What's New ✨

Security

• Advisory GHSA-2ww6-hf35-mfjm - Moderate - Users may hijack namespaces via namespaces/status privileges. These privileges must have been explicitly granted by Platform Administrators through RBAC rules to be affected. Requests for the namespaces/status subresource are now sent to the Capsule admission webhook as well.

Breaking Changes

• By default, Capsule now uses self-signed cert-manager certificates for its admission webhooks. This used to be an optional setting and has now become the default. If you don’t have cert-manager installed, you must explicitly re-enable the Capsule TLS controller as documented here.

Features

• Added RequiredMetadata for Namespaces created in a Tenant. For details, see the Required metadata documentation.
• Added implicit assignment of TenantOwner. For details, see Implicit tenant assignment.
• Added aggregation of TenantOwner. For details, see Tenant owner aggregation.
• Introduced the new RuleStatus CRD. For details, see the Rules documentation.
• Introduced new OCI registry enforcement. For details, see Registry rules.
• Added the projectcapsule.dev/tenant label to all namespaced resources belonging to a Tenant. For details, see Managed metadata.
• Added configuration options for managed RBAC. For details, see RBAC configuration.
• Added configuration options for impersonation. For details, see Impersonation configuration.
• Added configuration options for cache invalidation. For details, see Cache invalidation configuration.
• Added configuration options for dynamic admission webhooks. For details, see Admission configuration.

Fixes

• Fixed ResourcePool resource quota calculation when multiple ResourcePoolClaims are present in a namespace but not everything is used. For details, see ResourcePools bound behavior.

• Improved matchConditions for admission webhooks that intercept all namespaced items, to avoid processing subresource requests and Events, improving performance and reducing log noise.

Documentation

We have added new documentation for a better experience. See the following topics:

• Improved installation overview
• Capsule strict RBAC installation

Ecosystem

Newly added documentation to integrate Capsule with other applications:

• CoreDNS Plugin (Community Contribution)
• Argo CD
• Flux CD