API Reference

Packages:

capsule.clastix.io/v1beta2

Resource Types:

CapsuleConfiguration

CapsuleConfiguration is the Schema for the Capsule configuration API.

Fields:
apiVersion (string, required): capsule.clastix.io/v1beta2
kind (string, required): CapsuleConfiguration
metadata (object, required): Refer to the Kubernetes API documentation for the fields of the metadata field.
spec (object, required): CapsuleConfigurationSpec defines the Capsule configuration.
status (object, optional): CapsuleConfigurationStatus defines the Capsule configuration status.

CapsuleConfiguration.spec

CapsuleConfigurationSpec defines the Capsule configuration.

Fields:
cacheInvalidation (string, required): Defines the period after which a cache invalidation is executed for all caches.
  Default: 24h
enableTLSReconciler (boolean, required): Toggles the TLS reconciler, the controller that is able to generate a CA and certificates for the webhooks when an already provided CA and certificate are not used, or when these are managed externally with Vault or cert-manager.
  Default: false
rbac (object, required): Defines properties for the ClusterRoles managed by Capsule.
  Default: map[]
administrators ([]object, optional): Defines the entities which can act as Administrators in the Capsule construct. These entities are automatically owners of all existing tenants, meaning they can add namespaces to any tenant. However, they must be explicit by using the capsule label when interacting with namespaces: if that label is not defined, the namespace interaction is assumed not to target a tenant and is therefore ignored by Capsule.
admission (object, optional): Configuration for the dynamic Validating and Mutating Admission webhooks managed by Capsule.
allowServiceAccountPromotion (boolean, optional): ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant. This is achieved by labeling the ServiceAccount, after which it is considered an owner. This can only be done by other owners of the tenant. However, ServiceAccounts which have been promoted to owner cannot promote further ServiceAccounts.
  Default: false
forceTenantPrefix (boolean, optional): Forces the Tenant owner, during Namespace creation, to name the Namespace using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collisions in a public CaaS environment.
  Default: false
ignoreUserWithGroups ([]string, optional): Defines groups which, when found in a user's request, cause the request to be ignored by Capsule. This might be useful if you have one group that all users are in, but you want to separate administrators from normal users with additional groups.
impersonation (object, optional): Service Account client configuration for impersonation properties.
nodeMetadata (object, optional): Allows setting the forbidden metadata for the worker nodes that could be patched by a Tenant. This applies only if the Tenant has an active NodeSelector and the Owner has the right to patch their nodes.
overrides (object, optional): Allows setting names other than the canonical ones for the Capsule configuration objects, such as the webhook secret or configurations.
  Default: map[TLSSecretName:capsule-tls mutatingWebhookConfigurationName:capsule-mutating-webhook-configuration validatingWebhookConfigurationName:capsule-validating-webhook-configuration]
protectedNamespaceRegex (string, optional): Disallows creation of namespaces whose name matches this regexp.
userGroups ([]string, optional): Deprecated: use the users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users). Names of the groups considered as Capsule users.
userNames ([]string, optional): Deprecated: use the users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users). Names of the users considered as Capsule users.
users ([]object, optional): Defines the entities which are considered part of the Capsule construct. Users not mentioned here will be ignored by Capsule.
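A CapsuleConfiguration manifest exercising the spec fields above, written here as an added example; it is not taken from this page or from the Capsule project. The object name, the group and ServiceAccount names, the regex, and the shape of users[] entries (assumed to be the same kind/name pair as administrators[], whose table is on this page) are assumptions.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
  name: default                      # assumed object name
spec:
  cacheInvalidation: 24h
  # Webhook certificates are managed externally (e.g. cert-manager),
  # so Capsule's own TLS reconciler stays off.
  enableTLSReconciler: false

  # Only principals listed here are subject to Capsule; everyone else is ignored.
  # Assumed to take the same kind/name entries as administrators[].
  users:
    - kind: Group
      name: capsule.clastix.io       # assumed group carried by tenant owners
  # Administrators are automatically owners of every tenant, but still have to
  # set the capsule label on a namespace for the request to be treated as tenant-scoped.
  administrators:
    - kind: Group
      name: platform-admins          # assumed group name
    - kind: ServiceAccount
      name: system:serviceaccount:capsule-system:tenant-provisioner   # assumed
  # Requests carrying this group bypass Capsule processing entirely, so keep it
  # limited to the break-glass principals that must not be tenant-constrained.
  ignoreUserWithGroups:
    - cluster-admins               # assumed group name

  # Namespace naming controls.
  forceTenantPrefix: true          # namespaces must be named <tenant>-<name>
  protectedNamespaceRegex: "^(kube|capsule)-"   # assumed pattern; no tenant may create such names

  # Promoting tenant ServiceAccounts to owners widens who can act as owner
  # inside the tenant; leave it off unless a tenant explicitly needs it.
  allowServiceAccountPromotion: false

  rbac:
    provisioner: capsule-namespace-provisioner
    deleter: capsule-namespace-deleter
    administrationClusterRoles:
      - capsule-namespace-deleter
    promotionClusterRoles:
      - capsule-namespace-provisioner
      - capsule-namespace-deleter

  # Names of the generated objects, kept at their documented defaults.
  overrides:
    TLSSecretName: capsule-tls
    mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
    validatingWebhookConfigurationName: capsule-validating-webhook-configuration
```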

CapsuleConfiguration.spec.rbac

Defines properties for the ClusterRoles managed by Capsule.

Fields:
administrationClusterRoles ([]string, optional): The ClusterRoles applied for Administrators.
  Default: [capsule-namespace-deleter]
deleter (string, optional): Name of the ClusterRole required to grant Namespace deletion permissions.
  Default: capsule-namespace-deleter
promotionClusterRoles ([]string, optional): The ClusterRoles applied for ServiceAccounts which have had owner promotion.
  Default: [capsule-namespace-provisioner capsule-namespace-deleter]
provisioner (string, optional): Name of the ClusterRole required to grant Namespace provisioning permissions.
  Default: capsule-namespace-provisioner

CapsuleConfiguration.spec.administrators[index]

Fields:
kind (enum, required): Kind of entity. Possible values are "User", "Group", and "ServiceAccount".
  Enum: User, Group, ServiceAccount
name (string, required): Name of the entity.

CapsuleConfiguration.spec.admission

Configuration for the dynamic Validating and Mutating Admission webhooks managed by Capsule.

Fields:
mutating (object, optional): Configures dynamic Mutating Admission for Capsule.
serviceName (string, optional): Service name of the Admission Service.
  Default: capsule-webhook-service
validating (object, optional): Configures dynamic Validating Admission for Capsule.

CapsuleConfiguration.spec.admission.mutating

Configures dynamic Mutating Admission for Capsule.

Fields:
client (object, required): Client configuration (CA bundle and either a service reference or a URL) used by the API server to reach the admission webhook.
annotations (map[string]string, optional): Annotations added to the Admission Webhook.
labels (map[string]string, optional): Labels added to the Admission Webhook.
name (string, optional): Name of the Admission Webhook.
webhooks ([]object, optional): Defines the Dynamic Admission Webhooks.

CapsuleConfiguration.spec.admission.mutating.client

Client configuration (CA bundle and either a service reference or a URL) used by the API server to reach the admission webhook.

Fields:
caBundle (string, optional): caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
  Format: byte
service (object, optional): service is a reference to the service for this webhook. Either service or url must be specified. If the webhook is running within the cluster, then you should use service.
url (string, optional): url gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.
  The host should not refer to a service running in the cluster; use the service field instead. The host might be resolved via external DNS in some apiservers (e.g., kube-apiserver cannot resolve in-cluster DNS as that would be a layering violation). host may also be an IP address.
  Please note that using localhost or 127.0.0.1 as a host is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
  The scheme must be "https"; the URL must begin with "https://".
  A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
  Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#…") and query parameters ("?…") are not allowed, either.

CapsuleConfiguration.spec.admission.mutating.client.service

service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

Fields:
name (string, required): name is the name of the service. Required.
namespace (string, required): namespace is the namespace of the service. Required.
path (string, optional): path is an optional URL path which will be sent in any request to this service.
port (integer, optional): If specified, the port on the service that hosts the webhook. Defaults to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).
  Format: int32

CapsuleConfiguration.spec.admission.mutating.webhooks[index]

Fields:
admissionReviewVersions ([]string, required): AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects. The API server will try to use the first version in the list which it supports. If none of the versions specified in this list are supported by the API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
name (string, required): The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
path (string, required): path is the URL path which will be sent in any request to this service.
sideEffects (string, required): SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
failurePolicy (string, optional): FailurePolicy defines how unrecognized errors from the admission endpoint are handled; allowed values are Ignore or Fail. Defaults to Fail.
matchConditions ([]object, optional): MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
  The exact matching logic is (in order):
  1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
  2. If ALL matchConditions evaluate to TRUE, the webhook is called.
  3. If any matchCondition evaluates to an error (but none are FALSE):
     - If failurePolicy=Fail, reject the request
     - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
matchPolicy (string, optional): matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
  - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
  - Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
  Defaults to "Equivalent".
namespaceSelector (object, optional): NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
  For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1", you will set the selector as follows:
    "namespaceSelector": {
      "matchExpressions": [
        {
          "key": "runlevel",
          "operator": "NotIn",
          "values": [
            "0",
            "1"
          ]
        }
      ]
    }
  If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging", you will set the selector as follows:
    "namespaceSelector": {
      "matchExpressions": [
        {
          "key": "environment",
          "operator": "In",
          "values": [
            "prod",
            "staging"
          ]
        }
      ]
    }
  See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
  Defaults to the empty LabelSelector, which matches everything.
objectSelector (object, optional): ObjectSelector decides whether to run the webhook based on whether the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Defaults to the empty LabelSelector, which matches everything.
opts (object, optional): Capsule custom admission options.
reinvocationPolicy (string, optional): reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
  Never: the webhook will not be called more than once in a single admission evaluation.
  IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option must be idempotent, able to process objects they previously admitted.
  Note:
  * the number of additional invocations is not guaranteed to be exactly one.
  * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
  * webhooks that use this option may be reordered to minimize the number of additional invocations.
  * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
  Defaults to "Never".
rules ([]object, optional): Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
timeoutSeconds (integer, optional): TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Defaults to 10 seconds.
  Format: int32

CapsuleConfiguration.spec.admission.mutating.webhooks[index].matchConditions[index]

MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.

Fields:
expression (string, required): Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
  'object' - The object from the incoming request. The value is null for DELETE requests.
  'oldObject' - The existing object. The value is null for CREATE requests.
  'request' - Attributes of the admission request (/pkg/apis/admission/types.go#AdmissionRequest).
  'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
  'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource.
  Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
  Required.
name (string, required): Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc'; the regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName'). Required.

CapsuleConfiguration.spec.admission.mutating.webhooks[index].namespaceSelector

NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.

For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1", you will set the selector as follows:
  "namespaceSelector": {
    "matchExpressions": [
      {
        "key": "runlevel",
        "operator": "NotIn",
        "values": [
          "0",
          "1"
        ]
      }
    ]
  }

If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging", you will set the selector as follows:
  "namespaceSelector": {
    "matchExpressions": [
      {
        "key": "environment",
        "operator": "In",
        "values": [
          "prod",
          "staging"
        ]
      }
    ]
  }

See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.

Defaults to the empty LabelSelector, which matches everything.

Fields:
matchExpressions ([]object, optional): matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional): matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

CapsuleConfiguration.spec.admission.mutating.webhooks[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Fields:
key (string, required): key is the label key that the selector applies to.
operator (string, required): operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional): values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

CapsuleConfiguration.spec.admission.mutating.webhooks[index].objectSelector

ObjectSelector decides whether to run the webhook based on whether the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Defaults to the empty LabelSelector, which matches everything.

Fields:
matchExpressions ([]object, optional): matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional): matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

CapsuleConfiguration.spec.admission.mutating.webhooks[index].objectSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Fields:
key (string, required): key is the label key that the selector applies to.
operator (string, required): operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional): values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

CapsuleConfiguration.spec.admission.mutating.webhooks[index].opts

Capsule custom admission options.

Fields:
administrators (boolean, required): If enabled, the request is only sent to admission if the user is listed as part of the Capsule Administrators.
  Default: false
capsuleUsers (boolean, required): If enabled, the request is only sent to admission if the user is listed as part of the Capsule Users.
  Default: false

CapsuleConfiguration.spec.admission.mutating.webhooks[index].rules[index]

RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.

Fields:
apiGroups ([]string, optional): APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
apiVersions ([]string, optional): APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
operations ([]string, optional): Operations is the operations the admission hook cares about: CREATE, UPDATE, DELETE, CONNECT, or '*' for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
resources ([]string, optional): Resources is a list of resources this rule applies to.
  For example:
  'pods' means pods.
  'pods/log' means the log subresource of pods.
  '*' means all resources, but not subresources.
  'pods/*' means all subresources of pods.
  '*/scale' means all scale subresources.
  '*/*' means all resources and their subresources.
  If a wildcard is present, the validation rule will ensure resources do not overlap with each other.
  Depending on the enclosing object, subresources might not be allowed. Required.
scope (string, optional): scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*". "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

CapsuleConfiguration.spec.admission.validating

Configures dynamic Validating Admission for Capsule.

Fields:
client (object, required): Client configuration (CA bundle and either a service reference or a URL) used by the API server to reach the admission webhook.
annotations (map[string]string, optional): Annotations added to the Admission Webhook.
labels (map[string]string, optional): Labels added to the Admission Webhook.
name (string, optional): Name of the Admission Webhook.
webhooks ([]object, optional): Defines the Dynamic Admission Webhooks.

CapsuleConfiguration.spec.admission.validating.client

Client configuration (CA bundle and either a service reference or a URL) used by the API server to reach the admission webhook.

Fields:
caBundle (string, optional): caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
  Format: byte
service (object, optional): service is a reference to the service for this webhook. Either service or url must be specified. If the webhook is running within the cluster, then you should use service.
url (string, optional): url gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.
  The host should not refer to a service running in the cluster; use the service field instead. The host might be resolved via external DNS in some apiservers (e.g., kube-apiserver cannot resolve in-cluster DNS as that would be a layering violation). host may also be an IP address.
  Please note that using localhost or 127.0.0.1 as a host is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
  The scheme must be "https"; the URL must begin with "https://".
  A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
  Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#…") and query parameters ("?…") are not allowed, either.

CapsuleConfiguration.spec.admission.validating.client.service

service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

Fields:
name (string, required): name is the name of the service. Required.
namespace (string, required): namespace is the namespace of the service. Required.
path (string, optional): path is an optional URL path which will be sent in any request to this service.
port (integer, optional): If specified, the port on the service that hosts the webhook. Defaults to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).
  Format: int32

CapsuleConfiguration.spec.admission.validating.webhooks[index]

Fields:
admissionReviewVersions ([]string, required): AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects. The API server will try to use the first version in the list which it supports. If none of the versions specified in this list are supported by the API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
name (string, required): The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
path (string, required): path is the URL path which will be sent in any request to this service.
sideEffects (string, required): SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
failurePolicy (string, optional): FailurePolicy defines how unrecognized errors from the admission endpoint are handled; allowed values are Ignore or Fail. Defaults to Fail.
matchConditions ([]object, optional): MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
  The exact matching logic is (in order):
  1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
  2. If ALL matchConditions evaluate to TRUE, the webhook is called.
  3. If any matchCondition evaluates to an error (but none are FALSE):
     - If failurePolicy=Fail, reject the request
     - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
matchPolicy (string, optional): matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
  - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
  - Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
  Defaults to "Equivalent".
namespaceSelector (object, optional): NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
  For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1", you will set the selector as follows:
    "namespaceSelector": {
      "matchExpressions": [
        {
          "key": "runlevel",
          "operator": "NotIn",
          "values": [
            "0",
            "1"
          ]
        }
      ]
    }
  If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging", you will set the selector as follows:
    "namespaceSelector": {
      "matchExpressions": [
        {
          "key": "environment",
          "operator": "In",
          "values": [
            "prod",
            "staging"
          ]
        }
      ]
    }
  See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
  Defaults to the empty LabelSelector, which matches everything.
objectSelector (object, optional): ObjectSelector decides whether to run the webhook based on whether the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Defaults to the empty LabelSelector, which matches everything.
opts (object, optional): Capsule custom admission options.
rules ([]object, optional): Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
timeoutSeconds (integer, optional): TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Defaults to 10 seconds.
  Format: int32
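A validating webhook entry exercising the webhooks[index] fields documented for both the mutating and validating tables, written here as an added example; it is not taken from this page or from the Capsule project. The object name, the service namespace, the webhook name and path, and the CEL expression are assumptions.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
  name: default                      # assumed object name
spec:
  admission:
    serviceName: capsule-webhook-service
    validating:
      client:
        # caBundle is omitted here; set the PEM-encoded bundle (base64, Format: byte)
        # when the webhook's serving CA is not in the apiserver's system trust roots.
        service:
          name: capsule-webhook-service
          namespace: capsule-system  # assumed namespace
          port: 443
      webhooks:
        - name: namespaces.capsule.clastix.io   # assumed; must be fully qualified
          path: /namespaces                       # assumed webhook path
          admissionReviewVersions: ["v1"]
          sideEffects: None
          # Fail closed: an unreachable or erroring webhook rejects the request
          # instead of letting an unchecked namespace change through.
          failurePolicy: Fail
          timeoutSeconds: 10
          matchPolicy: Equivalent
          opts:
            capsuleUsers: true      # only requests from Capsule users reach the webhook
            administrators: false
          # CEL filter evaluated after rules and selectors match; with
          # failurePolicy=Fail an expression error rejects the request.
          matchConditions:
            - name: exclude-kubelet-requests   # assumed condition
              expression: '!("system:nodes" in request.userInfo.groups)'
          # namespaceSelector is left at its default (matches everything).
          # objectSelector is deliberately not set: end users can skip the webhook
          # by changing labels, so it is unsuitable for an enforcing hook.
          rules:
            - apiGroups: [""]
              apiVersions: ["v1"]
              operations: ["CREATE", "UPDATE", "DELETE"]
              resources: ["namespaces"]
              scope: Cluster
```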

CapsuleConfiguration.spec.admission.validating.webhooks[index].matchConditions[index]

MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.

expression (string, required)
    Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
    CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:

    ‘object’ - The object from the incoming request. The value is null for DELETE requests.
    ‘oldObject’ - The existing object. The value is null for CREATE requests.
    ‘request’ - Attributes of the admission request (/pkg/apis/admission/types.go#AdmissionRequest).
    ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
    See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
    ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the
    request resource.
    Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/

    Required.
name (string, required)
    Name is an identifier for this match condition, used for strategic merging of MatchConditions,
    as well as providing an identifier for logging purposes. A good name should be descriptive of
    the associated expression.
    Name must be a qualified name consisting of alphanumeric characters, ‘-’, ‘_’ or ‘.’, and
    must start and end with an alphanumeric character (e.g. ‘MyName’, or ‘my.name’, or
    ‘123-abc’, regex used for validation is ‘([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]’) with an
    optional DNS subdomain prefix and ‘/’ (e.g. ‘example.com/MyName’)

    Required.

CapsuleConfiguration.spec.admission.validating.webhooks[index].namespaceSelector

NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.

For example, to run the webhook on any objects whose namespace is not associated with “runlevel” of “0” or “1”; you will set the selector as follows: “namespaceSelector”: { “matchExpressions”: [ { “key”: “runlevel”, “operator”: “NotIn”, “values”: [ “0”, “1” ] } ] }

If instead you want to only run the webhook on any objects whose namespace is associated with the “environment” of “prod” or “staging”; you will set the selector as follows: “namespaceSelector”: { “matchExpressions”: [ { “key”: “environment”, “operator”: “In”, “values”: [ “prod”, “staging” ] } ] }

See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.

Default to the empty LabelSelector, which matches everything.

matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

CapsuleConfiguration.spec.admission.validating.webhooks[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

CapsuleConfiguration.spec.admission.validating.webhooks[index].objectSelector

ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.

matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

CapsuleConfiguration.spec.admission.validating.webhooks[index].objectSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

CapsuleConfiguration.spec.admission.validating.webhooks[index].opts

Capsule Custom Admission Options

administrators (boolean, required)
    If enabled, the request is only sent to this webhook when the requesting user is listed among the Capsule Administrators.
    Default: false
capsuleUsers (boolean, required)
    If enabled, the request is only sent to this webhook when the requesting user is listed among the Capsule Users.
    Default: false

CapsuleConfiguration.spec.admission.validating.webhooks[index].rules[index]

RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.

apiGroups ([]string, optional)
    APIGroups is the API groups the resources belong to. ‘*’ is all groups.
    If ‘*’ is present, the length of the slice must be one.
    Required.
apiVersions ([]string, optional)
    APIVersions is the API versions the resources belong to. ‘*’ is all versions.
    If ‘*’ is present, the length of the slice must be one.
    Required.
operations ([]string, optional)
    Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
    for all of those operations and any future admission operations that are added.
    If ‘*’ is present, the length of the slice must be one.
    Required.
resources ([]string, optional)
    Resources is a list of resources this rule applies to.

    For example:
    ‘pods’ means pods.
    ‘pods/log’ means the log subresource of pods.
    ‘*’ means all resources, but not subresources.
    ‘pods/*’ means all subresources of pods.
    ‘*/scale’ means all scale subresources.
    ‘*/*’ means all resources and their subresources.

    If wildcard is present, the validation rule will ensure resources do not
    overlap with each other.

    Depending on the enclosing object, subresources might not be allowed.
    Required.
scope (string, optional)
    scope specifies the scope of this rule.
    Valid values are “Cluster”, “Namespaced”, and “*”.
    “Cluster” means that only cluster-scoped resources will match this rule.
    Namespace API objects are cluster-scoped.
    “Namespaced” means that only namespaced resources will match this rule.
    “*” means that there are no scope restrictions.
    Subresources match the scope of their parent resource.
    Default is “*”.

CapsuleConfiguration.spec.impersonation

Configuration of the client Capsule uses when impersonating a ServiceAccount to apply TenantResource and GlobalTenantResource objects.

caSecretKey (string, optional)
    Key in the secret that holds the CA certificate (e.g., “ca.crt”)
    Default: ca.crt
caSecretName (string, optional)
    Name of the secret containing the CA certificate
caSecretNamespace (string, optional)
    Namespace where the CA certificate secret is located
endpoint (string, optional)
    Kubernetes API Endpoint to use for impersonation
globalDefaultServiceAccount (string, optional)
    Default ServiceAccount for global resources (GlobalTenantResource).
    When defined, this ServiceAccount is used anywhere in the cluster
    unless the resource explicitly names its own.
globalDefaultServiceAccountNamespace (string, optional)
    Namespace of the ServiceAccount named in globalDefaultServiceAccount.
skipTlsVerify (boolean, optional)
    If true, TLS certificate verification of the impersonation endpoint is skipped. Not recommended for production:
    without verification, the impersonated API traffic can be intercepted by anyone able to answer for the endpoint.
    Provide the CA through caSecretName instead.
    Default: false
tenantDefaultServiceAccount (string, optional)
    Default ServiceAccount for namespaced resources (TenantResource).
    When defined, this ServiceAccount is used within the namespace
    where the resource is deployed, unless the resource explicitly names its own.

CapsuleConfiguration.spec.nodeMetadata

Allows setting the metadata that a Tenant is forbidden to set on the worker nodes it may patch. This applies only if the Tenant has an active NodeSelector and the Owner has the right to patch their nodes.

forbiddenAnnotations (object, optional)
    Define the annotations that a Tenant Owner cannot set for their nodes.
forbiddenLabels (object, optional)
    Define the labels that a Tenant Owner cannot set for their nodes.

CapsuleConfiguration.spec.nodeMetadata.forbiddenAnnotations

Define the annotations that a Tenant Owner cannot set for their nodes.

denied ([]string, optional)
deniedRegex (string, optional)

CapsuleConfiguration.spec.nodeMetadata.forbiddenLabels

Define the labels that a Tenant Owner cannot set for their nodes.

denied ([]string, optional)
deniedRegex (string, optional)

CapsuleConfiguration.spec.overrides

Allows setting a name other than the canonical one for the Capsule configuration objects, such as the webhook Secret or the webhook configurations.

TLSSecretName (string, required)
    Defines the Secret name used for the webhook server.
    Must be in the same Namespace where the Capsule Deployment is deployed.
    Default: capsule-tls
mutatingWebhookConfigurationName (string, required)
    Deprecated: use dynamic admission instead.

    Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.

    Default: capsule-mutating-webhook-configuration
validatingWebhookConfigurationName (string, required)
    Deprecated: use dynamic admission instead.

    Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.

    Default: capsule-validating-webhook-configuration

CapsuleConfiguration.spec.users[index]

kind (enum, required)
    Kind of entity. Possible values are “User”, “Group”, and “ServiceAccount”
    Enum: User, Group, ServiceAccount
name (string, required)
    Name of the entity.

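The following manifest, added here as an illustration and not taken from the Capsule project, pulls the spec fields documented above into one CapsuleConfiguration. The webhook `name` field, the Secret `kube-apiserver-ca`, the ServiceAccount names and the `metadata.name` of `default` are assumptions; `capsule.clastix.io/tenant` is the label Capsule places on tenant namespaces. The webhook is scoped with a namespaceSelector, a CEL matchCondition and the Capsule-specific `opts`, and deliberately not with an objectSelector, because object labels are under the requester's control.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
  name: default                      # ASSUMED: the configuration object Capsule is started with
spec:
  cacheInvalidation: 24h
  enableTLSReconciler: true          # Capsule generates its own webhook CA and certificate
  users:
    - kind: Group
      name: projectcapsule.dev
  admission:
    validating:
      webhooks:
        # Only pods and services inside tenant namespaces reach this webhook,
        # and only when the requester is a Capsule User.
        - name: tenant-workloads.capsule.example   # ASSUMED field: the webhook name
          rules:
            - apiGroups: [""]
              apiVersions: ["v1"]
              operations: ["CREATE", "UPDATE"]
              resources: ["pods", "services"]
              scope: Namespaced
          namespaceSelector:
            matchExpressions:
              - key: capsule.clastix.io/tenant     # set by Capsule, not by tenant users
                operator: Exists
          # objectSelector is intentionally absent: whoever can write the object
          # can also write its labels, which would turn the webhook into opt-in.
          matchConditions:
            - name: skip-kube-system-controllers
              expression: "!request.userInfo.username.startsWith('system:serviceaccount:kube-system:')"
          opts:
            capsuleUsers: true
            administrators: false
          timeoutSeconds: 10
  impersonation:
    endpoint: https://kubernetes.default.svc
    caSecretNamespace: capsule-system
    caSecretName: kube-apiserver-ca           # ASSUMED: a Secret you create holding the API server CA
    caSecretKey: ca.crt
    skipTlsVerify: false                      # keep false; true removes endpoint authentication
    tenantDefaultServiceAccount: tenant-replicator        # ASSUMED ServiceAccount names
    globalDefaultServiceAccount: global-replicator
    globalDefaultServiceAccountNamespace: capsule-system
  nodeMetadata:
    forbiddenLabels:
      denied:                                 # ASSUMED: exact label keys
        - node-role.kubernetes.io/control-plane
      deniedRegex: "^node-restriction\\.kubernetes\\.io/"   # ASSUMED: matched against keys
    forbiddenAnnotations:
      deniedRegex: "^node\\.alpha\\.kubernetes\\.io/"
  overrides:
    TLSSecretName: capsule-tls
```

The namespaceSelector keys on a label only Capsule writes, so a tenant user cannot move a namespace out of scope, and the matchCondition reads `request.userInfo`, which the API server fills from authentication rather than from the request body. The page does not state whether the nodeMetadata regexes are matched against keys or key/value pairs, so treat the regex shapes above as an assumption; denying the `node-restriction.kubernetes.io/` prefix keeps tenant owners from forging the labels the NodeRestriction admission plugin reserves for trusted scheduling constraints.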
CapsuleConfiguration.status

CapsuleConfigurationStatus defines the Capsule configuration status.

conditions ([]object, optional)
    Conditions holds the reconciliation conditions for this CapsuleConfiguration.
    Includes a Ready condition indicating whether the configuration was
    successfully validated and applied.
observedGeneration (integer, optional)
    ObservedGeneration is the most recent generation the controller has observed.
    Format: int64
tenants ([]string, optional)
    Tenants is the sorted list of Tenant names currently present in the cluster.
    The total count is available via len(Tenants).
users ([]object, optional)
    Users which are considered Capsule Users and are bound to the Capsule Tenant construct.

CapsuleConfiguration.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

lastTransitionTime (string, required)
    lastTransitionTime is the last time the condition transitioned from one status to another.
    This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    Format: date-time
message (string, required)
    message is a human readable message indicating details about the transition.
    This may be an empty string.
reason (string, required)
    reason contains a programmatic identifier indicating the reason for the condition’s last transition.
    Producers of specific condition types may define expected values and meanings for this field,
    and whether the values are considered a guaranteed API.
    The value should be a CamelCase string.
    This field may not be empty.
status (enum, required)
    status of the condition, one of True, False, Unknown.
    Enum: True, False, Unknown
type (string, required)
    type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional)
    observedGeneration represents the .metadata.generation that the condition was set based upon.
    For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
    with respect to the current state of the instance.
    Format: int64
    Minimum: 0

CapsuleConfiguration.status.users[index]

kind (enum, required)
    Kind of entity. Possible values are “User”, “Group”, and “ServiceAccount”
    Enum: User, Group, ServiceAccount
name (string, required)
    Name of the entity.

CustomQuota

apiVersion (string, required)
    capsule.clastix.io/v1beta2
kind (string, required)
    CustomQuota
metadata (object, required)
    Refer to the Kubernetes API documentation for the fields of the metadata field.
spec (object, required)
    CustomQuotaSpec.
status (object, optional)
    CustomQuotaStatus defines the observed state of the quota.

CustomQuota.spec

CustomQuotaSpec.

limit (int or string, required)
    Resource Quantity used as the limit.
options (object, required)
    Additional Options for the CustomQuotaSpecification
    Default: map[emitMetricPerClaimUsage:false]
sources ([]object, required)
    Target resources whose usage is measured.
scopeSelectors ([]object, optional)
    Select the items governed by this quota.

CustomQuota.spec.options

Additional Options for the CustomQuotaSpecification

emitMetricPerClaimUsage (boolean, optional)
    Additionally expose usage metrics for each claim contributing to the quota.
    This is disabled by default to avoid high cardinality in the metrics, but can be enabled for more granular monitoring and alerting.
    Default: false

CustomQuota.spec.sources[index]

apiVersion (string, required)
    API version of the referent.
kind (string, required)
    Kind of the referent.
    More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
op (enum, optional)
    Operation used to evaluate usage.
    Enum: add, sub, count
    Default: add
path (string, optional)
    Path on the GVK where usage is evaluated.
    Must be empty when op is “count”.
    Required and non-empty for all other operations.
selectors ([]object, optional)
    Provide more granular selectors for this source.
    The ScopeSelector and NamespaceSelector are always applied first; these selectors
    further narrow the resulting subset.

CustomQuota.spec.sources[index].selectors[index]

fieldSelectors ([]string, optional)
    Additional boolean JSONPath expressions.
    All must evaluate to true for this selector to match.
matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

CustomQuota.spec.sources[index].selectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

CustomQuota.spec.scopeSelectors[index]

A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.

matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

CustomQuota.spec.scopeSelectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

CustomQuota.status

CustomQuotaStatus defines the observed state of the quota.

conditions ([]object, required)
    Conditions
targets ([]object, required)
    Targeted GVKs
claims ([]object, optional)
    Objects currently counted against this quota
observedGeneration (integer, optional)
    ObservedGeneration is the most recent generation the controller has observed.
    Format: int64
usage (object, optional)
    Usage measurements

CustomQuota.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

lastTransitionTime (string, required)
    lastTransitionTime is the last time the condition transitioned from one status to another.
    This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    Format: date-time
message (string, required)
    message is a human readable message indicating details about the transition.
    This may be an empty string.
reason (string, required)
    reason contains a programmatic identifier indicating the reason for the condition’s last transition.
    Producers of specific condition types may define expected values and meanings for this field,
    and whether the values are considered a guaranteed API.
    The value should be a CamelCase string.
    This field may not be empty.
status (enum, required)
    status of the condition, one of True, False, Unknown.
    Enum: True, False, Unknown
type (string, required)
    type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional)
    observedGeneration represents the .metadata.generation that the condition was set based upon.
    For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
    with respect to the current state of the instance.
    Format: int64
    Minimum: 0

CustomQuota.status.targets[index]

group (string, required)
kind (string, required)
version (string, required)
op (enum, optional)
    Operation used to evaluate usage.
    Enum: add, sub, count
    Default: add
path (string, optional)
    Path on the GVK where usage is evaluated.
    Must be empty when op is “count”.
    Required and non-empty for all other operations.
scope (string, optional)
    Scope of the targeted GVK.
selectors ([]object, optional)
    Provide more granular selectors for this source.
    The ScopeSelector and NamespaceSelector are always applied first; these selectors
    further narrow the resulting subset.

CustomQuota.status.targets[index].selectors[index]

fieldSelectors ([]string, optional)
    Additional boolean JSONPath expressions.
    All must evaluate to true for this selector to match.
matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

CustomQuota.status.targets[index].selectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

CustomQuota.status.claims[index]

group (string, required)
kind (string, required)
name (string, required)
    Name of the referent.
uid (string, required)
    UID of the tracked object, used to pinpoint it: a name can be reused after deletion, a UID cannot.
usage (int or string, required)
    Resource Quantity for the given item.
version (string, required)
namespace (string, optional)
    Namespace of the referent; when not specified it acts as a LocalObjectReference.

CustomQuota.status.usage

Usage measurements

available (int or string, optional)
    Available is the current observed total available amount of the resource (limit - used).
used (int or string, optional)
    Used is the current observed total usage of the resource.

GlobalCustomQuota

apiVersion (string, required)
    capsule.clastix.io/v1beta2
kind (string, required)
    GlobalCustomQuota
metadata (object, required)
    Refer to the Kubernetes API documentation for the fields of the metadata field.
spec (object, required)
    ClusterCustomQuotaSpec.
status (object, optional)
    CustomQuotaStatus defines the observed state of the quota.

GlobalCustomQuota.spec

ClusterCustomQuotaSpec.

limit (int or string, required)
    Resource Quantity used as the limit.
options (object, required)
    Additional Options for the CustomQuotaSpecification
    Default: map[emitMetricPerClaimUsage:false]
sources ([]object, required)
    Target resources whose usage is measured.
namespaceSelectors ([]object, optional)
    Select the specific namespaces in which this Quota selects items.
scopeSelectors ([]object, optional)
    Select the items governed by this quota.

GlobalCustomQuota.spec.options

Additional Options for the CustomQuotaSpecification

emitMetricPerClaimUsage (boolean, optional)
    Additionally expose usage metrics for each claim contributing to the quota.
    This is disabled by default to avoid high cardinality in the metrics, but can be enabled for more granular monitoring and alerting.
    Default: false

GlobalCustomQuota.spec.sources[index]

apiVersion (string, required)
    API version of the referent.
kind (string, required)
    Kind of the referent.
    More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
op (enum, optional)
    Operation used to evaluate usage.
    Enum: add, sub, count
    Default: add
path (string, optional)
    Path on the GVK where usage is evaluated.
    Must be empty when op is “count”.
    Required and non-empty for all other operations.
selectors ([]object, optional)
    Provide more granular selectors for this source.
    The ScopeSelector and NamespaceSelector are always applied first; these selectors
    further narrow the resulting subset.

GlobalCustomQuota.spec.sources[index].selectors[index]

fieldSelectors ([]string, optional)
    Additional boolean JSONPath expressions.
    All must evaluate to true for this selector to match.
matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

GlobalCustomQuota.spec.sources[index].selectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

GlobalCustomQuota.spec.namespaceSelectors[index]

Label selector over Namespaces: only objects living in a matching Namespace are counted by this quota.

matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

GlobalCustomQuota.spec.namespaceSelectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

GlobalCustomQuota.spec.scopeSelectors[index]

A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.

matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

GlobalCustomQuota.spec.scopeSelectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

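Two quota objects, added here as an illustration and not taken from the Capsule project, showing the `add` and `count` operations from the CustomQuota and GlobalCustomQuota specs above. The namespace `acme-prod`, the tenant name `acme` and the JSONPath-style form of `path` are assumptions; `capsule.clastix.io/tenant` is the label Capsule places on tenant namespaces.

```yaml
# Namespaced quota: the storage requested by all PersistentVolumeClaims in
# one tenant namespace may not exceed 500Gi in total.
apiVersion: capsule.clastix.io/v1beta2
kind: CustomQuota
metadata:
  name: pvc-storage
  namespace: acme-prod              # constructed example namespace
spec:
  limit: 500Gi
  options:
    emitMetricPerClaimUsage: false  # keeps metric cardinality bounded; enable only while debugging
  sources:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      op: add                       # sum the Quantity found at path across all matching PVCs
      path: .spec.resources.requests.storage   # ASSUMED path syntax (JSONPath-style)
---
# Cluster-wide quota: at most 5 Services across every namespace of tenant
# "acme", with the namespaces found through the label Capsule sets on them.
apiVersion: capsule.clastix.io/v1beta2
kind: GlobalCustomQuota
metadata:
  name: acme-services
spec:
  limit: 5
  namespaceSelectors:
    - matchLabels:
        capsule.clastix.io/tenant: acme
  sources:
    - apiVersion: v1
      kind: Service
      op: count                     # count objects; path must stay empty for count
```

Two points worth keeping in mind when scoping such quotas. The namespace selector keys on a label written by Capsule, so tenant users cannot opt a namespace out, whereas `scopeSelectors` and the per-source `selectors` match labels on the counted objects themselves, which the same users can set; use those to narrow what is counted, never to carve out exemptions. For `add`, the `limit` and the values at `path` must be comparable Quantities (storage sizes here), and `sub` lets a second source be subtracted from the same total.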
GlobalCustomQuota.status

CustomQuotaStatus defines the observed state of the quota.

conditions ([]object, required)
    Conditions
targets ([]object, required)
    Targeted GVKs
claims ([]object, optional)
    Objects currently counted against this quota
namespaces ([]string, optional)
    Observed Namespaces
observedGeneration (integer, optional)
    ObservedGeneration is the most recent generation the controller has observed.
    Format: int64
usage (object, optional)
    Usage measurements

GlobalCustomQuota.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

lastTransitionTime (string, required)
    lastTransitionTime is the last time the condition transitioned from one status to another.
    This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    Format: date-time
message (string, required)
    message is a human readable message indicating details about the transition.
    This may be an empty string.
reason (string, required)
    reason contains a programmatic identifier indicating the reason for the condition’s last transition.
    Producers of specific condition types may define expected values and meanings for this field,
    and whether the values are considered a guaranteed API.
    The value should be a CamelCase string.
    This field may not be empty.
status (enum, required)
    status of the condition, one of True, False, Unknown.
    Enum: True, False, Unknown
type (string, required)
    type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional)
    observedGeneration represents the .metadata.generation that the condition was set based upon.
    For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
    with respect to the current state of the instance.
    Format: int64
    Minimum: 0

GlobalCustomQuota.status.targets[index]

group (string, required)
kind (string, required)
version (string, required)
op (enum, optional)
    Operation used to evaluate usage.
    Enum: add, sub, count
    Default: add
path (string, optional)
    Path on the GVK where usage is evaluated.
    Must be empty when op is “count”.
    Required and non-empty for all other operations.
scope (string, optional)
    Scope of the targeted GVK.
selectors ([]object, optional)
    Provide more granular selectors for this source.
    The ScopeSelector and NamespaceSelector are always applied first; these selectors
    further narrow the resulting subset.

GlobalCustomQuota.status.targets[index].selectors[index]

fieldSelectors ([]string, optional)
    Additional boolean JSONPath expressions.
    All must evaluate to true for this selector to match.
matchExpressions ([]object, optional)
    matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional)
    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    map is equivalent to an element of matchExpressions, whose key field is “key”, the
    operator is “In”, and the values array contains only “value”. The requirements are ANDed.

GlobalCustomQuota.status.targets[index].selectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required)
    key is the label key that the selector applies to.
operator (string, required)
    operator represents a key’s relationship to a set of values.
    Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional)
    values is an array of string values. If the operator is In or NotIn,
    the values array must be non-empty. If the operator is Exists or DoesNotExist,
    the values array must be empty. This array is replaced during a strategic
    merge patch.

GlobalCustomQuota.status.claims[index]

group (string, required)
kind (string, required)
name (string, required)
    Name of the referent.
uid (string, required)
    UID of the tracked object, used to pinpoint it: a name can be reused after deletion, a UID cannot.
usage (int or string, required)
    Resource Quantity for the given item.
version (string, required)
namespace (string, optional)
    Namespace of the referent; when not specified it acts as a LocalObjectReference.

GlobalCustomQuota.status.usage

Usage measurements

available (int or string, optional)
    Available is the current observed total available amount of the resource (limit - used).
used (int or string, optional)
    Used is the current observed total usage of the resource.

GlobalTenantResource

GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.

apiVersion (string, required)
    capsule.clastix.io/v1beta2
kind (string, required)
    GlobalTenantResource
metadata (object, required)
    Refer to the Kubernetes API documentation for the fields of the metadata field.
spec (object, required)
    GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
status (object, optional)
    GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.

GlobalTenantResource.spec

GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.

resources ([]object, required): Defines the rules to select the target Namespaces, along with the objects that must be replicated.
resyncPeriod (string, required): Define the period of time after which a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation. Default: 60s
settings (object, required): Provide additional settings. Default: map[]
cordoned (boolean, optional): When cordoning a replication it will no longer execute any applies or deletions (paused). This is useful for maintenance. Default: false
dependsOn ([]object, optional): DependsOn may contain a meta.NamespacedObjectReference slice with references to TenantResource resources that must be ready before this TenantResource can be reconciled.
pruningOnDelete (boolean, optional): When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources despite the deletion of the replication manifest. Default: true
scope (enum, optional): Resource Scope. Can either be:
- Tenant: Create Resources for each tenant in the selected Tenants
- Namespace: Create Resources for each namespace in the selected Tenants
Enum: Namespace, Tenant, None. Default: Namespace
serviceAccount (object, optional): Local ServiceAccount which will perform all the actions defined in the TenantResource. You must provide permissions accordingly to that ServiceAccount.
tenantSelector (object, optional): Defines the Tenant selector used to target the tenants on which resources must be propagated.
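A constructed GlobalTenantResource manifest, added here as an example (it is not from the Capsule project's own docs), showing how the spec fields above fit together: tenants are selected by label, every apply runs through a dedicated ServiceAccount that must be granted only the permissions the replicated objects need, and a default-deny ingress NetworkPolicy is replicated into each namespace of the selected tenants. The `team` label, the ServiceAccount name and namespace, and the policy contents are assumptions.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: GlobalTenantResource
metadata:
  name: default-deny-ingress
spec:
  # Only tenants carrying this (assumed) label receive the replicated objects.
  tenantSelector:
    matchLabels:
      team: payments
  # Reconcile again every 5 minutes even if nothing changed (field default: 60s).
  resyncPeriod: 5m
  # Delete everything replicated so far when this manifest goes away (default: true).
  pruningOnDelete: true
  # One object per namespace of each selected tenant (default: Namespace).
  scope: Namespace
  # Identity impersonated for every apply/delete. Assumed name; grant it only
  # create/update/delete on networkpolicies rather than cluster-admin.
  serviceAccount:
    name: gtr-netpol-replicator
    namespace: capsule-system
  settings:
    # Do not seize fields owned by other server-side-apply managers (default: false).
    force: false
  resources:
    # No namespaceSelector: all namespaces of the selected tenants are targeted,
    # so a tenant owner cannot opt a namespace out by relabelling it.
    - additionalMetadata:
        labels:
          replicated-by: default-deny-ingress
      rawItems:
        - apiVersion: networking.k8s.io/v1
          kind: NetworkPolicy
          metadata:
            name: default-deny-ingress
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
```

Once applied, status.selectedTenants lists the tenants that matched and status.processedItems records one entry per namespace into which the policy was replicated.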

GlobalTenantResource.spec.resources[index]

additionalMetadata (object, optional): Besides the Capsule metadata required by the TenantResource controller, defines additional metadata that must be added to the replicated resources.
context (object, optional): Provide additional template context, which can be used throughout all the declared items for the replication.
generators ([]object, optional): Templates for advanced use cases.
namespaceSelector (object, optional): Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
namespacedItems ([]object, optional): List of the resources already existing in other Namespaces that must be replicated.
rawItems ([]object, optional): List of raw resources that must be replicated.

GlobalTenantResource.spec.resources[index].additionalMetadata

Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.

annotations (map[string]string, optional)
labels (map[string]string, optional)

GlobalTenantResource.spec.resources[index].context

Provide additional template context, which can be used throughout all the declared items for the replication

resources ([]object, optional)

GlobalTenantResource.spec.resources[index].context.resources[index]

apiVersion (string, required): API version of the referent.
kind (string, required): Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
index (string, optional): Index under which to mount the resource in the template context.
name (string, optional): Name of the values referent. This is useful when you are trying to get a specific resource.
namespace (string, optional): Namespace of the values referent.
optional (boolean, optional): Only relevant if name is set. If an item is not optional, an error is thrown when it does not exist. Default: true
selector (object, optional): Selector which allows to get any amount of these resources based on labels.

GlobalTenantResource.spec.resources[index].context.resources[index].selector

Selector which allows to get any amount of these resources based on labels

matchExpressions ([]object, optional): matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional): matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

GlobalTenantResource.spec.resources[index].context.resources[index].selector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required): key is the label key that the selector applies to.
operator (string, required): operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional): values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

GlobalTenantResource.spec.resources[index].generators[index]

missingKey (enum, optional): Missing Key Option for templating. Enum: invalid, zero, error. Default: zero
template (string, optional): Template contains any amount of YAML which is applied to Kubernetes. This can be a single resource or multiple resources.

GlobalTenantResource.spec.resources[index].namespaceSelector

Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.

matchExpressions ([]object, optional): matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional): matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

GlobalTenantResource.spec.resources[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required): key is the label key that the selector applies to.
operator (string, required): operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional): values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

GlobalTenantResource.spec.resources[index].namespacedItems[index]

Reference

apiVersion (string, required): API version of the referent.
kind (string, required): Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
name (string, optional): Name of the values referent. This is useful when you are trying to get a specific resource.
namespace (string, optional): Namespace of the values referent.
optional (boolean, optional): Only relevant if name is set. If an item is not optional, an error is thrown when it does not exist. Default: true
selector (object, optional): Selector which allows to get any amount of these resources based on labels.

GlobalTenantResource.spec.resources[index].namespacedItems[index].selector

Selector which allows to get any amount of these resources based on labels

matchExpressions ([]object, optional): matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional): matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

GlobalTenantResource.spec.resources[index].namespacedItems[index].selector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required): key is the label key that the selector applies to.
operator (string, required): operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional): values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

GlobalTenantResource.spec.settings

Provide additional settings

adopt (boolean, optional): Enabling this allows TenantResources to interact with objects which were not created by a TenantResource. In this case, on prune, the entire object is not deleted. Default: false
force (boolean, optional): Force indicates that in case of conflicts with server-side apply, the client should acquire ownership of the conflicting field. You may create collisions with this. Default: false

GlobalTenantResource.spec.dependsOn[index]

LocalObjectReference contains enough information to locate the referenced Kubernetes resource object.

name (string, required): Name of the referent.

GlobalTenantResource.spec.serviceAccount

Local ServiceAccount which will perform all the actions defined in the TenantResource. You must provide permissions accordingly to that ServiceAccount.

name (string, required): Name of the referent.
namespace (string, required): Namespace of the referent.

GlobalTenantResource.spec.tenantSelector

Defines the Tenant selector used to target the tenants on which resources must be propagated.

matchExpressions ([]object, optional): matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional): matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

GlobalTenantResource.spec.tenantSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required): key is the label key that the selector applies to.
operator (string, required): operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional): values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

GlobalTenantResource.status

GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.

size (integer, required): How many items are being replicated by the TenantResource.
conditions ([]object, optional): Condition of the GlobalTenantResource.
observedGeneration (integer, optional): ObservedGeneration is the most recent generation the controller has observed. Format: int64
processedItems ([]object, optional): List of the replicated resources for the given TenantResource.
selectedTenants ([]string, optional): List of Tenants addressed by the GlobalTenantResource.
serviceAccount (object, optional): ServiceAccount used for impersonation.

GlobalTenantResource.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

lastTransitionTime (string, required): lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time
message (string, required): message is a human readable message indicating details about the transition. This may be an empty string.
reason (string, required): reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status (enum, required): status of the condition, one of True, False, Unknown. Enum: True, False, Unknown
type (string, required): type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional): observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0

GlobalTenantResource.status.processedItems[index]

Advanced status item for pinpointing items in tenants/namespaces.

group (string, optional)
kind (string, optional)
name (string, optional)
namespace (string, optional)
origin (string, optional)
status (object, optional)
tenant (string, optional)
version (string, optional)

GlobalTenantResource.status.processedItems[index].status

status (enum, required): status of the condition, one of True, False, Unknown. Enum: True, False, Unknown
type (string, required): type of condition in CamelCase or in foo.example.com/CamelCase.
created (boolean, optional): Indicates whether the resource was created or adopted.
lastApply (string, optional): An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and pass them unmodified back to the server. They may only be valid for a particular resource or set of resources. Populated by the system. Read-only. Value must be treated as opaque by clients. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency Format: date-time
message (string, optional): message is a human readable message indicating details about the transition. This may be an empty string.

GlobalTenantResource.status.serviceAccount

ServiceAccount used for impersonation.

name (string, required): Name of the referent.
namespace (string, required): Namespace of the referent.

QuantityLedger

apiVersion (string, required): capsule.clastix.io/v1beta2
kind (string, required): QuantityLedger
metadata (object, required): Refer to the Kubernetes API documentation for the fields of the metadata field.
spec (object, optional): QuotaLedgerSpec contains the immutable target reference.
status (object, optional): QuantityLedgerStatus contains the mutable coordination state used by admission and quota controllers.

QuantityLedger.spec

QuotaLedgerSpec contains the immutable target reference.

targetRef (object, required): TargetRef points to the quota object that this ledger belongs to.

QuantityLedger.spec.targetRef

TargetRef points to the quota object that this ledger belongs to.

kind (string, required): Kind of the target quota resource, for example "CustomQuota" or "GlobalCustomQuota".
name (string, required): Name of the target quota resource.
apiGroup (string, optional): APIGroup of the target quota resource, for example "capsule.clastix.io".
namespace (string, optional): Namespace of the target quota resource. Must be empty for cluster-scoped targets.
uid (string, optional): UID of the target quota resource. Optional, but useful for stale reference detection.

QuantityLedger.status

QuantityLedgerStatus contains the mutable coordination state used by admission and quota controllers.

allocated (int or string, optional): Allocated is the admission-owned total that has been accepted by the webhook. It must be updated only through optimistic concurrency on QuantityLedger.
conditions ([]object, optional): Conditions for the resource claim.
pendingDeletes ([]object, optional): Pending delete hints carried over from admission delete handling.
reservations ([]object, optional): Active inflight reservations for this quota.
reserved (int or string, optional): Reserved is the aggregate sum of all active reservations. Controllers/webhooks should treat this as derived data from Reservations.

QuantityLedger.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

lastTransitionTime (string, required): lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time
message (string, required): message is a human readable message indicating details about the transition. This may be an empty string.
reason (string, required): reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status (enum, required): status of the condition, one of True, False, Unknown. Enum: True, False, Unknown
type (string, required): type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional): observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0

QuantityLedger.status.pendingDeletes[index]

QuantityLedgerPendingDelete tracks objects that are expected to disappear from claims soon, but may still temporarily appear during rebuild due to propagation delay.

createdAt (string, required): Format: date-time
objectRef (object, required): QuotaLedgerObjectRef identifies the object for which a reservation exists. UID may be empty for CREATE admission before the object is persisted.

QuantityLedger.status.pendingDeletes[index].objectRef

QuotaLedgerObjectRef identifies the object for which a reservation exists. UID may be empty for CREATE admission before the object is persisted.

apiVersion (string, required): APIVersion of the tracked object, for example "v1".
kind (string, required): Kind of the tracked object, for example "Pod".
apiGroup (string, optional): APIGroup of the tracked object.
name (string, optional): Name of the tracked object.
namespace (string, optional): Namespace of the tracked object.
uid (string, optional): UID of the tracked object.

QuantityLedger.status.reservations[index]

QuantityLedgerReservation represents one active inflight reservation. ID should be stable for retries of the same admission request. In practice, admission.Request.UID is a good default.

createdAt (string, required): Time the reservation was first created. Format: date-time
id (string, required): Unique reservation identifier.
objectRef (object, required): Object that this reservation is intended to create/update.
updatedAt (string, required): Time the reservation was last refreshed or updated. Format: date-time
usage (int or string, required): Amount reserved for this request.
expiresAt (string, optional): Time after which the reservation may be considered stale. Format: date-time

QuantityLedger.status.reservations[index].objectRef

Object that this reservation is intended to create/update.

apiVersion (string, required): APIVersion of the tracked object, for example "v1".
kind (string, required): Kind of the tracked object, for example "Pod".
apiGroup (string, optional): APIGroup of the tracked object.
name (string, optional): Name of the tracked object.
namespace (string, optional): Namespace of the tracked object.
uid (string, optional): UID of the tracked object.

ResourcePoolClaim

ResourcePoolClaim is the Schema for the resourcepoolclaims API.

apiVersion (string, required): capsule.clastix.io/v1beta2
kind (string, required): ResourcePoolClaim
metadata (object, required): Refer to the Kubernetes API documentation for the fields of the metadata field.
spec (object, required)
status (object, optional): ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.

ResourcePoolClaim.spec

claim (map[string]int or string, required): Amount which should be claimed for the ResourceQuota.
pool (string, required): If there is the possibility to claim from multiple global quotas, you must be specific about which one you want to claim resources from. Once bound to a ResourcePool, this field is immutable.

ResourcePoolClaim.status

ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.

conditions ([]object, required): Conditions for the resource claim.
allocation (object, optional): Tracks the usage claimed by this claim and the available resources.
condition (object, optional): Deprecated: Use Conditions.
observedGeneration (integer, optional): ObservedGeneration is the most recent generation the controller has observed. Format: int64
pool (object, optional): Reference to the GlobalQuota being claimed from.

ResourcePoolClaim.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

lastTransitionTime (string, required): lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time
message (string, required): message is a human readable message indicating details about the transition. This may be an empty string.
reason (string, required): reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status (enum, required): status of the condition, one of True, False, Unknown. Enum: True, False, Unknown
type (string, required): type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional): observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0

ResourcePoolClaim.status.allocation

Tracks the usage claimed by this claim and the available resources.

available (map[string]int or string, optional): Used to track the usage of the resource in the pool (difference hard - claimed). May be used for further automation.
hard (map[string]int or string, optional): Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
used (map[string]int or string, optional): Used is the current observed total usage of the resource in the namespace.

ResourcePoolClaim.status.condition

Deprecated: Use Conditions

lastTransitionTime (string, required): lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time
message (string, required): message is a human readable message indicating details about the transition. This may be an empty string.
reason (string, required): reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status (enum, required): status of the condition, one of True, False, Unknown. Enum: True, False, Unknown
type (string, required): type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional): observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0

ResourcePoolClaim.status.pool

Reference to the GlobalQuota being claimed from

name (string, required): Name of the referent.
uid (string, required): UID of the tracked Tenant, used to pinpoint tracking.

ResourcePool

ResourcePools allow you to define a set of resources as known from ResourceQuotas. ResourcePools are defined at cluster scope and should be administered by cluster administrators. They create an interface where cluster administrators define from which namespaces resources from a ResourcePool can be claimed. The claiming is done via a namespaced CRD called ResourcePoolClaim. It is then up to the group of users within these namespaces to manage the resources they consume per namespace. Each ResourcePool provisions a ResourceQuota into all the selected namespaces. The ResourcePoolClaims, once they can be assigned to the ResourcePool, stack resources on top of that ResourceQuota in the namespace where the ResourcePoolClaim was made.
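A constructed pair of manifests, added here as an example (not from the Capsule project's own docs), showing the split of responsibility described above: a cluster-scoped ResourcePool that an administrator owns, and a namespaced ResourcePoolClaim that a tenant makes against it. The `team` label, the pool and claim names, the namespace and the quantities are assumptions.

```yaml
# Cluster-scoped pool, created by a cluster administrator.
apiVersion: capsule.clastix.io/v1beta2
kind: ResourcePool
metadata:
  name: payments-pool
spec:
  # Namespaces allowed to claim from this pool, selected by an assumed label.
  selectors:
    - matchLabels:
        team: payments
  # Total budget shared by every claim bound to this pool.
  quota:
    hard:
      requests.cpu: "8"
      requests.memory: 16Gi
      pods: "40"
  # Baseline written into each selected namespace's ResourceQuota; it is not
  # counted against the pool total. Zero means nothing schedules until a claim
  # is bound, so an unclaimed namespace cannot consume the shared budget
  # (config.defaultsZero: true has the same effect without listing resources).
  defaults:
    requests.cpu: "0"
    requests.memory: "0"
    pods: "0"
  config:
    # Serve claims strictly by creationTimestamp: a queued claim that does not
    # fit also blocks later, smaller claims from overtaking it (default: false).
    orderedQueue: true
    # Keep bound claims if this pool is deleted (default: false).
    deleteBoundResources: false
---
# Namespaced claim, created by the tenant from one of the selected namespaces.
apiVersion: capsule.clastix.io/v1beta2
kind: ResourcePoolClaim
metadata:
  name: api-workers
  namespace: payments-prod
spec:
  # Names the pool explicitly; immutable once the claim is bound.
  pool: payments-pool
  claim:
    requests.cpu: "2"
    requests.memory: 4Gi
    pods: "10"
```

Once the claim is bound, the ResourceQuota that Capsule provisions in payments-prod carries the defaults plus the claimed amounts, and the pool's status.allocation.available drops by the same amounts (hard minus claimed).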

apiVersion (string, required): capsule.clastix.io/v1beta2
kind (string, required): ResourcePool
metadata (object, required): Refer to the Kubernetes API documentation for the fields of the metadata field.
spec (object, required): ResourcePoolSpec.
status (object, optional): GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.

ResourcePool.spec

ResourcePoolSpec.

quota (object, required): Define the ResourceQuota served by this ResourcePool.
config (object, optional): Additional Configuration. Default: map[]
defaults (map[string]int or string, optional): The defaults given for each namespace; the default is not counted towards the total allocation. When you use claims it is recommended to provision defaults, as they prevent the scheduling of any resources.
selectors ([]object, optional): Selector to match the namespaces that should be managed by the GlobalResourceQuota.

ResourcePool.spec.quota

Define the resourcequota served by this resourcepool.

hard (map[string]int or string, optional): hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
scopeSelector (object, optional): scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
scopes ([]string, optional): A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.

ResourcePool.spec.quota.scopeSelector

scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.

matchExpressions ([]object, optional): A list of scope selector requirements by scope of the resources.

ResourcePool.spec.quota.scopeSelector.matchExpressions[index]

A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.

operator (string, required): Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.
scopeName (string, required): The name of the scope that the selector applies to.
values ([]string, optional): An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

ResourcePool.spec.config

Additional Configuration

defaultsZero (boolean, optional): With this option all resources which can be allocated are set to 0 for the ResourceQuota defaults. Default: false
deleteBoundResources (boolean, optional): When a ResourcePool is deleted, the ResourcePoolClaims bound to it are disassociated from the pool but not deleted. By enabling this option, the claims will be deleted when the pool is deleted, if they are in bound state. Default: false
orderedQueue (boolean, optional): Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order of their creation date. Regardless of creation time, however, if a claim requests too many resources it is put into the queue, while a lower-priority claim that still fits into the available resources will be able to claim them, even though its priority was lower. Enabling this option respects the order: the creationTimestamp matters, and once a claim is put into the queue no claim with lower priority can claim the same resources. Default: false

ResourcePool.spec.selectors[index]

Selector for resources and their labels or selecting origin namespaces

matchExpressions ([]object, optional): matchExpressions is a list of label selector requirements. The requirements are ANDed.
matchLabels (map[string]string, optional): matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

ResourcePool.spec.selectors[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key (string, required): key is the label key that the selector applies to.
operator (string, required): operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values ([]string, optional): values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

ResourcePool.status

GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.

conditions ([]object, required): Conditions for the resource claim.
allocation (object, optional): Tracks the usage claimed against what has been granted from the pool.
claimCount (integer, optional): Amount of claims. Default: 0
claims (map[string][]object, optional): Tracks the quotas for the resource.
exhaustions (map[string]object, optional): Exhaustions from claims associated with the pool.
namespaceCount (integer, optional): How many namespaces are considered. Default: 0
namespaces ([]string, optional): Namespaces which are considered for claims.
observedGeneration (integer, optional): ObservedGeneration is the most recent generation the controller has observed. Format: int64

ResourcePool.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

lastTransitionTime (string, required): lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time
message (string, required): message is a human readable message indicating details about the transition. This may be an empty string.
reason (string, required): reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status (enum, required): status of the condition, one of True, False, Unknown. Enum: True, False, Unknown
type (string, required): type of condition in CamelCase or in foo.example.com/CamelCase.
observedGeneration (integer, optional): observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0

ResourcePool.status.allocation

Tracks the usage claimed against what has been granted from the pool

| Name | Type | Description | Required |
|---|---|---|---|
| available | map[string]int or string | Used to track the usage of the resource in the pool (diff hard - claimed). May be used for further automation | false |
| hard | map[string]int or string | Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | false |
| used | map[string]int or string | Used is the current observed total usage of the resource in the namespace. | false |

ResourcePool.status.claims[key][index]

ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referent. | true |
| namespace | string | Namespace of the referent. | true |
| uid | string | UID of the tracked Tenant, used to pinpoint tracking | true |
| claims | map[string]int or string | Claimed resources | false |

ResourcePool.status.exhaustions[key]

| Name | Type | Description | Required |
|---|---|---|---|
| available | int or string | Available Resources to be claimed | false |
| requesting | int or string | Requesting Resources | false |

RuleStatus

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | capsule.clastix.io/v1beta2 | true |
| kind | string | RuleStatus | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | []object |  | false |
| status | object | RuleStatus contains the accumulated rules applying to the namespace it’s deployed in. | false |

RuleStatus.spec[index]

For future implementation where users might manage RuleStatus CRs themselves

| Name | Type | Description | Required |
|---|---|---|---|
| enforce | object | Enforcement for given rule | false |

RuleStatus.spec[index].enforce

Enforcement for given rule

| Name | Type | Description | Required |
|---|---|---|---|
| action | enum | Declare the action being performed on the enforcement rule: deny: On match, deny admission request; allow: On match, allow admission request; audit: On match, audit (post event) of admission request. Enum: allow, deny, audit. Default: deny | false |
| workloads | object | Enforcement for Workloads (Pods) | false |

RuleStatus.spec[index].enforce.workloads

Enforcement for Workloads (Pods)

| Name | Type | Description | Required |
|---|---|---|---|
| qosClasses | []string | Define Pod QoS classes matched by this enforcement rule. Supported values are Guaranteed, Burstable and BestEffort. | false |
| registries | []object | Define registries which are allowed to be used within this tenant. The rules are aggregated, since you can use Regular Expressions to match registry endpoints. | false |
| targets | []enum | Define the enforcement targets this rule applies to. If empty, each webhook applies its own backwards-compatible default. Enum: pod/initcontainers, pod/ephemeralcontainers, pod/containers, pod/volumes | false |

RuleStatus.spec[index].enforce.workloads.registries[index]

| Name | Type | Description | Required |
|---|---|---|---|
| exp | string | Expression used to evaluate regex | false |
| negate | boolean | Negate the regular expression. Default: false | false |
| policy | []string | Allowed PullPolicy for the given registry. Supplying no value allows all policies. | false |

RuleStatus.status

RuleStatus contains the accumulated rules applying to the namespace it’s deployed in.

| Name | Type | Description | Required |
|---|---|---|---|
| conditions | []object | Conditions | true |
| observedGeneration | integer | ObservedGeneration is the most recent generation the controller has observed. Format: int64 | false |
| rule | object | Deprecated: use Rules. Rule contains a legacy flattened view and cannot fully represent action-aware rules. | false |
| rules | []object | Rules contains the effective namespace rules after tenant rule selection. Order is preserved from the originating Tenant rules. | false |

RuleStatus.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

| Name | Type | Description | Required |
|---|---|---|---|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false |

RuleStatus.status.rule

Deprecated: use Rules. Rule contains a legacy flattened view and cannot fully represent action-aware rules.

| Name | Type | Description | Required |
|---|---|---|---|
| enforce | object | Enforcement for given rule | false |

RuleStatus.status.rule.enforce

Enforcement for given rule

| Name | Type | Description | Required |
|---|---|---|---|
| action | enum | Declare the action being performed on the enforcement rule: deny: On match, deny admission request; allow: On match, allow admission request; audit: On match, audit (post event) of admission request. Enum: allow, deny, audit. Default: deny | false |
| workloads | object | Enforcement for Workloads (Pods) | false |

RuleStatus.status.rule.enforce.workloads

Enforcement for Workloads (Pods)

| Name | Type | Description | Required |
|---|---|---|---|
| qosClasses | []string | Define Pod QoS classes matched by this enforcement rule. Supported values are Guaranteed, Burstable and BestEffort. | false |
| registries | []object | Define registries which are allowed to be used within this tenant. The rules are aggregated, since you can use Regular Expressions to match registry endpoints. | false |
| targets | []enum | Define the enforcement targets this rule applies to. If empty, each webhook applies its own backwards-compatible default. Enum: pod/initcontainers, pod/ephemeralcontainers, pod/containers, pod/volumes | false |

RuleStatus.status.rule.enforce.workloads.registries[index]

| Name | Type | Description | Required |
|---|---|---|---|
| exp | string | Expression used to evaluate regex | false |
| negate | boolean | Negate the regular expression. Default: false | false |
| policy | []string | Allowed PullPolicy for the given registry. Supplying no value allows all policies. | false |

RuleStatus.status.rules[index]

For future implementation where users might manage RuleStatus CRs themselves

| Name | Type | Description | Required |
|---|---|---|---|
| enforce | object | Enforcement for given rule | false |

RuleStatus.status.rules[index].enforce

Enforcement for given rule

| Name | Type | Description | Required |
|---|---|---|---|
| action | enum | Declare the action being performed on the enforcement rule: deny: On match, deny admission request; allow: On match, allow admission request; audit: On match, audit (post event) of admission request. Enum: allow, deny, audit. Default: deny | false |
| workloads | object | Enforcement for Workloads (Pods) | false |

RuleStatus.status.rules[index].enforce.workloads

Enforcement for Workloads (Pods)

| Name | Type | Description | Required |
|---|---|---|---|
| qosClasses | []string | Define Pod QoS classes matched by this enforcement rule. Supported values are Guaranteed, Burstable and BestEffort. | false |
| registries | []object | Define registries which are allowed to be used within this tenant. The rules are aggregated, since you can use Regular Expressions to match registry endpoints. | false |
| targets | []enum | Define the enforcement targets this rule applies to. If empty, each webhook applies its own backwards-compatible default. Enum: pod/initcontainers, pod/ephemeralcontainers, pod/containers, pod/volumes | false |

RuleStatus.status.rules[index].enforce.workloads.registries[index]

| Name | Type | Description | Required |
|---|---|---|---|
| exp | string | Expression used to evaluate regex | false |
| negate | boolean | Negate the regular expression. Default: false | false |
| policy | []string | Allowed PullPolicy for the given registry. Supplying no value allows all policies. | false |

TenantOwner

TenantOwner is the Schema for the tenantowners API.

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | capsule.clastix.io/v1beta2 | true |
| kind | string | TenantOwner | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | spec defines the desired state of TenantOwner. | true |
| status | object | status defines the observed state of TenantOwner. | false |

TenantOwner.spec

spec defines the desired state of TenantOwner.

| Name | Type | Description | Required |
|---|---|---|---|
| aggregate | boolean | Adds the given subject as capsule user. When enabled this subject does not have to be mentioned in the CapsuleConfiguration as Capsule User. In almost all scenarios Tenant Owners must be Capsule Users. Default: true | true |
| kind | enum | Kind of entity. Possible values are “User”, “Group”, and “ServiceAccount”. Enum: User, Group, ServiceAccount | true |
| name | string | Name of the entity. | true |
| clusterRoles | []string | Defines additional cluster-roles for the specific Owner. Default: [admin capsule-namespace-deleter] | false |

TenantOwner.status

status defines the observed state of TenantOwner.

| Name | Type | Description | Required |
|---|---|---|---|
| conditions | []object | Conditions contains the reconciliation conditions for this TenantOwner. | false |
| observedGeneration | integer | ObservedGeneration is the most recent generation the controller has observed. Format: int64 | false |
| tenants | []string | Tenants lists the names of all Tenants that this TenantOwner is currently matched to via the Tenant’s spec.permissions.matchOwners selectors. | false |

TenantOwner.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

| Name | Type | Description | Required |
|---|---|---|---|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false |

TenantResource

TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace. The object must be deployed in a Tenant Namespace, and cannot reference objects living in non-Tenant namespaces. For such cases, the GlobalTenantResource must be used.

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | capsule.clastix.io/v1beta2 | true |
| kind | string | TenantResource | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | TenantResourceSpec defines the desired state of TenantResource. | true |
| status | object | TenantResourceStatus defines the observed state of TenantResource. | false |

TenantResource.spec

TenantResourceSpec defines the desired state of TenantResource.

| Name | Type | Description | Required |
|---|---|---|---|
| resources | []object | Defines the rules to select the target Namespaces, along with the objects that must be replicated. | true |
| resyncPeriod | string | Define the period of time after which a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation. Default: 60s | true |
| settings | object | Provide additional settings. Default: map[] | true |
| cordoned | boolean | When cordoning a replication it will no longer execute any applies or deletions (paused). This is useful for maintenance. Default: false | false |
| dependsOn | []object | DependsOn may contain a meta.NamespacedObjectReference slice with references to TenantResource resources that must be ready before this TenantResource can be reconciled. | false |
| pruningOnDelete | boolean | When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources despite the deletion of the replication manifest. Default: true | false |
| serviceAccount | object | Local ServiceAccount which will perform all the actions defined in the TenantResource. You must grant that ServiceAccount the permissions it needs. | false |

TenantResource.spec.resources[index]

| Name | Type | Description | Required |
|---|---|---|---|
| additionalMetadata | object | Besides the Capsule metadata required by the TenantResource controller, defines additional metadata that must be added to the replicated resources. | false |
| context | object | Provide additional template context, which can be used throughout all the declared items for the replication | false |
| generators | []object | Templates for advanced use cases | false |
| namespaceSelector | object | Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted. | false |
| namespacedItems | []object | List of the resources already existing in other Namespaces that must be replicated. | false |
| rawItems | []object | List of raw resources that must be replicated. | false |

TenantResource.spec.resources[index].additionalMetadata

Besides the Capsule metadata required by the TenantResource controller, defines additional metadata that must be added to the replicated resources.

| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string |  | false |
| labels | map[string]string |  | false |

TenantResource.spec.resources[index].context

Provide additional template context, which can be used throughout all the declared items for the replication

| Name | Type | Description | Required |
|---|---|---|---|
| resources | []object |  | false |

TenantResource.spec.resources[index].context.resources[index]

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | API version of the referent. | true |
| kind | string | Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
| index | string | Index to mount the resource in the template context | false |
| name | string | Name of the values referent. This is useful when you are trying to get a specific resource. | false |
| namespace | string | Namespace of the values referent. | false |
| optional | boolean | Only relevant if name is set. If an item is not optional, an error is thrown when it does not exist. Default: true | false |
| selector | object | Selector that selects any number of these resources based on labels | false |

TenantResource.spec.resources[index].context.resources[index].selector

Selector that selects any number of these resources based on labels

| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
| matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false |

TenantResource.spec.resources[index].context.resources[index].selector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | key is the label key that the selector applies to. | true |
| operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true |
| values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |

TenantResource.spec.resources[index].generators[index]

| Name | Type | Description | Required |
|---|---|---|---|
| missingKey | enum | Missing Key Option for templating. Enum: invalid, zero, error. Default: zero | false |
| template | string | Template contains any amount of yaml which is applied to Kubernetes. This can be a single resource or multiple resources. | false |

TenantResource.spec.resources[index].namespaceSelector

Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.

| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
| matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false |

TenantResource.spec.resources[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | key is the label key that the selector applies to. | true |
| operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true |
| values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |

TenantResource.spec.resources[index].namespacedItems[index]

Reference

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | API version of the referent. | true |
| kind | string | Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true |
| name | string | Name of the values referent. This is useful when you are trying to get a specific resource. | false |
| namespace | string | Namespace of the values referent. | false |
| optional | boolean | Only relevant if name is set. If an item is not optional, an error is thrown when it does not exist. Default: true | false |
| selector | object | Selector that selects any number of these resources based on labels | false |

TenantResource.spec.resources[index].namespacedItems[index].selector

Selector that selects any number of these resources based on labels

| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
| matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false |

TenantResource.spec.resources[index].namespacedItems[index].selector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | key is the label key that the selector applies to. | true |
| operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true |
| values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |

TenantResource.spec.settings

Provide additional settings

| Name | Type | Description | Required |
|---|---|---|---|
| adopt | boolean | Enabling this allows TenantResources to interact with objects which were not created by a TenantResource. In this case, on prune no deletion of the entire object is made. Default: false | false |
| force | boolean | Force indicates that in case of conflicts with server-side apply, the client should acquire ownership of the conflicting field. You may create collisions with this. Default: false | false |

TenantResource.spec.dependsOn[index]

LocalObjectReference contains enough information to locate the referenced Kubernetes resource object.

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referent. | true |

TenantResource.spec.serviceAccount

Local ServiceAccount which will perform all the actions defined in the TenantResource. You must grant that ServiceAccount the permissions it needs.

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referent. | true |

TenantResource.status

TenantResourceStatus defines the observed state of TenantResource.

| Name | Type | Description | Required |
|---|---|---|---|
| size | integer | How many items are being replicated by the TenantResource. | true |
| conditions | []object | Condition of the GlobalTenantResource. | false |
| observedGeneration | integer | ObservedGeneration is the most recent generation the controller has observed. Format: int64 | false |
| processedItems | []object | List of the replicated resources for the given TenantResource. | false |
| serviceAccount | object | ServiceAccount used for impersonation | false |

TenantResource.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

| Name | Type | Description | Required |
|---|---|---|---|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false |

TenantResource.status.processedItems[index]

Advanced Status Item for pinpointing items in tenants/namespaces.

| Name | Type | Description | Required |
|---|---|---|---|
| group | string |  | false |
| kind | string |  | false |
| name | string |  | false |
| namespace | string |  | false |
| origin | string |  | false |
| status | object |  | false |
| tenant | string |  | false |
| version | string |  | false |

TenantResource.status.processedItems[index].status

| Name | Type | Description | Required |
|---|---|---|---|
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| created | boolean | Indicates whether the resource was created or adopted | false |
| lastApply | string | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and pass them unmodified back to the server. They may only be valid for a particular resource or set of resources. Populated by the system. Read-only. Value must be treated as opaque by clients. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency. Format: date-time | false |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | false |

TenantResource.status.serviceAccount

ServiceAccount used for impersonation

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referent. | true |
| namespace | string | Namespace of the referent. | true |

Tenant

Tenant is the Schema for the tenants API.

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | capsule.clastix.io/v1beta2 | true |
| kind | string | Tenant | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | TenantSpec defines the desired state of Tenant. | false |
| status | object | Returns the observed state of the Tenant. | false |

Tenant.spec

TenantSpec defines the desired state of Tenant.

| Name | Type | Description | Required |
|---|---|---|---|
| additionalRoleBindings | []object | Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional. | false |
| containerRegistries | object | Deprecated: Use Enforcement.Registries instead. Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed trusted registries. Optional. | false |
| cordoned | boolean | Toggles cordoning of the Tenant resources; when enabled, resources cannot be deleted. Default: false | false |
| data | JSON | Specify additional data relating to the tenant. Mainly usable in templating and more accessible than labels/annotations. | false |
| deviceClasses | object | Specifies options for the DeviceClass resources. | false |
| forceTenantPrefix | boolean | Use this if you want to disable/enable the Tenant name prefix for specific Tenants, overriding the global forceTenantPrefix in CapsuleConfiguration. When set to ‘true’, it enforces Namespaces created for this Tenant to be named with the Tenant name prefix, separated by a dash (i.e. for Tenant ‘foo’, namespace names must be prefixed with ‘foo-’); this is useful to avoid Namespace name collisions. When set to ‘false’, it allows Namespaces created for this Tenant to be named anything. Overrides the CapsuleConfiguration global forceTenantPrefix for this Tenant only. If unset, the Tenant uses CapsuleConfiguration’s forceTenantPrefix. Optional. | false |
| gatewayOptions | object | Specifies options for the GatewayClass resources. | false |
| imagePullPolicies | []enum | Deprecated: Use Enforcement.Registries instead. Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policies. Optional. Enum: Always, Never, IfNotPresent | false |
| ingressOptions | object | Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional. | false |
| limitRanges | object | Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/). Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional. | false |
| namespaceOptions | object | Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional. | false |
| networkPolicies | object | Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/). Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional. | false |
| nodeSelector | map[string]string | Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional. | false |
| owners | []object | Specifies the owners of the Tenant. Optional. | false |
| permissions | object | Specify Permissions for the Tenant. | false |
| podOptions | object | Specifies options for the Pods deployed in the Tenant namespaces, such as additional metadata. | false |
| preventDeletion | boolean | Prevent accidental deletion of the Tenant. When enabled, the deletion request will be declined. Default: false | false |
| priorityClasses | object | Specifies the allowed PriorityClasses assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed PriorityClasses. A default value can be specified, and all the Pod resources created will inherit the declared class. Optional. | false |
| resourceQuotas | object | Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional. | false |
| rules | []object | Specify enforcement specifications for the scope of the Tenant. We are moving all per-namespace configuration enforcement into a rule construct. It’s currently not final. Read More: https://projectcapsule.dev/docs/tenants/rules/ | false |
| runtimeClasses | object | Specifies the allowed RuntimeClasses assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed RuntimeClasses. Optional. | false |
| serviceOptions | object | Specifies options for the Services, such as additional metadata or blocking of certain types of Services. Optional. | false |
| storageClasses | object | Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. A default value can be specified, and all the PersistentVolumeClaim resources created will inherit the declared class. Optional. | false |

Tenant.spec.additionalRoleBindings[index]

| Name | Type | Description | Required |
|---|---|---|---|
| clusterRoleName | string |  | true |
| subjects | []object | Minimum: 1 | true |
| annotations | map[string]string | Additional Annotations for the synchronized rolebindings | false |
| labels | map[string]string | Additional Labels for the synchronized rolebindings | false |

Tenant.spec.additionalRoleBindings[index].subjects[index]

Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.

| Name | Type | Description | Required |
|---|---|---|---|
| kind | string | Kind of object being referenced. Values defined by this API group are “User”, “Group”, and “ServiceAccount”. If the Authorizer does not recognize the kind value, the Authorizer should report an error. | true |
| name | string | Name of the object being referenced. | true |
| apiGroup | string | APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to “rbac.authorization.k8s.io” for User and Group subjects. | false |
| namespace | string | Namespace of the referenced object. If the object kind is non-namespaced, such as “User” or “Group”, and this value is not empty, the Authorizer should report an error. | false |

Tenant.spec.containerRegistries

Deprecated: Use Enforcement.Registries instead

Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.

NameTypeDescriptionRequired
allowed[]stringMatch exact registry names which are allowed within this tenantfalse
allowedRegexstringDeprecated: will be removed in a future release

Match elements by regex.
false

Tenant.spec.deviceClasses

Specifies options for the DeviceClass resources.

NameTypeDescriptionRequired
allowed[]stringMatch exact elements which are allowed as class names within this tenantfalse
allowedRegexstringDeprecated: will be removed in a future release

Match elements by regex.
false
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.deviceClasses.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.gatewayOptions

Specifies options for the GatewayClass resources.

NameTypeDescriptionRequired
allowedClassesobjectSpecifies the allowed GatewayClasses assigned to the Tenant. Optional.false

Tenant.spec.gatewayOptions.allowedClasses

NameTypeDescriptionRequired
allowed[]stringMatch exact elements which are allowed as class names within this tenantfalse
allowedRegexstringDeprecated: will be removed in a future release

Match elements by regex.
false
defaultstringDefault GatewayClass inherited by resources created in the Tenant that do not declare one.false
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.gatewayOptions.allowedClasses.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.ingressOptions

Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.

NameTypeDescriptionRequired
allowWildcardHostnamesbooleanToggles the ability for Ingress resources created in a Tenant to have a hostname wildcard.false
allowedClassesobjectSpecifies the allowed IngressClasses assigned to the Tenant.
Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses.
A default value can be specified, and all the Ingress resources created will inherit the declared class.
Optional.
false
allowedHostnamesobjectSpecifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.false
hostnameCollisionScopeenumDefines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.

- Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.

- Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.

- Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.

Optional.
Enum: Cluster, Tenant, Namespace, Disabled
Default: Disabled
false

Tenant.spec.ingressOptions.allowedClasses

Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. A default value can be specified, and all the Ingress resources created will inherit the declared class. Optional.

NameTypeDescriptionRequired
allowed[]stringMatch exact elements which are allowed as class names within this tenantfalse
allowedRegexstringDeprecated: will be removed in a future release

Match elements by regex.
false
defaultstringDefault IngressClass inherited by Ingress resources created in the Tenant that do not declare one.false
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.ingressOptions.allowedClasses.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.ingressOptions.allowedHostnames

Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.

NameTypeDescriptionRequired
allowed[]stringMatch exact hostnames which are allowed within this tenantfalse
allowedRegexstringDeprecated: will be removed in a future release

Match elements by regex.
false
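The following Tenant manifest is an added example of a hardened ingressOptions block, not a manifest from the Capsule project. The tenant name (oil), the IngressClass name (nginx-tenants) and the hostnames under oil.example.com are assumed. The two settings that matter most are the ones whose defaults are permissive: allowWildcardHostnames, which would let the Tenant claim every subdomain of a suffix, and hostnameCollisionScope, whose default Disabled performs no check at all, so two Tenants can publish the same hostname and path and the outcome depends on the ingress controller rather than on policy.

```yaml
# Added example, not Capsule project code. Assumed names: tenant "oil",
# IngressClass "nginx-tenants", hostnames under oil.example.com.
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
    - kind: Group
      name: oil-admins
  ingressOptions:
    allowedClasses:
      # Exact class names; matchLabels/matchExpressions select by labels
      # instead when classes are managed by label rather than by name.
      allowed:
        - nginx-tenants
      # Inherited by Ingress resources created without an ingressClassName.
      default: nginx-tenants
    allowedHostnames:
      # Enumerate the hostnames the Tenant owns. allowedRegex is deprecated
      # and a loose pattern would widen this list silently.
      allowed:
        - app.oil.example.com
        - api.oil.example.com
    # Default is permissive: a wildcard such as "*.example.com" would accept
    # traffic for hostnames belonging to other Tenants.
    allowWildcardHostnames: false
    # Default is Disabled (no check). Cluster rejects an Ingress whose
    # hostname and path pair is already used in any Capsule-managed Namespace.
    hostnameCollisionScope: Cluster
```

Tenant scope only detects collisions among the Tenant's own Namespaces, and Namespace scope only within one Namespace; neither protects one Tenant from another, so Cluster is the setting to use when Tenants share an ingress controller.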

Tenant.spec.limitRanges

Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)

Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.

NameTypeDescriptionRequired
items[]objectLimitRangeSpec items inherited by every Namespace of the Tenant.false

Tenant.spec.limitRanges.items[index]

LimitRangeSpec defines a min/max usage limit for resources that match on kind.

NameTypeDescriptionRequired
limits[]objectLimits is the list of LimitRangeItem objects that are enforced.true

Tenant.spec.limitRanges.items[index].limits[index]

LimitRangeItem defines a min/max usage limit for any resource that matches on kind.

NameTypeDescriptionRequired
typestringType of resource that this limit applies to.true
defaultmap[string]int or stringDefault resource requirement limit value by resource name if resource limit is omitted.false
defaultRequestmap[string]int or stringDefaultRequest is the default resource requirement request value by resource name if resource request is omitted.false
maxmap[string]int or stringMax usage constraints on this kind by resource name.false
maxLimitRequestRatiomap[string]int or stringMaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.false
minmap[string]int or stringMin usage constraints on this kind by resource name.false

Tenant.spec.namespaceOptions

Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.

NameTypeDescriptionRequired
additionalMetadataobjectDeprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)

Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
false
additionalMetadataList[]objectSpecifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional.false
forbiddenAnnotationsobjectDefine the annotations that a Tenant Owner cannot set for their Namespace resources.false
forbiddenLabelsobjectDefine the labels that a Tenant Owner cannot set for their Namespace resources.false
managedMetadataOnlybooleanIf enabled, only metadata from additionalMetadata is reconciled to the namespaces.
Default: false
false
quotaintegerSpecifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
Format: int32
Minimum: 1
false
requiredMetadataobjectRequired Metadata for namespace within this tenantfalse

Tenant.spec.namespaceOptions.additionalMetadata

Deprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)

Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.

NameTypeDescriptionRequired
annotationsmap[string]stringfalse
labelsmap[string]stringfalse

Tenant.spec.namespaceOptions.additionalMetadataList[index]

NameTypeDescriptionRequired
annotationsmap[string]stringfalse
labelsmap[string]stringfalse
namespaceSelectorobjectA label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
false

Tenant.spec.namespaceOptions.additionalMetadataList[index].namespaceSelector

A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.

NameTypeDescriptionRequired
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.namespaceOptions.additionalMetadataList[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.namespaceOptions.forbiddenAnnotations

Define the annotations that a Tenant Owner cannot set for their Namespace resources.

NameTypeDescriptionRequired
denied[]stringExact annotation keys the Tenant Owner cannot set on their Namespace resources.false
deniedRegexstringRegular expression matched against annotation keys; keys that match cannot be set by the Tenant Owner.false

Tenant.spec.namespaceOptions.forbiddenLabels

Define the labels that a Tenant Owner cannot set for their Namespace resources.

NameTypeDescriptionRequired
denied[]stringExact label keys the Tenant Owner cannot set on their Namespace resources.false
deniedRegexstringRegular expression matched against label keys; keys that match cannot be set by the Tenant Owner.false

Tenant.spec.namespaceOptions.requiredMetadata

Required Metadata for namespace within this tenant

NameTypeDescriptionRequired
annotationsmap[string]stringAnnotations that must be defined for each namespacefalse
labelsmap[string]stringLabels that must be defined for each namespacefalse
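The following Tenant manifest is an added example combining the namespaceOptions fields above, not a manifest from the Capsule project. The tenant name (oil), the group (oil-admins), the Namespace quota and the oil.example label key are assumed, as is the reading that forbiddenLabels.deniedRegex is matched against label keys. The pod-security.kubernetes.io labels are the standard Pod Security Admission labels, and scheduler.alpha.kubernetes.io/node-selector is the annotation read by the PodNodeSelector admission plugin. The pattern is: Capsule stamps the Pod Security labels on every Namespace of the Tenant, and forbiddenLabels stops the Tenant Owner from relaxing them from inside the Tenant.

```yaml
# Added example, not Capsule project code. Assumed: tenant "oil", group
# "oil-admins", label key oil.example/workload, deniedRegex matched on keys.
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
    - kind: Group
      name: oil-admins
  namespaceOptions:
    # Hard cap on Namespaces the owners can create in this Tenant.
    quota: 5
    additionalMetadataList:
      # Applied to every Namespace of the Tenant (no namespaceSelector).
      - labels:
          pod-security.kubernetes.io/enforce: restricted
          pod-security.kubernetes.io/warn: restricted
          pod-security.kubernetes.io/audit: restricted
      # Applied only to Namespaces the owners label as build environments.
      - namespaceSelector:
          matchLabels:
            oil.example/workload: build
        annotations:
          oil.example/retention: 7d
    forbiddenLabels:
      # Owners may neither add nor change Pod Security labels on their
      # Namespaces, so the profile set above cannot be weakened by them.
      deniedRegex: '^pod-security\.kubernetes\.io/'
    forbiddenAnnotations:
      # Keeps owners from steering their Pods onto nodes via the
      # PodNodeSelector admission annotation.
      denied:
        - scheduler.alpha.kubernetes.io/node-selector
```

Capsule's own controller applies the labels from additionalMetadataList; forbiddenLabels only constrains requests made by Tenant Owners, which is why the two can be used together without the operator blocking itself.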

Tenant.spec.networkPolicies

Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)

Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.

NameTypeDescriptionRequired
items[]objectNetworkPolicySpec items inherited by every Namespace of the Tenant.false

Tenant.spec.networkPolicies.items[index]

NetworkPolicySpec provides the specification of a NetworkPolicy

NameTypeDescriptionRequired
egress[]objectegress is a list of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
otherwise allows the traffic), OR if the traffic matches at least one egress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
solely to ensure that the pods it selects are isolated by default).
This field is beta-level in 1.8
false
ingress[]objectingress is a list of ingress rules to be applied to the selected pods.
Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
(and cluster policy otherwise allows the traffic), OR if the traffic source is
the pod’s local node, OR if the traffic matches at least one ingress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy does not allow any traffic (and serves
solely to ensure that the pods it selects are isolated by default)
false
podSelectorobjectpodSelector selects the pods to which this NetworkPolicy object applies.
The array of rules is applied to any pods selected by this field. An empty
selector matches all pods in the policy’s namespace.
Multiple network policies can select the same set of pods. In this case,
the ingress rules for each are combined additively.
This field is optional. If it is not specified, it defaults to an empty selector.
false
policyTypes[]stringpolicyTypes is a list of rule types that the NetworkPolicy relates to.
Valid options are [“Ingress”], [“Egress”], or [“Ingress”, “Egress”].
If this field is not specified, it will default based on the existence of ingress or egress rules;
policies that contain an egress section are assumed to affect egress, and all policies
(whether or not they contain an ingress section) are assumed to affect ingress.
If you want to write an egress-only policy, you must explicitly specify policyTypes [ “Egress” ].
Likewise, if you want to write a policy that specifies that no egress is allowed,
you must specify a policyTypes value that include “Egress” (since such a policy would not include
an egress section and would otherwise default to just [ “Ingress” ]).
This field is beta-level in 1.8
false
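The policyTypes description above hides the classic footgun: a policy with no egress section is assumed to affect ingress only, so "deny all egress" silently does nothing unless policyTypes names Egress. The following Tenant manifest is an added example, not a manifest from the Capsule project, showing a default-deny pair written into the deprecated networkPolicies field documented here (the NetworkPolicySpec body is the standard Kubernetes one wherever it is placed). The tenant name (oil), the group (oil-admins) and the k8s-app: kube-dns label on the DNS Pods are assumed; kubernetes.io/metadata.name is the label Kubernetes sets on every Namespace.

```yaml
# Added example, not Capsule project code. Assumed: tenant "oil", group
# "oil-admins", cluster DNS Pods labelled k8s-app=kube-dns in kube-system.
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
    - kind: Group
      name: oil-admins
  networkPolicies:   # deprecated field, see Tenant Replications
    items:
      # 1. Isolate every Pod in the Namespace in both directions. Both rule
      #    lists are empty, so nothing is allowed; without the explicit
      #    policyTypes the policy would default to Ingress only and egress
      #    would stay wide open.
      - podSelector: {}
        policyTypes: ["Ingress", "Egress"]
      # 2. Re-open what the Tenant legitimately needs. Policies selecting the
      #    same Pods combine additively, so these rules widen policy 1.
      - podSelector: {}
        policyTypes: ["Ingress", "Egress"]
        ingress:
          # Pods in the same Namespace may reach each other (empty podSelector,
          # no namespaceSelector: the policy's own Namespace).
          - from:
              - podSelector: {}
        egress:
          # DNS to the cluster resolver only; both selectors set means
          # "these Pods in that Namespace", not "all Pods in kube-system".
          - to:
              - namespaceSelector:
                  matchLabels:
                    kubernetes.io/metadata.name: kube-system
                podSelector:
                  matchLabels:
                    k8s-app: kube-dns
            ports:
              - protocol: UDP
                port: 53
              - protocol: TCP
                port: 53
```

Both policies are replicated into each Namespace of the Tenant, so a workload that needs egress beyond DNS must get an additional allow rule; anything not matched by some rule stays denied once policy 1 selects the Pod.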

Tenant.spec.networkPolicies.items[index].egress[index]

NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec’s podSelector. The traffic must match both ports and to. This type is beta-level in 1.8

NameTypeDescriptionRequired
ports[]objectports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
false
to[]objectto is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list.
false

Tenant.spec.networkPolicies.items[index].egress[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortintegerendPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
Format: int32
false
portint or stringport represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
false
protocolstringprotocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
false

Tenant.spec.networkPolicies.items[index].egress[index].to[index]

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

NameTypeDescriptionRequired
ipBlockobjectipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
false
namespaceSelectorobjectnamespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
false
podSelectorobjectpodSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy’s own namespace.
false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].ipBlock

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

NameTypeDescriptionRequired
cidrstringcidr is a string representing the IPBlock
Valid examples are “192.168.1.0/24” or “2001:db8::/64”
true
except[]stringexcept is a slice of CIDRs that should not be included within an IPBlock
Valid examples are “192.168.1.0/24” or “2001:db8::/64”
Except values will be rejected if they are outside the cidr range
false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

NameTypeDescriptionRequired
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy’s own namespace.

NameTypeDescriptionRequired
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.networkPolicies.items[index].ingress[index]

NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec’s podSelector. The traffic must match both ports and from.

NameTypeDescriptionRequired
from[]objectfrom is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list.
false
ports[]objectports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index]

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

NameTypeDescriptionRequired
ipBlockobjectipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
false
namespaceSelectorobjectnamespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
false
podSelectorobjectpodSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy’s own namespace.
false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].ipBlock

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

NameTypeDescriptionRequired
cidrstringcidr is a string representing the IPBlock
Valid examples are “192.168.1.0/24” or “2001:db8::/64”
true
except[]stringexcept is a slice of CIDRs that should not be included within an IPBlock
Valid examples are “192.168.1.0/24” or “2001:db8::/64”
Except values will be rejected if they are outside the cidr range
false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

NameTypeDescriptionRequired
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy’s own namespace.

NameTypeDescriptionRequired
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.networkPolicies.items[index].ingress[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortintegerendPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
Format: int32
false
portint or stringport represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
false
protocolstringprotocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
false

Tenant.spec.networkPolicies.items[index].podSelector

podSelector selects the pods to which this NetworkPolicy object applies. The array of rules is applied to any pods selected by this field. An empty selector matches all pods in the policy’s namespace. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is optional. If it is not specified, it defaults to an empty selector.

NameTypeDescriptionRequired
matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.false
matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
false

Tenant.spec.networkPolicies.items[index].podSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystringkey is the label key that the selector applies to.true
operatorstringoperator represents a key’s relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
true
values[]stringvalues is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
false

Tenant.spec.owners[index]

NameTypeDescriptionRequired
kindenumKind of entity. Possible values are “User”, “Group”, and “ServiceAccount”
Enum: User, Group, ServiceAccount
true
namestringName of the entity.true
annotationsmap[string]stringAdditional Annotations for the synchronized rolebindingsfalse
clusterRoles[]stringDefines additional cluster-roles for the specific Owner.
Default: [admin capsule-namespace-deleter]
false
labelsmap[string]stringAdditional Labels for the synchronized rolebindingsfalse
proxySettings[]objectProxy settings for tenant owner.false

Tenant.spec.owners[index].proxySettings[index]

NameTypeDescriptionRequired
kindenumCluster-scoped resource kind the owner can access through the proxy.
Enum: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes
true
operations[]enumOperations permitted on that resource kind through the proxy.
Enum: List, Update, Delete
true
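The following Tenant manifest is an added example of the owners list, not a manifest from the Capsule project. The tenant name (oil), the group (oil-admins) and the ServiceAccount (deployer in Namespace oil-tools, written in the system:serviceaccount:namespace:name form) are assumed. It shows the two levers that decide how much an owner can do: clusterRoles, whose default of admin plus capsule-namespace-deleter is replaced entirely when the field is set, and proxySettings, which lists the cluster-scoped kinds and operations the owner gets through the proxy.

```yaml
# Added example, not Capsule project code. Assumed: tenant "oil", group
# "oil-admins", ServiceAccount "deployer" in Namespace "oil-tools".
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
    # Human administrators. clusterRoles is left unset, so they get the
    # default "admin" and "capsule-namespace-deleter" in every Namespace.
    - kind: Group
      name: oil-admins
      proxySettings:
        # Read-only visibility of cluster-scoped kinds; no Update or Delete.
        - kind: Nodes
          operations: ["List"]
        - kind: StorageClasses
          operations: ["List"]
        - kind: IngressClasses
          operations: ["List"]
    # Automation identity with a narrower footprint. Setting clusterRoles
    # replaces the default list, so this owner gets "edit" only: it can
    # deploy but cannot manage RBAC or delete the Tenant's Namespaces.
    - kind: ServiceAccount
      name: system:serviceaccount:oil-tools:deployer
      clusterRoles: ["edit"]
      labels:
        capsule.example/owner-type: automation   # assumed label on the synchronized RoleBindings
```

Keep proxySettings to List for anything an owner does not administer; Update and Delete on Nodes or PersistentVolumes hand a tenant owner cluster-wide effects that the namespace-scoped RBAC above does not.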

Tenant.spec.permissions

Specify Permissions for the Tenant.

Name | Type | Description | Required
allowOwnerPromotion | boolean | ClusterRoles granted to the promoted ServiceAccounts across the Tenant. Default: true | false
matchOwners | []object | Matches TenantOwner objects which are promoted to owners of this tenant. The elements are OR operations and independent. You can see the resulting Tenant Owners in the Status.Owners specification of the Tenant. | false

Tenant.spec.permissions.matchOwners[index]

A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false

Tenant.spec.permissions.matchOwners[index].matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.podOptions

Specifies options for the Pods deployed in the Tenant namespaces, such as additional metadata.

Name | Type | Description | Required
additionalMetadata | object | Specifies additional labels and annotations the Capsule operator places on any Pod resource in the Tenant. Optional. | false

Tenant.spec.podOptions.additionalMetadata

Specifies additional labels and annotations the Capsule operator places on any Pod resource in the Tenant. Optional.

Name | Type | Description | Required
annotations | map[string]string | | false
labels | map[string]string | | false

Tenant.spec.priorityClasses

Specifies the allowed PriorityClasses assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed PriorityClasses. A default value can be specified, and all the Pod resources created will inherit the declared class. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false
default | string | | false
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false

Tenant.spec.priorityClasses.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.resourceQuotas

Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.

Name | Type | Description | Required
items | []object | | false
scope | enum | Define whether the Resource Budget should compute resources across all Namespaces in the Tenant or individually per cluster. Default is Tenant. Enum: Tenant, Namespace. Default: Tenant | false

Tenant.spec.resourceQuotas.items[index]

ResourceQuotaSpec defines the desired hard limits to enforce for Quota.

Name | Type | Description | Required
hard | map[string]int or string | hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | false
scopeSelector | object | scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. | false
scopes | []string | A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects. | false

Tenant.spec.resourceQuotas.items[index].scopeSelector

scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.

Name | Type | Description | Required
matchExpressions | []object | A list of scope selector requirements by scope of the resources. | false

Tenant.spec.resourceQuotas.items[index].scopeSelector.matchExpressions[index]

A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.

Name | Type | Description | Required
operator | string | Represents a scope’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. | true
scopeName | string | The name of the scope that the selector applies to. | true
values | []string | An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.rules[index]

Rules Distributed via Tenants

Name | Type | Description | Required
enforce | object | Enforcement for given rule | false
namespaceSelector | object | Select namespaces which are going to be targeted with this rule | false
permissions | object | Permissions for given rule | false

Tenant.spec.rules[index].enforce

Enforcement for given rule

Name | Type | Description | Required
action | enum | Declare the action performed when the enforcement rule matches: deny: on match, deny the admission request; allow: on match, allow the admission request; audit: on match, audit the admission request (an event is posted). Enum: allow, deny, audit. Default: deny | false
workloads | object | Enforcement for Workloads (Pods) | false

Tenant.spec.rules[index].enforce.workloads

Enforcement for Workloads (Pods)

Name | Type | Description | Required
qosClasses | []string | Define the Pod QoS classes matched by this enforcement rule. Supported values are Guaranteed, Burstable and BestEffort. | false
registries | []object | Define the registries which are allowed to be used within this tenant. The rules are aggregated, since you can use Regular Expressions to match registry endpoints. | false
targets | []enum | Define the enforcement targets this rule applies to. If empty, each webhook applies its own backwards-compatible default. Enum: pod/initcontainers, pod/ephemeralcontainers, pod/containers, pod/volumes | false

Tenant.spec.rules[index].enforce.workloads.registries[index]

Name | Type | Description | Required
exp | string | Expression used to evaluate regex | false
negate | boolean | Negate regular Expression. Default: false | false
policy | []string | Allowed PullPolicy for the given registry. Supplying no value allows all policies. | false

Tenant.spec.rules[index].namespaceSelector

Select namespaces which are going to be targeted with this rule

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false

Tenant.spec.rules[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.rules[index].permissions

Permissions for given rule

Name | Type | Description | Required
promotions | []object | Define Promotion Rules which distribute additional ClusterRoles across the Tenant for promoted ServiceAccounts. | false

Tenant.spec.rules[index].permissions.promotions[index]

Name | Type | Description | Required
clusterRoles | []string | ClusterRoles granted to the promoted ServiceAccounts across the Tenant. kubebuilder:validation:Minimum=1 | false
selector | object | Match the promoted ServiceAccounts which are granted these additional ClusterRoles across the Tenant | false

Tenant.spec.rules[index].permissions.promotions[index].selector

Match the promoted ServiceAccounts which are granted these additional ClusterRoles across the Tenant

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false

Tenant.spec.rules[index].permissions.promotions[index].selector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.runtimeClasses

Specifies the allowed RuntimeClasses assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed RuntimeClasses. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false
default | string | | false
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false

Tenant.spec.runtimeClasses.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.serviceOptions

Specifies options for Services, such as additional metadata or blocking certain types of Services. Optional.

Name | Type | Description | Required
additionalMetadata | object | Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional. | false
allowedServices | object | Block or deny certain types of Services. Optional. | false
externalIPs | object | Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional. | false
forbiddenAnnotations | object | Define the annotations that a Tenant Owner cannot set for their Service resources. | false
forbiddenLabels | object | Define the labels that a Tenant Owner cannot set for their Service resources. | false

Tenant.spec.serviceOptions.additionalMetadata

Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.

Name | Type | Description | Required
annotations | map[string]string | | false
labels | map[string]string | | false

Tenant.spec.serviceOptions.allowedServices

Block or deny certain types of Services. Optional.

Name | Type | Description | Required
externalName | boolean | Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional. Default: true | false
loadBalancer | boolean | Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional. Default: true | false
nodePort | boolean | Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional. Default: true | false

Tenant.spec.serviceOptions.externalIPs

Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.

Name | Type | Description | Required
allowed | []string | | true

Tenant.spec.serviceOptions.forbiddenAnnotations

Define the annotations that a Tenant Owner cannot set for their Service resources.

Name | Type | Description | Required
denied | []string | | false
deniedRegex | string | | false

Tenant.spec.serviceOptions.forbiddenLabels

Define the labels that a Tenant Owner cannot set for their Service resources.

Name | Type | Description | Required
denied | []string | | false
deniedRegex | string | | false

Tenant.spec.storageClasses

Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. A default value can be specified, and all the PersistentVolumeClaim resources created will inherit the declared class. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false
default | string | | false
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. | false

Tenant.spec.storageClasses.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.status

Returns the observed state of the Tenant.

Name | Type | Description | Required
conditions | []object | Tenant Condition | true
size | integer | How many namespaces are assigned to the Tenant. | true
state | enum | The operational state of the Tenant. Possible values are “Active”, “Cordoned” or “Terminating”. Enum: Cordoned, Active, Terminating. Default: Active | true
classes | object | Available Class Types within Tenant | false
namespaces | []string | List of namespaces assigned to the Tenant. (Deprecated) | false
observedGeneration | integer | ObservedGeneration is the most recent generation the controller has observed. Format: int64 | false
owners | []object | Collected owners for this tenant | false
promotions | []object | Promoted ServiceAccounts across the Tenant | false
spaces | []object | Tracks state for the namespaces associated with this tenant | false

Tenant.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

Name | Type | Description | Required
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true
message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true
reason | string | reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false

Tenant.status.classes

Available Class Types within Tenant

Name | Type | Description | Required
device | []string | Available DeviceClasses | false
gateway | []string | Available GatewayClasses | false
priority | []string | Available PriorityClasses | false
runtime | []string | Available StorageClasses | false
storage | []string | Available StorageClasses (Only collected if any matching condition is specified) | false

Tenant.status.owners[index]

Name | Type | Description | Required
kind | enum | Kind of entity. Possible values are “User”, “Group”, and “ServiceAccount”. Enum: User, Group, ServiceAccount | true
name | string | Name of the entity. | true
clusterRoles | []string | Defines additional cluster-roles for the specific Owner. Default: [admin capsule-namespace-deleter] | false

Tenant.status.promotions[index]

Name | Type | Description | Required
kind | enum | Kind of entity. Possible values are “User”, “Group”, and “ServiceAccount”. Enum: User, Group, ServiceAccount | true
name | string | Name of the entity. | true
clusterRoles | []string | Defines additional cluster-roles for the specific Owner. Default: [admin capsule-namespace-deleter] | false
targets | []string | Defines additional cluster-roles for the specific Owner. | false

Tenant.status.spaces[index]

Name | Type | Description | Required
conditions | []object | Conditions | true
name | string | Namespace Name | true
enforce | object | Managed Metadata | false
metadata | object | Managed Metadata | false
uid | string | Namespace UID | false

Tenant.status.spaces[index].conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

Name | Type | Description | Required
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true
message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true
reason | string | reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false

Tenant.status.spaces[index].enforce

Managed Metadata

Name | Type | Description | Required
registry | []object | Registries which are allowed within this namespace | false

Tenant.status.spaces[index].enforce.registry[index]

Name | Type | Description | Required
exp | string | Expression used to evaluate regex | false
negate | boolean | Negate regular Expression. Default: false | false
policy | []string | Allowed PullPolicy for the given registry. Supplying no value allows all policies. | false

Tenant.status.spaces[index].metadata

Managed Metadata

Name | Type | Description | Required
annotations | map[string]string | Managed Annotations | false
labels | map[string]string | Managed Labels | false

capsule.clastix.io/v1beta1

Resource Types:

Tenant

Tenant is the Schema for the tenants API.

Name | Type | Description | Required
apiVersion | string | capsule.clastix.io/v1beta1 | true
kind | string | Tenant | true
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true
spec | object | TenantSpec defines the desired state of Tenant. | true
status | object | Returns the observed state of the Tenant. | false

Tenant.spec

TenantSpec defines the desired state of Tenant.

Name | Type | Description | Required
owners | []object | Specifies the owners of the Tenant. Mandatory. | true
additionalRoleBindings | []object | Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional. | false
containerRegistries | object | Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed trusted registries. Optional. | false
imagePullPolicies | []enum | Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policies. Optional. Enum: Always, Never, IfNotPresent | false
ingressOptions | object | Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional. | false
limitRanges | object | Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional. | false
namespaceOptions | object | Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional. | false
networkPolicies | object | Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional. | false
nodeSelector | map[string]string | Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional. | false
priorityClasses | object | Specifies the allowed PriorityClasses assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed PriorityClasses. Optional. | false
resourceQuotas | object | Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional. | false
serviceOptions | object | Specifies options for Services, such as additional metadata or blocking certain types of Services. Optional. | false
storageClasses | object | Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional. | false

Tenant.spec.owners[index]

Name | Type | Description | Required
kind | enum | Kind of tenant owner. Possible values are “User”, “Group”, and “ServiceAccount”. Enum: User, Group, ServiceAccount | true
name | string | Name of tenant owner. | true
proxySettings | []object | Proxy settings for tenant owner. | false

Tenant.spec.owners[index].proxySettings[index]

Name | Type | Description | Required
kind | enum | Enum: Nodes, StorageClasses, IngressClasses, PriorityClasses | true
operations | []enum | Enum: List, Update, Delete | true

Tenant.spec.additionalRoleBindings[index]

Name | Type | Description | Required
clusterRoleName | string | | true
subjects | []object | kubebuilder:validation:Minimum=1 | true
annotations | map[string]string | Additional Annotations for the synchronized rolebindings | false
labels | map[string]string | Additional Labels for the synchronized rolebindings | false

Tenant.spec.additionalRoleBindings[index].subjects[index]

Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.

Name | Type | Description | Required
kind | string | Kind of object being referenced. Values defined by this API group are “User”, “Group”, and “ServiceAccount”. If the Authorizer does not recognize the kind value, the Authorizer should report an error. | true
name | string | Name of the object being referenced. | true
apiGroup | string | APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to “rbac.authorization.k8s.io” for User and Group subjects. | false
namespace | string | Namespace of the referenced object. If the object kind is non-namespaced, such as “User” or “Group”, and this value is not empty, the Authorizer should report an error. | false

Tenant.spec.containerRegistries

Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed trusted registries. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false

Tenant.spec.ingressOptions

Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.

Name | Type | Description | Required
allowedClasses | object | Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional. | false
allowedHostnames | object | Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional. | false
hostnameCollisionScope | enum | Defines the scope of the hostname collision check performed when Tenant Owners create an Ingress with allowed hostnames. Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. Optional. Enum: Cluster, Tenant, Namespace, Disabled. Default: Disabled | false

Tenant.spec.ingressOptions.allowedClasses

Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false

Tenant.spec.ingressOptions.allowedHostnames

Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false

Tenant.spec.limitRanges

Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.

Name | Type | Description | Required
items | []object | | false

Tenant.spec.limitRanges.items[index]

LimitRangeSpec defines a min/max usage limit for resources that match on kind.

Name | Type | Description | Required
limits | []object | Limits is the list of LimitRangeItem objects that are enforced. | true

Tenant.spec.limitRanges.items[index].limits[index]

LimitRangeItem defines a min/max usage limit for any resource that matches on kind.

Name | Type | Description | Required
type | string | Type of resource that this limit applies to. | true
default | map[string]int or string | Default resource requirement limit value by resource name if resource limit is omitted. | false
defaultRequest | map[string]int or string | DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. | false
max | map[string]int or string | Max usage constraints on this kind by resource name. | false
maxLimitRequestRatio | map[string]int or string | MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. | false
min | map[string]int or string | Min usage constraints on this kind by resource name. | false

Tenant.spec.namespaceOptions

Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.

Name | Type | Description | Required
additionalMetadata | object | Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional. | false
quota | integer | Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional. Format: int32. Minimum: 1 | false

Tenant.spec.namespaceOptions.additionalMetadata

Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.

Name | Type | Description | Required
annotations | map[string]string | | false
labels | map[string]string | | false

Tenant.spec.networkPolicies

Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.

Name | Type | Description | Required
items | []object | | false

Tenant.spec.networkPolicies.items[index]

NetworkPolicySpec provides the specification of a NetworkPolicy

Name | Type | Description | Required
egress | []object | egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8. | false
ingress | []object | ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default). | false
podSelector | object | podSelector selects the pods to which this NetworkPolicy object applies. The array of rules is applied to any pods selected by this field. An empty selector matches all pods in the policy's namespace. Multiple network policies can select the same set of pods; in this case, the ingress rules for each are combined additively. This field is optional. If it is not specified, it defaults to an empty selector. | false
policyTypes | []string | policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it defaults based on the existence of ingress or egress rules: policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes ["Egress"]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that includes "Egress" (since such a policy would not include an egress section and would otherwise default to just ["Ingress"]). This field is beta-level in 1.8. | false
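The policyTypes default described above is the usual way a Tenant-level default-deny silently fails: a policy with an empty egress section but no explicit policyTypes is treated as ingress-only, and every pod in the Tenant keeps unrestricted egress. The following Tenant is an added example, not a manifest from the Capsule project; the Tenant name, owner, pod label and CIDR values are assumed, and the namespace label capsule.clastix.io/tenant is assumed to be the label Capsule places on Tenant namespaces. It combines a default-deny policy with an allow-list policy, both of which are inherited by every namespace created in the Tenant.

```yaml
# Added example (not from the Capsule documentation): default-deny plus an
# allow-list, inherited by every namespace of the Tenant. All names, labels
# and CIDRs below are assumed values chosen for illustration.
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: example-tenant                 # assumed
spec:
  owners:                              # assumed owner (field not listed in this section)
    - name: alice
      kind: User
  networkPolicies:
    items:
      # 1. Default-deny for every pod in each Tenant namespace.
      #    ingress and egress are both empty. policyTypes MUST be set
      #    explicitly: with no egress section the policy would otherwise
      #    default to ["Ingress"] and leave all outgoing traffic open.
      - podSelector: {}
        policyTypes: ["Ingress", "Egress"]
      # 2. Allow-list for pods labelled app=web. Rules from several policies
      #    selecting the same pods combine additively, so this policy only
      #    reopens what it lists; everything else stays denied by policy 1.
      - podSelector:
          matchLabels:
            app: web                   # assumed pod label
        policyTypes: ["Ingress", "Egress"]
        ingress:
          # Accept TCP/8080 only from pods in namespaces of the same Tenant.
          - from:
              - namespaceSelector:
                  matchLabels:
                    capsule.clastix.io/tenant: example-tenant   # assumed Capsule label
            ports:
              - protocol: TCP
                port: 8080
        egress:
          # Allow DNS to the constructed in-cluster service range, excluding
          # one address; except entries must lie inside cidr or are rejected.
          - to:
              - ipBlock:
                  cidr: 10.96.0.0/12           # constructed
                  except: ["10.96.0.1/32"]     # constructed, inside cidr
            ports:
              - protocol: UDP
                port: 53
```

Ordering policy 1 as a standalone default-deny matters: if the allow-list policy were the only one, pods not labelled app=web would have no policy selecting them at all and would remain fully open, since NetworkPolicies only isolate the pods they select.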

Tenant.spec.networkPolicies.items[index].egress[index]

NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8.

Name | Type | Description | Required
ports | []object | ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. | false
to | []object | to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. | false

Tenant.spec.networkPolicies.items[index].egress[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on.

Name | Type | Description | Required
endPort | integer | endPort indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal to or greater than port. Format: int32 | false
port | int or string | port represents the port on the given protocol. This can be either a numerical or a named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. | false
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. | false

Tenant.spec.networkPolicies.items[index].egress[index].to[index]

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed.

Name | Type | Description | Required
ipBlock | object | ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. | false
namespaceSelector | object | namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. | false
podSelector | object | podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by namespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. | false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].ipBlock

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

Name | Type | Description | Required
cidr | string | cidr is a string representing the IPBlock. Valid examples are "192.168.1.0/24" or "2001:db8::/64". | true
except | []string | except is a slice of CIDRs that should not be included within an IPBlock. Valid examples are "192.168.1.0/24" or "2001:db8::/64". Except values will be rejected if they are outside the cidr range. | false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions whose key field is "key", whose operator is "In", and whose values array contains only "value". The requirements are ANDed. | false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy’s own namespace.

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions whose key field is "key", whose operator is "In", and whose values array contains only "value". The requirements are ANDed. | false

Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.networkPolicies.items[index].ingress[index]

NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.

Name | Type | Description | Required
from | []object | from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. | false
ports | []object | ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. | false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index]

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed.

Name | Type | Description | Required
ipBlock | object | ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. | false
namespaceSelector | object | namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. | false
podSelector | object | podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by namespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. | false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].ipBlock

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

Name | Type | Description | Required
cidr | string | cidr is a string representing the IPBlock. Valid examples are "192.168.1.0/24" or "2001:db8::/64". | true
except | []string | except is a slice of CIDRs that should not be included within an IPBlock. Valid examples are "192.168.1.0/24" or "2001:db8::/64". Except values will be rejected if they are outside the cidr range. | false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions whose key field is "key", whose operator is "In", and whose values array contains only "value". The requirements are ANDed. | false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy’s own namespace.

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions whose key field is "key", whose operator is "In", and whose values array contains only "value". The requirements are ANDed. | false

Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.networkPolicies.items[index].ingress[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on.

Name | Type | Description | Required
endPort | integer | endPort indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal to or greater than port. Format: int32 | false
port | int or string | port represents the port on the given protocol. This can be either a numerical or a named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. | false
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. | false

Tenant.spec.networkPolicies.items[index].podSelector

podSelector selects the pods to which this NetworkPolicy object applies. The array of rules is applied to any pods selected by this field. An empty selector matches all pods in the policy’s namespace. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is optional. If it is not specified, it defaults to an empty selector.

Name | Type | Description | Required
matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false
matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions whose key field is "key", whose operator is "In", and whose values array contains only "value". The requirements are ANDed. | false

Tenant.spec.networkPolicies.items[index].podSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name | Type | Description | Required
key | string | key is the label key that the selector applies to. | true
operator | string | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | true
values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.priorityClasses

Specifies the allowed PriorityClasses assigned to the Tenant. Capsule ensures that all Pod resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant. | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false

Tenant.spec.resourceQuotas

Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.

Name | Type | Description | Required
items | []object | | false
scope | enum | Defines whether the resource budget is computed across all Namespaces in the Tenant or individually per Namespace. Default is Tenant. Enum: Tenant, Namespace. Default: Tenant | false

Tenant.spec.resourceQuotas.items[index]

ResourceQuotaSpec defines the desired hard limits to enforce for Quota.

Name | Type | Description | Required
hard | map[string]int or string | hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | false
scopeSelector | object | scopeSelector is also a collection of filters, like scopes, that must match each object tracked by a quota, but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec) must be matched. | false
scopes | []string | A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects. | false

Tenant.spec.resourceQuotas.items[index].scopeSelector

scopeSelector is also a collection of filters, like scopes, that must match each object tracked by a quota, but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec) must be matched.

Name | Type | Description | Required
matchExpressions | []object | A list of scope selector requirements by scope of the resources. | false

Tenant.spec.resourceQuotas.items[index].scopeSelector.matchExpressions[index]

A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.

Name | Type | Description | Required
operator | string | Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. | true
scopeName | string | The name of the scope that the selector applies to. | true
values | []string | An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false

Tenant.spec.serviceOptions

Specifies options for Services, such as additional metadata or blocking certain types of Services. Optional.

Name | Type | Description | Required
additionalMetadata | object | Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional. | false
allowedServices | object | Allow or deny certain types of Services. Optional. | false
externalIPs | object | Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional. | false
forbiddenAnnotations | object | Define the annotations that a Tenant Owner cannot set for their Service resources. | false
forbiddenLabels | object | Define the labels that a Tenant Owner cannot set for their Service resources. | false

Tenant.spec.serviceOptions.additionalMetadata

Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.

Name | Type | Description | Required
annotations | map[string]string | | false
labels | map[string]string | | false

Tenant.spec.serviceOptions.allowedServices

Allow or deny certain types of Services. Optional.

Name | Type | Description | Required
externalName | boolean | Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional. Default: true | false
loadBalancer | boolean | Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional. Default: true | false
nodePort | boolean | Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional. Default: true | false

Tenant.spec.serviceOptions.externalIPs

Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.

Name | Type | Description | Required
allowed | []string | | true

Tenant.spec.serviceOptions.forbiddenAnnotations

Define the annotations that a Tenant Owner cannot set for their Service resources.

Name | Type | Description | Required
denied | []string | | false
deniedRegex | string | | false

Tenant.spec.serviceOptions.forbiddenLabels

Define the labels that a Tenant Owner cannot set for their Service resources.

Name | Type | Description | Required
denied | []string | | false
deniedRegex | string | | false

Tenant.spec.storageClasses

Specifies the allowed StorageClasses assigned to the Tenant. Capsule ensures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.

Name | Type | Description | Required
allowed | []string | Match exact elements which are allowed as class names within this tenant. | false
allowedRegex | string | Deprecated: will be removed in a future release. Match elements by regex. | false

Tenant.status

Returns the observed state of the Tenant.

Name | Type | Description | Required
size | integer | How many namespaces are assigned to the Tenant. | true
state | enum | The operational state of the Tenant. Possible values are "Active", "Cordoned". Enum: Cordoned, Active. Default: Active | true
namespaces | []string | List of namespaces assigned to the Tenant. | false