What's New ✨
Security 🔒
- Advisory GHSA-qjjm-7j9w-pw72 (High): Users can create cluster-scoped resources anywhere in the cluster if they are allowed to create `TenantResources`. To mitigate this immediately, make sure to use Impersonation for `TenantResources`.
- Advisory GHSA-2ww6-hf35-mfjm (Moderate): Users may hijack namespaces via `namespaces/status` privileges. These privileges must have been explicitly granted by Platform Administrators through RBAC rules for a cluster to be affected. Requests for the `namespaces/status` subresource are now sent to the Capsule admission webhook as well.
- (Enterprise): Project Capsule now provides its releases on an immutable OCI registry, which allows users to verify the integrity of the images and provides a more secure way to distribute them. This is not possible on GHCR, because GHCR does not support image immutability.
Breaking Changes ⚠️
- By default, Capsule now uses self-signed cert-manager certificates for its admission webhooks. This used to be an optional setting and has now become the default. If you don’t have cert-manager installed, you must explicitly re-enable the Capsule TLS controller as documented here.
Features ✨
- Add new Quota System with `GlobalCustomQuotas` and `CustomQuotas`. Read More.
- Complete renovation of Replications. Read More.
- Introducing new rule approach for tenant enforcement. Read More.
- Added `RequiredMetadata` for `Namespaces` created in a `Tenant`. Read More.
- Additional Metadata is now validated at admission.
- Introducing new OCI Registry enforcement. Read More.
- Added rule-based promotions for `ServiceAccounts` in `Tenants`. Read More.
- Added Implicit Assignment of `TenantOwner`. Read More.
- Added Aggregation of `TenantOwner`. Read More.
- Introducing `data` field for `Tenants`. Read More.
- Added new label `projectcapsule.dev/tenant`, which is added to all namespaced resources belonging to a `Tenant`. Read More.
- Resources labeled with `projectcapsule.dev/managed-by=controller` can only be created, updated or deleted by the Capsule controller and administrators; all other operations on them are rejected. This prevents managed resources from being deleted by users who are not identified as Capsule users (current behavior).
- Added configuration options for managed RBAC. Read More.
- Added configuration options for Impersonation. Read More.
- Added configuration options for Cache invalidation. Read More.
- Added configuration options for Dynamic Admission Webhooks. Read More.
- Migrated event emissions to `events.k8s.io/v1` from legacy `core/v1`.
- Proxy: Added built-in installation for Gangplank. Read More.
- Proxy: Added support for Forwarded Client Certificate Authentication (XFCC). Read More.
- Proxy: Added trusted source configuration. Read More.
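As an added illustration of the `projectcapsule.dev/managed-by=controller` rule above, here is a minimal admission decision over a constructed Kubernetes AdmissionRequest. This is example code written for these notes, not Capsule's own implementation; the controller service account name and the administrator group are assumptions, and a real deployment would take them from its configuration.

```go
package main

import (
	"encoding/json"
	"slices"
)

const (
	managedByLabel = "projectcapsule.dev/managed-by" // label and value as described in the release notes
	managedByValue = "controller"
	controllerUser = "system:serviceaccount:capsule-system:capsule" // assumed identity, not Capsule's own
	adminGroup     = "system:masters"                                // assumed admin group, not Capsule's own
)

type AdmissionRequest struct { // subset of a Kubernetes AdmissionRequest sufficient for this check
	UserInfo struct {
		Username string   `json:"username"`
		Groups   []string `json:"groups"`
	} `json:"userInfo"`
	Object    *ObjectMeta `json:"object"`    // nil on DELETE
	OldObject *ObjectMeta `json:"oldObject"` // nil on CREATE
}

type ObjectMeta struct {
	Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
}

func managed(o *ObjectMeta) bool {
	return o != nil && o.Metadata.Labels[managedByLabel] == managedByValue
}

// Decide admits or rejects a request; object and oldObject are both checked, so an UPDATE that strips the label and a DELETE (oldObject only) are both covered.
func Decide(raw []byte) (bool, string) {
	var req AdmissionRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return false, "malformed admission request: " + err.Error()
	}
	if !managed(req.Object) && !managed(req.OldObject) {
		return true, "resource is not controller-managed"
	}
	if req.UserInfo.Username == controllerUser || slices.Contains(req.UserInfo.Groups, adminGroup) {
		return true, "request from the Capsule controller or an administrator"
	}
	return false, "create, update and delete of " + managedByLabel + "=" + managedByValue + " resources are reserved for the controller and administrators"
}

func main() {
	ok, why := Decide([]byte(`{"userInfo":{"username":"alice"},"oldObject":{"metadata":{"labels":{"projectcapsule.dev/managed-by":"controller"}}}}`)) // constructed sample
	println(ok, why)
}
```

Checking both `object` and `oldObject` matters: an update that removes the label would otherwise slip past a check that only looks at the incoming object.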
Fixes 🐛
- Fixed `ResourcePool` resource quota calculation when multiple `ResourcePoolClaims` are present in a namespace but not everything is used. For details, see ResourcePools bound behavior.
- Improved `matchConditions` for admission webhooks that intercept all namespaced items, to avoid processing subresource requests and Events, improving performance and reducing log noise.
- `Namespaces` are considered active until all unmanaged namespaced resources are deleted. Read More.
- `PersistentVolumeClaims` now support providing `.spec.selector`. When `.spec.selector` is provided, we always aggregate a custom `matchExpressions` for the `PersistentVolumeClaims` to ensure that only the `PersistentVolumeClaims` created in the `Tenant` can mount `PersistentVolumes` provisioned from/for the same `Tenant`. Read More.
- Regex selectors were not considered on class-driven Tenant status reconciles.
- A single unready namespace could cause the entire Tenant reconciliation to be incomplete. Unready or terminating namespaces are now ignored for further processing, ensuring that ready/new namespaces get their required contents.
- When a Tenant is cordoned, namespaces can no longer be deleted.
- When classes issue a reconcile for a tenant, only `tenant.status.classes` is updated instead of the entire `tenant.status`, to avoid conflicts with other controllers and reduce the risk of losing changes made by them.
- Our E2E-Testing has been changed to be highly concurrent to simulate large scale setups and uncover potential race conditions or performance issues that may arise in such environments. This has led to the discovery and fixing of several issues related to concurrency and performance, which has improved the overall stability and reliability of Capsule.
- TLS controller correctly patches all the webhooks with the same CA Bundle, to avoid issues with multiple webhooks and ensure that all webhooks are correctly secured, if enabled. Read More
Documentation 📚
We have added new documentation for a better experience. See the following topics:
Ecosystem 🌐
Newly added documentation to integrate Capsule with other applications:
- CoreDNS Plugin (Community Contribution)
- Argo CD
- Flux CD
Project Updates 💫
- Incubating Sander (ODC Noord) as Maintainer for documentation and website improvements.
Roadmap 🗺️
In the upcoming releases we are planning to work on the following features:
- Capsule: Porting more Properties to the Namespace Rule Approach.
- Capsule: Adding `transformers` for `Global/TenantResources`.
- Capsule: Adding `healthChecks` for `Global/TenantResources`.
- Capsule: Introducing Break-The-Glass to allow temporary elevation of permissions for Tenant Owners, with an approval process by Platform Administrators.
- Capsule: Adding custom health checks for ArgoCD to upstream
- Capsule: Adding Generic Implementation for `Global/TenantResources`.
- Website: Improving the documentation with more examples and use-cases.
- Capsule-Proxy: Bringing back RBAC reflection to Capsule-Proxy (Generic Namespaced List Permissions)
- Capsule-Proxy: Deprecating ProxySettings on Tenants in favour of GlobalProxySettings
Events 📅
- Capsule Roundtable Summer 2026 🇨🇭
- We are planning to host a Capsule Roundtable in Summer 2026 in Switzerland (28 May 2026). The exact date and location will be announced soon, but we are looking forward to meeting the community in person and discussing the future of Capsule. If you are interested in attending or want to know more about the event, feel free to reach out to us. The event is intended for users to present their use-cases and share their experiences with the project, as well as for us to present the roadmap and gather feedback from the community (not a sales event).