<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Project Capsule on Capsule</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/</link><description>Recent content in Project Capsule on Capsule</description><generator>Hugo -- gohugo.io</generator><language>en</language><atom:link href="https://deploy-preview-80--docs-projectcapsule.netlify.app/index.xml" rel="self" type="application/rss+xml"/><item><title>Installation</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/installation/</link><pubDate>Thu, 05 Jan 2017 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/installation/</guid><description>Capsule Proxy is an optional add-on of the main Capsule Operator, so make sure you have a working instance of Capsule before attempting to install it. Use the capsule-proxy only if you want Tenant Owners to list their Cluster-Scope resources.
The capsule-proxy can be deployed in standalone mode, e.g. running as a pod bridging any Kubernetes client to the APIs server. Optionally, it can be deployed as a sidecar container in the backend of a dashboard.</description></item><item><title>Guidelines</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/contributions/guidelines/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/contributions/guidelines/</guid><description>The following guidelines outline the semantics and processes which apply to technical contributions to the project.
Supported Versions Versions follow Semantic Versioning terminology and are expressed as x.y.z:
where x is the major version, y is the minor version and z is the patch version. Security fixes may be backported to the three most recent minor releases, depending on severity and feasibility.
Prereleases are marked as -rc.x (release candidate) and may refer to any type of version bump.</description></item><item><title>Installation</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/installation/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/installation/</guid><description>Requirements Helm 3 is required when installing the Capsule Operator chart. Follow Helm’s official for installing helm on your particular operating system. A Kubernetes cluster 1.16+ with the following Admission Controllers enabled: PodNodeSelector LimitRanger ResourceQuota MutatingAdmissionWebhook ValidatingAdmissionWebhook A Kubeconfig file accessing the Kubernetes cluster with cluster admin permissions. Cert-Manager is recommended but not required Installation We officially only support the installation of Capsule using the Helm chart. The chart itself handles the Installation/Upgrade of needed CustomResourceDefinitions.</description></item><item><title>Quickstart</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/quickstart/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/quickstart/</guid><description>In Capsule, a Tenant is an abstraction to group multiple namespaces in a single entity within a set of boundaries defined by the Cluster Administrator. The tenant is then assigned to a user or group of users, called the Tenant Owner. Capsule defines a Tenant as a Custom Resource with cluster scope. Create the tenant as cluster admin:
kubectl create -f - &amp;lt;&amp;lt; EOF apiVersion: capsule.clastix.io/v1beta2 kind: Tenant metadata: name: solar spec: owners: - name: alice kind: User EOF You can check the tenant just created</description></item><item><title>Resources</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/resources/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/resources/</guid><description>2025 The State of Multi-tenancy in Kubernetes by LoftLabs video 27 Feb, 2025 Kubernetes Multi-tenancy Spectrum by Daniele Polencic article 10 Feb, 2025 2024 Taming the Kube tenancy kraken (Capsule with Rancher) video 12 Dec, 2024 Painless Multi-Tenant Kafka on Kubernetes with Istio at ASML - Thomas Reichel &amp;amp; Dominique Chanet video 7 Oct, 2024 NVIDIA Case Study: The Many Facets of Building + Delivering AI in the Cloud video 14 Nov, 2024 2023 Confused by Kubernetes Multi-Tenancy?</description></item><item><title>What's New ✨</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/whats-new/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/whats-new/</guid><description>Features Admission Webhooks return warnings for deprecated fields in Capsule resources. You are encouraged to update your resources accordingly.
Added --enable-pprof flag to enable pprof endpoint for profiling Capsule controller performance. Not recommended for production environments. Read More.
Added --workers flag to define the MaxConcurrentReconciles for relevant controllers Read More.
Combined Capsule Users Configuration for defining all users and groups which should be considered for Capsule tenancy. This simplifies the configuration and avoids confusion between users and groups.</description></item><item><title>ProxySettings</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/proxysettings/</link><pubDate>Tue, 20 Feb 2024 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/proxysettings/</guid><description>The configuration for the Proxy is also declarative via CRDs. This allows both Administrators and Tenant Owners to create flexible rules.
GlobalProxySettings As an administrator, you might have the requirement to allow users to query cluster-scoped resources which are not directly linked to a tenant. In that case you can grant cluster-scoped LIST privileges to any subject, no matter what their tenant association is. For example:
apiVersion: capsule.</description></item><item><title>Admission Policies</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/admission-policies/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/admission-policies/</guid><description>With Capsule we try to provide a secure multi-tenant environment out of the box; there are, however, some additional Admission Policies you should consider to enforce best practices in your cluster. Since Capsule only covers the core multi-tenancy features, such as Namespaces, Resource Quotas, Network Policies, Container Registries and Classes, you should consider using an additional Admission Controller to enforce best practices on workloads and other resources.
Custom Create custom Policies and reuse data provided via Tenant Status to enforce your own rules.</description></item><item><title>Adoption</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/contributions/adoption/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/contributions/adoption/</guid><description>Have you tried Capsule or are you using it in your project or company? Please consider adding your project/company to the list of adopters. This helps the Capsule community understand who is using Capsule and how it is being used.
Adding yourself In the adopters.yaml file you can add yourself as an adopter of the project. You just need to add an entry for your company and upon merging it will automatically be added to our website.</description></item><item><title>Architecture</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/architecture/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/architecture/</guid><description>Key Decisions Introducing a new separation of duties can lead to a significant paradigm shift. This has technical implications and may also impact your organizational structure. Therefore, when designing a multi-tenant platform pattern, carefully consider the following aspects. As Cluster Administrator, ask yourself:
🔑 How much ownership can be delegated to Tenant Owners (Platform Users)? The answer to this question may be influenced by the following aspects:
Are the Cluster Administrators willing to grant permissions to Tenant Owners?</description></item><item><title>Namespace Migration Across Tenants</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/guides/namespace-migration-across-tenants/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/guides/namespace-migration-across-tenants/</guid><description>Capsule relies on two components to associate a given Namespace with a Tenant.
Namespace&amp;rsquo;s OwnerReference.name pointing to the Tenant definition, and Namespace&amp;rsquo;s OwnerReference.uid pointing to the Tenant definition. If a cluster administrator changes the Namespace so that both match the other Tenant's proper UID and name, the Namespace can be easily transferred.
kubectl get tenants NAME STATE NAMESPACE QUOTA NAMESPACE COUNT NODE SELECTOR AGE solar Active 1 46s wind Active 1 39s Get tenant&amp;rsquo;s metadata.</description></item><item><title>Namespaces</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/namespaces/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/namespaces/</guid><description>Alice, once logged with her credentials, can create a new Namespace in her Tenant, as simply issuing:
kubectl create ns solar-production Alice prefixed the name of the Namespace with the name of the Tenant: this is not a strict requirement but it is highly suggested, because it is likely that many different Tenants would like to call their Namespaces production, test, demo, etc. The enforcement of this naming convention is optional and can be controlled by the cluster administrator with the forceTenantPrefix option.</description></item><item><title>Controller Options</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/options/</link><pubDate>Tue, 20 Feb 2024 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/options/</guid><description>You can customize the Capsule Proxy with the following configuration
Flags Feature Gates Feature Gates are a set of key/value pairs that can be used to enable or disable certain features of the Capsule Proxy. The following feature gates are available:
Feature Gate Default Value Description ProxyAllNamespaced true ProxyAllNamespaced allows proxying all the Namespaced objects. When enabled, it will discover APIs and ensure labels are set for resources in all tenant namespaces, resulting in increased memory usage.</description></item><item><title>Addons</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/contributions/addons/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/contributions/addons/</guid><description>Have you written an operator or some other automation which integrates with the capsule core project? Feel free to add your addon to the capsule ecosystem overview
Adding an addon In the addons.yaml file you can add an addon to the ecosystem. You just need to add an entry for your addon and upon merging it will automatically be added to our website. To add your organization follow these steps:</description></item><item><title>Governance</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/governance/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/governance/</guid><description>The Capsule project is dedicated to creating a multi-tenancy and policy-based framework for Kubernetes. This governance explains how the project is run.
Values Maintainers Becoming a Maintainer Removing a Maintainer Meetings CNCF Resources Code of Conduct Security Response Team Voting Modifying this Charter Values The Capsule and its leadership embrace the following values:
Openness: Communication and decision-making happens in the open and is discoverable for future reference. As much as possible, all discussions and work take place in public Slack channels and open repositories.</description></item><item><title>Permissions</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/permissions/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/permissions/</guid><description>Ownership Capsule introduces the principle that tenants must have owners (Tenant Owners). The owner of a tenant is a user or a group of users that have the right to create, delete, and manage the tenant&amp;rsquo;s namespaces and other tenant resources. However, an owner does not have the permissions to manage the tenants they own; this is still done by cluster administrators.
At any time you are able to verify which users or groups are owners of a tenant by checking the owners field of the Tenant status subresource:</description></item><item><title>Workloads</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/best-practices/workloads/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/best-practices/workloads/</guid><description>User Namespaces Info The FeatureGate UserNamespacesSupport is active by default since Kubernetes 1.33. However every pod must still opt-in
When you are also enabling the FeatureGate UserNamespacesPodSecurityStandards you may relax the Pod Security Standards for your workloads. Read More
A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.</description></item><item><title>Branding</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/branding/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/branding/</guid><description>Find all the available artworks and logos for the project in the CNCF Logo repository:
https://github.com/cncf/artwork/tree/main/projects/capsule</description></item><item><title>Networking</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/best-practices/networking/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/best-practices/networking/</guid><description>Network-Policies It&amp;rsquo;s a best practice to not allow any traffic outside of a tenant (or a tenant&amp;rsquo;s namespace). For this we can use Tenant Replications to ensure NetworkPolicies are in place for every namespace.
The following NetworkPolicy is distributed to all namespaces which belong to a Capsule tenant:
apiVersion: capsule.clastix.io/v1beta2 kind: GlobalTenantResource metadata: name: default-networkpolicies namespace: solar-system spec: resyncPeriod: 60s resources: - rawItems: - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-policy spec: # Apply to all pods in this namespace podSelector: {} policyTypes: - Ingress - Egress ingress: # Allow traffic from the same namespace (intra-namespace communication) - from: - podSelector: {} # Allow traffic from all namespaces within the tenant - from: - namespaceSelector: matchLabels: capsule.</description></item><item><title>Quotas</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/quotas/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/quotas/</guid><description>With help of Capsule, Bill, the cluster admin, can set and enforce resource quotas and limits for Alice&amp;rsquo;s Tenant.
Resource Quota Deprecated This feature will be deprecated in a future release of Capsule. Instead use Resource Pools to handle any cases around distributed ResourceQuotas. With help of Capsule, Bill, the cluster admin, can set and enforce resource quotas and limits for Alice&amp;rsquo;s Tenant. Set resource quotas for each Namespace in Alice&amp;rsquo;s Tenant by defining them in the Tenant spec:</description></item><item><title>Authentication</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/authentication/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/authentication/</guid><description>Capsule does not care about the authentication strategy used in the cluster and all the Kubernetes methods of authentication are supported. The only requirement to use Capsule is to assign tenant users to the group defined by the userGroups option in the CapsuleConfiguration, which defaults to projectcapsule.dev.
OIDC In the following guide, we&amp;rsquo;ll use Keycloak, an open source Identity and Access Management server capable of authenticating users via OIDC and releasing JWT tokens as proof of authentication.</description></item><item><title>Container Images</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/best-practices/images/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/best-practices/images/</guid><description>Until this issue is resolved (might be in Kubernetes 1.34)
it&amp;rsquo;s recommended to use the ImagePullPolicy Always for private registries on shared nodes. This ensures that images already pulled to the node cannot be reused without going through the pull again.</description></item><item><title>Enforcement</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/enforcement/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/enforcement/</guid><description>Scheduling LimitRanges This feature will be deprecated in a future release of Capsule. Instead use TenantReplications
Bill, the cluster admin, can also set Limit Ranges for each Namespace in Alice&amp;rsquo;s Tenant by defining limits for pods and containers in the Tenant spec:
apiVersion: capsule.clastix.io/v1beta2 kind: Tenant metadata: name: solar spec: ... limitRanges: items: - limits: - type: Pod min: cpu: &amp;#34;50m&amp;#34; memory: &amp;#34;5Mi&amp;#34; max: cpu: &amp;#34;1&amp;#34; memory: &amp;#34;1Gi&amp;#34; - limits: - type: Container defaultRequest: cpu: &amp;#34;100m&amp;#34; memory: &amp;#34;10Mi&amp;#34; default: cpu: &amp;#34;200m&amp;#34; memory: &amp;#34;100Mi&amp;#34; min: cpu: &amp;#34;50m&amp;#34; memory: &amp;#34;5Mi&amp;#34; max: cpu: &amp;#34;1&amp;#34; memory: &amp;#34;1Gi&amp;#34; - limits: - type: PersistentVolumeClaim min: storage: &amp;#34;1Gi&amp;#34; max: storage: &amp;#34;10Gi&amp;#34; Limits will be inherited by all the Namespaces created by Alice.</description></item><item><title>Metadata</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/metadata/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/metadata/</guid><description>Managed By default all namespaced resources within a Namespace which are part of a Tenant are labeled at admission with the capsule.clastix.io/tenant: &amp;lt;tenant-name&amp;gt; label.
Namespaces AdditionalMetadataList Information Starting from v0.10.8, it is possible to use templated values for labels and annotations. Currently, {{ tenant.name }} and {{ namespace }} placeholders are available. apiVersion: capsule.clastix.io/v1beta2 kind: Tenant metadata: name: solar spec: owners: - name: alice kind: User namespaceOptions: additionalMetadataList: - annotations: templated-annotation: {{ tenant.</description></item><item><title>Monitoring</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/monitoring/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/monitoring/</guid><description>The Capsule dashboard allows you to track the health and performance of Capsule manager and tenants, with particular attention to resources saturation, server responses, and latencies. Prometheus and Grafana are requirements for monitoring Capsule.
ResourcePools Instrumentation for ResourcePools.
Dashboards Dashboards can be deployed via the Helm chart by enabling the following values:
monitoring: dashboards: enabled: true Capsule / ResourcePools Dashboard which grants a detailed overview over the ResourcePools
Rules Example rules to give you an idea of what is possible.</description></item><item><title>Rules</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/rules/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/rules/</guid><description>Enforcement rules allow Bill, the cluster admin, to set policies and restrictions on a per-Tenant basis. These rules are enforced by Capsule Admission Webhooks when Alice, the Tenant Owner, creates or modifies resources in her Namespaces. With the Rule construct we can profile namespaces within a tenant to adhere to specific policies, depending on metadata.
Namespace Selector By default a rule is applied to all namespaces within a Tenant. However you can select a subset of namespaces to apply the rule on, by using a namespaceSelector.</description></item><item><title>Administration</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/administration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/tenants/administration/</guid><description>Cordoning Bill needs to cordon a Tenant and its Namespaces for several reasons:
Avoid accidental resource modification(s) including deletion during a Production Freeze Window; during a Kubernetes upgrade, to prevent any workload updates; during incidents or outages; during planned maintenance of a dedicated node pool in a BYOD scenario. Once cordoned, the Tenant Owner and the related Service Accounts living in the managed Namespaces cannot perform any create, update or delete action.</description></item><item><title>Backup &amp; Restore</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/backup-restore/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/backup-restore/</guid><description>Velero is a backup and restore solution that performs data protection, disaster recovery and migrates Kubernetes clusters from on-premises to the Cloud or between different Clouds.
When coming to backup and restore in Kubernetes, we have two main requirements:
Configurations backup Data backup The first requirement aims to back up all the resources stored in the etcd database, for example: namespaces, pods, services, deployments, etc. The second is about how to back up stateful application data stored in volumes.</description></item><item><title>Benchmark</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/overview/benchmark/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/overview/benchmark/</guid><description>The Multi-Tenancy Benchmark is a WG (Working Group) committed to achieving multi-tenancy in Kubernetes.
The Benchmarks are guidelines that validate if a Kubernetes cluster is properly configured for multi-tenancy.
Capsule is an open source multi-tenancy operator; we decided to meet the requirements of MTB, although at the time of writing it&amp;rsquo;s in development and not ready for usage. Strictly speaking, we do not claim official conformance to MTB, but just to adhere to the multi-tenancy requirements and best practices promoted by MTB.</description></item><item><title>Commitment</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/commitment/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/project/commitment/</guid><description>Our commitment is to deliver a robust, stable Tenancy specification that serves as a foundational platform for a wide range of automation use cases in multi-tenant environments. Rather than focusing on niche scenarios, our project addresses the fundamental aspects that are universally required, including:
Streamlined Permissions Management: Efficiently governing access control across diverse namespaces (tenants). Comprehensive Resource Oversight: Facilitating seamless resource management across multiple tenants. Exceptional User Experience: Prioritizing intuitive design and ease of use.</description></item><item><title>How to operate Tenants GitOps with Flux</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/guides/use-fluxcd/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/guides/use-fluxcd/</guid><description>Multi-tenancy the GitOps way This document will guide you to manage Tenant resources the GitOps way with Flux configured with the multi-tenancy lockdown.
The proposed approach consists in making Flux reconcile Tenant resources as Tenant Owners, while still providing Namespace as a Service to Tenants.
This means that Tenants can operate and declare multiple Namespaces in their own Git repositories while not escaping the policies enforced by Capsule.
Quickstart Install In order to make it work you can install the FluxCD addon via Helm:</description></item><item><title>OpenShift</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/openshift/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/openshift/</guid><description>Introduction Capsule is a Kubernetes multi-tenancy operator that enables secure namespace-as-a-service in Kubernetes clusters. When combined with OpenShift&amp;rsquo;s robust security model, it provides an excellent platform for multi-tenant environments.
This guide demonstrates how to deploy Capsule and Capsule Proxy on OpenShift using the nonroot-v2 and restricted-v2 SecurityContextConstraint (SCC), ensuring tenant owners operate within OpenShift&amp;rsquo;s security boundaries.
Why Capsule on OpenShift While OpenShift can already be configured to be quite multi-tenant (together with, for example, Kyverno), Capsule takes it a step further and makes it easier to manage.</description></item><item><title>Troubleshooting</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/troubleshoting/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/troubleshoting/</guid><description/></item><item><title>Rancher</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/rancher/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/rancher/</guid><description>The integration between Rancher and Capsule aims to provide a multi-tenant Kubernetes service to users, enabling:
a self-service approach, and access to cluster-wide resources for end users.
Tenant users will have the ability to access Kubernetes resources through:
Rancher UI Rancher Shell Kubernetes CLI On the other side, administrators need to manage the Kubernetes clusters through Rancher.
Rancher provides a feature called Projects to segregate resources inside a common domain. At the same time, Projects don&amp;rsquo;t provide a way to segregate Kubernetes cluster-scoped resources.</description></item><item><title>Managed Kubernetes</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/managed-kubernetes/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/managed-kubernetes/</guid><description>Capsule Operator can be easily installed on a Managed Kubernetes Service. Since you do not have access to the Kubernetes API Server, you should check with the provider of the service:
the default cluster-admin ClusterRole is accessible the following Admission Webhooks are enabled on the APIs Server:
PodNodeSelector LimitRanger ResourceQuota MutatingAdmissionWebhook ValidatingAdmissionWebhook AWS EKS This is an example of how to install an AWS EKS cluster and one user managed by Capsule.</description></item><item><title>API Reference</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/reference/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/proxy/reference/</guid><description>Packages:
capsule.clastix.io/v1beta1 capsule.clastix.io/v1beta1 Resource Types:
GlobalProxySettings
ProxySetting
GlobalProxySettings GlobalProxySettings is the Schema for the globalproxysettings API.
Name Type Description Required apiVersion string capsule.clastix.io/v1beta1 true kind string GlobalProxySettings true metadata object Refer to the Kubernetes API documentation for the fields of the metadata field. true spec object GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. false GlobalProxySettings.spec GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
Name Type Description Required rules []object Subjects that should receive additional permissions.</description></item><item><title>API Reference</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/reference/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/reference/</guid><description>Packages:
capsule.clastix.io/v1beta2 capsule.clastix.io/v1beta1 capsule.clastix.io/v1beta2 Resource Types:
CapsuleConfiguration
GlobalTenantResource
ResourcePoolClaim
ResourcePool
RuleStatus
TenantOwner
TenantResource
Tenant
CapsuleConfiguration CapsuleConfiguration is the Schema for the Capsule configuration API.
Name Type Description Required apiVersion string capsule.clastix.io/v1beta2 true kind string CapsuleConfiguration true metadata object Refer to the Kubernetes API documentation for the fields of the metadata field. true spec object CapsuleConfigurationSpec defines the Capsule configuration. true status object CapsuleConfigurationStatus defines the Capsule configuration status. false CapsuleConfiguration.spec CapsuleConfigurationSpec defines the Capsule configuration.</description></item><item><title>Controller Options</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/configuration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/docs/operating/setup/configuration/</guid><description>The configuration for the capsule controller is done via its dedicated configuration Custom Resource. You can explain the configuration options and how to use them:
CapsuleConfiguration The configuration for Capsule is done via its dedicated configuration Custom Resource. You can explain the configuration options and how to use them:
kubectl explain capsuleConfiguration.spec administrators These entities are automatically owners for all existing tenants, meaning they can add namespaces to any tenant. However, they must be specific by using the capsule label for interacting with namespaces.</description></item><item><title>Crossplane</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/crossplane/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/crossplane/</guid><description/></item><item><title>Dashboard</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/dashboard/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/dashboard/</guid><description>This guide works with the Kubernetes Dashboard v2.0.0 (Chart 6.0.8). It has not yet been tested successfully with the v3.x version of the dashboard.
We recommend using Headlamp as a more modern alternative to the Kubernetes Dashboard.
This guide describes how to integrate the Kubernetes Dashboard and Capsule Proxy with OIDC authorization.
OIDC Authentication Your cluster must also be configured to use OIDC Authentication for seamless Kubernetes RBAC integration.</description></item><item><title>Gangplank</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/gangplank/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/gangplank/</guid><description>Gangplank is a web application that allows users to authenticate with an OIDC provider and configure their kubectl configuration file with the OpenID Connect Tokens. Gangplank is based on Gangway, which is no longer maintained.
Prerequisites You will need a running Capsule Proxy instance. For Authentication you will need a Confidential OIDC client configured in your OIDC provider, such as Keycloak, Dex, or Google Cloud Identity. By default the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Gangplank client to issue tokens.</description></item><item><title>Headlamp</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/headlamp/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/headlamp/</guid><description>Headlamp is an easy-to-use and extensible Kubernetes web UI.
Headlamp was created to blend the traditional feature set of other web UIs/dashboards (i.e., to list and view resources) with added functionality.
Prerequisites You will need a running Capsule Proxy instance. For Authentication you will need a Confidential OIDC client configured in your OIDC provider, such as Keycloak, Dex, or Google Cloud Identity. By default the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Headlamp client to issue tokens.</description></item><item><title>Kyverno</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/kyverno/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/kyverno/</guid><description>Kyverno is a policy engine designed for Kubernetes. It provides the ability to validate, mutate, and generate Kubernetes resources using admission control. Kyverno policies are managed as Kubernetes resources and can be applied to a cluster using kubectl. Capsule integrates with Kyverno to provide a set of policies that can be used to improve the security and governance of the Kubernetes cluster.
Permissions Some policies are attempting to query Capsule specific information, such as the tenant name based on the namespace.</description></item><item><title>Lens</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/lens/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/lens/</guid><description>With Capsule extension for Lens, a cluster administrator can easily manage from a single pane of glass all resources of a Kubernetes cluster, including all the Tenants created through the Capsule Operator.
Features Capsule extension for Lens provides these capabilities:
List all tenants See tenant details and change through the embedded Lens editor Check Resources Quota and Budget at both the tenant and namespace level Please, see the README for details about the installation of the Capsule Lens Extension.</description></item><item><title>Monitoring</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/monitoring/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/monitoring/</guid><description>While we can not provide a full list of all the monitoring solutions available, we can provide some guidance on how to integrate Capsule with some of the most popular ones. Also this is dependent on how you have set up your monitoring solution. We will just explore the options available to you.
Logging Loki Promtail config:
clients:
- url: &amp;#34;https://loki.company.com/loki/api/v1/push&amp;#34;
  # Maximum wait period before sending batch
  batchwait: 1s
  # Maximum batch size to accrue before sending, unit is byte
  batchsize: 102400
  # Maximum time to wait for server to respond to a request
  timeout: 10s
  backoff_config:
    # Initial backoff time between retries
    min_period: 100ms
    # Maximum backoff time between retries
    max_period: 5s
    # Maximum number of retries when sending batches, 0 means infinite retries
    max_retries: 20
  tenant_id: &amp;#34;tenant&amp;#34;
  external_labels:
    cluster: &amp;#34;${cluster_name}&amp;#34;
serverPort: 3101
positions:
  filename: /run/promtail/positions.</description></item><item><title>OpenCost</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/opencost/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/opencost/</guid><description>This guide explains how to integrate OpenCost with Capsule to provide cost visibility and chargeback/showback per tenant. You can group workloads into tenants by annotating namespaces (for example, opencost.projectcapsule.dev/tenant: {{ tenant.name }}). OpenCost can use this annotation to aggregate costs, enabling accurate cost allocation across clusters, nodes, namespaces, controller kinds, controllers, services, pods, and containers for each tenant.
Prerequisites Capsule v0.10.8 or later Prometheus Operator Prometheus OpenCost Installation Capsule Create a tenant with spec.</description></item><item><title>Openshift</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/openshift/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/openshift/</guid><description/></item><item><title>Rancher</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/rancher/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/rancher/</guid><description/></item><item><title>Search Results</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/search/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/search/</guid><description/></item><item><title>Tekton</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/tekton/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/tekton/</guid><description>With Capsule extension for Lens, a cluster administrator can easily manage from a single pane of glass all resources of a Kubernetes cluster, including all the Tenants created through the Capsule Operator.
Prerequisites Tekton must already be installed on your cluster; if that&amp;rsquo;s not the case, consult the documentation here:
Tekton Cluster Scoped Permissions Tekton Dashboard Now, for the end-user experience, we are going to deploy the Tekton Dashboard. When using oauth2-proxy we can deploy one single dashboard, which can be used for all tenants.</description></item><item><title>Teleport</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/teleport/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/teleport/</guid><description>Teleport is an open-source tool that provides zero trust access to servers and cloud applications using SSH, Kubernetes, Database, Remote Desktop Protocol and HTTPS. It can eliminate the need for VPNs by providing a single gateway to access computing infrastructure via SSH, Kubernetes clusters, and cloud applications via a built-in proxy.1
If you want to pass requests from Teleport users through the capsule-proxy, so that users can do things like listing the namespaces scoped to their own tenants, this integration is for you.</description></item><item><title>Velero</title><link>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/velero/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-80--docs-projectcapsule.netlify.app/ecosystem/integrations/velero/</guid><description/></item></channel></rss>