Changelog
✨ Breaking Changes
- 0515880: feat: use cert-manager certificates by default. By default, Capsule now uses self-signed cert-manager certificates for its admission webhooks. This used to be an optional setting and has now become the default. If you don’t have cert-manager installed, you must explicitly re-enable the Capsule TLS controller as documented here. (#1818) (@oliverbaehler)
Security 🔒
- Advisory GHSA-qjjm-7j9w-pw72 - High - Users can create cluster scoped resources anywhere in the cluster if they are allowed to create TenantResources. To immediately mitigate this, make sure to use Impersonation for TenantResources.
- Advisory GHSA-2ww6-hf35-mfjm - Moderate - Users may hijack namespaces via namespaces/status privileges. These privileges must have been explicitly granted by Platform Administrators through RBAC rules to be affected. Requests for the namespaces/status subresource are now sent to the Capsule admission webhook as well.
✨ New Features
- cc4fb45: feat: add new Quota System with `GlobalCustomQuotas` and `CustomQuotas` (#1841) (@oliverbaehler)
- cc4fb45: feat: refactor of `GlobalTenantResources` and `TenantResources` (#1841) (@oliverbaehler)
- cc4fb45: feat: added new label `projectcapsule.dev/tenant` which is added for all namespaced resources belonging to a Tenant (#1841) (@oliverbaehler)
- cc4fb45: feat: Resources labeled with `projectcapsule.dev/managed-by=controller` can only be created, updated or deleted by the Capsule controller and administrators, and are rejected for all other operations. This prevents deletion of managed resources by users which are not identified as capsule users (current behavior) (#1841) (@oliverbaehler)
- cc4fb45: feat: migrated event emissions to `events.k8s.io/v1` from legacy `core/v1` (#1841) (@oliverbaehler)
- cc4fb45: feat: tenant scoped additional metadata is validated via admission (#1841) (@oliverbaehler)
- cc4fb45: feat: adding `.spec.data` for `Tenant` to allow providing custom data for templating purposes (#1841) (@oliverbaehler)
- cc4fb45: feat: Added configuration options for managed RBAC (#1841) (@oliverbaehler)
- cc4fb45: feat: Added configuration options for Impersonation (#1841) (@oliverbaehler)
- cc4fb45: feat: Added configuration options for Cache invalidation (#1841) (@oliverbaehler)
- cc4fb45: feat: Added configuration options for Dynamic Admission Webhooks (#1841) (@oliverbaehler)
- 730151c: feat: add dynamic capsule user evaluation (#1811) (@oliverbaehler)
- 0744924: feat: add e2e openshift support (#1894) (@Svarrogh1337)
- a6b830b: feat: add ruleset api (#1844) (@oliverbaehler)
- 0abc77b: feat: diverse performance improvements (#1861) (@oliverbaehler)
- cc4fb45: feat: upstream enterprise preview (#1841) (@oliverbaehler)
🐛 Bug fixes
- cc4fb45: fix: Improved matchConditions for admission webhooks that intercept all namespaced items, to avoid processing subresource requests and Events, improving performance and reducing log noise. (#1841) (@oliverbaehler)
- cc4fb45: fix: PersistentVolumeClaims support now providing .spec.selector. When .spec.selector is provided we always aggregate a custom matchExpressions for the PersistentVolumeClaims to ensure that only the PersistentVolumeClaims created in the Tenant can mount PersistentVolumes provisioned from/for the same Tenant (#1841) (@oliverbaehler)
- cc4fb45: fix: Regex-Selectors were not considered on classes driven Tenant status reconciles (#1841) (@oliverbaehler)
- cc4fb45: fix: A single Unready namespace could cause the entire Tenant reconciliation to be incomplete. Now unready or terminating namespaces are ignored for further processing, ensuring that ready/new namespaces get their required contents (#1841) (@oliverbaehler)
- cc4fb45: fix: When a Tenant is cordoned, namespaces can no longer be deleted. (#1841) (@oliverbaehler)
- cc4fb45: fix: TLS controller correctly patches all the webhooks with the same CA Bundle, to avoid issues with multiple webhooks and ensure that all webhooks are correctly secured, if enabled (#1841) (@oliverbaehler)
- 61429d1: fix(docs): update home in chart.yaml (#1864) (@sandert-k8s)
- 58b25e3: fix(webhook): adapt to controller-runtime breaking change in `NewWebhookManagedBy` (#1898) (@Svarrogh1337)
- c6e109c: fix: release workflows (#1919) (@oliverbaehler)
🛠 Dependency updates
- 9c02af5: fix(deps): update k8s.io/utils digest to 383b50a (#1804) (@renovate[bot])
- aaa3ec4: fix(deps): update k8s.io/utils digest to 718f0e5 (#1806) (@renovate[bot])
- e8bb238: fix(deps): update k8s.io/utils digest to 914a6e7 (#1822) (@renovate[bot])
- 53a4f5d: fix(deps): update k8s.io/utils digest to 98d557b (#1803) (@renovate[bot])
- 7efaa9e: fix(deps): update kubernetes packages to v0.35.0 (#1797) (@renovate[bot])
- 7e2dc68: fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.3 (#1776) (@renovate[bot])
- 45e3a5d: fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.4 (#1825) (@renovate[bot])
- 768b334: fix(deps): update module github.com/onsi/gomega to v1.38.3 (#1777) (@renovate[bot])
- 1f91adc: fix(deps): update module github.com/onsi/gomega to v1.39.0 (#1826) (@renovate[bot])
- b8d3852: fix(deps): update module k8s.io/dynamic-resource-allocation to v0.35.0 (#1798) (@renovate[bot])
- abc03ad: fix(deps): update module sigs.k8s.io/cluster-api to v1.12.1 (#1784) (@renovate[bot])
🚀 Build process updates
- 77e7532: ci: pin slsa provenance workflow (#1903) (@AkashKumar7902)
Full Changelog: v0.12.4...v0.13.0
Check out what's new in this release
Docker Images
- ghcr.io/projectcapsule/capsule:0.13.0
- ghcr.io/projectcapsule/capsule:latest
Helm Chart
View this release on Artifact Hub or use the OCI helm chart:
ghcr.io/projectcapsule/charts/capsule:0.13.0
Review the Major Changes section first before upgrading to a new version
Important
Kubernetes compatibility
Note that the Capsule project offers support only for the latest minor version of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors.
| Kubernetes version | Minimum required |
|---|---|
| v1.35 | >= 1.35.0 |
Thanks to all the contributors! 🚀 🦄