feat: add recommended kyverno rules (#46)

* feat: add versioning

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat: add recommended kyverno policies

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add opencost integration (#41)

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat(docs): add opencost integration

Signed-off-by: Hristo Hristov <me@hhristov.info>

---------

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(website): separate preview and production deployments (#42)

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(actions): fix action image

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(docs): make apidocs-capsule-proxy and apidocs-capsule

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(docs): fix docs lint

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add integration for teleport (#44)

Signed-off-by: Adrian Berger <adrian.berger@bedag.ch>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add versioned documentation

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add versioned documentation

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add versioned documentation

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add versioned documentation

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add versioned documentation

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(docs): add versioned documentation

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat: align with fixed metrics

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Adrian Berger <adrian.berger@bedag.ch>
Co-authored-by: Hristo Hristov <me@hhristov.info>
Co-authored-by: Adrian Berger <43774417+adberger@users.noreply.github.com>

Author: 3 people

content/en/docs/operating/monitoring.md

@@ -169,29 +169,48 @@ capsule_pool_usage_percentage{pool="solar-compute",resource="requests.memory"} 4
 capsule_pool_usage_percentage{pool="solar-size",resource="pods"} 42.857142857142854
 ```
 
+## Tenants
 
-## Quotas
-
-Instrumentation for [Quotas](../tenants/quotas/).
+Instrumentation for [Tenants](../tenants/).
 
 ### Metrics
 
 The following Metrics are exposed and can be used for monitoring:
 
 ```shell
+# HELP capsule_tenant_condition Provides per tenant condition status for each condition
+# TYPE capsule_tenant_condition gauge
+capsule_tenant_condition{condition="Cordoned",tenant="solar"} 0
+capsule_tenant_condition{condition="Ready",tenant="solar"} 1
+
+
+# HELP capsule_tenant_namespace_condition Provides per namespace within a tenant condition status for each condition
+# TYPE capsule_tenant_namespace_condition gauge
+capsule_tenant_namespace_condition{condition="Cordoned",target_namespace="earth",tenant="solar"} 0
+capsule_tenant_namespace_condition{condition="Cordoned",target_namespace="fire",tenant="solar"} 0
+capsule_tenant_namespace_condition{condition="Cordoned",target_namespace="foild",tenant="solar"} 0
+capsule_tenant_namespace_condition{condition="Cordoned",target_namespace="green",tenant="solar"} 0
+capsule_tenant_namespace_condition{condition="Cordoned",target_namespace="solar",tenant="solar"} 0
+capsule_tenant_namespace_condition{condition="Cordoned",target_namespace="wind",tenant="solar"} 0
+capsule_tenant_namespace_condition{condition="Ready",target_namespace="earth",tenant="solar"} 1
+capsule_tenant_namespace_condition{condition="Ready",target_namespace="fire",tenant="solar"} 1
+capsule_tenant_namespace_condition{condition="Ready",target_namespace="foild",tenant="solar"} 1
+capsule_tenant_namespace_condition{condition="Ready",target_namespace="green",tenant="solar"} 1
+capsule_tenant_namespace_condition{condition="Ready",target_namespace="solar",tenant="solar"} 1
+capsule_tenant_namespace_condition{condition="Ready",target_namespace="wind",tenant="solar"} 1
+
 # HELP capsule_tenant_namespace_count Total number of namespaces currently owned by the tenant
 # TYPE capsule_tenant_namespace_count gauge
 capsule_tenant_namespace_count{tenant="solar"} 6
 
 # HELP capsule_tenant_namespace_relationship Mapping metric showing namespace to tenant relationships
 # TYPE capsule_tenant_namespace_relationship gauge
-capsule_tenant_namespace_relationship{namespace="earth",tenant="solar"} 1
-capsule_tenant_namespace_relationship{namespace="wind",tenant="solar"} 1
-capsule_tenant_namespace_relationship{namespace="fire",tenant="solar"} 1
-
-# HELP capsule_tenant_status Tenant cordon state indicating if tenant operations are restricted (1) or allowed (0) for resource creation and modification
-# TYPE capsule_tenant_status gauge
-capsule_tenant_status{tenant="limiting-resources"} 0
+capsule_tenant_namespace_relationship{target_namespace="earth",tenant="solar"} 1
+capsule_tenant_namespace_relationship{target_namespace="fire",tenant="solar"} 1
+capsule_tenant_namespace_relationship{target_namespace="soil",tenant="solar"} 1
+capsule_tenant_namespace_relationship{target_namespace="green",tenant="solar"} 1
+capsule_tenant_namespace_relationship{target_namespace="solar",tenant="solar"} 1
+capsule_tenant_namespace_relationship{target_namespace="wind",tenant="solar"} 1
 
 # HELP capsule_tenant_resource_limit Current resource limit for a given resource in a tenant
 # TYPE capsule_tenant_resource_limit gauge

content/en/docs/operating/setup/configuration.md

@@ -7,57 +7,131 @@ description: >
 
 The configuration for the capsule controller is done via it's dedicated configration Custom Resource. You can explain the configuration options and how to use them:
 
-
-
 ## CapsuleConfiguration
 
 The configuration for Capsule is done via it's dedicated configration Custom Resource. You can explain the configuration options and how to use them:
 
-```bash
+```shell
 kubectl explain capsuleConfiguration.spec
 ```
 
-### enableTLSReconciler
+### `enableTLSReconciler`
 Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
 
-### forceTenantPrefix
+```yaml
+tls:
+  enableController: true
+```
+
+### `forceTenantPrefix`
 Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
 
-### nodeMetadata
+```yaml
+manager:
+  options:
+    forceTenantPrefix: true
+```
+
+### `nodeMetadata`
 Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant. This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
 
-### overrides
+```yaml
+manager:
+  options:
+    nodeMetadata:
+      forbiddenLabels:
+        denied:
+          - "node-role.kubernetes.io/*"
+        deniedRegex: ""
+      forbiddenAnnotations:
+        denied:
+          - "node.alpha.kubernetes.io/*"
+        deniedRegex: ""
+```
+
+[Read More](/docs/tenants/enforcement/#nodes)
+
+
+### `overrides`
 Allows to set different name rather than the canonical one for the Capsule configuration objects, such as webhook secret or configurations.
 
-### protectedNamespaceRegex
+### `protectedNamespaceRegex`
 Disallow creation of namespaces, whose name matches this regexp
 
-### userGroups
+```yaml
+manager:
+  options:
+    protectedNamespaceRegex: "^(kube|default|capsule|admin|system|com|org|local|localhost|io)$"
+```
+
+### `userGroups`
 Names of the groups for Capsule users. Users must have this group to be considered for the Capsule tenancy. If a user does not have any group mentioned here, they are not recognized as a Capsule user.
 
-### userNames
+```yaml
+manager:
+  options:
+    capsuleUserGroups:
+      - system:serviceaccounts:tenants-gitops
+      - company:org:users
+```
+
+### `userNames`
 Names of the users for Capsule users. Users must have this name to be considered for the Capsule tenancy. If userGroups are set, the properties are ORed, meaning that a user can be recognized as a Capsule user if they have one of the groups or one of the names.
 
-### ignoreUserWithGroups
+```yaml
+manager:
+  options:
+    userNames:
+      - system:serviceaccount:crossplane-system:crossplane-k8s-provider
+```
+
+### `ignoreUserWithGroups`
 Define groups which when found in the request of a user will be ignored by the Capsule. This might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
 
+```yaml
+manager:
+  options:
+    ignoreUserWithGroups:
+      - company:org:administrators
+```
+
+### `allowServiceAccountPromotion`
+
+ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant. However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
+
+[Read More](/docs/tenants/permissions/#serviceaccount-promotion)
+
+```yaml
+manager:
+  options:
+    allowServiceAccountPromotion: true
+```
+
 ## Controller Options
 
 Depending on the version of the Capsule Controller, the configuration options may vary. You can view the options for the latest version of the Capsule Controller or by executing the controller locally:
 
 ```bash
-$ docker run ghcr.io/projectcapsule/capsule:v0.6.0-rc0 -h
-2024/02/25 13:21:21 maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
-Usage of /ko-app/capsule:
+$ go run ./cmd/. --zap-log-level 7 -h
+2025/09/13 23:50:30 maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined
+Usage of /var/folders/ts/43yg7sk56ls3r3xjf66npgpm0000gn/T/go-build2624543463/b001/exe/cmd:
       --configuration-name string         The CapsuleConfiguration resource name to use (default "default")
       --enable-leader-election            Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
       --metrics-addr string               The address the metric endpoint binds to. (default ":8080")
       --version                           Print the Capsule version and exit
       --webhook-port int                  The port the webhook server binds to. (default 9443)
       --zap-devel                         Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error)
       --zap-encoder encoder               Zap log encoding (one of 'json' or 'console')
-      --zap-log-level level               Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
+      --zap-log-level level               Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', 'panic'or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
       --zap-stacktrace-level level        Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').
       --zap-time-encoding time-encoding   Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'). Defaults to 'epoch'.
 ```
 
+Define additional options in the `values.yaml` when installing via Helm:
+
+```yaml
+manager:
+  extraArgs:
+  - "--enable-leader-election=true"
+```
+

content/en/docs/operating/setup/installation.md

@@ -58,6 +58,12 @@ Perform the following steps to install the capsule Operator:
 
 Here are some key considerations to keep in mind when installing Capsule. Also check out the **[Best Practices](/docs/operating/best-practices)** for more information.
 
+### Admission Policies 
+
+While Capsule provides a robust framework for managing multi-tenancy in Kubernetes, it does not include built-in admission policies for enforcing specific security or operational standards for all possible aspects of a Kubernetes cluster. Therefore, it is recommended to use additional tools like [Kyverno](https://kyverno.io/) to enforce admission policies that align with your organization's requirements.
+
+[We provide policy recommendations for Kyverno here](/ecosystem/integrations/kyverno/#recommended-policies).
+
 ### Certificate Management
 
 We recommend using [cert-manager](https://cert-manager.io/) to manage the TLS certificates for Capsule. This will ensure that your Capsule installation is secure and that the certificates are automatically renewed. Capsule requires a valid TLS certificate for it's Admission Webserver. By default Capsule reconciles it's own TLS certificate. To use cert-manager, you can set the following values:

content/en/docs/tenants/permissions.md

@@ -164,6 +164,28 @@ system:serviceaccounts:{service-account-namespace}
 
 You have to add `system:serviceaccounts:{service-account-namespace}` to the CapsuleConfiguration [Group Scope](#group-scope) to make it work.
 
+### ServiceAccount Promotion
+
+Within a tenant, a ServiceAccount can be promoted to a Tenant Owner. For example, Alice can create a ServiceAccount called robot in the solar tenant and promote it to be a Tenant Owner (This requires Alice to be an owner of the tenant as well):
+
+```yaml
+kubectl label sa gitops-reconcile -n green-test owner.projectcapsule.dev/promote=true --as alice --as-group projectcapsule.dev
+```
+
+Now the ServiceAccount robot can create namespaces in the solar tenant:
+
+```bash
+kubectl create ns green-valkey--as system:serviceaccount:green-test:gitops-reconcile
+```
+
+To revoke the promotion, Alice can just remove the label:
+
+```yaml
+kubectl label sa gitops-reconcile -n green-test owner.projectcapsule.dev/promote-  --as alice --as-group projectcapsule.dev
+```
+
+This feature must be enabled in the [CapsuleConfiguration](/docs/operating/setup/configuration/#allowserviceaccountpromotion).
+
 
 ### Owner Roles
 

content/en/docs/whats-new.md

@@ -5,22 +5,21 @@ description: >
 weight: 1
 ---
 
-
 ## Features
 
-* includes a new approach to how Resources (ResourceQuotas) should be handled across multiple namespaces. With this release, we are introducing the concept of ResourcePools and ResourcePoolClaims. Essentially, you can now define Resources and the audience (namespaces) that can claim these Resources from a ResourcePool. This introduces a shift-left in resource management, where Tenant Owners themselves are responsible for organizing their resources. Comes with a Queuing-Mechanism already in place. This new feature works with all namespaces — not just exclusive Capsule namespaces. [Read More](/docs/resourcepools/)
-
-* Added support for GatewayAPI v1 (Gateway-Class control). [Read More](/docs/tenants/enforcement/#gatewayclasses)
+* Owners can promote ServiceAccounts from their Tenant namespaces to Owners of the Tenant [Read More](/docs/tenants/permissions/#serviceaccount-promotion)
 
-- Added a more sophisticated way to control metadata for namespaces within a tenant. This allows you to distribute labels and annotations to namespaces based on more specific conditions. It's now also possible so use simple templating to assign metadata. [Read More](/docs/tenants/enforcement/#namespaces)
+* Reworked Metrics based on improved Tenant state management via Conditions. [Read More](/docs/operating/monitoring/#metrics-1)
 
+* Includes a new approach to how Resources (ResourceQuotas) should be handled across multiple namespaces. With this release, we are introducing the concept of ResourcePools and ResourcePoolClaims. Essentially, you can now define Resources and the audience (namespaces) that can claim these Resources from a ResourcePool. This introduces a shift-left in resource management, where Tenant Owners themselves are responsible for organizing their resources. Comes with a Queuing-Mechanism already in place. This new feature works with all namespaces — not just exclusive Capsule namespaces. [Read More](/docs/resourcepools/)
 
 ## Documentation
 
 We have added new documentation for a better experience. See the following Topics:
 
 * **[Best Practices](/docs/operating/best-practices/)**
 * **[Installation](/docs/operating/setup/installation/)**
+* **[Kyverno Policy Recommendations](/ecosystem/integrations/kyverno/#recommended-policies)**
 
 ## Ecosystem
 
@@ -29,4 +28,5 @@ Newly added documentation to integrate Capsule with other applications:
 * [OpenCost](/ecosystem/integrations/opencost/)
 * [Headlamp](/ecosystem/integrations/headlamp/)
 * [Gangplank](/ecosystem/integrations/gangplank/)
-* [Openshift](/docs/operating/setup/openshift/)
+* [Teleport](/ecosystem/integrations/teleport/)
+* [Openshift](/docs/operating/setup/openshift/)