diff --git a/content/en/docs/tenants/enforcement.md b/content/en/docs/tenants/enforcement.md index 23d6a10..1eaa205 100644 --- a/content/en/docs/tenants/enforcement.md +++ b/content/en/docs/tenants/enforcement.md 
@@ -10,6 +10,51 @@ description: > ### Namespaces +#### AdditionalMetadataList + +The cluster admin can "taint" the namespaces created by tenant owners with additional metadata as labels and annotations. There is no specific semantic assigned to these labels and annotations: they will be assigned to the namespaces in the tenant as they are created. However you have the option to be more specific by selecting to which namespaces you want to assign what kind of metadata: + +```yaml +apiVersion: capsule.clastix.io/v1beta2 +kind: Tenant +metadata: + name: oil +spec: + owners: + - name: alice + kind: User + namespaceOptions: + additionalMetadataList: + # An item without any further selectors is applied to all namspaces + - annotations: + storagelocationtype: s3 + labels: + projectcapsule.dev/backup: "true" + + # Select a subset of namespaces to apply metadata on + - namespaceSelector: + matchExpressions: + - key: projectcapsule.dev/low_security_profile + operator: NotIn + values: ["true"] + labels: + pod-security.kubernetes.io/enforce: baseline + + - namespaceSelector: + matchExpressions: + - key: projectcapsule.dev/low_security_profile + operator: In + values: ["true"] + labels: + pod-security.kubernetes.io/enforce: privileged +``` + + +#### AdditionalMetadata + +> [!WARNING] +> This feature is deprecated and will be removed in a future release of Capsule. Migrate to using [AdditionalMetadataList](#additionalmetadatalist) + The cluster admin can "taint" the namespaces created by tenant owners with additional metadata as labels and annotations. There is no specific semantic assigned to these labels and annotations: they will be assigned to the namespaces in the tenant as they are created. This can help the cluster admin to implement specific use cases as, for example, leave only a given tenant to be backed up by a backup service. Assigns additional labels and annotations to all namespaces created in the `solar` tenant: 
@@ -90,9 +135,9 @@ spec: ### Nodes +> [!WARNING] > Due to [CVE-2021-25735](https://github.com/kubernetes/kubernetes/issues/100096) this feature is only supported for Kubernetes version older than: v1.18.18, v1.19.10, v1.20.6, v1.21.0 - When using capsule together with [capsule-proxy](/docs/integrations/capsule-proxy), Bill can allow Tenant Owners to modify Nodes. By default, it will allow tenant owners to add and modify any label or annotation on their nodes. @@ -211,7 +256,8 @@ metadata: ### LimitRanges -> This feature will be deprecated in a future release of Capsule. Instead use [TenantReplications](#limitrange-distribution-with-tenantreplications) +> [!WARNING] +> This feature is deprecated and will be removed in a future release of Capsule. Migrate to using [TenantReplications](#limitrange-distribution-with-tenantreplications) Bill, the cluster admin, can also set Limit Ranges for each namespace in Alice's tenant by defining limits for pods and containers in the tenant spec: 
@@ -925,7 +971,10 @@ If an Ingress has no value for `spec.ingressClassName` or `metadata.annotations. ### NetworkPolicies -> This feature will be deprecated in a future release of Capsule. Instead use [TenantReplications](#networkpolicy-distribution-with-tenantreplications). This is also true if you would like other NetworkPolicy implementation like [Cilium](https://cilium.io/). + +> [!WARNING] +> This feature is deprecated and will be removed in a future release of Capsule. Migrate to using [TenantReplications](#networkpolicy-distribution-with-tenantreplications). This is also true if you would like other NetworkPolicy implementation like [Cilium](https://cilium.io/). + Kubernetes network policies control network traffic between namespaces and between pods in the same namespace. Bill, the cluster admin, can enforce network traffic isolation between different tenants while leaving to Alice, the tenant owner, the freedom to set isolation between namespaces in the same tenant or even between pods in the same namespace. diff --git a/content/en/docs/tenants/quotas.md b/content/en/docs/tenants/quotas.md index d8fbb7b..48bb3a2 100644 --- a/content/en/docs/tenants/quotas.md +++ b/content/en/docs/tenants/quotas.md 
@@ -7,103 +7,10 @@ description: > With help of Capsule, Bill, the cluster admin, can set and enforce resources quota and limits for Alice's tenant. -Set resources quota for each namespace in the Alice's tenant by defining them in the tenant spec: - - -## GlobalResourceQuotas - -We have reworked the entire ResourceQuota approach and have decided to create a dedicated resource called `GlobalResourceQuota`. The purpose of this resource is tracking the resource consumption across a set of selected namespaces (not only exclusive to one tenant). This allows for much more flexibility when it comes to sharing resources. With that same rework, we made sure overprovisioning is no longer possible ([issue/49](https://github.com/projectcapsule/capsule/issues/49)) - -Let's look at a simple example: - -```yaml -apiVersion: capsule.clastix.io/v1beta2 -kind: GlobalResourceQuota -metadata: - name: global-quota -spec: - selectors: - - matchLabels: - capsule.clastix.io/tenant: solar - quotas: - scheduling: - hard: - limits.cpu: "2" - limits.memory: 2Gi - requests.cpu: "2" - requests.memory: 2Gi - pods: - hard: - pods: "3" - best-effort: - hard: - pods: "20" - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: ["medium"] - -``` - -We have the `selectors` section and `quotas` sections. With the `selectors` you define - -Each key below `quotas` represents an implementation of a [ResourceQuota](https://kubernetes.io/docs/concepts/policy/resource-quotas/) object. Meaning we can distribute multiple [ResourceQuota](https://kubernetes.io/docs/concepts/policy/resource-quotas/) objects from one `GlobalResourceQuota`. The `quotas` are arranged in map, because their name must be unique and is used for tracking (therefor no longer an array). - -All these `quotas` are distributed among the selected namespaces. With `selectors` the target namespaces are selected. 
Since you can define a list of `selectors`, each `selector` is treated seperatly but all results are combined to a total list of selected namespaces (they are nod `&&`, but `||`). - - - - - - -> Namespaces/Tenants which were previously overprovisioned, will still be overprovisioned. To change that you either increase the capacity for the quota or you need to remove resources, until you are below the quota limit. Then it's capped at this limit and no overprovisioning should be possible. - - - - - -### LimitRanges (Example) - -When defining ResourceQuotas you might want to consider distributing [LimitRanges](https://kubernetes.io/docs/concepts/policy/limit-range/) via [Tenant Replications](/docs/tenants/replications): - -```yaml -apiVersion: capsule.clastix.io/v1beta2 -kind: TenantResource -metadata: - name: solar-limitranges - namespace: solar-system -spec: - resyncPeriod: 60s - resources: - - namespaceSelector: - matchLabels: - capsule.clastix.io/tenant: solar - rawItems: - - apiVersion: v1 - kind: LimitRange - metadata: - name: cpu-resource-constraint - spec: - limits: - - default: # this section defines default limits - cpu: 500m - defaultRequest: # this section defines default requests - cpu: 500m - max: # max and min define the limit range - cpu: "1" - min: - cpu: 100m - type: Container -``` - -This way you can ensure resources are correctly distriputed amongst the selected namespaces. - +There are different elements, where quotas can be defined. ## Resource Quota -> This feature will be deprecated in a future release of Capsule. Instead use [GlobalResourceQuotas](#globalresourcequotas) - With help of Capsule, Bill, the cluster admin, can set and enforce resources quota and limits for Alice's tenant. Set resources quota for each namespace in the Alice's tenant by defining them in the tenant spec: diff --git a/data/addons.yaml b/data/addons.yaml index c5af02a..21e8945 100644 --- a/data/addons.yaml +++ b/data/addons.yaml 
@@ -1,6 +1,6 @@ addons: - - name: "Capsule Proxy" - logo: "https://raw.githubusercontent.com/cncf/artwork/dea12221052d349eaa73a9cc01cb22e137758f86/projects/capsule/horizontal/color/capsule-horizontal-color.svg" + - name: "Proxy" + logo: "https://raw.githubusercontent.com/cncf/artwork/refs/heads/main/projects/capsule/icon/color/capsule-icon-color.svg" tags: - "core" - "ux" @@ -8,11 +8,12 @@ addons: - link: "/docs/proxy/" icon: "fa fa-book" description: "Enhance the user experience by allowing users to query the Kubernetes API and only getting the results, they are supposed to get." - #background: "#0000000" + size: 50% + background: "#00264d" #layoutColor: "#0000000" #descriptionColor: "#000000" - - name: "ArgoCD Addon" + - name: "ArgoCD" logo: "https://github.com/peak-scale/capsule-argo-addon/blob/main/docs/images/capsule-argo.png?raw=true" tags: - "vendor" 
@@ -25,16 +26,33 @@ addons: layoutColor: "#FFFFFF" descriptionColor: "#FFEBEE" + - name: "Sops Operator" + background: "#000000" + logo: "https://raw.githubusercontent.com/cncf/artwork/refs/heads/main/projects/capsule/icon/color/capsule-icon-color.svg" + size: 50% + tags: + - "core" + - "secrets" + - "gitops" + links: + - link: "https://github.com/peak-scale/sops-operator" + icon: "fab fa-github" + description: "Handle SOPS Secrets in a multi-tenant and kubernetes-native way." - - name: "Flux Addon" - logo: "https://raw.githubusercontent.com/cncf/artwork/dea12221052d349eaa73a9cc01cb22e137758f86/projects/capsule/horizontal/color/capsule-horizontal-color.svg" + - name: "FluxCD" + background: "#00264d" + logo: "https://raw.githubusercontent.com/cncf/artwork/refs/heads/main/projects/capsule/icon/color/capsule-icon-color.svg" + size: 50% tags: - "core" - "gitops" links: - link: "https://github.com/projectcapsule/capsule-addon-fluxcd" icon: "fab fa-github" - description: "In particular enables Tenants to manage their resources, including creating Namespaces, respecting the [Flux multi-tenancy lockdown](https://fluxcd.io/flux/installation/configuration/multitenancy/)." + - link: "https://fluxcd.io/flux/installation/configuration/multitenancy/" + icon: "fa fa-book" + + description: "In particular enables Tenants to manage their resources, including creating Namespaces." #background: "#FF5722" #layoutColor: "#FFFFFF" #descriptionColor: "#FFEBEE" @@ -48,5 +66,3 @@ addons: - link: "https://github.com/projectcapsule/cortex-proxy" icon: "fab fa-github" description: "Route metrics to cortex organizations based on the relational of namespace metrics to capsule tenants." - - diff --git a/layouts/shortcodes/addons.html b/layouts/shortcodes/addons.html index f9bc053..c43c3d1 100644 --- a/layouts/shortcodes/addons.html +++ b/layouts/shortcodes/addons.html @@ -28,13 +28,14 @@
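Review bot: in the AdditionalMetadataList example (enforcement.md, first hunk), the third selector hands out `pod-security.kubernetes.io/enforce: privileged` to any namespace carrying `projectcapsule.dev/low_security_profile: "true"`, and the page does not say who may set that label; if tenant owners can label their own namespaces, they can opt themselves out of the `baseline` profile. State that this label must be reserved to the cluster admin, or key the selector on something the tenant cannot set. Smaller points in the same hunk: the YAML comment reads `namspaces`; the sentence `However you have the option to be more specific by selecting to which namespaces you want to assign what kind of metadata:` reads better as `However, you can be more specific and choose which metadata is applied to which namespaces:`; and the deprecation warning under `#### AdditionalMetadata` lacks a trailing period.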
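Review bot: the Nodes hunk (enforcement.md, `@@ -90,9 +135,9 @@`) deletes the blank line between the CVE-2021-25735 warning blockquote and the paragraph `When using capsule together with ...`; in CommonMark (and therefore Goldmark) that paragraph becomes a lazy continuation of the blockquote and renders inside the warning. Keep a blank line after `v1.21.0`. Also `Kubernetes version older than` should read `Kubernetes versions older than`.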
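Review bot: the LimitRanges hunk (enforcement.md, `@@ -211,7 +256,8 @@`) adds a warning that ends without a period after `[TenantReplications](#limitrange-distribution-with-tenantreplications)`, while the NetworkPolicies warning in the same change ends with one; make the two deprecation notices identical in form.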
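Review bot: the NetworkPolicies hunk (enforcement.md, `@@ -925,7 +971,10 @@`) announces removal of the feature that the very next paragraph relies on for traffic isolation between tenants, without saying what happens to the isolation in between. The warning should state that NetworkPolicies declared in the tenant spec keep being distributed until the removal, and that the equivalent TenantReplications must be in place before upgrading past it, otherwise the migration silently drops cross-tenant isolation. Minor: `other NetworkPolicy implementation like [Cilium]` should read `other NetworkPolicy implementations such as [Cilium]`, and the hunk adds a blank line both above and below the warning where the other sections use a single one.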
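Review bot: in the quotas.md hunk, the replacement line `There are different elements, where quotas can be defined.` has a stray comma and introduces nothing; either drop it or make it a real lead-in such as `Quotas can be defined at several levels:`. Because the hunk removes the whole `## GlobalResourceQuotas` section together with the `### LimitRanges (Example)` subsection, check that no other page links to the `#globalresourcequotas` anchor or to that example. The first sentence of `## Resource Quota` (`With help of Capsule, Bill, the cluster admin, can set and enforce resources quota and limits for Alice's tenant.`) now repeats the page intro verbatim; keep one copy. The removed section also carried the overprovisioning caveat tied to [issue/49]; if the remaining Resource Quota behaviour still allows overprovisioning, that caveat should move, not disappear.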
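Review bot: the first addons.yaml hunk replaces a `logo` URL pinned to commit `dea12221052d349eaa73a9cc01cb22e137758f86` of cncf/artwork with one on `refs/heads/main`, a mutable branch; an image fetched from a moving ref can change or disappear without any review in this repository. Pin the icon path to a commit SHA or vendor the SVG into the site's static assets.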
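Review bot: in the second addons.yaml hunk (`@@ -8,11 +8,12 @@`), `size: 50%` is the only unquoted string value in the file; YAML does parse `50%` as a string, but quote it (`size: "50%"`) to match `background: "#00264d"` and the rest of the entries.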
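Review bot: in the third addons.yaml hunk (`@@ -25,16 +26,33 @@`), the new `Sops Operator` entry is tagged `core` although it lives under `peak-scale/sops-operator`, while the `ArgoCD` addon from the same organisation is tagged `vendor`; settle on one tag for addons not maintained under projectcapsule. The entry also reuses the Capsule icon as its logo, so it is indistinguishable from `Proxy` and `FluxCD` on the rendered page. Both new `logo` URLs again use `refs/heads/main` instead of a pinned commit (same concern as the first hunk). Moving the Flux multi-tenancy lockdown link out of `description` into `links` is fine, but the stray blank line between the `links` list and `description:` should go.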