feat(docs): improve setup and ecosystem

Author: oliverbaehler

config/_default/hugo.yaml

@@ -159,17 +159,22 @@ menu:
       pre: <i class='fas fa-users'></i>
       weight: 13
 
+    - name: Live-Demo
+      url: https://killercoda.com/peak-scale-test/course/playgrounds/capsule
+      pre: <i class='fas fa-terminal'></i>
+      weight: 14
+
     - name: Resources
       url: /resources/
       pre: <i class='fa-brands fa-readme'></i>
-      weight: 14
+      weight: 15
 
     - name: Support
       url: /support/
       pre: <i class='fas fa-briefcase'></i>
-      weight: 15
+      weight: 16
 
     - name: Project
       url: /project/
       pre: <i class='fas fa-flask'></i>
-      weight: 16
+      weight: 17

content/en/_index.md

@@ -12,7 +12,7 @@ title: Project Capsule
 </a>
 
 <a class="btn btn-lg btn-primary me-3 mb-4" href="https://killercoda.com/peak-scale-test/course/playgrounds/capsule">
-  Demo <i class="fas fa-arrow-alt-circle-right ms-2"></i>
+  Live-Demo <i class="fas fa-arrow-alt-circle-right ms-2"></i>
 </a>
 </div>
 

content/en/docs/operating/authentication.md

@@ -4,7 +4,7 @@ description: Integrate Capsule with Authentication of your Kubernetes cluster
 weight: 5
 ---
 
-Capsule does not care about the authentication strategy used in the cluster and all the Kubernetes methods of authentication are supported. The only requirement to use Capsule is to assign tenant users to the group defined by userGroups option in the CapsuleConfiguration, which defaults to capsule.clastix.io.
+Capsule does not care about the authentication strategy used in the cluster and all the Kubernetes methods of authentication are supported. The only requirement to use Capsule is to assign tenant users to the group defined by userGroups option in the CapsuleConfiguration, which defaults to `projectcapsule.dev`.
 
 ## OIDC
 
@@ -15,16 +15,17 @@ In the following guide, we'll use [Keycloak](https://www.keycloak.org/) an Open
 Configure Keycloak as OIDC server:
 
   * Add a realm called caas, or use any existing realm instead
-  * Add a group capsule.clastix.io
-  * Add a user alice assigned to group capsule.clastix.io
-  * Add an OIDC client called kubernetes
+  * Add a group `projectcapsule.dev`
+  * Add a user alice assigned to group `projectcapsule.dev`
+  * Add an OIDC client called `kubernetes` (Public)
+  * Add an OIDC client called `kubernetes-auth` (Confidential (Client Secret))
 
 For the kubernetes client, create protocol mappers called groups and audience
 If everything is done correctly, now you should be able to authenticate in Keycloak and see user groups in JWT tokens. Use the following snippet to authenticate in Keycloak as alice user:
 
 ```bash
 $ KEYCLOAK=sso.clastix.io
-$ REALM=caas
+$ REALM=kubernetes-auth
 $ OIDC_ISSUER=${KEYCLOAK}/realms/${REALM}
 
 $ curl -k -s https://${OIDC_ISSUER}/protocol/openid-connect/token \
@@ -54,7 +55,7 @@ To introspect the `ID_TOKEN` token run:
 ```bash
 $ curl -k -s https://${OIDC_ISSUER}/protocol/openid-connect/introspect \
      -d token=${ID_TOKEN} \
-     --user ${OIDC_CLIENT_ID}:${OIDC_CLIENT_SECRET} | jq
+     --user kubernetes-auth:${OIDC_CLIENT_SECRET} | jq
 ```
 
 The result will be like the following:
@@ -82,6 +83,45 @@ The result will be like the following:
 
 Configuring Kubernetes for OIDC Authentication requires adding several parameters to the API Server. Please, refer to the [documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for details and examples. Most likely, your kube-apiserver.yaml manifest will looks like the following:
 
+#### Authentication Configuration (Recommended)
+
+The configuration file approach allows you to configure multiple JWT authenticators, each with a unique issuer.url and issuer.discoveryURL. The configuration file even allows you to specify CEL expressions to map claims to user attributes, and to validate claims and user information. 
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: https://${OIDC_ISSUER}
+    audiences:
+    - kubernetes
+    - kubernetes-auth
+    audienceMatchPolicy: MatchAny
+  claimMappings:
+    username:
+      claim: 'email'
+      prefix: ""
+    groups:
+      claim: 'groups'
+      prefix: ""
+  certificateAuthority: <PEM encoded CA certificates>
+```
+
+This file must be present and consistent across all kube-apiserver instances in the cluster. Add the following flag to the kube-apiserver manifest:
+
+```yaml
+spec:
+  containers:
+  - command:
+    - kube-apiserver
+    ...
+    - --authentication-configuration-file=/etc/kubernetes/authentication/authentication.yaml
+```
+
+[Read More](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration)
+
+#### OIDC Flags (Legacy)
+
 ```yaml
 spec:
   containers:
@@ -90,7 +130,7 @@ spec:
     ...
     - --oidc-issuer-url=https://${OIDC_ISSUER}
     - --oidc-ca-file=/etc/kubernetes/oidc/ca.crt
-    - --oidc-client-id=${OIDC_CLIENT_ID}
+    - --oidc-client-id=kubernetes
     - --oidc-username-claim=preferred_username
     - --oidc-groups-claim=groups
     - --oidc-username-prefix=-
@@ -112,7 +152,7 @@ nodes:
            extraArgs:
              oidc-issuer-url: https://${OIDC_ISSUER}
              oidc-username-claim: preferred_username
-             oidc-client-id: ${OIDC_CLIENT_ID}
+             oidc-client-id: kubernetes
              oidc-username-prefix: "keycloak:"
              oidc-groups-claim: groups
              oidc-groups-prefix: "keycloak:"
@@ -133,7 +173,7 @@ One way to use OIDC authentication is the use of a kubectl plugin. The [Kubelogi
 ```shell
 kubectl oidc-login setup \
 	--oidc-issuer-url=https://${OIDC_ISSUER} \
-	--oidc-client-id=${OIDC_CLIENT_ID} \
+	--oidc-client-id=kubernetes-auth \
 	--oidc-client-secret=${OIDC_CLIENT_SECRET}
 ```
 
@@ -146,7 +186,7 @@ $ kubectl config set-credentials oidc \
     --auth-provider=oidc \
     --auth-provider-arg=idp-issuer-url=https://${OIDC_ISSUER} \
     --auth-provider-arg=idp-certificate-authority=/path/to/ca.crt \
-    --auth-provider-arg=client-id=${OIDC_CLIENT_ID} \
+    --auth-provider-arg=client-id=kubernetes-auth \
     --auth-provider-arg=client-secret=${OIDC_CLIENT_SECRET} \
     --auth-provider-arg=refresh-token=${REFRESH_TOKEN} \
     --auth-provider-arg=id-token=${ID_TOKEN} \

…g/best-practices/control-pod-security.md …cs/operating/best-practices/workloads.mdcontent/en/docs/operating/best-practices/control-pod-security.md renamed to content/en/docs/operating/best-practices/workloads.md content/en/docs/operating/best-practices/control-pod-security.md renamed to content/en/docs/operating/best-practices/workloads.md

@@ -1,17 +1,88 @@
 ---
-title: Pod Security Standards
+title: Workloads
 weight: 3
-description: Control the security of the pods running in the tenant namespaces
+description: Control the security of the workloads running in the tenant namespaces
 ---
 
+## User Namespaces
+
+{{% alert title="Info" color="info" %}}
+The FeatureGate `UserNamespacesSupport` is active by default since [Kubernetes 1.33](https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/). However every pod must still [opt-in](#admission)
+
+When you are also enabling the FeatureGate `UserNamespacesPodSecurityStandards` you may relax the Pod Security Standards for your workloads. [Read More](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-admission-checks)
+{{% /alert %}}
+
+A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace. [Read More](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/)
+
+### Kubelet
+
+On your Kubelet you must use the [FeatureGates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/):
+
+* `UserNamespacesSupport`
+* `UserNamespacesPodSecurityStandards` (Optional)
+
+### Sysctls
+
+```yaml
+user.max_user_namespaces: "11255"
+```
+
+### Admission (Kyverno)
+
+To make sure all the workloads are forced to use dedicated User Namespaces, we recommend to mutate pods at admission. See the following examples.
+
+#### Kyverno
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-hostusers-spec
+  annotations:
+    policies.kyverno.io/title: Add HostUsers
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/subject: Pod,User Namespace
+    kyverno.io/kubernetes-version: "1.31"
+    policies.kyverno.io/description: >-
+      Do not use the host's user namespace. A new userns is created for the pod. 
+      Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root
+      without actually having root privileges on the host. This field is
+      alpha-level and is only honored by servers that enable the
+      UserNamespacesSupport feature.
+spec:
+  rules:
+  - name: add-host-users
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          namespaceSelector:
+            matchExpressions:
+            - key: capsule.clastix.io/tenant
+              operator: Exists
+    preconditions:
+      all:
+      - key: "{{request.operation || 'BACKGROUND'}}"
+        operator: AnyIn
+        value:
+          - CREATE
+          - UPDATE
+    mutate:
+      patchStrategicMerge:
+        spec:
+          hostUsers: false
+```
+
+## Pod Security Standards
+
 In Kubernetes, by default, workloads run with administrative access, which might be acceptable if there is only a single application running in the cluster or a single user accessing it. This is seldom required and you’ll consequently suffer a noisy neighbour effect along with large security blast radiuses.
 
 Many of these concerns were addressed initially by [PodSecurityPolicies](https://kubernetes.io/docs/concepts/security/pod-security-policy) which have been present in the Kubernetes APIs since the very early days.
 
 The Pod Security Policies are deprecated in Kubernetes 1.21 and removed entirely in 1.25. As replacement, the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) and [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) has been introduced. Capsule support the new standard for tenants under its control as well as the oldest approach.
 
 
-## Pod Security Standards
 One of the issues with Pod Security Policies is that it is difficult to apply restrictive permissions on a granular level, increasing security risk. Also the Pod Security Policies get applied when the request is submitted and there is no way of applying them to pods that are already running. For these, and other reasons, the Kubernetes community decided to deprecate the Pod Security Policies.
 
 As the Pod Security Policies get deprecated and removed, the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) is used in place. It defines three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive:
@@ -165,76 +236,6 @@ kubectl --kubeconfig alice-solar.kubeconfig label ns solar-production \
 Error from server (Label pod-security.kubernetes.io/audit is forbidden for namespaces in the current Tenant ...
 ```
 
-## User Namespaces
-
-{{% alert title="Info" color="info" %}}
-The FeatureGate `UserNamespacesSupport` is active by default since [Kubernetes 1.33](https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/). However every pod must still [opt-in](#admission)
-
-When you are also enabling the FeatureGate `UserNamespacesPodSecurityStandards` you may relax the Pod Security Standards for your workloads. [Read More](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-admission-checks)
-{{% /alert %}}
-
-A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace. [Read More](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/)
-
-### Kubelet
-
-On your Kubelet you must use the [FeatureGates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/):
-
-* `UserNamespacesSupport`
-* `UserNamespacesPodSecurityStandards` (Optional)
-
-### Sysctls
-
-```yaml
-user.max_user_namespaces: "11255"
-```
-
-### Admission (Kyverno)
-
-To make sure all the workloads are forced to use dedicated User Namespaces, we recommend to mutate pods at admission. See the following examples.
-
-#### Kyverno
-
-```yaml
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: add-hostusers-spec
-  annotations:
-    policies.kyverno.io/title: Add HostUsers
-    policies.kyverno.io/category: Security
-    policies.kyverno.io/subject: Pod,User Namespace
-    kyverno.io/kubernetes-version: "1.31"
-    policies.kyverno.io/description: >-
-      Do not use the host's user namespace. A new userns is created for the pod. 
-      Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root
-      without actually having root privileges on the host. This field is
-      alpha-level and is only honored by servers that enable the
-      UserNamespacesSupport feature.
-spec:
-  rules:
-  - name: add-host-users
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-          namespaceSelector:
-            matchExpressions:
-            - key: capsule.clastix.io/tenant
-              operator: Exists
-    preconditions:
-      all:
-      - key: "{{request.operation || 'BACKGROUND'}}"
-        operator: AnyIn
-        value:
-          - CREATE
-          - UPDATE
-    mutate:
-      patchStrategicMerge:
-        spec:
-          hostUsers: false
-```
-
 ## Pod Security Policies
 
 As stated in the documentation, *"PodSecurityPolicies enable fine-grained authorization of pod creation and updates. A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The `PodSecurityPolicy` objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields."*

content/en/docs/operating/installation/_index.md

@@ -0,0 +1,7 @@
+---
+title: Setup
+weight: 1
+description: "Setting up your environment for Capsule"
+type: docs
+weight: 1
+---