Reference document for Capsule Operator configuration

Custom Resource Definition

The Capsule operator uses a Custom Resource Definition (CRD) for Tenants. Tenants are cluster-wide resources, so you need cluster-level permissions to work with them. The tenant CRD is described in the following section.

Capsule Configuration

The Capsule configuration is driven by a Custom Resource Definition named CapsuleConfiguration.

apiVersion: capsule.clastix.io/v1alpha1   # API group/version assumed from Capsule v0.1.x; not shown on the original page
kind: CapsuleConfiguration
metadata:
  name: default
  annotations:
    # annotation keys reconstructed from the Capsule project; the page only preserved their values
    capsule.clastix.io/ca-secret-name: "capsule-ca"
    capsule.clastix.io/tls-secret-name: "capsule-tls"
    capsule.clastix.io/mutating-webhook-configuration-name: "capsule-mutating-webhook-configuration"
    capsule.clastix.io/validating-webhook-configuration-name: "capsule-validating-webhook-configuration"
spec:
  userGroups: [""]
  forceTenantPrefix: false
  protectedNamespaceRegex: ""

Option | Description | Default
.spec.forceTenantPrefix | Force the tenant name as prefix for namespaces: <tenant_name>-<namespace>. | false
.spec.userGroups | Array of Capsule groups to which all tenant owners must belong. | []
.spec.protectedNamespaceRegex | Disallows creation of namespaces matching the passed regexp. | null
annotation capsule.clastix.io/ca-secret-name | Set the Capsule Certificate Authority secret name. | capsule-ca
annotation capsule.clastix.io/tls-secret-name | Set the Capsule TLS secret name. | capsule-tls
annotation capsule.clastix.io/mutating-webhook-configuration-name | Set the MutatingWebhookConfiguration name. | capsule-mutating-webhook-configuration
annotation capsule.clastix.io/validating-webhook-configuration-name | Set the ValidatingWebhookConfiguration name. | capsule-validating-webhook-configuration

Upon installation using Kustomize or Helm, a capsule-default resource will be created. The reference to this configuration is managed by the CLI flag --configuration-name.
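To make the two namespace rules above concrete, here is a small model of the admission decision they imply (an added example written for this page, not Capsule's own webhook code). It assumes the forceTenantPrefix check is a plain "<tenant_name>-" prefix test, that protectedNamespaceRegex is applied as an unanchored search, and that a tenant owner only needs to be in one of the configured userGroups; the sample configurations and the group name tenant-owners are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CapsuleConfiguration:
    """Mirrors the .spec fields of the CapsuleConfiguration resource."""
    force_tenant_prefix: bool = False
    user_groups: List[str] = field(default_factory=list)
    protected_namespace_regex: Optional[str] = None


def owner_allowed(cfg: CapsuleConfiguration, owner_groups: List[str]) -> bool:
    """Tenant owners must belong to the configured Capsule groups.
    Assumption: membership in any one listed group suffices; an empty
    list means no group requirement is enforced."""
    if not cfg.user_groups:
        return True
    return any(group in owner_groups for group in cfg.user_groups)


def admit_namespace(cfg: CapsuleConfiguration, tenant: str,
                    namespace: str) -> Tuple[bool, str]:
    """Decide whether a namespace requested for `tenant` passes the two
    namespace rules of the spec. Returns (admitted, reason)."""
    # protectedNamespaceRegex: any match (unanchored search) denies creation.
    if cfg.protected_namespace_regex:
        if re.search(cfg.protected_namespace_regex, namespace):
            return False, f"{namespace!r} matches protectedNamespaceRegex"
    # forceTenantPrefix: the namespace must be named <tenant_name>-<namespace>.
    if cfg.force_tenant_prefix and not namespace.startswith(f"{tenant}-"):
        return False, f"{namespace!r} lacks the required prefix {tenant!r}-"
    return True, "admitted"


# Constructed sample configurations for illustration.
PERMISSIVE = CapsuleConfiguration()  # page defaults: no prefix, no regex
HARDENED = CapsuleConfiguration(
    force_tenant_prefix=True,
    user_groups=["tenant-owners"],                  # constructed group name
    protected_namespace_regex=r"^(kube|capsule)-",  # keep system namespaces out of reach
)

if __name__ == "__main__":
    for ns in ("oil-production", "production", "kube-public"):
        print(ns, admit_namespace(HARDENED, "oil", ns))
```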

Capsule Permissions

In the current implementation, the Capsule operator requires cluster admin permissions to fully operate. Make sure you deploy Capsule with access to the default cluster-admin ClusterRole.

Admission Controllers

Capsule implements Kubernetes multi-tenancy capabilities using a minimum set of standard Admission Controllers enabled on the Kubernetes API server.

Here is the list of required Admission Controllers you have to enable to get full support from Capsule:

  • PodNodeSelector
  • LimitRanger
  • ResourceQuota
  • MutatingAdmissionWebhook
  • ValidatingAdmissionWebhook

In addition to the required controllers above, Capsule implements its own set through the Dynamic Admission Controller mechanism, providing callbacks to add further validation or resource patching.

To see the admission webhook configurations installed by Capsule:

$ kubectl get ValidatingWebhookConfiguration
NAME                                       WEBHOOKS   AGE
capsule-validating-webhook-configuration   8          2h

$ kubectl get MutatingWebhookConfiguration
NAME                                       WEBHOOKS   AGE
capsule-mutating-webhook-configuration     1          2h

Command Options

The Capsule operator provides the following command options:

Option | Description | Default
--metrics-addr | The address and port where /metrics are exposed. |
--enable-leader-election | Start a leader election client and gain leadership before executing the main loop. | true
--zap-log-level | The log verbosity, as a value from 1 to 10 or one of the basic keywords. | 4
--zap-devel | Enable development mode to get stack traces for deep debugging. | null
--configuration-name | The name of the CapsuleConfiguration resource to use; the default one is installed automatically. | capsule-default

Created Resources

Once installed, the Capsule operator creates the following resources in your cluster:

capsule-system  secret/capsule-ca
capsule-system  secret/capsule-tls
capsule-system  service/capsule-controller-manager-metrics-service
capsule-system  service/capsule-webhook-service
capsule-system  deployment.apps/capsule-controller-manager