feat: add ruleset api(#1844)

* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <[email protected]>

* chore: modernize golang

Signed-off-by: Oliver Bähler <[email protected]>

* chore: modernize golang

Signed-off-by: Oliver Bähler <[email protected]>

* chore: modernize golang

Signed-off-by: Oliver Bähler <[email protected]>

* fix(config): remove usergroups default

Signed-off-by: Oliver Bähler <[email protected]>

* fix(config): remove usergroups default

Signed-off-by: Oliver Bähler <[email protected]>

* sec(GHSA-2ww6-hf35-mfjm): intercept namespace subresource

Signed-off-by: Oliver Bähler <[email protected]>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* chore: conflicts

Signed-off-by: Oliver Bähler <[email protected]>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <[email protected]>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <[email protected]>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <[email protected]>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <[email protected]>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <[email protected]>

* feat(api): add rulestatus api

Signed-off-by: Oliver Bähler <[email protected]>

---------

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

.github/workflows/e2e.yml

@@ -45,7 +45,6 @@ jobs:
       fail-fast: false
       matrix:
         k8s-version:
-          - 'v1.30.0'
           - 'v1.31.0'
           - 'v1.32.0'
           - 'v1.33.0'

.github/workflows/releaser.yml

@@ -32,7 +32,7 @@ jobs:
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
       - uses: anchore/sbom-action/download-syft@0b82b0b1a22399a1c542d4d656f70cd903571b5c
       - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:

.nwa-config

@@ -1,12 +1,13 @@
 nwa:
   cmd: "update"
   holder: "Project Capsule Authors"
-  year: "2020-2025"
+  year: "2020-2026"
   spdxids: "Apache-2.0"
   path:
     - "pkg/**/*.go"
     - "cmd/**/*.go"
     - "api/**/*.go"
+    - "internal/**/*.go"
     - "controllers/**/*.go"
     - "main.go"
   mute: false

Makefile

@@ -92,7 +92,7 @@ helm-schema: helm-plugin-schema
 helm-test: HELM_KIND_CONFIG ?= ""
 helm-test: kind
 	@mkdir -p /tmp/results || true
-	@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config $(HELM_KIND_CONFIG)
+	@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config ./hack/kind-cluster.yaml
 	@make helm-test-exec
 	@$(KIND) delete cluster --name capsule-charts
 
@@ -104,7 +104,7 @@ helm-test-exec: ct helm-controller-version ko-build-all
 
 # Setup development env
 dev-build: kind
-	$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
+	$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config ./hack/kind-cluster.yaml
 	$(MAKE) dev-install-deps
 
 .PHONY: dev-destroy
@@ -220,12 +220,12 @@ dev-setup-capsule: dev-setup-fluxcd
 
 dev-setup-capsule-example: dev-setup-fluxcd
 	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/capsule/example-setup | envsubst | kubectl apply -f -
-	@$(KUBECTL) create ns wind-test --as joe --as-group projectcapsule.dev
-	@$(KUBECTL) create ns wind-prod --as joe --as-group projectcapsule.dev
-	@$(KUBECTL) create ns green-test --as bob --as-group projectcapsule.dev
-	@$(KUBECTL) create ns green-prod --as bob --as-group projectcapsule.dev
-	@$(KUBECTL) create ns solar-test --as alice --as-group projectcapsule.dev
-	@$(KUBECTL) create ns solar-prod --as alice --as-group projectcapsule.dev
+	@$(KUBECTL) create ns wind-test --as joe --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns wind-prod --as joe --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns green-test --as bob --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns green-prod --as bob --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns solar-test --as alice --as-group projectcapsule.dev || true
+	@$(KUBECTL) create ns solar-prod --as alice --as-group projectcapsule.dev || true
 
 wait-for-helmreleases:
 	@ echo "Waiting for all HelmReleases to have observedGeneration >= 0..."
@@ -316,7 +316,7 @@ e2e-build: kind
 	$(MAKE) e2e-install
 
 .PHONY: e2e-install
-e2e-install: ko-build-all
+e2e-install: helm-controller-version ko-build-all
 	$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
 	$(HELM) upgrade \
 	    --dependency-update \
@@ -331,6 +331,7 @@ e2e-install: ko-build-all
 		--set 'manager.livenessProbe.failureThreshold=10' \
 		--set 'webhooks.hooks.nodes.enabled=true' \
 		--set "webhooks.exclusive=true"\
+		--set "manager.options.logLevel=debug"\
 		capsule \
 		./charts/capsule
 

api/v1beta1/owner_list_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/tenant_webhook.go

@@ -15,7 +15,6 @@ func (in *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		return nil
 	}
 
-	return ctrl.NewWebhookManagedBy(mgr).
-		For(in).
+	return ctrl.NewWebhookManagedBy(mgr, in).
 		Complete()
 }

api/v1beta2/capsuleconfiguration_status.go

@@ -4,11 +4,16 @@
 package v1beta2
 
 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 // CapsuleConfigurationStatus defines the Capsule configuration status.
 type CapsuleConfigurationStatus struct {
+	// Last time all caches were invalided
+	LastCacheInvalidation metav1.Time `json:"lastCacheInvalidation,omitempty"`
+
 	// Users which are considered Capsule Users and are bound to the Capsule Tenant construct.
 	Users api.UserListSpec `json:"users,omitempty"`
 }

api/v1beta2/capsuleconfiguration_types.go

@@ -4,6 +4,7 @@
 package v1beta2
 
 import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/projectcapsule/capsule/pkg/api"
@@ -53,6 +54,50 @@ type CapsuleConfigurationSpec struct {
 	// for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
 	// be ignored by capsule.
 	Administrators api.UserListSpec `json:"administrators,omitempty"`
+	// Configuration for dynamic Validating and Mutating Admission webhooks managed by Capsule.
+	Admission DynamicAdmission `json:"admission,omitempty"`
+	// Define Properties for managed ClusterRoles by Capsule
+	// +kubebuilder:default={}
+	RBAC *RBACConfiguration `json:"rbac"`
+	// Define the period of time upon a cache invalidation is executed for all caches.
+	// +kubebuilder:default="24h"
+	CacheInvalidation metav1.Duration `json:"cacheInvalidation"`
+}
+
+type RBACConfiguration struct {
+	// The ClusterRoles applied for Administrators
+	// +kubebuilder:default={capsule-namespace-deleter}
+	AdministrationClusterRoles []string `json:"administrationClusterRoles,omitempty"`
+	// The ClusterRoles applied for ServiceAccounts which had owner Promotion
+	// +kubebuilder:default={capsule-namespace-provisioner,capsule-namespace-deleter}
+	PromotionClusterRoles []string `json:"promotionClusterRoles,omitempty"`
+	// Name for the ClusterRole required to grant Namespace Deletion permissions.
+	// +kubebuilder:default=capsule-namespace-deleter
+	DeleterClusterRole string `json:"deleter,omitempty"`
+	// Name for the ClusterRole required to grant Namespace Provision permissions.
+	// +kubebuilder:default=capsule-namespace-provisioner
+	ProvisionerClusterRole string `json:"provisioner,omitempty"`
+}
+
+type DynamicAdmission struct {
+	// Configure dynamic Mutating Admission for Capsule
+	Mutating DynamicAdmissionConfig `json:"mutating,omitempty"`
+
+	// Configure dynamic Validating Admission for Capsule
+	Validating DynamicAdmissionConfig `json:"validating,omitempty"`
+}
+
+type DynamicAdmissionConfig struct {
+	// Name the Admission Webhook
+	Name api.Name `json:"name,omitempty"`
+	// Labels added to the Admission Webhook
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations added to the Admission Webhook
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// From the upstram struct
+	Client admissionregistrationv1.WebhookClientConfig `json:"client"`
 }
 
 type NodeMetadata struct {

api/v1beta2/namespace_rule_type.go

@@ -0,0 +1,33 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+)
+
+// +kubebuilder:object:generate=true
+type NamespaceRule struct {
+	// Enforce these properties via Rules
+	NamespaceRuleBody `json:",inline"`
+
+	// Select namespaces which are going to usese
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type NamespaceRuleBody struct {
+	// Enforcement Rules applied
+	//+optional
+	Enforce NamespaceRuleEnforceBody `json:"enforce,omitzero"`
+}
+
+// +kubebuilder:object:generate=true
+type NamespaceRuleEnforceBody struct {
+	// Define registries which are allowed to be used within this tenant
+	// The rules are aggregated, since you can use Regular Expressions the match registry endpoints
+	Registries []api.OCIRegistry `json:"registries,omitempty"`
+}

api/v1beta2/resourcepool_func_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 Project Capsule Authors
+// Copyright 2020-2026 Project Capsule Authors
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2