### Tenant ResourceQuota Example for Migration

Source: https://projectcapsule.dev/docs/resource-management/resourcepools/_print

This YAML manifest shows an example of a Tenant's ResourceQuota configuration. It serves as a starting point for understanding the structure that needs to be migrated to ResourcePools.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  labels:
    kubernetes.io/metadata.name: migration
  name: migration
spec:
  owners:
  - clusterRoles:
    - admin
    - capsule-namespace-deleter
    kind: User
    name: bob
  preventDeletion: false
  resourceQuotas:
    items:
    - hard:
        limits.cpu: "2"
        limits.memory: 2Gi
        requests.cpu: "2"
        requests.memory: 2Gi
    - hard:
        pods: "7"
    scope: Tenant
status:
  namespaces:
  - migration-dev
  - migration-prod
  - migration-test
  size: 3
  state: Active
```

--------------------------------

### Example Allowed Service: internal.git.com

Source: https://projectcapsule.dev/docs/tenants/rules/enforcement

An example Service of type ExternalName with an allowed hostname: it matches the `exact` entry `internal.git.com` of the enforcement rule.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: git
spec:
  type: ExternalName
  externalName: internal.git.com
  ports:
  - name: https
    port: 443
    targetPort: 443
```

--------------------------------

### Tenant Table Output

Source: https://projectcapsule.dev/docs/guides/namespace-migration-across-tenants

Example output showing the list of tenants, their state, and namespace count, as printed by `kubectl get tenants`.

```text
NAME    STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
solar   Active                     1                                 46s
wind    Active                     1                                 39s
```

--------------------------------

### Pod Deployment Example

Source: https://projectcapsule.dev/docs/tenants/rules/_print

Example Pod definition with containers and image volumes, used to test registry enforcement rules.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: image-volume
spec:
  containers:
  - name: shell
    command: ["sleep", "infinity"]
    imagePullPolicy: IfNotPresent
    image: harbor/customer/test-image/debian:latest
    volumeMounts:
    - name: volume
      mountPath: /volume
  volumes:
  - name: volume
    image:
      reference: quay.io/crio/artifact:v2
      pullPolicy: IfNotPresent
```

--------------------------------

### Install Capsule Proxy (Legacy)

Source: https://projectcapsule.dev/docs/proxy/setup/installation

Installs the Capsule Proxy using the legacy Helm chart. The `--create-namespace` flag creates the 'capsule-system' namespace if it does not already exist.

```bash
helm install capsule-proxy projectcapsule/capsule-proxy -n capsule-system --create-namespace
```

--------------------------------

### Define a Resource Pool with Quotas and Namespace Selectors

Source: https://projectcapsule.dev/docs/resource-management/resourcepools/_print

This snippet shows how to define a ResourcePool named 'example'. It specifies hard quotas for CPU, memory, and storage, and selects the namespaces belonging to the 'example' tenant using a label selector.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: ResourcePool
metadata:
  name: example
spec:
  quota:
    hard:
      limits.cpu: "2"
      limits.memory: 2Gi
      requests.cpu: "2"
      requests.memory: 2Gi
      requests.storage: "5Gi"
  selectors:
  - matchLabels:
      capsule.clastix.io/tenant: example
```

--------------------------------

### Enable Gangplank Installation

Source: https://projectcapsule.dev/docs/proxy/_print

Enable Gangplank installation by setting the `enabled` flag to `true` in your configuration.

```yaml
gangplank:
  enabled: true
```

--------------------------------

### ResourcePool with Defaults and Hard Quotas

Source: https://projectcapsule.dev/docs/resource-management/resourcepools/_print

An example ResourcePool named 'example' that defines a default storage request ('0Gi') and sets hard quotas for CPU, memory, and storage limits and requests.
It selects the namespaces carrying the label `capsule.clastix.io/tenant: example`, that is, the namespaces of the 'example' tenant (the selector matches namespaces, not Tenant objects).

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: ResourcePool
metadata:
  name: example
spec:
  defaults:
    requests.storage: "0Gi"
  quota:
    hard:
      limits.cpu: "2"
      limits.memory: 2Gi
      requests.cpu: "2"
      requests.memory: 2Gi
      requests.storage: "5Gi"
  selectors:
  - matchLabels:
      capsule.clastix.io/tenant: example
```

--------------------------------

### Example Allowed Service: api.example.com

Source: https://projectcapsule.dev/docs/tenants/rules/enforcement

An example Service of type ExternalName whose hostname matches the regular expression `.*\\.example\\.com` of the enforcement rule.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: api
spec:
  type: ExternalName
  externalName: api.example.com
  ports:
  - name: https
    port: 443
    targetPort: 443
```

--------------------------------

### Tenant Promotion Rules Example

Source: https://projectcapsule.dev/docs/_print

Defines promotion rules for ServiceAccounts within a Tenant. This example shows how to assign ClusterRoles to every promoted ServiceAccount or only to those matching a label selector, and how to scope a promotion to namespaces selected by `namespaceSelector`.

```yaml
---
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  ...
  rules:
  - permissions:
      promotions:
      # Every promoted ServiceAccount receives this ClusterRole in all Namespaces of Tenant solar.
      - clusterRoles:
        - "configmap-replicator"
      # Every promoted ServiceAccount with the matching labels receives this ClusterRole.
      - clusterRoles:
        - "secret-replicator"
        selector:
          matchLabels:
            super: "account"
  - namespaceSelector:
      matchExpressions:
      - key: env
        operator: In
        values: ["prod"]
    permissions:
      promotions:
      # Promoted ServiceAccounts receive this ClusterRole only in namespaces matching env=prod.
      - clusterRoles:
        - "secret-replicator:prod"
```

--------------------------------

### Install Capsule-Proxy (OCI)

Source: https://projectcapsule.dev/docs/proxy/_print

Installs the capsule-proxy using the OCI-compatible Helm chart. The `--create-namespace` flag creates the target namespace if it does not exist.
```bash
helm install capsule-proxy oci://ghcr.io/projectcapsule/charts/capsule-proxy -n capsule-system --create-namespace
```

--------------------------------

### Install Capsule Proxy (OCI)

Source: https://projectcapsule.dev/docs/proxy/setup/installation

Installs the Capsule Proxy using the OCI-compliant Helm chart. The `--create-namespace` flag creates the 'capsule-system' namespace if it does not already exist.

```bash
helm install capsule-proxy oci://ghcr.io/projectcapsule/charts/capsule-proxy -n capsule-system --create-namespace
```

--------------------------------

### Example Service Enforcement Rule

Source: https://projectcapsule.dev/docs/tenants/rules/enforcement

A comprehensive example demonstrating how to configure service enforcement in one rule: the permitted Service types, the CIDRs a LoadBalancer address may come from, the ExternalName hostnames (an exact list and a regular expression) and the permitted NodePort range.

```yaml
rules:
- enforce:
    action: allow
    services:
      types:
      - ClusterIP
      - NodePort
      - LoadBalancer
      - ExternalName
      loadBalancers:
        cidrs:
        - 10.0.0.2/32
      externalNames:
        hostnames:
        - exp: ".*\\.example\\.com"
          exact:
          - internal.git.com
      nodePorts:
        ports:
        - from: 30000
          to: 32767
```

--------------------------------

### Pod Deployment Example

Source: https://projectcapsule.dev/docs/tenants/rules/enforcement

Example Pod definition to test registry enforcement rules. This Pod uses an image that should be denied by a specific rule; note that it carries two image references, one in the container and one in the image volume.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: image-volume
spec:
  containers:
  - name: shell
    command: ["sleep", "infinity"]
    imagePullPolicy: IfNotPresent
    image: harbor/customer/test-image/debian:latest
    volumeMounts:
    - name: volume
      mountPath: /volume
  volumes:
  - name: volume
    image:
      reference: quay.io/crio/artifact:v2
      pullPolicy: IfNotPresent
```

--------------------------------

### Production Pod Deployment Example

Source: https://projectcapsule.dev/docs/tenants/rules/enforcement

Example Pod definition for a production environment, using an image that is allowed only by a namespace-scoped rule.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: prod-image
spec:
  containers:
  - name: shell
    command: ["sleep", "infinity"]
    imagePullPolicy: Always
    image: harbor/customer/prod-image/debian:latest
```

--------------------------------

### Complete Tenant Service Enforcement Example

Source: https://projectcapsule.dev/docs/tenants/rules/enforcement

This example demonstrates a comprehensive set of service enforcement rules, including type, CIDR, hostname, and NodePort restrictions, along with audit rules and a namespace-scoped exception. Use it as a template for granular control over tenant Services.

```yaml
---
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  ...
  rules:
  - enforce:
      action: allow
      services:
        types:
        - ClusterIP
        - NodePort
        - LoadBalancer
        - ExternalName
  - enforce:
      action: allow
      services:
        loadBalancers:
          cidrs:
          - 10.0.0.2/32
          - 10.0.1.0/24
  - enforce:
      action: allow
      services:
        externalNames:
          hostnames:
          - exact:
            - internal.git.com
            exp: ".*\\.example\\.com"
  - enforce:
      action: allow
      services:
        nodePorts:
          ports:
          - from: 30000
            to: 30100
          - from: 30500
            to: 30500
  - enforce:
      action: deny
      services:
        nodePorts:
          ports:
          - from: 30090
            to: 30090
  - enforce:
      action: deny
      services:
        loadBalancers:
          cidrs:
          - 10.0.66.0/24
  - enforce:
      action: audit
      services:
        externalNames:
          hostnames:
          - exp: "audit\\..*"
  - namespaceSelector:
      matchLabels:
        environment: prod
    enforce:
      action: allow
      services:
        loadBalancers:
          cidrs:
          - 10.0.171.0/24
```

--------------------------------

### Complete Service Enforcement Example

Source: https://projectcapsule.dev/docs/tenants/_print

This example demonstrates a comprehensive Tenant configuration combining type enforcement, LoadBalancer CIDR restrictions, ExternalName hostname restrictions, NodePort range restrictions, audit rules, and a namespace-specific exception. Use it to set up granular control over Service deployments.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  ...
  rules:
  - enforce:
      action: allow
      services:
        types:
        - ClusterIP
        - NodePort
        - LoadBalancer
        - ExternalName
  - enforce:
      action: allow
      services:
        loadBalancers:
          cidrs:
          - 10.0.0.2/32
          - 10.0.1.0/24
  - enforce:
      action: allow
      services:
        externalNames:
          hostnames:
          - exact:
            - internal.git.com
            exp: ".*\\.example\\.com"
  - enforce:
      action: allow
      services:
        nodePorts:
          ports:
          - from: 30000
            to: 30100
          - from: 30500
            to: 30500
  - enforce:
      action: deny
      services:
        nodePorts:
          ports:
          - from: 30090
            to: 30090
  - enforce:
      action: deny
      services:
        loadBalancers:
          cidrs:
          - 10.0.66.0/24
  - enforce:
      action: audit
      services:
        externalNames:
          hostnames:
          - exp: "audit\\..*"
  - namespaceSelector:
      matchLabels:
        environment: prod
    enforce:
      action: allow
      services:
        loadBalancers:
          cidrs:
          - 10.0.171.0/24
```

--------------------------------

### Create Namespace and Deploy Resources for 'gas' Tenant

Source: https://projectcapsule.dev/docs/overview/benchmark

As the 'gas' tenant owner ('joe'), this command sequence creates the namespace 'gas-production', makes it the namespace of the current context, and deploys an 'nginx' web server exposed through a Service.

```bash
kubectl --kubeconfig joe create ns gas-production
kubectl --kubeconfig joe config set-context --current --namespace gas-production
kubectl --kubeconfig joe run webserver --image nginx:latest
kubectl --kubeconfig joe expose pod webserver --port 80
```

--------------------------------

### Helm Values for Controller Configuration

Source: https://projectcapsule.dev/docs/operating/setup/_print

When installing via Helm, additional controller options can be passed in the `values.yaml` file. This example shows how to enable leader election.
```yaml
manager:
  extraArgs:
  - "--enable-leader-election=true"
```

--------------------------------

### Create Namespace and Deploy Resources for 'oil' Tenant

Source: https://projectcapsule.dev/docs/overview/benchmark

As the 'oil' tenant owner ('alice'), this command sequence creates the namespace 'oil-production', makes it the namespace of the current context, and deploys an 'nginx' web server exposed through a Service.

```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
kubectl --kubeconfig alice run webserver --image nginx:latest
kubectl --kubeconfig alice expose pod webserver --port 80
```

--------------------------------

### Create Namespace as Tenant User

Source: https://projectcapsule.dev/docs/operating/setup/managed-kubernetes

Switch to the tenant user's kubeconfig (alice) and create a namespace. This verifies that the tenant configuration is working correctly.

```bash
# Unset AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if defined,
# so that kubectl authenticates as alice and not as the cluster admin
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
kubectl create namespace test --kubeconfig="kubeconfig-alice.conf"
```

--------------------------------

### Checking GlobalTenantResource Status

Source: https://projectcapsule.dev/docs/_print

Demonstrates how to check the status of GlobalTenantResource objects using `kubectl get globaltenantresource`. It shows resources that are not ready because applying them failed or because a dependency is missing.
```bash
kubectl get globaltenantresource
```

```text
NAME            ITEM COUNT   READY   STATUS                             AGE
custom-cm       6            False   applying of 6 resources failed     12h
gitops-owners   6            False   dependency custom-cm-2 not found   8h
```

```bash
kubectl get globaltenantresource gitops-owners
```

```text
NAME            ITEM COUNT   READY   STATUS                             AGE
gitops-owners   6            False   dependency custom-cm-2 not found   8h
```

--------------------------------

### Create Namespaces

Source: https://projectcapsule.dev/docs/tenants/quickstart

Create namespaces for the tenant's production and development environments.

```bash
kubectl create namespace solar-production
kubectl create namespace solar-development
```

--------------------------------

### Create User and Namespace

Source: https://projectcapsule.dev/docs/_print

These commands create a user and then a namespace within the specified tenant. The user 'alice' is granted ownership of the 'oil' tenant.

```bash
./create-user.sh alice oil
```

```bash
kubectl --kubeconfig alice create ns oil-production
```

```bash
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```

--------------------------------

### Tenant Definition Example

Source: https://projectcapsule.dev/docs/_print

This is an example of a Tenant definition in Kubernetes, used to configure multi-tenant environments.

```yaml
---
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  owners:
  - name: alice
    kind: User
  nodeSelector:
    node-role.kubernetes.io/worker: ''
```

--------------------------------

### Create ClusterRole per Tenant with Go Template

Source: https://projectcapsule.dev/docs/replications/tenant

This example demonstrates creating a ClusterRole for each Tenant using a Go template. With `missingKey: error`, rendering stops with an error if a referenced context key (here `tenant.metadata.name`) is absent, instead of silently producing an object with an empty or invalid name.
```yaml
---
apiVersion: capsule.clastix.io/v1beta2
kind: TenantResource
metadata:
  name: tenant-cluster-rbac
spec:
  resources:
  - generators:
    - missingKey: error
      template: |
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          name: tenant:{{$.tenant.metadata.name}}:reader
        rules:
        - apiGroups: [""]
          resources: ["secrets"]
          verbs: ["get", "watch", "list"]
```

--------------------------------

### Example Denied Service: api.bad.com

Source: https://projectcapsule.dev/docs/tenants/rules/enforcement

An example Service of type ExternalName with a hostname that does not match any allowed hostname, and is therefore denied.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: api
spec:
  type: ExternalName
  externalName: api.bad.com
  ports:
  - name: https
    port: 443
    targetPort: 443
```

--------------------------------

### Create Tenant with Resource Quotas

Source: https://projectcapsule.dev/docs/overview/benchmark

Use this snippet to create a new tenant and define its resource quotas for CPU, memory, and storage. This ensures isolation and fairness across tenants.

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
  - kind: User
    name: alice
  resourceQuotas:
    items:
    - hard:
        limits.cpu: "8"
        limits.memory: 16Gi
        requests.cpu: "8"
        requests.memory: 16Gi
    - hard:
        requests.storage: 100Gi
```

--------------------------------

### Example Tenant Promotion Status

Source: https://projectcapsule.dev/docs/tenants/rules/permissions

An example of the status output showing a promoted ServiceAccount, the ClusterRoles it received and its target namespaces.

```json
[
  {
    "clusterRoles": [
      "tenant-replicator"
    ],
    "kind": "ServiceAccount",
    "name": "system:serviceaccount:solar-test:gitops-reconcile",
    "targets": [
      "solar-test",
      "solar-prod"
    ]
  }
]
```

--------------------------------

### Tenant Reconciliation Error Example

Source: https://projectcapsule.dev/docs/tenants/rules/permissions

An example of a Tenant status condition reporting a reconciliation error caused by a missing ClusterRole.
```yaml
conditions:
- lastTransitionTime: "2026-02-16T23:08:59Z"
  message: 'cannot sync rolebindings items: rolebindings.rbac.authorization.k8s.io "tenant-replicator" not found'
```

--------------------------------

### RBAC Forbidden Error Example

Source: https://projectcapsule.dev/docs/operating/setup/_print

Example of a Tenant status message indicating an RBAC permission problem. Kubernetes RBAC escalation prevention refuses a RoleBinding whose permissions the creating subject does not itself hold (unless it has the `bind` verb on the referenced role), so the Capsule controller's ServiceAccount must hold every permission contained in the ClusterRoles a Tenant asks it to bind.

```text
NAME    STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   READY   STATUS                                                                                                                                                                                                                                                                                                    AGE
green   Active                     2                                 False   cannot sync rolebindings items: rolebindings.rbac.authorization.k8s.io "capsule:managed:658936e7f2a30e35" is forbidden: user "system:serviceaccount:capsule-system:capsule" (groups=["system:serviceaccounts" "system:serviceaccounts:capsule-system" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:...   5s
```

--------------------------------

### Create Tenant with Network Policy

Source: https://projectcapsule.dev/docs/_print

As a cluster admin, create a tenant with specific network policy configurations.

```bash
kubectl create -f - <
```
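The service enforcement examples above (the "Example Service Enforcement Rule" and the two complete Tenant "solar" manifests) list allow, deny and audit entries, but the page does not spell out how they combine or how the `exp` patterns are matched. The Go program below is an added example written for this page, not Capsule's own code: it transcribes the CIDR, hostname, NodePort, audit and prod-only rules of the complete example as data and evaluates one value at a time under an assumed precedence (a matching deny refuses, audit only records, and once any applicable allow rule constrains a dimension the value must match one of them, which is why api.bad.com is refused above). It also anchors every `exp`, so that `api.example.com.attacker.invalid` is refused; whether Capsule anchors its expressions is not stated on this page, so test that case before relying on an unanchored pattern. The omitted types list, the `Decide` signature and the `environment: dev` labels are the example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// Rule models one rules[].enforce entry of Tenant "solar" (the types list is left out).
// Action is allow, deny or audit; NamespaceLabels stands for namespaceSelector.matchLabels.
type Rule struct {
	Action                           string
	LBCIDRs, ExactHosts, HostRegexps []string
	NodePorts                        [][2]int          // {from, to}
	NamespaceLabels                  map[string]string // nil: applies in every namespace
}

// check reports whether r constrains this kind of value at all and, if so, whether
// value satisfies it. kind is "loadBalancerIP", "externalName" or "nodePort".
func (r Rule) check(kind, value string) (constrains, hit bool) {
	switch kind {
	case "loadBalancerIP":
		ip := net.ParseIP(value)
		for _, c := range r.LBCIDRs {
			if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
				hit = true
			}
		}
		return len(r.LBCIDRs) > 0, hit
	case "externalName":
		for _, e := range r.ExactHosts {
			hit = hit || e == value
		}
		// Each exp is anchored here: unanchored, ".*\.example\.com" would also accept
		// "api.example.com.attacker.invalid". Whether Capsule anchors is not stated on this page.
		for _, exp := range r.HostRegexps {
			if re, err := regexp.Compile("^(?:" + exp + ")$"); err == nil && re.MatchString(value) {
				hit = true
			}
		}
		return len(r.ExactHosts)+len(r.HostRegexps) > 0, hit
	case "nodePort":
		p, err := strconv.Atoi(value)
		for _, pr := range r.NodePorts {
			hit = hit || (err == nil && p >= pr[0] && p <= pr[1])
		}
		return len(r.NodePorts) > 0, hit
	}
	return false, false
}

// appliesTo reports whether r's namespace selector matches the namespace labels.
func (r Rule) appliesTo(nsLabels map[string]string) bool {
	for k, v := range r.NamespaceLabels {
		if nsLabels[k] != v {
			return false
		}
	}
	return true
}

// Decide applies the assumed precedence to one value of a Service created in a namespace
// labelled nsLabels: a matching deny refuses, audit only records, and once any applicable
// allow rule constrains this kind the value must match one (default deny); an unconstrained
// kind is allowed.
func Decide(rules []Rule, nsLabels map[string]string, kind, value string) (allowed, audited bool) {
	denied, allowRules, allowHit := false, 0, false
	for _, r := range rules {
		constrains, hit := r.check(kind, value)
		if !r.appliesTo(nsLabels) || !constrains {
			continue
		}
		switch r.Action {
		case "deny":
			denied = denied || hit
		case "audit":
			audited = audited || hit
		case "allow":
			allowRules, allowHit = allowRules+1, allowHit || hit
		}
	}
	return !denied && (allowRules == 0 || allowHit), audited
}

// PageRules transcribes the CIDR, hostname, NodePort, audit and prod-only rules of the
// complete Tenant "solar" example above.
var PageRules = []Rule{
	{Action: "allow", LBCIDRs: []string{"10.0.0.2/32", "10.0.1.0/24"}},
	{Action: "allow", ExactHosts: []string{"internal.git.com"}, HostRegexps: []string{`.*\.example\.com`}},
	{Action: "allow", NodePorts: [][2]int{{30000, 30100}, {30500, 30500}}},
	{Action: "deny", NodePorts: [][2]int{{30090, 30090}}},
	{Action: "deny", LBCIDRs: []string{"10.0.66.0/24"}},
	{Action: "audit", HostRegexps: []string{`audit\..*`}},
	{Action: "allow", LBCIDRs: []string{"10.0.171.0/24"}, NamespaceLabels: map[string]string{"environment": "prod"}},
}

func main() {
	dev := map[string]string{"environment": "dev"} // constructed namespace labels
	fmt.Println(Decide(PageRules, dev, "externalName", "api.example.com.attacker.invalid"))
	fmt.Println(Decide(PageRules, dev, "nodePort", "30090"))
	fmt.Println(Decide(PageRules, dev, "loadBalancerIP", "10.0.171.5"))
}
```

Three things are worth confirming against a real cluster with this rule set: that port 30090 is refused although it lies inside the allowed 30000-30100 range, that `10.0.171.5` is accepted only in a namespace labelled `environment: prod`, and that a hostname with `.example.com` in the middle rather than at the end is refused.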
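The "image-volume" Pod above carries two image references, one in `spec.containers[].image` and one in `spec.volumes[].image.reference`, which is why it is a useful test case for registry enforcement. The Go program below is an added example, not Capsule's registry parser: it walks every image-bearing field of a Pod, contrasts that with a naive walk that only looks at `spec.containers`, and resolves each reference to the registry host it names under the Docker/containerd short-name rule (the first path component is a registry only if it contains `.` or `:` or equals `localhost`; otherwise the image comes from docker.io). The allow lists are constructed for the example, and CRI-O may resolve short names through its own registries.conf, so confirm the rule against your runtime.

```go
package main

import (
	"fmt"
	"strings"
)

// Container and Volume are the minimal subsets of the core/v1 types that can
// carry an image reference; field names follow the Pod manifests above.
type Container struct{ Name, Image string }
type Volume struct {
	Name           string
	ImageReference string // volumes[].image.reference; empty for non-image volumes
}
type PodSpec struct {
	InitContainers, Containers, EphemeralContainers []Container
	Volumes                                         []Volume
}

// ImageRef is one image reference together with the field path it came from.
type ImageRef struct{ Path, Ref string }

// ContainerImages is the incomplete walk a naive registry policy performs:
// only spec.containers[].image is inspected.
func ContainerImages(p PodSpec) []ImageRef {
	var out []ImageRef
	for i, c := range p.Containers {
		out = append(out, ImageRef{fmt.Sprintf("spec.containers[%d].image", i), c.Image})
	}
	return out
}

// AllImages walks every field that makes the runtime pull an image: init,
// regular and ephemeral containers, and image volumes (spec.volumes[].image.reference).
func AllImages(p PodSpec) []ImageRef {
	var out []ImageRef
	add := func(field string, cs []Container) {
		for i, c := range cs {
			out = append(out, ImageRef{fmt.Sprintf("spec.%s[%d].image", field, i), c.Image})
		}
	}
	add("initContainers", p.InitContainers)
	add("containers", p.Containers)
	add("ephemeralContainers", p.EphemeralContainers)
	for i, v := range p.Volumes {
		if v.ImageReference != "" {
			out = append(out, ImageRef{fmt.Sprintf("spec.volumes[%d].image.reference", i), v.ImageReference})
		}
	}
	return out
}

// Registry returns the registry host ref resolves to under the Docker reference
// normalisation used by Docker and containerd: the first path component is a
// registry only if it contains '.' or ':' or equals "localhost"; otherwise the
// image comes from docker.io. So "harbor/customer/test-image/debian:latest" is a
// docker.io image in the "harbor" namespace, not an image on a registry named
// "harbor". CRI-O may apply registries.conf short-name rules instead (assumption
// about the runtime, not about Capsule's parser).
func Registry(ref string) string {
	first, _, found := strings.Cut(ref, "/")
	if !found || !(strings.ContainsAny(first, ".:") || first == "localhost") {
		return "docker.io"
	}
	return first
}

// Violations lists every reference whose registry is not in the allow list.
func Violations(refs []ImageRef, allowedRegistries []string) []ImageRef {
	allowed := map[string]bool{}
	for _, r := range allowedRegistries {
		allowed[r] = true
	}
	var out []ImageRef
	for _, r := range refs {
		if !allowed[Registry(r.Ref)] {
			out = append(out, r)
		}
	}
	return out
}

// PagePod is the "image-volume" Pod from the manifests above.
var PagePod = PodSpec{
	Containers: []Container{{Name: "shell", Image: "harbor/customer/test-image/debian:latest"}},
	Volumes:    []Volume{{Name: "volume", ImageReference: "quay.io/crio/artifact:v2"}},
}

func main() {
	// Constructed allow list: only docker.io is trusted. The naive walk sees nothing
	// wrong; the complete walk flags the image volume pulled from quay.io.
	fmt.Println("containers only:", Violations(ContainerImages(PagePod), []string{"docker.io"}))
	fmt.Println("all images:     ", Violations(AllImages(PagePod), []string{"docker.io"}))
}
```

When writing or testing a registry rule, feed it a Pod like the one above and check that both references are reported; a policy that reports only the container image has a blind spot through which an image volume can bring arbitrary content from an unapproved registry into the Pod.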
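The TenantResource above sets `missingKey: error` on its template generator. The Go snippet below is an added example, not Capsule code, that renders the same template body with the standard text/template package and its `missingkey=error` option to show what that setting buys: without it, a context lacking `tenant.metadata.name` silently renders the ClusterRole name as `tenant:<no value>:reader`, which is not a valid object name, whereas with it execution fails and nothing is applied. The nesting of the `tenant` context map is the example's assumption about how the Tenant is exposed to templates.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// ClusterRoleTemplate is the template body of the TenantResource above.
const ClusterRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tenant:{{$.tenant.metadata.name}}:reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
`

// Render executes body against ctx. strict=true corresponds to the page's
// missingKey: error (text/template's "missingkey=error"); strict=false is Go's
// default, which silently renders "<no value>" for an absent map key.
func Render(body string, ctx map[string]any, strict bool) (string, error) {
	t := template.New("tenant-resource")
	if strict {
		t = t.Option("missingkey=error")
	}
	t, err := t.Parse(body)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, ctx); err != nil {
		return "", err
	}
	return out.String(), nil
}

// TenantContext builds the $.tenant.metadata.name context the template reads.
// The nesting is this example's assumption about how Capsule exposes the Tenant.
func TenantContext(name string) map[string]any {
	return map[string]any{"tenant": map[string]any{"metadata": map[string]any{"name": name}}}
}

func main() {
	good, _ := Render(ClusterRoleTemplate, TenantContext("solar"), true)
	fmt.Print(good)
	// Constructed broken context: metadata without a name.
	broken := map[string]any{"tenant": map[string]any{"metadata": map[string]any{}}}
	lax, _ := Render(ClusterRoleTemplate, broken, false)
	fmt.Print(lax)
	_, err := Render(ClusterRoleTemplate, broken, true)
	fmt.Println("strict:", err)
}
```

The failure mode matters for RBAC in particular: a template that renders an unexpected name can create or overwrite a different ClusterRole than the one intended, so failing loudly on a missing key is the safer default for generators that produce permissions.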