diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 5c801e7a2..cad886b0e 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -9,7 +9,7 @@ assignees: ''
# Bug description
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index 9064b53b3..d857c979c 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -32,4 +32,4 @@ How would the new interaction with Capsule look like? E.g.
Feel free to add a diagram if that helps explain things.
# Expected behavior
-A clear and concise description of what you expect to happen.
\ No newline at end of file
+A clear and concise description of what you expect to happen.
diff --git a/.github/configs/lintconf.yaml b/.github/configs/lintconf.yaml
index 577d81e61..191ee7efa 100644
--- a/.github/configs/lintconf.yaml
+++ b/.github/configs/lintconf.yaml
@@ -6,6 +6,11 @@ ignore:
rules:
truthy:
level: warning
+ allowed-values:
+ - "true"
+ - "false"
+ - "on"
+ - "off"
check-keys: false
braces:
min-spaces-inside: 0
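Review bot: Adding `"on"` and `"off"` to the truthy rule's `allowed-values` reopens for values the YAML 1.1 boolean ambiguity the rule exists to catch (a bare `on` is `true` to one parser and the string `"on"` to another), and `check-keys: false` on the next line already exempts the GitHub Actions `on:` trigger key, which is the usual reason for loosening this rule. Unless a value of `on`/`off` is genuinely intended somewhere in the repo, keep the list to `allowed-values: ["true", "false"]`. If the wider list is deliberate, a one-line comment above it naming the file that needs it would stop the next maintainer from tightening it back.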
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index f8b330c51..9406934ce 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -14,28 +14,6 @@ concurrency:
cancel-in-progress: true
jobs:
- compliance:
- name: "License Compliance"
- runs-on: ubuntu-24.04
- steps:
- - name: "Checkout Code"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Check secret
- id: checksecret
- uses: ./.github/actions/exists
- with:
- value: ${{ secrets.FOSSA_API_KEY }}
- - name: "Run FOSSA Scan"
- if: steps.checksecret.outputs.result == 'true'
- uses: fossas/fossa-action@c0a7d013f84c8ee5e910593186598625513cc1e4 # v1.6.0
- with:
- api-key: ${{ secrets.FOSSA_API_KEY }}
- - name: "Run FOSSA Test"
- if: steps.checksecret.outputs.result == 'true'
- uses: fossas/fossa-action@c0a7d013f84c8ee5e910593186598625513cc1e4 # v1.6.0
- with:
- api-key: ${{ secrets.FOSSA_API_KEY }}
- run-tests: true
sast:
name: "SAST"
runs-on: ubuntu-24.04
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 94fe40689..b3f374417 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -34,14 +34,5 @@ jobs:
- uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
with:
version: v3.14.2
- - name: unit tracing
- run: sudo make trace-unit
- - name: e2e tracing
- run: sudo make trace-e2e
- - name: build seccomp profile
- run: make seccomp
- - name: upload artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- with:
- name: capsule-seccomp
- path: capsule-seccomp.json
+ - name: e2e testing
+ run: make e2e
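Review bot: After this change nothing in the workflow runs `make trace-unit`/`make trace-e2e`/`make seccomp`, so the seccomp profile is no longer generated or uploaded here and any profile shipped or documented elsewhere in the repo will drift silently from the syscalls the controller actually makes. If the disablement is intentional, record it above the new step, e.g. `# seccomp profile generation (trace-unit/trace-e2e/seccomp) disabled; tracked in <issue>`, so the missing coverage is visible rather than inferred from history. The removed tracing steps ran under `sudo` while `make e2e` does not, which is presumably correct for the non-tracing target but worth confirming against the Makefile. The job's earlier steps (checkout, Go setup, any Kubernetes version matrix) start outside this hunk.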
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
index 9e536725a..82baba3c4 100644
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -11,41 +11,40 @@ concurrency:
cancel-in-progress: true
jobs:
- seccomp-generation:
- name: Seccomp Generation
- strategy:
- fail-fast: false
- matrix:
- # differently from the e2e workflow
- # we don't need all the versions of kubernetes
- # to generate the seccomp profile.
- k8s-version:
- - "v1.30.0"
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- fetch-depth: 0
- - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
- with:
- go-version-file: 'go.mod'
- - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
- with:
- version: v3.14.2
- - name: unit tracing
- run: sudo make trace-unit
- - name: e2e tracing
- run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
- - name: build seccomp profile
- run: make seccomp
- - name: upload artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- with:
- name: capsule-seccomp
- path: capsule-seccomp.json
-
+ # seccomp-generation:
+ # name: Seccomp Generation
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # # differently from the e2e workflow
+ # # we don't need all the versions of kubernetes
+ # # to generate the seccomp profile.
+ # k8s-version:
+ # - "v1.30.0"
+ # runs-on: ubuntu-latest
+ # steps:
+ # - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ # with:
+ # fetch-depth: 0
+ # - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+ # with:
+ # go-version-file: 'go.mod'
+ # - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
+ # with:
+ # version: v3.14.2
+ # - name: unit tracing
+ # run: sudo make trace-unit
+ # - name: e2e tracing
+ # run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
+ # - name: build seccomp profile
+ # run: make seccomp
+ # - name: upload artifact
+ # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ # with:
+ # name: capsule-seccomp
+ # path: capsule-seccomp.json
create-release:
- needs: seccomp-generation
+ # needs: seccomp-generation
runs-on: ubuntu-latest
permissions:
contents: write
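Review bot: The `seccomp-generation` job is commented out rather than removed, which leaves about thirty lines of dead YAML including SHA-pinned `actions/checkout`, `actions/setup-go`, `azure/setup-helm` and `actions/upload-artifact` references that dependency-update tooling will no longer bump while commented, so they will be stale if the job is ever re-enabled. Git history already preserves the job; prefer deleting it together with the `# needs: seccomp-generation` line, or keep it live but gated (`if: false` or a `workflow_dispatch` input) so the pins keep being maintained. With `needs` gone, `create-release` now starts immediately with `contents: write`, which is fine only if nothing in the job still expects `capsule-seccomp.json`; the rest of the job's steps run past the end of this hunk.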
@@ -66,12 +65,12 @@ jobs:
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- uses: anchore/sbom-action/download-syft@9f7302141466aa6482940f15371237e9d9f4c34a
- name: Install Cosign
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- - name: download artifact
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- with:
- name: capsule-seccomp
- path: ./capsule-seccomp.json
+ uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+ # - name: download artifact
+ # uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+ # with:
+ # name: capsule-seccomp
+ # path: ./capsule-seccomp.json
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
with:
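Review bot: The `sigstore/cosign-installer` pin moves backwards from `3454372f…` (v3.8.2) to `d7d6bc77…` (v3.8.1), and the commented-out `actions/download-artifact` line likewise regresses from v4.3.0 to v4.2.1, which looks like an accidental revert from a stale branch rather than a deliberate change — and this is the tool that signs the release artifacts. Restore `uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2` unless the downgrade is intended, in which case the commit message should say why. The context line `anchore/sbom-action/download-syft@9f7302…` is the only pin in this step list without a `# vX.Y.Z` comment; adding one keeps the supply-chain audit trail consistent.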
diff --git a/.goreleaser.yml b/.goreleaser.yml
index a37a2ed37..f8a53f493 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -56,8 +56,8 @@ release:
Thanks to all the contributors! 🚀 🦄
- extra_files:
- - glob: ./capsule-seccomp.json
+ # extra_files:
+ # - glob: ./capsule-seccomp.json
checksum:
name_template: 'checksums.txt'
changelog:
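Review bot: Commenting out `extra_files` makes `capsule-seccomp.json` silently disappear from the release assets and, by extension, from `checksums.txt`; anyone who fetches the profile by release-asset URL will break at the next release with no signal. If this is temporary, say so in place, e.g. `# capsule-seccomp.json removed from release assets until seccomp generation is re-enabled in releaser.yml`, and mention it in the release notes; if it is permanent, delete the two lines instead of commenting them, since git history keeps the old glob. Whether the Helm chart or docs still point at the asset cannot be seen from this hunk and should be checked.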
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index fc18315b5..3bc99f0f3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -35,24 +35,8 @@ repos:
entry: make helm-lint
language: system
files: ^charts/
- # Currently too slow smw
- # - id: golangci-lint
- # name: Execute golangci-lint
- # entry: make golint
- # language: system
- # files: \.go$
-# - repo: https://github.com/tekwizely/pre-commit-golang
-# rev: v1.0.0-rc.1
-# hooks:
-# - id: go-vet
-# - id: go-vet-mod
-# - id: go-vet-pkg
-# - id: go-vet-repo-mod
-# - id: go-vet-repo-pkg
-# - id: go-revive
-# - id: go-revive-mod
-# - id: go-revive-repo-mod
-# - id: go-sec-mod
-# - id: go-sec-pkg
-# - id: go-sec-repo-mod
-# - id: go-sec-repo-pkg
+ - id: golangci-lint
+ name: Execute golangci-lint
+ entry: make golint
+ language: system
+ files: \.go$
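Review bot: With `language: system` and `files: \.go$`, pre-commit appends every matched path as an argument to `entry`, so the hook actually runs `make golint path/a.go path/b.go …` and make interprets those paths as targets — harmless today only because the files exist and have no rules, and the lint is never narrowed to the changed files anyway. Add `pass_filenames: false` under the hook (the `helm-lint` hook just above it has the same pattern and would benefit too). Separately, the deleted commented-out `go-sec-*` hooks were the only gosec reference in this file; if gosec is not already covered by golangci-lint's config or the `sast` job in CI, re-enabling the `golangci-lint` hook alone does not restore that check.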
diff --git a/ADOPTERS.md b/ADOPTERS.md
index 7e7864840..e4926946a 100644
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -7,6 +7,9 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
### [Bedag Informatik AG](https://www.bedag.ch/)

+### [Begasoft AG](https://www.begasoft.ch)
+
+
### [Department of Defense](https://www.defense.gov/)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7df3bddbb..6cb83494d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,4 +7,4 @@ See the [Releases](https://github.com/projectcapsule/capsule/releases)
## Helm Chart
-For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).
\ No newline at end of file
+For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f90ad2f90..a2e16f6bc 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -45,7 +45,7 @@ Prereleases are marked as `-rc.x` (release candidate) and may refere to any type
The pull request title is checked according to the described [semantics](#semantics) (pull requests don't require a scope). However pull requests are currently not used to generate the changelog. Check if your pull requests body meets the following criteria:
-- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests
+- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests
- splitting changes into several and documented small commits
- limit the git subject to 50 characters and write as the continuation of the
sentence "If applied, this commit will ..."
@@ -104,7 +104,7 @@ To reorganise your commits, do the following (or use your way of doing it):
1. Pull upstream changes
-
+
```bash
git remote add upstream git@github.com:projectcapsule/capsule.git
git pull upstream main
@@ -186,4 +186,3 @@ The following types are allowed for commits and pull requests:
* `fix`: bug fixes
* `test`: test related changes
* `sec`: security related changes
-
diff --git a/DEPENDENCY.md b/DEPENDENCY.md
index ad5eb0baf..40176d63a 100644
--- a/DEPENDENCY.md
+++ b/DEPENDENCY.md
@@ -23,10 +23,10 @@ Capsule maintainers must follow these guidelines when consuming third-party pack
When adding a new third-party package to Capsule, maintainers must follow these steps:
-1. Evaluate the need for the package. Is it necessary for the functionality of Capsule?
-2. Research the package. Is it well-maintained? Does it have a good reputation?
-3. Choose a version of the package. Use the latest version whenever possible.
-4. Pin the package to the specific version in the Capsule codebase.
+1. Evaluate the need for the package. Is it necessary for the functionality of Capsule?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Capsule codebase.
5. Update the Capsule documentation to reflect the new dependency.
## Archive/Deprecation
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 4b1e09c48..056fb455b 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -60,7 +60,7 @@ To achieve that, there are some necessary steps we need to walk through, which h
So the TL;DR answer is:
-**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup.
+**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup.
```bash
# If you haven't installed or run `make deploy` before, do it first
@@ -222,12 +222,12 @@ time="2023-10-23T13:45:08Z" level=info msg="Found Chart directories [charts/caps
time="2023-10-23T13:45:08Z" level=info msg="Generating README Documentation for chart /helm-docs/charts/capsule"
```
-This will update the documentation for the chart in the `README.md` file.
+This will update the documentation for the chart in the `README.md` file.
-### Helm Changelog
+### Helm Changelog
The `version` of the chart does not require a bump, since it's driven by our release process. The `appVersion` of the chart is the version of the Capsule project. This is the version that should be bumped when a new Capsule version is released. This will be done by the maintainers.
To create the proper changelog for the helm chart, all changes which affect the helm chart must be documented as chart annotation. See all the available [chart annotations](https://artifacthub.io/docs/topics/annotations/helm/).
-This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.
\ No newline at end of file
+This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
index 4c23f5723..44083b84c 100644
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -77,7 +77,7 @@ Maintainers who are selected will be granted the necessary GitHub rights.
Maintainers may resign at any time if they feel that they will not be able to
continue fulfilling their project duties.
-Maintainers may also be removed after being inactive, failure to fulfill their
+Maintainers may also be removed after being inactive, failure to fulfill their
Maintainer responsibilities, violating the Code of Conduct, or other reasons.
A Maintainer may be removed at any time by a 2/3 vote of the remaining maintainers.
@@ -88,7 +88,7 @@ and can be rapidly returned to Maintainer status if their availability changes.
## Meetings
Time zones permitting, Maintainers are expected to participate in the public
-developer meeting and/or public discussions.
+developer meeting and/or public discussions.
Maintainers will also have closed meetings in order to discuss security reports
or Code of Conduct violations. Such meetings should be scheduled by any
@@ -110,7 +110,7 @@ violations by community members will be discussed and resolved in private Mainta
The Maintainers will appoint a Security Response Team to handle security reports.
This committee may simply consist of the Maintainer Council themselves. If this
-responsibility is delegated, the Maintainers will appoint a team of at least two
+responsibility is delegated, the Maintainers will appoint a team of at least two
contributors to handle it. The Maintainers will review who is assigned to this
at least once a year.
@@ -119,15 +119,15 @@ holes and breaches according to the [security policy](TODO:Link to security.md).
## Voting
-While most business in Capsule Project is conducted by "[lazy consensus](https://community.apache.org/committers/lazyConsensus.html)",
+While most business in Capsule Project is conducted by "[lazy consensus](https://community.apache.org/committers/lazyConsensus.html)",
periodically the Maintainers may need to vote on specific actions or changes.
Any Maintainer may demand a vote be taken.
Most votes require a simple majority of all Maintainers to succeed, except where
-otherwise noted. Two-thirds majority votes mean at least two-thirds of all
+otherwise noted. Two-thirds majority votes mean at least two-thirds of all
existing maintainers.
## Modifying this Charter
-Changes to this Governance and its supporting documents may be approved by
-a 2/3 vote of the Maintainers.
\ No newline at end of file
+Changes to this Governance and its supporting documents may be approved by
+a 2/3 vote of the Maintainers.
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index 29c24b72a..ec1b3401a 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -10,4 +10,4 @@ The current Maintainers Group for the [TODO: Projectname] Project consists of:
This list must be kept in sync with the [CNCF Project Maintainers list](https://github.com/cncf/foundation/blob/master/project-maintainers.csv).
-See [the project Governance](GOVERNANCE.md) for how maintainers are selected and replaced.
\ No newline at end of file
+See [the project Governance](GOVERNANCE.md) for how maintainers are selected and replaced.
diff --git a/ROADMAP.md b/ROADMAP.md
index 448086d0b..0ed5c2d05 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,3 +1,3 @@
# Roadmap
-future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.
\ No newline at end of file
+future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.
diff --git a/SELF_ASSESSMENT.md b/SELF_ASSESSMENT.md
index d1a86d28a..c5f6fb23a 100644
--- a/SELF_ASSESSMENT.md
+++ b/SELF_ASSESSMENT.md
@@ -81,7 +81,7 @@ Capsule was accepted as a CNCF sandbox project in December 2022.
It's the Operator which provides all the multi-tenant capabilities offered by Capsule.
It's made of two internal components, such as the webhooks server (known as _policy engine_), and the _tenant controller_.
-**Capsule Tenant Controller**
+**Capsule Tenant Controller**
The controller is responsible for managing the tenants by reconciling the required objects at the Namespace level, such as _Network Policy_, _LimitRange_, _ResourceQuota_, _Role Binding_, as well as labelling the Namespace objects belonging to a Tenant according to their desired metadata.
It is responsible for binding Namespaces to the selected Tenant, and managing their lifecycle.
@@ -90,10 +90,10 @@ Furthermore, the manager can replicate objects thanks to the **Tenant Resource**
The replicated resources are dynamically created, and replicated by Capsule itself, as well as preserving the deletion of these objects by the Tenant owner.
-**Capsule Tenant Controller (Policy Engine)**
+**Capsule Tenant Controller (Policy Engine)**
Policies are defined on a Tenant basis: therefore the policy engine is enforcing these policies on the tenants's Namespaces and their children's resources.
-The Policy Engine is currently not a dedicated component, but a part of the Capsule Tenant Controller.
+The Policy Engine is currently not a dedicated component, but a part of the Capsule Tenant Controller.
The webhook server, also known as the policy engine, interpolates the Tenant rules and takes full advantage of the dynamic admission controllers offered by Kubernetes itself (such as `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration`).
Thanks to the _policy engine_ the cluster administrators can enforce specific rules such as preventing _Pod_ objects from untrusted registries to run or preventing the creation of _PersistentVolumeClaim_ resources using a non-allowed _StorageClass_, etc.
@@ -152,7 +152,7 @@ This is a further abstraction from having cluster defaults (eg. default `Storage
**General**
-* **Control Plane**: Capsule can't mimic for each tenant a feeling of a dedicated control plane.
+* **Control Plane**: Capsule can't mimic for each tenant a feeling of a dedicated control plane.
* **Custom Resource Definitions**: Capsule doesn't want to provide virtual cluster capabilities and it's sticking to the native Kubernetes user experience and design; rather, its focus is to provide a governance solution by focusing on resource optimization and security lockdown.
diff --git a/assets/adopters/begasoft.png b/assets/adopters/begasoft.png
new file mode 100644
index 000000000..b47545d4d
Binary files /dev/null and b/assets/adopters/begasoft.png differ
diff --git a/charts/capsule/ci/tracing-values.yaml b/charts/capsule/ci/tracing-draft.yaml
similarity index 100%
rename from charts/capsule/ci/tracing-values.yaml
rename to charts/capsule/ci/tracing-draft.yaml
diff --git a/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch
index 1fbdd74a1..85faa2451 100644
--- a/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch
+++ b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch
@@ -11,4 +11,4 @@ spec:
{{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
conversionReviewVersions:
- v1beta1
- - v1beta2
\ No newline at end of file
+ - v1beta2
diff --git a/charts/capsule/crds/capsule.clastix.io_tenants.patch b/charts/capsule/crds/capsule.clastix.io_tenants.patch
index 9da6b07e5..de356eb4e 100644
--- a/charts/capsule/crds/capsule.clastix.io_tenants.patch
+++ b/charts/capsule/crds/capsule.clastix.io_tenants.patch
@@ -11,4 +11,4 @@ spec:
{{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
conversionReviewVersions:
- v1beta1
- - v1beta2
\ No newline at end of file
+ - v1beta2
diff --git a/charts/capsule/templates/_helpers.tpl b/charts/capsule/templates/_helpers.tpl
index 41e6659d7..1dc9bb75e 100644
--- a/charts/capsule/templates/_helpers.tpl
+++ b/charts/capsule/templates/_helpers.tpl
@@ -154,5 +154,3 @@ Capsule Webhook endpoint CA Bundle
caBundle: {{ $.Values.webhooks.service.caBundle -}}
{{- end -}}
{{- end -}}
-
-
diff --git a/charts/capsule/templates/certificate.yaml b/charts/capsule/templates/certificate.yaml
index 9ad96f056..bf14c1f79 100644
--- a/charts/capsule/templates/certificate.yaml
+++ b/charts/capsule/templates/certificate.yaml
@@ -28,7 +28,7 @@ spec:
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
{{- range .Values.certManager.additionalSANS }}
- - {{ toYaml . }}
+ - {{ toYaml . }}
{{- end }}
issuerRef:
kind: Issuer
diff --git a/charts/capsule/templates/configuration-default.yaml b/charts/capsule/templates/configuration-default.yaml
index bc3b07ec8..3cc5422c9 100644
--- a/charts/capsule/templates/configuration-default.yaml
+++ b/charts/capsule/templates/configuration-default.yaml
@@ -26,4 +26,3 @@ spec:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
-
diff --git a/charts/capsule/templates/crd-lifecycle/_helpers.tpl b/charts/capsule/templates/crd-lifecycle/_helpers.tpl
index 7ffc1a066..54b2f419e 100644
--- a/charts/capsule/templates/crd-lifecycle/_helpers.tpl
+++ b/charts/capsule/templates/crd-lifecycle/_helpers.tpl
@@ -13,5 +13,3 @@ crd-install-hook
{{- define "capsule.crds.regexReplace" -}}
{{- printf "%s" ($ | base | trimSuffix ".yaml" | regexReplaceAll "[_.]" "-") -}}
{{- end }}
-
-
diff --git a/charts/capsule/templates/crd-lifecycle/crds.tpl b/charts/capsule/templates/crd-lifecycle/crds.tpl
index 7432561f4..5716540e4 100644
--- a/charts/capsule/templates/crd-lifecycle/crds.tpl
+++ b/charts/capsule/templates/crd-lifecycle/crds.tpl
@@ -53,4 +53,4 @@ data:
{{- end }}
{{ end }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/crd-lifecycle/job.yaml b/charts/capsule/templates/crd-lifecycle/job.yaml
index 7e3fe4307..6b3390014 100644
--- a/charts/capsule/templates/crd-lifecycle/job.yaml
+++ b/charts/capsule/templates/crd-lifecycle/job.yaml
@@ -47,7 +47,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.topologySpreadConstraints }}
- topologySpreadConstraints:
+ topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.priorityClassName }}
@@ -56,7 +56,7 @@ spec:
{{- with $Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- end }}
serviceAccountName: {{ include "capsule.crds.name" . }}
containers:
- name: crds-hook
@@ -98,4 +98,4 @@ spec:
path: {{ $path | base }}
{{- end }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/crd-lifecycle/rbac.yaml b/charts/capsule/templates/crd-lifecycle/rbac.yaml
index a7ae80d32..b4a138a62 100644
--- a/charts/capsule/templates/crd-lifecycle/rbac.yaml
+++ b/charts/capsule/templates/crd-lifecycle/rbac.yaml
@@ -49,4 +49,4 @@ subjects:
- kind: ServiceAccount
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/crd-lifecycle/serviceaccount.yaml b/charts/capsule/templates/crd-lifecycle/serviceaccount.yaml
index 64b4d6a6b..91a432f65 100644
--- a/charts/capsule/templates/crd-lifecycle/serviceaccount.yaml
+++ b/charts/capsule/templates/crd-lifecycle/serviceaccount.yaml
@@ -11,4 +11,4 @@ metadata:
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/mutatingwebhookconfiguration.yaml b/charts/capsule/templates/mutatingwebhookconfiguration.yaml
index 68ab405f5..ada65e946 100644
--- a/charts/capsule/templates/mutatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/mutatingwebhookconfiguration.yaml
@@ -31,7 +31,7 @@ webhooks:
- pods
scope: "Namespaced"
namespaceSelector:
- {{- toYaml .namespaceSelector | nindent 4}}
+ {{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
@@ -53,11 +53,11 @@ webhooks:
- persistentvolumeclaims
scope: "Namespaced"
namespaceSelector:
- {{- toYaml .namespaceSelector | nindent 4}}
+ {{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
-{{- with .Values.webhooks.hooks.defaults.ingress }}
+{{- with .Values.webhooks.hooks.defaults.ingress }}
- admissionReviewVersions:
- v1
clientConfig:
@@ -81,7 +81,7 @@ webhooks:
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
-{{- with .Values.webhooks.hooks.namespaceOwnerReference }}
+{{- with .Values.webhooks.hooks.namespaceOwnerReference }}
- admissionReviewVersions:
- v1
- v1beta1
diff --git a/charts/capsule/templates/post-install/_helpers.tpl b/charts/capsule/templates/post-install/_helpers.tpl
index 5c4e24287..966b8e196 100644
--- a/charts/capsule/templates/post-install/_helpers.tpl
+++ b/charts/capsule/templates/post-install/_helpers.tpl
@@ -9,4 +9,3 @@
{{- define "capsule.post-install.component" -}}
post-install-hook
{{- end }}
-
diff --git a/charts/capsule/templates/post-install/job.yaml b/charts/capsule/templates/post-install/job.yaml
index 7e42f0533..7858f2b6b 100644
--- a/charts/capsule/templates/post-install/job.yaml
+++ b/charts/capsule/templates/post-install/job.yaml
@@ -44,7 +44,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.topologySpreadConstraints }}
- topologySpreadConstraints:
+ topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.priorityClassName }}
@@ -59,7 +59,7 @@ spec:
- name: post-install
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ $Values.image.pullPolicy }}
- command:
+ command:
- "sh"
- "-c"
- |
@@ -81,4 +81,4 @@ spec:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/post-install/rbac.yaml b/charts/capsule/templates/post-install/rbac.yaml
index 613b0789b..db735da34 100644
--- a/charts/capsule/templates/post-install/rbac.yaml
+++ b/charts/capsule/templates/post-install/rbac.yaml
@@ -41,4 +41,4 @@ subjects:
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/post-install/serviceaccount.yaml b/charts/capsule/templates/post-install/serviceaccount.yaml
index 420162e9b..5f5f75ee5 100644
--- a/charts/capsule/templates/post-install/serviceaccount.yaml
+++ b/charts/capsule/templates/post-install/serviceaccount.yaml
@@ -12,4 +12,4 @@ metadata:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/pre-delete/_helpers.tpl b/charts/capsule/templates/pre-delete/_helpers.tpl
index 2ae818ea7..3dc4bcf53 100644
--- a/charts/capsule/templates/pre-delete/_helpers.tpl
+++ b/charts/capsule/templates/pre-delete/_helpers.tpl
@@ -12,4 +12,3 @@
{{- define "capsule.pre-delete.component" -}}
pre-delete-hook
{{- end }}
-
diff --git a/charts/capsule/templates/pre-delete/job.yaml b/charts/capsule/templates/pre-delete/job.yaml
index 0426ca270..d757a5437 100644
--- a/charts/capsule/templates/pre-delete/job.yaml
+++ b/charts/capsule/templates/pre-delete/job.yaml
@@ -44,7 +44,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.topologySpreadConstraints }}
- topologySpreadConstraints:
+ topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.priorityClassName }}
@@ -82,4 +82,4 @@ spec:
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/pre-delete/rbac.yaml b/charts/capsule/templates/pre-delete/rbac.yaml
index 3a6f3a33b..b2c186bec 100644
--- a/charts/capsule/templates/pre-delete/rbac.yaml
+++ b/charts/capsule/templates/pre-delete/rbac.yaml
@@ -87,4 +87,4 @@ subjects:
- kind: ServiceAccount
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ .Release.Namespace | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/pre-delete/serviceaccount.yaml b/charts/capsule/templates/pre-delete/serviceaccount.yaml
index 198509866..fcf7ae3b2 100644
--- a/charts/capsule/templates/pre-delete/serviceaccount.yaml
+++ b/charts/capsule/templates/pre-delete/serviceaccount.yaml
@@ -11,4 +11,4 @@ metadata:
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/capsule/templates/servicemonitor.yaml b/charts/capsule/templates/servicemonitor.yaml
index 41852edf8..ef4c656ab 100644
--- a/charts/capsule/templates/servicemonitor.yaml
+++ b/charts/capsule/templates/servicemonitor.yaml
@@ -29,7 +29,7 @@ spec:
{{- with .relabelings }}
relabelings: {{- toYaml . | nindent 6 }}
{{- end }}
- {{- end }}
+ {{- end }}
jobLabel: app.kubernetes.io/name
{{- with .Values.serviceMonitor.targetLabels }}
targetLabels: {{- toYaml . | nindent 4 }}
@@ -46,4 +46,3 @@ spec:
- {{ .Release.Namespace }}
{{- end }}
{{- end }}
-
diff --git a/charts/capsule/templates/validatingwebhookconfiguration.yaml b/charts/capsule/templates/validatingwebhookconfiguration.yaml
index d0f35b89a..59e71e25b 100644
--- a/charts/capsule/templates/validatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/validatingwebhookconfiguration.yaml
@@ -274,4 +274,4 @@ webhooks:
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/commitlint.config.cjs b/commitlint.config.cjs
index b1331587a..86c25a7f9 100644
--- a/commitlint.config.cjs
+++ b/commitlint.config.cjs
@@ -16,5 +16,5 @@ const Configuration = {
helpUrl:
'https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md#commits',
};
-
- module.exports = Configuration;
\ No newline at end of file
+
+ module.exports = Configuration;
diff --git a/docs/content/assets/capsule-operator.svg b/docs/content/assets/capsule-operator.svg
index 230f1d354..534f099bd 100644
--- a/docs/content/assets/capsule-operator.svg
+++ b/docs/content/assets/capsule-operator.svg
@@ -1,3 +1,3 @@
-
\ No newline at end of file
+
diff --git a/docs/content/contributing/development.md b/docs/content/contributing/development.md
index 43184ffed..ce230d408 100644
--- a/docs/content/contributing/development.md
+++ b/docs/content/contributing/development.md
@@ -29,7 +29,7 @@ $ export LAPTOP_HOST_IP=192.168.10.101
# Refer to here for more options: https://k3d.io/v4.4.8/usage/commands/k3d_cluster_create/
$ k3d cluster create k3s-capsule --servers 1 --agents 1 --no-lb --k3s-server-arg --tls-san=${LAPTOP_HOST_IP}
-# Get Kubeconfig
+# Get Kubeconfig
$ k3d kubeconfig get k3s-capsule > /tmp/k3s-capsule && export KUBECONFIG="/tmp/k3s-capsule"
# This will create a cluster with 1 server and 1 worker node
diff --git a/docs/content/contributing/governance.md b/docs/content/contributing/governance.md
index 6c012d881..5075370b6 100644
--- a/docs/content/contributing/governance.md
+++ b/docs/content/contributing/governance.md
@@ -21,4 +21,4 @@ Please, refer to the [maintainers file](https://github.com/projectcapsule/capsul
## Roadmap Planning
-Maintainers will share roadmap and release versions as milestones in GitHub.
\ No newline at end of file
+Maintainers will share roadmap and release versions as milestones in GitHub.
diff --git a/docs/content/general/crds-apis.md b/docs/content/general/crds-apis.md
index e75d1ad9f..ed03878ee 100644
--- a/docs/content/general/crds-apis.md
+++ b/docs/content/general/crds-apis.md
@@ -5936,4 +5936,4 @@ Returns the observed state of the Tenant.
false
-
\ No newline at end of file
+
diff --git a/docs/content/general/getting-started.md b/docs/content/general/getting-started.md
index cedb40687..ee6c39131 100644
--- a/docs/content/general/getting-started.md
+++ b/docs/content/general/getting-started.md
@@ -10,7 +10,7 @@ You can use the [Capsule Helm Chart](https://github.com/projectcapsule/capsule/b
### Install with Helm Chart
-Please, refer to the instructions reported in the Capsule Helm Chart [README](https://github.com/projectcapsule/capsule/blob/master/charts/capsule/README.md).
+Please, refer to the instructions reported in the Capsule Helm Chart [README](https://github.com/projectcapsule/capsule/blob/master/charts/capsule/README.md).
## Create your first Tenant
@@ -90,7 +90,7 @@ $ kubectl create namespace oil-development
And operate with fully admin permissions:
```
-$ kubectl -n oil-development run nginx --image=docker.io/nginx
+$ kubectl -n oil-development run nginx --image=docker.io/nginx
$ kubectl -n oil-development get pods
```
diff --git a/docs/content/general/mtb.md b/docs/content/general/mtb.md
index edf8368f5..ea9f9a3c5 100644
--- a/docs/content/general/mtb.md
+++ b/docs/content/general/mtb.md
@@ -78,22 +78,22 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, retrieve the networkpolicies resources in the tenant namespace
-```bash
-kubectl --kubeconfig alice get networkpolicies
+```bash
+kubectl --kubeconfig alice get networkpolicies
NAME POD-SELECTOR AGE
capsule-oil-0 7m5s
```
As a tenant, checks for permissions to manage networkpolicy for each verb
-```bash
+```bash
kubectl --kubeconfig alice auth can-i get networkpolicies
kubectl --kubeconfig alice auth can-i create networkpolicies
kubectl --kubeconfig alice auth can-i update networkpolicies
@@ -107,7 +107,7 @@ Each command must return 'yes'
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -145,14 +145,14 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner check for permissions to manage rolebindings for each verb
-```bash
+```bash
kubectl --kubeconfig alice auth can-i get rolebindings
kubectl --kubeconfig alice auth can-i create rolebindings
kubectl --kubeconfig alice auth can-i update rolebindings
@@ -166,7 +166,7 @@ Each command must return 'yes'
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -204,14 +204,14 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, check for permissions to manage roles for each verb
-```bash
+```bash
kubectl --kubeconfig alice auth can-i get roles
kubectl --kubeconfig alice auth can-i create roles
kubectl --kubeconfig alice auth can-i update roles
@@ -225,7 +225,7 @@ Each command must return 'yes'
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -261,12 +261,12 @@ EOF
```
As cluster admin, run the following command to retrieve the list of non-namespaced resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin api-resources --namespaced=false
```
For all non-namespaced resources, and each verb (get, list, create, update, patch, watch, delete, and deletecollection) issue the following command:
-```bash
+```bash
kubectl --kubeconfig alice auth can-i
```
Each command must return `no`
@@ -275,7 +275,7 @@ Each command must return `no`
It should, but it does not:
-```bash
+```bash
kubectl --kubeconfig alice auth can-i create selfsubjectaccessreviews
yes
kubectl --kubeconfig alice auth can-i create selfsubjectrulesreviews
@@ -286,7 +286,7 @@ yes
Any kubernetes user can create `SelfSubjectAccessReview` and `SelfSubjectRulesReviews` to checks whether he/she can act. First, two exceptions are not an issue.
-```bash
+```bash
kubectl --anyuser auth can-i --list
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
@@ -322,7 +322,7 @@ Role:
Subjects:
Kind Name Namespace
---- ---- ---------
- Group capsule.clastix.io
+ Group capsule.clastix.io
kubectl describe clusterrole capsule-namespace-provisioner
Name: capsule-namespace-provisioner
@@ -339,7 +339,7 @@ Capsule controls self-service namespace creation by limiting the number of names
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -397,15 +397,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, retrieve the networkpolicies resources in the tenant namespace
-```bash
-kubectl --kubeconfig alice get networkpolicies
+```bash
+kubectl --kubeconfig alice get networkpolicies
NAME POD-SELECTOR AGE
capsule-oil-0 7m5s
capsule-oil-1 7m5s
@@ -413,13 +413,13 @@ capsule-oil-1 7m5s
As tenant owner try to modify or delete one of the networkpolicies
-```bash
+```bash
kubectl --kubeconfig alice delete networkpolicies capsule-oil-0
```
You should receive an error message denying the edit/delete request
-```bash
+```bash
Error from server (Forbidden): networkpolicies.networking.k8s.io "capsule-oil-0" is forbidden:
User "oil" cannot delete resource "networkpolicies" in API group "networking.k8s.io" in the namespace "oil-production"
```
@@ -434,7 +434,7 @@ metadata:
name: hijacking
namespace: oil-production
spec:
- egress:
+ egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
@@ -448,7 +448,7 @@ However, due to the additive nature of networkpolicies, the `DENY ALL` policy se
As tenant owner list RBAC permissions set by Capsule
-```bash
+```bash
kubectl --kubeconfig alice get rolebindings
NAME ROLE AGE
capsule-oil-0-admin ClusterRole/admin 11h
@@ -457,7 +457,7 @@ capsule-oil-1-capsule-namespace-deleter ClusterRole/capsule-namespace-deleter
As tenant owner, try to change/delete the rolebinding to escalate permissions
-```bash
+```bash
kubectl --kubeconfig alice edit/delete rolebinding capsule-oil-0-admin
```
@@ -495,7 +495,7 @@ EOF
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -551,14 +551,14 @@ EOF
As `oil` tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As `gas` tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig joe create ns gas-production
kubectl --kubeconfig joe config set-context --current --namespace gas-production
```
@@ -566,8 +566,8 @@ kubectl --kubeconfig joe config set-context --current --namespace gas-production
As `oil` tenant owner, try to retrieve the resources in the `gas` tenant namespaces
-```bash
-kubectl --kubeconfig alice get serviceaccounts --namespace gas-production
+```bash
+kubectl --kubeconfig alice get serviceaccounts --namespace gas-production
```
You must receive an error message:
@@ -579,8 +579,8 @@ User "oil" cannot list resource "serviceaccounts" in API group "" in the namespa
As `gas` tenant owner, try to retrieve the resources in the `oil` tenant namespaces
-```bash
-kubectl --kubeconfig joe get serviceaccounts --namespace oil-production
+```bash
+kubectl --kubeconfig joe get serviceaccounts --namespace oil-production
```
You must receive an error message:
@@ -593,7 +593,7 @@ User "joe" cannot list resource "serviceaccounts" in API group "" in the namespa
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenants oil gas
```
@@ -681,15 +681,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod and see new capabilities cannot be added in the tenant namespaces
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -713,7 +713,7 @@ You must have the pod blocked by PodSecurityPolicy.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -765,14 +765,14 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, check the permissions to modify/delete the quota in the tenant namespace:
-```bash
+```bash
kubectl --kubeconfig alice auth can-i create quota
kubectl --kubeconfig alice auth can-i update quota
kubectl --kubeconfig alice auth can-i patch quota
@@ -785,7 +785,7 @@ Each command must return 'no'
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -859,7 +859,7 @@ EOF
As `oil` tenant owner, run the following commands to create a namespace and resources in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
kubectl --kubeconfig alice run webserver --image nginx:latest
@@ -868,7 +868,7 @@ kubectl --kubeconfig alice expose pod webserver --port 80
As `gas` tenant owner, run the following commands to create a namespace and resources in the given tenant
-```bash
+```bash
kubectl --kubeconfig joe create ns gas-production
kubectl --kubeconfig joe config set-context --current --namespace gas-production
kubectl --kubeconfig joe run webserver --image nginx:latest
@@ -877,14 +877,14 @@ kubectl --kubeconfig joe expose pod webserver --port 80
As `oil` tenant owner, verify you can access the service in `oil` tenant namespace but not in the `gas` tenant namespace
-```bash
+```bash
kubectl --kubeconfig alice exec webserver -- curl http://webserver.oil-production.svc.cluster.local
kubectl --kubeconfig alice exec webserver -- curl http://webserver.gas-production.svc.cluster.local
```
Viceversa, as `gas` tenant owner, verify you can access the service in `gas` tenant namespace but not in the `oil` tenant namespace
-```bash
+```bash
kubectl --kubeconfig alice exec webserver -- curl http://webserver.oil-production.svc.cluster.local
kubectl --kubeconfig alice exec webserver -- curl http://webserver.gas-production.svc.cluster.local
```
@@ -893,7 +893,7 @@ kubectl --kubeconfig alice exec webserver -- curl http://webserver.gas-productio
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenants oil gas
```
@@ -977,15 +977,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod or container that sets `allowPrivilegeEscalation=true` in its `securityContext`.
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -1007,7 +1007,7 @@ You must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -1094,15 +1094,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod or container that sets privileges in its `securityContext`.
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -1124,7 +1124,7 @@ You must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -1163,7 +1163,7 @@ EOF
As tenant owner, check if you can access the persistent volumes
-```bash
+```bash
kubectl --kubeconfig alice auth can-i get persistentvolumes
kubectl --kubeconfig alice auth can-i list persistentvolumes
kubectl --kubeconfig alice auth can-i watch persistentvolumes
@@ -1253,15 +1253,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod mounting the host IPC namespace.
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -1281,7 +1281,7 @@ You must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -1370,15 +1370,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod using `hostNetwork`
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -1396,8 +1396,8 @@ EOF
As tenant owner, create a pod defining a container using `hostPort`
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -1418,7 +1418,7 @@ In both the cases above, you must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -1511,15 +1511,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod defining a volume of type `hostpath`.
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -1547,7 +1547,7 @@ You must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -1635,15 +1635,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod mounting the host PID namespace.
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -1663,7 +1663,7 @@ You must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -1705,7 +1705,7 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
@@ -1743,7 +1743,7 @@ NodePort service types are forbidden for the tenant: please, reach out to the sy
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -1789,20 +1789,20 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, retrieve the configured quotas in the tenant namespace:
-```bash
+```bash
kubectl --kubeconfig alice get quota
NAME AGE REQUEST LIMIT
capsule-oil-0 23s persistentvolumeclaims: 0/100,
pods: 0/100, services: 0/50,
services.loadbalancers: 0/3,
- services.nodeports: 0/20
+ services.nodeports: 0/20
```
Make sure that a quota is configured for API objects: `PersistentVolumeClaim`, `LoadBalancer`, `NodePort`, `Pods`, etc
@@ -1810,7 +1810,7 @@ Make sure that a quota is configured for API objects: `PersistentVolumeClaim`, `
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -1857,18 +1857,18 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, retrieve the configured quotas in the tenant namespace:
-```bash
+```bash
kubectl --kubeconfig alice get quota
NAME AGE REQUEST LIMIT
-capsule-oil-0 24s requests.cpu: 0/8, requests.memory: 0/16Gi limits.cpu: 0/8, limits.memory: 0/16Gi
-capsule-oil-1 24s requests.storage: 0/10Gi
+capsule-oil-0 24s requests.cpu: 0/8, requests.memory: 0/16Gi limits.cpu: 0/8, limits.memory: 0/16Gi
+capsule-oil-1 24s requests.storage: 0/10Gi
```
Make sure that a quota is configured for CPU, memory, and storage resources.
@@ -1876,7 +1876,7 @@ Make sure that a quota is configured for CPU, memory, and storage resources.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -1915,7 +1915,7 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
@@ -1948,7 +1948,7 @@ ImagePullPolicy IfNotPresent for container nginx is forbidden, use one of the fo
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
@@ -1978,7 +1978,7 @@ spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
- volumes:
+ volumes:
- 'persistentVolumeClaim'
runAsUser:
rule: RunAsAny
@@ -2035,15 +2035,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod defining a volume of any of the core type except `PersistentVolumeClaim`. For example:
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -2071,7 +2071,7 @@ You must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
@@ -2126,7 +2126,7 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
@@ -2160,7 +2160,7 @@ A valid Storage Class must be used, one of the following (delete-policy)
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete storageclass delete-policy
```
@@ -2252,15 +2252,15 @@ EOF
As tenant owner, run the following command to create a namespace in the given tenant
-```bash
+```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```
As tenant owner, create a pod or container that does not set `runAsNonRoot` to `true` in its `securityContext`, and `runAsUser` must not be set to 0.
-```yaml
-kubectl --kubeconfig alice apply -f - << EOF
+```yaml
+kubectl --kubeconfig alice apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
@@ -2279,7 +2279,7 @@ You must have the pod blocked by `PodSecurityPolicy`.
**Cleanup:**
As cluster admin, delete all the created resources
-```bash
+```bash
kubectl --kubeconfig cluster-admin delete tenant oil
kubectl --kubeconfig cluster-admin delete PodSecurityPolicy tenant
kubectl --kubeconfig cluster-admin delete ClusterRole tenant:psp
diff --git a/docs/content/general/proxy.md b/docs/content/general/proxy.md
index 237df36ae..0fe115688 100644
--- a/docs/content/general/proxy.md
+++ b/docs/content/general/proxy.md
@@ -70,7 +70,7 @@ Here how it looks like when exposed through an Ingress Controller:
kubectl ------>|:443 |--------->|:9001 |-------->|:6443 |
+-----------+ +-----------+ +-----------+
ingress-controller capsule-proxy kube-apiserver
-```
+```
## CLI flags
@@ -420,7 +420,7 @@ spec:
operator: Exists
values:
- bronze
- - silver
+ - silver
```
In the Kubernetes cluster we could have more RuntimeClasses resources, some of them forbidden and non-usable by the Tenant owner.
diff --git a/docs/content/general/references.md b/docs/content/general/references.md
index 8b959c7c1..8ae3f68dc 100644
--- a/docs/content/general/references.md
+++ b/docs/content/general/references.md
@@ -4,8 +4,8 @@ Reference document for Capsule Operator configuration
## Custom Resource Definition
-Capsule operator uses a Custom Resources Definition (CRD) for _Tenants_.
-Tenants are cluster wide resources, so you need cluster level permissions to work with tenants.
+Capsule operator uses a Custom Resources Definition (CRD) for _Tenants_.
+Tenants are cluster wide resources, so you need cluster level permissions to work with tenants.
You can learn about tenant CRDs in the following [section](./crds-apis)
## Capsule Configuration
@@ -39,7 +39,7 @@ Option | Description
`.metadata.annotations.capsule.clastix.io/validating-webhook-configuration-name` | Set the ValidatingWebhookConfiguration name | `validating-webhook-configuration-name`
Upon installation using Kustomize or Helm, a `capsule-default` resource will be created.
-The reference to this configuration is managed by the CLI flag `--configuration-name`.
+The reference to this configuration is managed by the CLI flag `--configuration-name`.
## Capsule Permissions
@@ -105,4 +105,4 @@ capsule-system secret/capsule-tls
capsule-system service/capsule-controller-manager-metrics-service
capsule-system service/capsule-webhook-service
capsule-system deployment.apps/capsule-controller-manager
-```
\ No newline at end of file
+```
diff --git a/docs/content/general/tutorial.md b/docs/content/general/tutorial.md
index 403b959ec..fd851c157 100644
--- a/docs/content/general/tutorial.md
+++ b/docs/content/general/tutorial.md
@@ -7,7 +7,7 @@ Capsule is a framework to implement multi-tenant and policy-driven scenarios in
* ***Bill***: the cluster administrator from the operations department of _Acme Corp_.
* ***Alice***: the project leader in the _Oil_ & _Gas_ departments. She is responsible for a team made of different job responsibilities: e.g. developers, administrators, SRE engineers, etc.
-
+
* ***Joe***: works as a lead developer of a distributed team in Alice's organization.
* ***Bob***: is the head of engineering for the _Water_ department, the main and historical line of business at _Acme Corp_.
@@ -54,7 +54,7 @@ Alice can log in using her credentials and check if she can create a namespace
```
kubectl auth can-i create namespaces
yes
-```
+```
or even delete the namespace
@@ -186,7 +186,7 @@ kubectl patch capsuleconfigurations default \
--type=merge
```
-> Please, pay attention when setting a service account acting as tenant owner. Make sure you're not using the group `system:serviceaccounts` or the group `system:serviceaccounts:{capsule-namespace}` as Capsule group, otherwise you'll create a short-circuit in the Capsule controller, being Capsule itself controlled by a serviceaccount.
+> Please, pay attention when setting a service account acting as tenant owner. Make sure you're not using the group `system:serviceaccounts` or the group `system:serviceaccounts:{capsule-namespace}` as Capsule group, otherwise you'll create a short-circuit in the Capsule controller, being Capsule itself controlled by a serviceaccount.
### Roles assigned to Tenant Owners
@@ -324,7 +324,7 @@ capsule-oil-3-prometheus-servicemonitors-viewer ClusterRole/prometheus-service
```
### Assign additional Role Bindings
-The tenant owner acts as admin of tenant namespaces. Other users can operate inside the tenant namespaces with different levels of permissions and authorizations.
+The tenant owner acts as admin of tenant namespaces. Other users can operate inside the tenant namespaces with different levels of permissions and authorizations.
Assuming the cluster admin creates:
@@ -378,7 +378,7 @@ The enforcement of this naming convention is optional and can be controlled by t
Alice can deploy any resource in any of the namespaces
```
-kubectl -n oil-development run nginx --image=docker.io/nginx
+kubectl -n oil-development run nginx --image=docker.io/nginx
kubectl -n oil-development get pods
```
@@ -643,7 +643,7 @@ metadata:
...
```
-When the aggregate usage for all namespaces crosses the hard quota, then the native `ResourceQuota` Admission Controller in Kubernetes denies Alice's request to create resources exceeding the quota:
+When the aggregate usage for all namespaces crosses the hard quota, then the native `ResourceQuota` Admission Controller in Kubernetes denies Alice's request to create resources exceeding the quota:
```
kubectl -n oil-development create deployment nginx --image nginx:latest --replicas 10
@@ -662,7 +662,7 @@ nginx-55649fd747-mlhlq 1/1 Running 0 12s
nginx-55649fd747-t48s5 1/1 Running 0 7s
```
-and
+and
```
kubectl -n oil-production get pods
@@ -721,7 +721,7 @@ spec:
```
Limits will be inherited by all the namespaces created by Alice. In our case, when Alice creates the namespace `oil-production`, Capsule creates the following:
-
+
```yaml
apiVersion: v1
kind: LimitRange
@@ -791,7 +791,7 @@ no
## Assign Pod Priority Classes
-Pods can have priority. Priority indicates the importance of a Pod relative to other Pods. If a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower priority Pods to make scheduling of the pending Pod possible. See [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/).
+Pods can have priority. Priority indicates the importance of a Pod relative to other Pods. If a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower priority Pods to make scheduling of the pending Pod possible. See [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/).
In a multi-tenant cluster, not all users can be trusted, as a tenant owner could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled.
@@ -819,7 +819,7 @@ EOF
With the said Tenant specification, Alice can create a Pod resource if `spec.priorityClassName` equals to:
- `custom`
-- `tier-gold`, `tier-silver`, or `tier-bronze`, since these compile the allowed regex.
+- `tier-gold`, `tier-silver`, or `tier-bronze`, since these compile the allowed regex.
- Any PriorityClass which has the label `env` with the value `production`
If a Pod is going to use a non-allowed _Priority Class_, it will be rejected by the Validation Webhook enforcing it.
@@ -872,7 +872,7 @@ If a Pod has no value for `spec.priorityClassName`, the default value for Priori
## Assign Pod Runtime Classes
Pods can be assigned different runtime classes. With the assigned runtime you can control Container Runtime Interface (CRI) is used for each pod.
-See [Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/runtime-class/) for more information.
+See [Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/runtime-class/) for more information.
To prevent misuses of Pod Runtime Classes, Bill, the cluster admin, can enforce the allowed Pod Runtime Class at tenant level:
@@ -968,7 +968,7 @@ no
## Assign Ingress Classes
An Ingress Controller is used in Kubernetes to publish services and applications outside of the cluster. An Ingress Controller can be provisioned to accept only Ingresses with a given Ingress Class.
-Bill can assign a set of dedicated Ingress Classes to the `oil` tenant to force the applications in the `oil` tenant to be published only by the assigned Ingress Controller:
+Bill can assign a set of dedicated Ingress Classes to the `oil` tenant to force the applications in the `oil` tenant to be published only by the assigned Ingress Controller:
```yaml
kubectl apply -f - << EOF
@@ -1071,14 +1071,14 @@ EOF
If an Ingress has no value for `spec.ingressClassName` or `metadata.annotations."kubernetes.io/ingress.class"`, the `tenant-default` IngressClass is automatically applied to the Ingress resource.
> This feature allows specifying a custom default value on a Tenant basis, bypassing the global cluster default (with the annotation `metadata.annotations.ingressclass.kubernetes.io/is-default-class=true`) that acts only at the cluster level.
->
+>
> More information: [Default IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class)
**Note**: This feature is offered only by API type `IngressClass` in group `networking.k8s.io` version `v1`.
However, resource `Ingress` is supported in `networking.k8s.io/v1` and `networking.k8s.io/v1beta1`
## Assign Ingress Hostnames
-Bill can control ingress hostnames in the `oil` tenant to force the applications to be published only using the given hostname or set of hostnames:
+Bill can control ingress hostnames in the `oil` tenant to force the applications to be published only using the given hostname or set of hostnames:
```yaml
kubectl apply -f - << EOF
@@ -1316,7 +1316,7 @@ To meet this requirement, Bill needs to define network policies that deny pods b
> 1. providing a restricted role rather than the default `admin` one
> 2. using Calico's `GlobalNetworkPolicy`, or Cilium's `CiliumClusterwideNetworkPolicy` which are defined at the cluster-level, thus creating an order of packet filtering.
-Also, Bill can make sure pods belonging to a tenant namespace cannot access other network infrastructures like cluster nodes, load balancers, and virtual machines running other services.
+Also, Bill can make sure pods belonging to a tenant namespace cannot access other network infrastructures like cluster nodes, load balancers, and virtual machines running other services.
Bill can set network policies in the tenant manifest, according to the requirements:
@@ -1340,7 +1340,7 @@ spec:
- ipBlock:
cidr: 0.0.0.0/0
except:
- - 192.168.0.0/16
+ - 192.168.0.0/16
ingress:
- from:
- namespaceSelector:
@@ -1417,7 +1417,7 @@ Bill is a cluster admin providing a Container as a Service platform using shared
Alice, a Tenant Owner, can start container images using private images: according to the Kubernetes architecture, the `kubelet` will download the layers on its cache.
-Bob, an attacker, could try to schedule a Pod on the same node where Alice is running her Pods backed by private images: they could start new Pods using `ImagePullPolicy=IfNotPresent` and be able to start them, even without required authentication since the image is cached on the node.
+Bob, an attacker, could try to schedule a Pod on the same node where Alice is running her Pods backed by private images: they could start new Pods using `ImagePullPolicy=IfNotPresent` and be able to start them, even without required authentication since the image is cached on the node.
To avoid this kind of attack, Bill, the cluster admin, can force Alice, the tenant owner, to start her Pods using only the allowed values for `ImagePullPolicy`, enforcing the `kubelet` to check the authorization first.
@@ -1605,7 +1605,7 @@ spec:
## Assign Additional Metadata
The cluster admin can _"taint"_ the namespaces created by tenant owners with additional metadata as labels and annotations. There is no specific semantic assigned to these labels and annotations: they will be assigned to the namespaces in the tenant as they are created. This can help the cluster admin to implement specific use cases as, for example, leave only a given tenant to be backed up by a backup service.
-Assigns additional labels and annotations to all namespaces created in the `oil` tenant:
+Assigns additional labels and annotations to all namespaces created in the `oil` tenant:
```yaml
kubectl apply -f - << EOF
@@ -1655,7 +1655,7 @@ status:
Additionally, the cluster admin can _"taint"_ the services created by the tenant owners with additional metadata as labels and annotations.
-Assigns additional labels and annotations to all services created in the `oil` tenant:
+Assigns additional labels and annotations to all services created in the `oil` tenant:
```yaml
kubectl apply -f - << EOF
@@ -1687,11 +1687,11 @@ metadata:
spec:
ports:
- protocol: TCP
- port: 80
- targetPort: 8080
+ port: 80
+ targetPort: 8080
selector:
run: nginx
- type: ClusterIP
+ type: ClusterIP
```
## Cordon a Tenant
@@ -1849,7 +1849,7 @@ Doing this, Alice will not be able to use `water.acme.com`, being the tenant own
## Deny labels and annotations on Namespaces
-By default, capsule allows tenant owners to add and modify any label or annotation on their namespaces.
+By default, capsule allows tenant owners to add and modify any label or annotation on their namespaces.
But there are some scenarios, when tenant owners should not have an ability to add or modify specific labels or annotations (for example, this can be labels used in [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) which are added by cluster administrator).
@@ -1867,7 +1867,7 @@ spec:
denied:
- foo.acme.net
- bar.acme.net
- deniedRegex: .*.acme.net
+ deniedRegex: .*.acme.net
forbiddenLabels:
denied:
- foo.acme.net
@@ -1883,7 +1883,7 @@ EOF
When using `capsule` together with [capsule-proxy](https://github.com/clastix/capsule-proxy), Bill can allow Tenant Owners to [modify Nodes](/docs/proxy/overview).
-By default, it will allow tenant owners to add and modify any label or annotation on their nodes.
+By default, it will allow tenant owners to add and modify any label or annotation on their nodes.
But there are some scenarios, when tenant owners should not have an ability to add or modify specific labels or annotations (there are some types of labels or annotations, which must be protected from modifications - for example, which are set by `cloud-providers` or `autoscalers`).
@@ -1894,7 +1894,7 @@ kubectl apply -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
- name: default
+ name: default
spec:
nodeMetadata:
forbiddenAnnotations:
@@ -1923,7 +1923,7 @@ EOF
## Protecting tenants from deletion
-Sometimes it is important to protect business critical tenants from accidental deletion.
+Sometimes it is important to protect business critical tenants from accidental deletion.
This can be achieved by toggling `preventDeletion` specification key on the tenant:
```yaml
diff --git a/docs/content/guides/flux2-capsule.md b/docs/content/guides/flux2-capsule.md
index 19b7279e1..d3d1a378f 100644
--- a/docs/content/guides/flux2-capsule.md
+++ b/docs/content/guides/flux2-capsule.md
@@ -258,7 +258,7 @@ patches:
name: "(kustomize-controller|helm-controller)"
```
-This way tenants can't make Flux apply their Reconciliation resources with Flux's privileged Service Accounts, by not specifying a `spec.ServiceAccountName` on them.
+This way tenants can't make Flux apply their Reconciliation resources with Flux's privileged Service Accounts, by not specifying a `spec.ServiceAccountName` on them.
At the same time at resource-level in privileged space we still can specify a privileged ServiceAccount, and its reconciliation requests won't pass through Capsule validation:
@@ -279,7 +279,7 @@ spec:
#### Kubeconfig
We also need to specify on Tenant's Reconciliation resources, the `Secret` with **`kubeconfig`** configured to use the **Capsule Proxy** as the API server in order to provide the Tenant GitOps Reconciler the ability to list cluster-level resources.
-The `kubeconfig` would specify also as the token the Tenant GitOps Reconciler SA token,
+The `kubeconfig` would specify also as the token the Tenant GitOps Reconciler SA token,
For example:
@@ -293,7 +293,7 @@ spec:
kubeConfig:
secretRef:
name: gitops-reconciler-kubeconfig
- key: kubeconfig
+ key: kubeconfig
sourceRef:
kind: GitRepository
name: my-tenant
@@ -320,14 +320,14 @@ patches:
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/0
- value: --no-cross-namespace-refs=true
+ value: --no-cross-namespace-refs=true
target:
kind: Deployment
name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
- value: --no-remote-bases=true
+ value: --no-remote-bases=true
target:
kind: Deployment
name: "kustomize-controller"
@@ -341,7 +341,7 @@ patches:
- patch: |
- op: add
path: /spec/serviceAccountName
- value: kustomize-controller
+ value: kustomize-controller
target:
kind: Kustomization
name: "flux-system"
@@ -435,7 +435,7 @@ this is the required set of resources to setup a Tenant:
```
- `Secret` with `kubeconfig` for the Tenant GitOps Reconciler with Capsule Proxy as `kubeconfig.server` and the SA token as `kubeconfig.token`.
> This is supported only with Service Account static tokens.
-- Flux Source and Reconciliation resources that refer to Tenant desired state. This typically points to a specific path inside a dedicated Git repository, where tenant's root configuration reside:
+- Flux Source and Reconciliation resources that refer to Tenant desired state. This typically points to a specific path inside a dedicated Git repository, where tenant's root configuration reside:
```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
@@ -497,7 +497,7 @@ spec:
kubeConfig:
secretRef:
name: gitops-reconciler-kubeconfig
- key: kubeconfig
+ key: kubeconfig
sourceRef:
kind: GitRepository
name: my-tenant
@@ -539,7 +539,7 @@ Furthermore, let's see if there are other vulnerabilities we are able to protect
##### Impersonate privileged SA
-Then, what if a tenant tries to escalate by using one of the Flux controllers privileged `ServiceAccount`s?
+Then, what if a tenant tries to escalate by using one of the Flux controllers privileged `ServiceAccount`s?
As `spec.ServiceAccountName` for Reconciliation resource cannot cross-namespace reference Service Accounts, tenants are able to let Flux apply his own resources only with ServiceAccounts that reside in his own Namespaces. Which is, Namespace of the ServiceAccount and Namespace of the Reconciliation resource must match.
@@ -558,13 +558,13 @@ Now let's go on with the practical part.
He could try to use privileged `ServiceAccount` by changing ownership of a privileged Namespace so that he could create Reconciliation resource there and using the privileged SA.
This is not permitted as he can't patch Namespaces which have not been created by him. Capsule request validation would not pass.
-For other protections against threats in this multi-tenancy scenario please see the Capsule [Multi-Tenancy Benchmark](/docs/general/mtb).
+For other protections against threats in this multi-tenancy scenario please see the Capsule [Multi-Tenancy Benchmark](/docs/general/mtb).
## References
- https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
- https://fluxcd.io/blog/2022/05/may-2022-security-announcement/
- https://github.com/clastix/capsule-proxy/issues/218
-- https://github.com/projectcapsule/capsule/issues/528
+- https://github.com/projectcapsule/capsule/issues/528
- https://github.com/clastix/flux2-capsule-multi-tenancy
- https://github.com/fluxcd/flux2-multi-tenancy
- https://fluxcd.io/docs/guides/repository-structure/
diff --git a/docs/content/guides/index.md b/docs/content/guides/index.md
index f8e43a980..e8673f74e 100644
--- a/docs/content/guides/index.md
+++ b/docs/content/guides/index.md
@@ -1,2 +1,2 @@
# Guides
-Guides and tutorials on how to integrate Capsule in your Kubernetes environment.
\ No newline at end of file
+Guides and tutorials on how to integrate Capsule in your Kubernetes environment.
diff --git a/docs/content/guides/kubernetes-dashboard.md b/docs/content/guides/kubernetes-dashboard.md
index 0f26c6f77..177848ba3 100644
--- a/docs/content/guides/kubernetes-dashboard.md
+++ b/docs/content/guides/kubernetes-dashboard.md
@@ -39,7 +39,7 @@ EOF
```
> Values used for the config:
->
+>
> - **OIDC_CLIENT_ID**: the keycloak client ID (name) which user in Kubernetes API Server for authorization
> - **OIDC_CLIENT_SECRET**: secret for the client (`OIDC_CLIENT_ID`). You can see it from the Keycloak UI -> Clients -> `OIDC_CLIENT_ID` -> Credentials
> - **DASHBOARD_URL**: the Kubernetes Dashboard URL
diff --git a/docs/content/guides/managed-kubernetes/aws-eks.md b/docs/content/guides/managed-kubernetes/aws-eks.md
index e443dd6da..31704006e 100644
--- a/docs/content/guides/managed-kubernetes/aws-eks.md
+++ b/docs/content/guides/managed-kubernetes/aws-eks.md
@@ -137,4 +137,4 @@ to create namespace. Switch to a new terminal and try to create a namespace as u
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
kubectl create namespace test --kubeconfig="kubeconfig-alice.conf"
-```
\ No newline at end of file
+```
diff --git a/docs/content/guides/managed-kubernetes/coaks.md b/docs/content/guides/managed-kubernetes/coaks.md
index 0c5435665..1984d8d63 100644
--- a/docs/content/guides/managed-kubernetes/coaks.md
+++ b/docs/content/guides/managed-kubernetes/coaks.md
@@ -1,3 +1,3 @@
# Capsule on Azure Kubernetes Service
-This reference implementation introduces the recommended starting (baseline) infrastructure architecture for implementing a multi-tenancy Azure AKS cluster using Capsule. See [CoAKS](https://github.com/clastix/coaks-baseline-architecture).
\ No newline at end of file
+This reference implementation introduces the recommended starting (baseline) infrastructure architecture for implementing a multi-tenancy Azure AKS cluster using Capsule. See [CoAKS](https://github.com/clastix/coaks-baseline-architecture).
diff --git a/docs/content/guides/managed-kubernetes/overview.md b/docs/content/guides/managed-kubernetes/overview.md
index e5d10f58c..838f0dd7b 100644
--- a/docs/content/guides/managed-kubernetes/overview.md
+++ b/docs/content/guides/managed-kubernetes/overview.md
@@ -1,7 +1,7 @@
# Capsule on Managed Kubernetes
Capsule Operator can be easily installed on a Managed Kubernetes Service. Since you do not have access to the Kubernetes APIs Server, you should check with the provider of the service:
-- the default `cluster-admin` ClusterRole is accessible
+- the default `cluster-admin` ClusterRole is accessible
- the following Admission Webhooks are enabled on the APIs Server:
- PodNodeSelector
- LimitRanger
diff --git a/docs/content/guides/oidc-auth.md b/docs/content/guides/oidc-auth.md
index c59041e8d..3b70a5035 100644
--- a/docs/content/guides/oidc-auth.md
+++ b/docs/content/guides/oidc-auth.md
@@ -32,7 +32,7 @@ $ curl -k -s https://${OIDC_ISSUER}/protocol/openid-connect/token \
The result will include an `ACCESS_TOKEN`, a `REFRESH_TOKEN`, and an `ID_TOKEN`. The access-token can generally be disregarded for Kubernetes. It would be used if the identity provider was managing roles and permissions for the users but that is done in Kubernetes itself with RBAC. The id-token is short lived while the refresh-token has longer expiration. The refresh-token is used to fetch a new id-token when the id-token expires.
```json
-{
+{
"access_token":"ACCESS_TOKEN",
"refresh_token":"REFRESH_TOKEN",
"id_token": "ID_TOKEN",
@@ -133,4 +133,4 @@ $ kubectl --context alice-oidc@mycluster create namespace oil-development
$ kubectl --context alice-oidc@mycluster create namespace gas-marketing
```
-> _Warning_: once your `ID_TOKEN` expires, the `kubectl` OIDC Authenticator will attempt to refresh automatically your `ID_TOKEN` using the `REFRESH_TOKEN`. In case the OIDC uses a self signed CA certificate, make sure to specify it with the `idp-certificate-authority` option in your `kubeconfig` file, otherwise you'll not able to refresh the tokens.
\ No newline at end of file
+> _Warning_: once your `ID_TOKEN` expires, the `kubectl` OIDC Authenticator will attempt to refresh automatically your `ID_TOKEN` using the `REFRESH_TOKEN`. In case the OIDC uses a self signed CA certificate, make sure to specify it with the `idp-certificate-authority` option in your `kubeconfig` file, otherwise you'll not able to refresh the tokens.
diff --git a/docs/content/guides/pod-security.md b/docs/content/guides/pod-security.md
index f6a6ac0c9..cd4ae7447 100644
--- a/docs/content/guides/pod-security.md
+++ b/docs/content/guides/pod-security.md
@@ -188,7 +188,7 @@ spec:
EOF
```
-All namespaces created by the tenant owner, will inherit the Pod Security labels:
+All namespaces created by the tenant owner, will inherit the Pod Security labels:
```yaml
apiVersion: v1
@@ -255,4 +255,4 @@ kubectl --kubeconfig alice-oil.kubeconfig label ns oil-production \
--overwrite
Error from server (Label pod-security.kubernetes.io/audit is forbidden for namespaces in the current Tenant ...
-```
\ No newline at end of file
+```
diff --git a/docs/content/guides/rancher-projects/capsule-rancher.md b/docs/content/guides/rancher-projects/capsule-rancher.md
index 5fd34d377..3c8d08872 100644
--- a/docs/content/guides/rancher-projects/capsule-rancher.md
+++ b/docs/content/guides/rancher-projects/capsule-rancher.md
@@ -203,5 +203,3 @@ spec:
## Cluster-wide resources and Rancher Shell interface
For using the Rancher Shell and cluster-wide resources as tenant user, please follow [this guide](./capsule-proxy-rancher.md).
-
-
diff --git a/docs/content/guides/rancher-projects/introduction.md b/docs/content/guides/rancher-projects/introduction.md
index f8de4ef91..7633ae59a 100644
--- a/docs/content/guides/rancher-projects/introduction.md
+++ b/docs/content/guides/rancher-projects/introduction.md
@@ -24,4 +24,3 @@ With Capsule Proxy users can also access cluster-wide resources, as configured b
You can read in detail how the integration works and how to configure it, in the following guides.
- [How to integrate Rancher Projects with Capsule Tenants](./capsule-proxy-rancher.md)
- [How to enable cluster-wide resources and Rancher shell access](./capsule-proxy-rancher.md).
-
diff --git a/docs/content/guides/rancher-projects/oidc-keycloak.md b/docs/content/guides/rancher-projects/oidc-keycloak.md
index 29c6c5d99..29f37108a 100644
--- a/docs/content/guides/rancher-projects/oidc-keycloak.md
+++ b/docs/content/guides/rancher-projects/oidc-keycloak.md
@@ -37,4 +37,3 @@ Configure an OIDC authentication provider, with Client with issuer, return URLs
1. In Rancher as an administrator, set the user custom role with `get` of Cluster.
1. In Rancher as an administrator, add the Rancher user ID of the just-logged in user as Owner of a `Tenant`.
1. (optional) configure `proxySettings` for the `Tenant` to enable tenant users to access cluster-wide resources.
-
diff --git a/docs/content/guides/upgrading.md b/docs/content/guides/upgrading.md
index f68d4dc0f..49bceaaa6 100644
--- a/docs/content/guides/upgrading.md
+++ b/docs/content/guides/upgrading.md
@@ -24,7 +24,7 @@ A minor bump has been requested due to some missing enums in the Tenant resource
Using the `kubectl` or Helm, scale down the Capsule controller manager: this is required to avoid the old Capsule version from processing objects that aren't yet installed as a CRD.
```
-helm upgrade -n capsule-system capsule --set "replicaCount=0"
+helm upgrade -n capsule-system capsule --set "replicaCount=0"
```
## Patch the Tenant custom resource definition
@@ -71,7 +71,7 @@ This will start the Operator with the latest changes, and perform the required s
Using the `kubectl` or Helm, scale down the Capsule controller manager: this is required to avoid the old Capsule version from processing objects that aren't yet installed as a CRD.
```
-helm upgrade -n capsule-system capsule --set "replicaCount=0"
+helm upgrade -n capsule-system capsule --set "replicaCount=0"
```
> Ensure that all the Pods have been removed correctly.
@@ -112,7 +112,7 @@ kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.1/charts
>
> ```bash
> CUSTOM_NS="tenancy-operations"
->
+>
> for CR in capsuleconfigurations.capsule.clastix.io globaltenantresources.capsule.clastix.io tenantresources.capsule.clastix.io tenants.capsule.clastix.io; do
> kubectl patch crd capsuleconfigurations.capsule.clastix.io --type='json' -p=" [{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig/service/namespace', 'value': "${CUSTOM_NS}"}]"
> done
@@ -162,7 +162,7 @@ oil 3 0 alice User {"kubernete
You should see all the previous Tenant resources converted in the new format and structure.
```
-$: kubectl get tenants.v1beta2.capsule.clastix.io
+$: kubectl get tenants.v1beta2.capsule.clastix.io
NAME STATE NAMESPACE QUOTA NAMESPACE COUNT NODE SELECTOR AGE
oil Active 3 0 {"kubernetes.io/os":"linux"} 3m38s
```
@@ -180,7 +180,7 @@ oil Active 3 0 {"kubernetes.io/os":"linux"}
If you're using Helm as package manager, all the Operator resources such as Deployment, Service, Role Binding, etc. must be deleted.
```
-helm uninstall -n capsule-system capsule
+helm uninstall -n capsule-system capsule
```
Ensure that everything has been removed correctly, especially the Secret resources.
@@ -233,7 +233,7 @@ oil 3 0 alice User {"kubernete
You should see all the previous Tenant resources converted into the new format and structure.
```
-$: kubectl get tenants.v1beta1.capsule.clastix.io
+$: kubectl get tenants.v1beta1.capsule.clastix.io
NAME STATE NAMESPACE QUOTA NAMESPACE COUNT NODE SELECTOR AGE
oil Active 3 0 {"kubernetes.io/os":"linux"} 3m38s
```
diff --git a/docs/content/index.md b/docs/content/index.md
index 32c7dee79..4c9ff2702 100644
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -9,9 +9,9 @@ Kubernetes introduces the _Namespace_ object type to create logical partitions o
## Entering Capsule
-Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
+Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
-On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
+On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.

diff --git a/docs/src/assets/icon/arrow.svg b/docs/src/assets/icon/arrow.svg
index 5573597c0..3ed925496 100644
--- a/docs/src/assets/icon/arrow.svg
+++ b/docs/src/assets/icon/arrow.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/icon/cncf.svg b/docs/src/assets/icon/cncf.svg
index 6b0319cad..428c1a8f1 100644
--- a/docs/src/assets/icon/cncf.svg
+++ b/docs/src/assets/icon/cncf.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/icon/github.svg b/docs/src/assets/icon/github.svg
index 0c7c3bad6..7f59b518b 100644
--- a/docs/src/assets/icon/github.svg
+++ b/docs/src/assets/icon/github.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/icon/linkedin.svg b/docs/src/assets/icon/linkedin.svg
index 0c05f46e5..6e095a107 100644
--- a/docs/src/assets/icon/linkedin.svg
+++ b/docs/src/assets/icon/linkedin.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/icon/search.svg b/docs/src/assets/icon/search.svg
index 8710306dd..c2a69eb3d 100644
--- a/docs/src/assets/icon/search.svg
+++ b/docs/src/assets/icon/search.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/icon/slack.svg b/docs/src/assets/icon/slack.svg
index ef60af72c..446dcb3dc 100644
--- a/docs/src/assets/icon/slack.svg
+++ b/docs/src/assets/icon/slack.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/icon/twitter.svg b/docs/src/assets/icon/twitter.svg
index dc9a3e3ed..6a2e683b4 100644
--- a/docs/src/assets/icon/twitter.svg
+++ b/docs/src/assets/icon/twitter.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/logo-full.svg b/docs/src/assets/logo-full.svg
index fde5ab9c4..ac9260332 100644
--- a/docs/src/assets/logo-full.svg
+++ b/docs/src/assets/logo-full.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/assets/logo.svg b/docs/src/assets/logo.svg
index a56e75f2c..060617e8a 100644
--- a/docs/src/assets/logo.svg
+++ b/docs/src/assets/logo.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
diff --git a/docs/src/components/AppAccordion.vue b/docs/src/components/AppAccordion.vue
index 60fa874ba..520f40c11 100644
--- a/docs/src/components/AppAccordion.vue
+++ b/docs/src/components/AppAccordion.vue
@@ -46,4 +46,4 @@ export default {
.max-h-99 {
max-height: 99rem;
}
-
\ No newline at end of file
+
diff --git a/docs/src/components/AppButton.vue b/docs/src/components/AppButton.vue
index 4d5a89b09..5561836a6 100644
--- a/docs/src/components/AppButton.vue
+++ b/docs/src/components/AppButton.vue
@@ -29,4 +29,4 @@ export default {
\ No newline at end of file
+
diff --git a/docs/src/components/AppFooter.vue b/docs/src/components/AppFooter.vue
index f10f67e61..409df883d 100644
--- a/docs/src/components/AppFooter.vue
+++ b/docs/src/components/AppFooter.vue
@@ -68,4 +68,4 @@ export default {
\ No newline at end of file
+
diff --git a/docs/src/components/AppNavbar.vue b/docs/src/components/AppNavbar.vue
index eaacc4f22..dbdb2c09d 100644
--- a/docs/src/components/AppNavbar.vue
+++ b/docs/src/components/AppNavbar.vue
@@ -404,4 +404,4 @@ export default {
},
},
};
-
\ No newline at end of file
+
diff --git a/docs/src/components/AppSidebar.vue b/docs/src/components/AppSidebar.vue
index 2f2ea2518..8fe3dc884 100644
--- a/docs/src/components/AppSidebar.vue
+++ b/docs/src/components/AppSidebar.vue
@@ -132,4 +132,4 @@ export default {
.active {
@apply text-blue-400 font-semibold;
}
-
\ No newline at end of file
+
diff --git a/docs/src/components/OnThisPage.vue b/docs/src/components/OnThisPage.vue
index 494f857fd..1298da02c 100644
--- a/docs/src/components/OnThisPage.vue
+++ b/docs/src/components/OnThisPage.vue
@@ -105,4 +105,4 @@ export default {
\ No newline at end of file
+
diff --git a/docs/src/pages/404.vue b/docs/src/pages/404.vue
index a779359fe..4e664db0f 100644
--- a/docs/src/pages/404.vue
+++ b/docs/src/pages/404.vue
@@ -21,4 +21,4 @@ export default {
AppButton,
},
};
-
\ No newline at end of file
+
diff --git a/docs/src/pages/Index.vue b/docs/src/pages/Index.vue
index 4eea9aa22..2357bbbe4 100644
--- a/docs/src/pages/Index.vue
+++ b/docs/src/pages/Index.vue
@@ -166,4 +166,4 @@ export default {
// background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' version='1.1' xmlns:xlink='http://www.w3.org/1999/xlink' xmlns:svgjs='http://svgjs.com/svgjs' width='1440' height='250' preserveAspectRatio='none' viewBox='0 0 1440 250'%3e%3cg mask='url(%26quot%3b%23SvgjsMask1012%26quot%3b)' fill='none'%3e%3crect width='1440' height='250' x='0' y='0' fill='rgba(31%2c 41%2c 55%2c 1)'%3e%3c/rect%3e%3cpath d='M36 250L286 0L571 0L321 250z' fill='url(%23SvgjsLinearGradient1013)'%3e%3c/path%3e%3cpath d='M264.6 250L514.6 0L678.1 0L428.1 250z' fill='url(%23SvgjsLinearGradient1013)'%3e%3c/path%3e%3cpath d='M507.20000000000005 250L757.2 0L1073.7 0L823.7 250z' fill='url(%23SvgjsLinearGradient1013)'%3e%3c/path%3e%3cpath d='M725.8000000000001 250L975.8000000000001 0L1302.8000000000002 0L1052.8000000000002 250z' fill='url(%23SvgjsLinearGradient1013)'%3e%3c/path%3e%3cpath d='M1439 250L1189 0L995.5 0L1245.5 250z' fill='url(%23SvgjsLinearGradient1014)'%3e%3c/path%3e%3cpath d='M1157.4 250L907.4000000000001 0L817.4000000000001 0L1067.4 250z' fill='url(%23SvgjsLinearGradient1014)'%3e%3c/path%3e%3cpath d='M961.8 250L711.8 0L383.29999999999995 0L633.3 250z' fill='url(%23SvgjsLinearGradient1014)'%3e%3c/path%3e%3cpath d='M688.1999999999999 250L438.19999999999993 0L208.69999999999993 0L458.69999999999993 250z' fill='url(%23SvgjsLinearGradient1014)'%3e%3c/path%3e%3cpath d='M1247.2258701549645 250L1440 57.225870154964355L1440 250z' fill='url(%23SvgjsLinearGradient1013)'%3e%3c/path%3e%3cpath d='M0 250L192.77412984503565 250L 0 57.225870154964355z' fill='url(%23SvgjsLinearGradient1014)'%3e%3c/path%3e%3c/g%3e%3cdefs%3e%3cmask id='SvgjsMask1012'%3e%3crect width='1440' height='250' fill='white'%3e%3c/rect%3e%3c/mask%3e%3clinearGradient x1='0%25' y1='100%25' x2='100%25' y2='0%25' id='SvgjsLinearGradient1013'%3e%3cstop stop-color='rgba(87%2c 131%2c 171%2c 0.14)' offset='0'%3e%3c/stop%3e%3cstop stop-opacity='0' stop-color='rgba(87%2c 131%2c 171%2c 0.14)' 
offset='0.66'%3e%3c/stop%3e%3c/linearGradient%3e%3clinearGradient x1='100%25' y1='100%25' x2='0%25' y2='0%25' id='SvgjsLinearGradient1014'%3e%3cstop stop-color='rgba(87%2c 131%2c 171%2c 0.14)' offset='0'%3e%3c/stop%3e%3cstop stop-opacity='0' stop-color='rgba(87%2c 131%2c 171%2c 0.14)' offset='0.66'%3e%3c/stop%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e");
background-size: cover;
}
-
\ No newline at end of file
+
diff --git a/docs/src/templates/MarkdownPage.vue b/docs/src/templates/MarkdownPage.vue
index 5987c65da..4ba04c337 100644
--- a/docs/src/templates/MarkdownPage.vue
+++ b/docs/src/templates/MarkdownPage.vue
@@ -138,4 +138,4 @@ export default {
}
}
}
-
\ No newline at end of file
+
diff --git a/docs/static/README.md b/docs/static/README.md
index 1dd0aae42..db048ce98 100644
--- a/docs/static/README.md
+++ b/docs/static/README.md
@@ -1,3 +1,3 @@
Add static files here. Files in this directory will be copied directly to `dist` folder during build. For example, /static/robots.txt will be located at https://yoursite.com/robots.txt.
-This file should be deleted.
\ No newline at end of file
+This file should be deleted.
diff --git a/docs/template/reference-cr.tmpl b/docs/template/reference-cr.tmpl
index 8e26fa687..1d3c86961 100644
--- a/docs/template/reference-cr.tmpl
+++ b/docs/template/reference-cr.tmpl
@@ -108,4 +108,4 @@ Resource Types:
{{- end}}{{/* range .Types */}}
{{- end}}{{/* range .Kinds */}}
-{{- end}}{{/* range .Groups */}}
\ No newline at end of file
+{{- end}}{{/* range .Groups */}}
diff --git a/hack/local-test-with-kind.sh b/hack/local-test-with-kind.sh
index 30d6f2fb7..4c53babcd 100755
--- a/hack/local-test-with-kind.sh
+++ b/hack/local-test-with-kind.sh
@@ -46,13 +46,13 @@ echo `date`": INFO: Wait then Kind cluster be ready. Wait only 30 seconds"
counter=0
while true
do
- if [ $counter == 30 ]; then
+ if [ $counter == 30 ]; then
echo `date`": ERROR: Kind cluster not ready for too long"
error_action
fi
kubectl get nodes | grep " Ready " &>/dev/null
- if [ $? == 0 ]; then
+ if [ $? == 0 ]; then
break
fi
@@ -75,13 +75,13 @@ echo `date`": INFO: Wait then capsule POD be ready. Wait only 30 seconds"
counter=0
while true
do
- if [ $counter == 30 ]; then
+ if [ $counter == 30 ]; then
echo `date`": ERROR: Kind cluster not ready for too long"
error_action
fi
kubectl get pod -n capsule-system | grep " Running " &>/dev/null
- if [ $? == 0 ]; then
+ if [ $? == 0 ]; then
break
fi
@@ -142,4 +142,4 @@ fi
echo `date`": INFO: All ok"
-cleanup_action
\ No newline at end of file
+cleanup_action
diff --git a/hack/velero-restore.sh b/hack/velero-restore.sh
index d46a20ae2..fe7c75a88 100755
--- a/hack/velero-restore.sh
+++ b/hack/velero-restore.sh
@@ -21,12 +21,12 @@ TENANTS=""
# Outputs:
# print usage with examples.
usage () {
- printf "Usage: $0 [flags] commands\n"
- printf "Flags:\n"
- printf "\t-c, --kubeconfig /path/to/config\tPath to the kubeconfig file to use for CLI requests.\n"
- printf "\t-t, --tenant \"gas oil\"\t\tSpecify one or more tenants to be restored.\n"
- printf "Commands:\n"
- printf "\trestore\t\t\tPerform the restore on the cluster, patching the right object fields.\n"
+ printf "Usage: $0 [flags] commands\n"
+ printf "Flags:\n"
+ printf "\t-c, --kubeconfig /path/to/config\tPath to the kubeconfig file to use for CLI requests.\n"
+ printf "\t-t, --tenant \"gas oil\"\t\tSpecify one or more tenants to be restored.\n"
+ printf "Commands:\n"
+ printf "\trestore\t\t\tPerform the restore on the cluster, patching the right object fields.\n"
printf "\n"
printf "E.g. [restore]:\t$0 -c /path/to/kubeconfig restore\n"
printf "E.g. [restore]:\t$0 -t \"oil\" restore\n"
@@ -197,4 +197,3 @@ case "${@: -1}" in
*)
break
esac
-