Releases: projectcapsule/capsule

v0.1.0-rc2

25 Jun 15:48

v0.1.0-rc2 Pre-release

This is a pre-release; some of the planned features may not be implemented yet or may misbehave.

  • 8d1a109 build(helm): webhook for Namespace handling when tenant is freezed
  • a190454 build(kustomize): webhook for Namespace handling when tenant is freezed
  • 7574335 refactor: using separated webhooks for Namespace handling
  • 72e97b9 feat: providing utility for webhook auth identification
  • b3c6082 feat: providing event for Tenant cordoning
  • 9a94009 docs: fixing links
  • f9becf3 docs: Tenant cordoning
  • e1160b8 test(e2e): Tenant cordoning webhook
  • 6472b22 build(helm): Tenant cordoning webhook
  • a2e5bbf build(kustomize): Tenant cordoning webhook
  • 8804496 feat: cordoning Tenant webhook
  • 5de0a6d # This is a combination of 2 commits. # This is the 1st commit message:
  • 531cc4c refactor: renaming Tenant webhook handler
  • 3e33290 fix: fixed typo in script description
  • 824442b feat: add exits when encounters an error
  • 3458335 refactor: meaningful error for complete block of Service external IPs
  • 5681228 fix: blocking non valid external IP
  • 7237972 fix: using /32 in case of bare IPs
  • 46fc65a fix: avoiding concurrent map write
  • 44acfae feat: fix typo in event message
  • 7ca087c feat: update event messages
  • b2b640d test(e2e): refactoring to avoid flakiness
  • 5b35e0b refactor(e2e): using non absolute version import name
  • accd9ca feat: emitting events for policies violations
  • e7b33bd docs: documenting ImagePullPolicy enforcement
  • 08fbd26 test(e2e): bug on PodPriorityClass case
  • 006b0c8 test(e2e): ImagePullPolicy for v1alpha using annotations
  • b6f3fcc build(helm): webhook for ImagePullPolicy enforcement
  • bf79c25 build(kustomize): webhook for image PullPolicy
  • 630e802 feat: image PullPolicy webhook enforcer
  • e5a1861 test: aligning to new additional RoleBinding name pattern
  • 246c1a3 fix: misleading info message for additional RoleBindings sync
  • a06e689 fix: avoiding Namespace's RoleBinding labels collision
  • 61c9bc6 refactor: object labels must be set in the mutateFn
  • 9c8b037 feat: emitting events for Tenant operations
  • dfe0f5e chore: do docker(x) build/push step in gh actions
  • a1a2e5e build(helm): using arm compatible kubectl image
  • 20aa765 build: using targetarch for arm support
  • 7c1592e chore(license): switching over SPDX license header (#280)
  • f60f2b1 build: using Quay.io-hosted builder image
  • 53377e9 docs: Updated Golang version
  • d0893a5 docs: Fixed typo

v0.1.0-rc1

31 May 15:21

v0.1.0-rc1 Pre-release

This is a pre-release; some of the planned features may not be implemented yet or may misbehave.

  • feat: providing log upon CapsuleConfiguration change (a7fff59)
  • chore(make): reorg helm params (a4128b5)
  • chore: no need of fmt or vet, already managed by golangci-lint (b349042)
  • test(e2e): typo on feature documentation By group (40bdf0c)
  • docs: documenting CapsuleConfiguration CRD and options (20d0ef8)
  • test(e2e): modifying CapsuleConfiguration at runtime (6103494)
  • build(helm): deletion of CRB using names rather than label (ca7b859)
  • build(helm)!: support for CapsuleConfiguration CRD (73e6a17)
  • build(kustomize)!: support for CapsuleConfiguration CRD (9103a14)
  • refactor: simplifying RBAC managed with multiple user groups (d532f16)
  • feat!: using CapsuleConfiguration CRD with reload at runtime (3570b02)
  • chore: using last git commit as build date (994a4c2)
  • chore: upgrading kubebuilder project to v3 (eff1282)
  • docs: block of NodePort services using Tenant annotation (52a73e0)
  • docs: Pod Priority Class enforcement using Tenant annotations (4ccef41)
  • test: testing enforced Pod Priority Class using Tenant annotations (dfb0a53)
  • build(helm): providing webhook for Pod Priority Class (9ef64d0)
  • build(kustomize): installing Pod Priority Class webhook (5649283)
  • feat: enforcing Pod Priority Class (0481822)
  • build(helm): using different names for Job hooks (bcbd9c2)
  • fix: the ClusterRoleBindings capsule-namespace-provisioner are not re… (229b569)
  • fix: wrong order of checks in validating-external-service-ips webhook (ef6eea6)
  • chore(ci): output diff files for manifests files (bb6614d)
  • build(helm): use multiple groups as capsule-user-group. Remove capsul… (784f3a7)
  • feat: use multiple groups as capsule-user-group (3c9895e)
  • fix: generating TLS certificate matching the deployed Namespace (6dc83b1)
  • feat: block use of NodePort Services (e6da507)
  • chore(go): upgrading to go 1.16 (5bca3b7)
  • chore(operatorsdk): upgrading to v3 format (2e188d2)
  • chore(kustomize): new CRD and webhooks for admission/v1 (3afee65)
  • refactor: moving to admission/v1 for Kubernetes +1.16 (c22cb6c)
  • chore(mod): upgrading controller-runtime to v0.8.3 (202a18c)
  • chore(make): upgrading to controller-tools v0.5.0 (8441d88)
  • test: checking runtime count for pods (d5af190)
  • chore(kustomize): deprecating metrics RBAC proxy (82ae78b)
  • chore(helm): deprecating metrics RBAC proxy (6c44a6a)
  • docs: update capsule-proxy documentation (d6e7437)
  • chore: triggering Helm Charts CD upon tag release (ac7114e)
  • docs: typo on README.md (2fdc08c)
  • refactor: better name variables in pkg/webhook/utils (c2cede6)
  • refactor: better name variables in pkg/webhook/tenantprefix (36c90d4)
  • refactor: better name variables in pkg/webhook/tenant (34c9583)
  • refactor: better name variables in pkg/webhook/services (e5f17d1)
  • refactor: better name variables in pkg/webhook/registry (e1b2037)
  • refactor: better name variables in pkg/webhook/pvc (cec8cc0)
  • refactor: better name variables in pkg/webhook/ownerreference (7ca9fe0)
  • refactor: better name variables in pkg/webhook/namespacequota (b87a6c0)
  • refactor: better name variables in pkg/webhook/ingress (01b75a5)
  • refactor: better name variables in pkg/webhook (2c6dcf0)
  • refactor: better name variables in main.go (7994ae1)
  • Helm and Kustomize to v0.0.5 (#239) (d8449fe)
  • feat: adding name label to each Namespace (#242) (12237ae)

v0.0.5

20 Mar 16:07
37ec991

v0.0.5 (2021-03-20)

Capsule v0.0.5 is out, grab your version as follows!

docker pull quay.io/clastix/capsule:v0.0.5

Improvements

  • Various typos in the docs (#198, #201, #197, #210)
  • Custom image for Helm hooks (#208)
  • Typo in validating webhook error message (#212)
  • No more confusing .dirty information on logs (#213)
  • Providing user script creation for OCP (#229)
  • Capsule Helm Chart probes are configurable (#220)

Features

  • Avoid Ingress resources hostname collision (#215)
  • Allow multiple Tenant resources to share the same hostnames in the allowed lists (#206)

Hotfix

  • Avoiding deletion of Capsule secrets on Helm upgrade (#194)
  • Namespaces metadata are just handled by the Tenant manifest (#200)
  • Ignoring webhooks for kube-system ServiceAccount resources (#234)

Many congrats to the community for helping to shape this new release: @ValentinoUberti, @ludusrusso, @davideimola, @frodopwns, @unai-ttxu, @donhighmsft, @onematchfox, @bsctl!

v0.0.5-rc2

06 Mar 20:27

v0.0.5-rc2 Pre-release

v0.0.5-rc2 (2021-03-06)

Final release candidate for upcoming v0.0.5.

docker pull quay.io/clastix/capsule:v0.0.5-rc2

Improvements

  • Various typos in the docs (#198, #201, #197, #210)
  • Custom image for Helm hooks (#208)
  • Typo in validating webhook error message (#212)
  • No more confusing .dirty information on logs (#213)

Features

  • Avoid Ingress resources hostname collision (#215)
  • Allow multiple Tenant resources to share the same hostnames in the allowed lists (#206)

Hotfix

  • Avoiding deletion of Capsule secrets on Helm upgrade (#194)
  • Namespaces metadata are just handled by the Tenant manifest (#200)

v0.0.5-rc1

21 Jan 06:14
16906db

v0.0.5-rc1 Pre-release

v0.0.5-rc1 (2021-01-21)

A small hotfix regarding a missing webhook at the Tenant level will be addressed along with other minor improvements on the v0.0.5 release.

docker pull quay.io/clastix/capsule:v0.0.5-rc1

Hotfix

  • Validating Tenant also on UPDATE (#191)

v0.0.4

13 Jan 22:50
d270055

v0.0.4 (2021-01-13)

Happy new year from Clastix Labs!

Docker images are hosted on quay.io and can be pulled with the following command:

docker pull quay.io/clastix/capsule:v0.0.4

Enhancement

  • Helm Charts are included in the Capsule repository and can be fetched using the repo https://clastix.github.io/charts (#147)
  • Tenant ResourceQuota hard value is available in the Namespaced resource as an annotation (#158)
  • Allowed container registries are annotated in the Tenant Namespaces (#154)
  • Making Capsule more flexible with optional fields (#153)
  • Documentation improved (#146)
  • E2E tests are less flaky (#172, #176)
  • Adding more strict linters (#169)

Features

  • Mitigating Kubernetes CVE-2020-8554 enforcing Service external IPs (#161)
  • Supporting Kubernetes 1.20 (#171)
  • Enforcing the allowed hostnames per Tenant (#162)

Bug

  • Avoiding loop with Tenant ResourceQuota dealing with multiple Namespaces (#168)
  • Fixing the broken binary search for the InCapsuleGroup function (#181)

More features are on their way and planned here

Thanks

We got new entries as @gernest and @paolocarta: thanks for helping us shape Capsule! 🎉

Last but not least, same for @bsctl and @MaxFedotov: unstoppable and awesome maintainers.

v0.0.3

25 Nov 16:15
0641350

v0.0.3 (2020-11-25)

Improvements and enhancements for the upcoming 0.1.0 release.

Docker images are hosted on quay.io and can be pulled with the following command:

docker pull quay.io/clastix/capsule:v0.0.3

Enhancement

  • Service, Endpoint, EndpointSlice annotations, and services are controller backed (#128)
  • Printing the Node Selector additional column in kubectl get tenants -o wide (#137)
  • Logging to date time rather than timestamp (#139)

Features

  • Enforcing registry for Pods running in Tenant (#1)
  • Additional RoleBinding per Tenant (#52, #112)

More features are on their way and planned here

Thanks

Many kudos to @bsctl for his big effort doing QA and all the members that reported issues, bugs, or feature requests! 🎉

v0.0.2

10 Nov 18:48
078588a

v0.0.2 (2020-11-11)

Various improvements and enhancements, looking forward to the 0.1.0 release.

Docker images are hosted on quay.io and can be pulled with the following command:

docker pull quay.io/clastix/capsule:v0.0.2

Features

  • Handling all the events from Storage and Ingress classes (#108)
  • Supporting ingresses.networking.k8s.io/v1 (#110)
  • Using matrix strategy for e2e on multiple k8s versions (#111)
  • Allowing dash on Tenant namespace (#118, #129)
  • Migrating Service webhooks to Controller (#130)

More features are on their way and planned here

Thanks

Many kudos to @bsctl and @MaxFedotov for their help and all the members that reported issues! 🎉

v0.0.1

17 Sep 15:47
aee6e72

v0.0.1 (2020-09-15)

First semantic versioning release, hello world!

Docker images are hosted on quay.io and can be pulled with the following command:

docker pull quay.io/clastix/capsule:v0.0.1

Features

  • Enforcing LimitRange, NetworkPolicy, ResourceQuota, and Scheduler Node Selector
  • Enforcing Tenant prefix at Namespace creation (#41)
  • Let Capsule run on any user-defined Namespace (#83)
  • Protecting allowed Namespace names via regex (#73)
  • Adding Namespace and Service metadata annotations and labels (#80, #84)
  • Supporting Groups as Tenant ownership (#71)
  • Providing allow and deny list as well as regex for Ingress and Storage classes (#89)

Thanks

Many kudos to @bsctl, @MaxFedotov, and @ioggstream for their contributions and making this possible! 💪🏻