchmark/</guid><description>The Multi-Tenancy Benchmark is a WG (Working Group) committed to achieving multi-tenancy in Kubernetes.
The Benchmarks are guidelines that validate if a Kubernetes cluster is properly configured for multi-tenancy.
As Capsule is an open source multi-tenancy operator, we decided to meet the requirements of MTB, although at the time of writing it&amp;rsquo;s in development and not ready for usage. Strictly speaking, we do not claim official conformance to MTB, but only adherence to the multi-tenancy requirements and best practices promoted by MTB.</description></item><item><title>Commitment</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/commitment/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/project/commitment/</guid><description>Our commitment is to deliver a robust, stable Tenancy specification that serves as a foundational platform for a wide range of automation use cases in multi-tenant environments. Rather than focusing on niche scenarios, our project addresses the fundamental aspects that are universally required, including:
Streamlined Permissions Management: Efficiently governing access control across diverse namespaces (tenants). Comprehensive Resource Oversight: Facilitating seamless resource management across multiple tenants. Exceptional User Experience: Prioritizing intuitive design and ease of use.</description></item><item><title>How to operate Tenants GitOps with Flux</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/guides/use-fluxcd/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/guides/use-fluxcd/</guid><description>Multi-tenancy the GitOps way This document will guide you to manage Tenant resources the GitOps way with Flux configured with the multi-tenancy lockdown.
The proposed approach consists in having Flux reconcile Tenant resources as Tenant Owners, while still providing Namespace as a Service to Tenants.
This means that Tenants can operate and declare multiple Namespaces in their own Git repositories while not escaping the policies enforced by Capsule.
Quickstart Install In order to make it work you can install the FluxCD addon via Helm:</description></item><item><title>Templating</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/templating/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/templating/</guid><description>Fast Templates For simple template cases we provide a fast templating engine. With this engine, you can use Go templates syntax to reference Tenant and Namespace fields. There are no operators or anything else supported.
Available fields are:
{{tenant.name}}: The Name of the Tenant
{{namespace}}: The Name of the Tenant
Sprout Templating Our template library is mainly based on the upstream implementation from Sprout. You can find all available functions here:</description></item><item><title>OpenShift</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/openshift/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/openshift/</guid><description>Introduction Capsule is a Kubernetes multi-tenancy operator that enables secure namespace-as-a-service in Kubernetes clusters. When combined with OpenShift&amp;rsquo;s robust security model, it provides an excellent platform for multi-tenant environments.
This guide demonstrates how to deploy Capsule and Capsule Proxy on OpenShift using the nonroot-v2 and restricted-v2 SecurityContextConstraint (SCC), ensuring tenant owners operate within OpenShift&amp;rsquo;s security boundaries.
Why Capsule on OpenShift While OpenShift can already be configured to be quite multi-tenant (together with, for example, Kyverno), Capsule takes it a step further and makes it easier to manage.</description></item><item><title>Troubleshooting</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/troubleshoting/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/troubleshoting/</guid><description/></item><item><title>Rancher</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/rancher/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/rancher/</guid><description>The integration between Rancher and Capsule aims to provide a multi-tenant Kubernetes service to users, enabling:
a self-service approach, and access to cluster-wide resources for end-users.
Tenant users will have the ability to access Kubernetes resources through:
Rancher UI, Rancher Shell, Kubernetes CLI. On the other side, administrators need to manage the Kubernetes clusters through Rancher.
Rancher provides a feature called Projects to segregate resources inside a common domain. At the same time, Projects don&amp;rsquo;t provide a way to segregate Kubernetes cluster-scoped resources.</description></item><item><title>Managed Kubernetes</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/managed-kubernetes/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/operating/setup/managed-kubernetes/</guid><description>Capsule Operator can be easily installed on a Managed Kubernetes Service. Since you do not have access to the Kubernetes API Server, you should check with the provider of the service that:
the default cluster-admin ClusterRole is accessible, and the following Admission Webhooks are enabled on the API Server:
PodNodeSelector, LimitRanger, ResourceQuota, MutatingAdmissionWebhook, ValidatingAdmissionWebhook. AWS EKS This is an example of how to install an AWS EKS cluster and one user managed by Capsule.</description></item><item><title>API Reference</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/reference/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/proxy/reference/</guid><description>Packages:
capsule.clastix.io/v1beta1 capsule.clastix.io/v1beta1 Resource Types:
GlobalProxySettings
ProxySetting
GlobalProxySettings GlobalProxySettings is the Schema for the globalproxysettings API.
Name Type Description Required
apiVersion string capsule.clastix.io/v1beta1 true
kind string GlobalProxySettings true
metadata object Refer to the Kubernetes API documentation for the fields of the metadata field. true
spec object GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. false
GlobalProxySettings.spec GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
Name Type Description Required rules []object Subjects that should receive additional permissions.</description></item><item><title>API Reference</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/reference/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/docs/reference/</guid><description>Packages:
capsule.clastix.io/v1beta2 capsule.clastix.io/v1beta1 capsule.clastix.io/v1beta2 Resource Types:
CapsuleConfiguration
GlobalTenantResource
ResourcePoolClaim
ResourcePool
TenantOwner
TenantResource
Tenant
CapsuleConfiguration CapsuleConfiguration is the Schema for the Capsule configuration API.
Name Type Description Required
apiVersion string capsule.clastix.io/v1beta2 true
kind string CapsuleConfiguration true
metadata object Refer to the Kubernetes API documentation for the fields of the metadata field. true
spec object CapsuleConfigurationSpec defines the Capsule configuration. true
status object CapsuleConfigurationStatus defines the Capsule configuration status. false
CapsuleConfiguration.spec CapsuleConfigurationSpec defines the Capsule configuration.</description></item><item><title>ArgoCD</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/argocd/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/argocd/</guid><description>Integration Resource Actions You may provide Custom Resource Actions for Capsule specific resources and interactions.
Namespace Resource Actions With the following configuration, ArgoCD will show Cordon and Resume actions for the Namespace resource. The Cordon action will set the projectcapsule.dev/cordoned label to true, while the Resume action will set it to false. This applies only to Namespaces that are part of a Capsule Tenant.
resource.customizations.actions.Namespace: |
  mergeBuiltinActions: true
  discovery.lua: |
    actions = {
      cordon = { iconClass = &amp;#34;fa fa-solid fa-pause&amp;#34;, disabled = true, },
      uncordon = { iconClass = &amp;#34;fa fa-solid fa-play&amp;#34;, disabled = true, },
    }
    local function has_managed_ownerref()
      if obj.</description></item><item><title>Crossplane</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/crossplane/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/crossplane/</guid><description/></item><item><title>Dashboard</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/dashboard/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/dashboard/</guid><description>This guide works with the Kubernetes Dashboard v2.0.0 (Chart 6.0.8). It has not yet been tested successfully with the v3.x version of the dashboard.
We recommend using Headlamp as a more modern alternative to the Kubernetes Dashboard.
This guide describes how to integrate the Kubernetes Dashboard and Capsule Proxy with OIDC authorization.
OIDC Authentication Your cluster must also be configured to use OIDC Authentication for seamless Kubernetes RBAC integration.</description></item><item><title>Envoy-Gateway</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/envoy-gateway/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/envoy-gateway/</guid><description>There are different ways to use the Gateway API in a multi-tenant setup. This guide suggests a strongly isolated implementation using the Envoy Gateway project. The suggested architecture looks like this:
Each tenant will get its own -system Namespace. However, that namespace is neither managed by the Tenant nor part of it. It&amp;rsquo;s the namespace where the platform deploys managed services for each Tenant, which are out of bounds for TenantOwners.</description></item><item><title>Envoy-Gateway</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/harbor/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/harbor/</guid><description>There are different ways to use the Gateway API in a multi-tenant setup. This guide suggests a strongly isolated implementation using the Envoy Gateway project. The suggested architecture looks like this:
Each tenant will get its own -system Namespace. However, that namespace is neither managed by the Tenant nor part of it. It&amp;rsquo;s the namespace where the platform deploys managed services for each Tenant, which are out of bounds for TenantOwners.</description></item><item><title>External Secrets Operator</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/eso/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/eso/</guid><description>With External Secrets Operator it&amp;rsquo;s possible to delegate Secrets Management to an external system while keeping the actual management of the secrets within Kubernetes. This guide provides a simple automation example with External Secrets Operator. Before starting, you might want to explore the existing documentation regarding multi-tenancy:
https://external-secrets.io/latest/guides/multi-tenancy/ Secure ClusterSecretStores If you have any ClusterSecretStores that are not intended to be used by Tenants, you must make sure Tenants cannot reference the ClusterSecretStore.</description></item><item><title>Headlamp</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/headlamp/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/headlamp/</guid><description>Headlamp is an easy-to-use and extensible Kubernetes web UI.
Headlamp was created to blend the traditional feature set of other web UIs/dashboards (i.e., to list and view resources) with added functionality.
Prerequisites You will need a running Capsule Proxy instance. For authentication, you will need a Confidential OIDC client configured in your OIDC provider, such as Keycloak, Dex, or Google Cloud Identity. By default, the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Headlamp client to issue tokens.</description></item><item><title>Kyverno</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/kyverno/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/kyverno/</guid><description>Kyverno is a policy engine designed for Kubernetes. It provides the ability to validate, mutate, and generate Kubernetes resources using admission control. Kyverno policies are managed as Kubernetes resources and can be applied to a cluster using kubectl. Capsule integrates with Kyverno to provide a set of policies that can be used to improve the security and governance of the Kubernetes cluster.
Permissions Some policies attempt to query Capsule-specific information, such as the tenant name based on the namespace.</description></item><item><title>Lens</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/lens/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/lens/</guid><description>With the Capsule extension for Lens, a cluster administrator can easily manage from a single pane of glass all resources of a Kubernetes cluster, including all the Tenants created through the Capsule Operator.
Features Capsule extension for Lens provides these capabilities:
List all tenants
See tenant details and change them through the embedded Lens editor
Check Resource Quota and Budget at both the tenant and namespace level
Please see the README for details about the installation of the Capsule Lens Extension.</description></item><item><title>Monitoring</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/monitoring/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/monitoring/</guid><description>While we cannot provide a full list of all the monitoring solutions available, we can provide some guidance on how to integrate Capsule with some of the most popular ones. This also depends on how you have set up your monitoring solution. We will just explore the options available to you.
Logging Loki Promtail config:
clients:
  - url: &amp;#34;https://loki.company.com/loki/api/v1/push&amp;#34;
    # Maximum wait period before sending batch
    batchwait: 1s
    # Maximum batch size to accrue before sending, unit is byte
    batchsize: 102400
    # Maximum time to wait for server to respond to a request
    timeout: 10s
    backoff_config:
      # Initial backoff time between retries
      min_period: 100ms
      # Maximum backoff time between retries
      max_period: 5s
      # Maximum number of retries when sending batches, 0 means infinite retries
      max_retries: 20
    tenant_id: &amp;#34;tenant&amp;#34;
    external_labels:
      cluster: &amp;#34;${cluster_name}&amp;#34;
serverPort: 3101
positions:
  filename: /run/promtail/positions.</description></item><item><title>OpenCost</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/opencost/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/opencost/</guid><description>This guide explains how to integrate OpenCost with Capsule to provide cost visibility and chargeback/showback per tenant. You can group workloads into tenants by annotating namespaces (for example, opencost.projectcapsule.dev/tenant: {{ tenant.name }}). OpenCost can use this annotation to aggregate costs, enabling accurate cost allocation across clusters, nodes, namespaces, controller kinds, controllers, services, pods, and containers for each tenant.
Prerequisites
Capsule v0.10.8 or later
Prometheus Operator
Prometheus
OpenCost
Installation Capsule Create a tenant with spec.</description></item><item><title>Openshift</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/openshift/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/openshift/</guid><description/></item><item><title>Rancher</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/rancher/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/rancher/</guid><description/></item><item><title>Search Results</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/search/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/search/</guid><description/></item><item><title>Tekton</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/tekton/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/tekton/</guid><description>With the Capsule extension for Lens, a cluster administrator can easily manage from a single pane of glass all resources of a Kubernetes cluster, including all the Tenants created through the Capsule Operator.
Prerequisites Tekton must already be installed on your cluster; if that&amp;rsquo;s not the case, consult the documentation here:
Tekton Cluster Scoped Permissions Tekton Dashboard Now, for the end-user experience, we are going to deploy the Tekton Dashboard. When using oauth2-proxy we can deploy one single dashboard, which can be used for all tenants.</description></item><item><title>Teleport</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/teleport/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/teleport/</guid><description>Teleport is an open-source tool that provides zero trust access to servers and cloud applications using SSH, Kubernetes, Database, Remote Desktop Protocol and HTTPS. It can eliminate the need for VPNs by providing a single gateway to access computing infrastructure via SSH, Kubernetes clusters, and cloud applications via a built-in proxy.
If you want to pass requests from Teleport users through the capsule-proxy, so that those users can do things like listing namespaces scoped to their own tenants, this integration is for you.</description></item><item><title>Velero</title><link>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/velero/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-82--docs-projectcapsule.netlify.app/ecosystem/integrations/velero/</guid><description/></item></channel></rss>