Capsule community call

2023-11-10

Capsule v0.1.2 release: ready to be landed!
Capsule Proxy v0.3.0 release: ready to be landed!
PR #598 must be discussed with @viveksyngh
Capsule v0.2.0
- consolidating Tenant API under v1beta2 group
- consolidating CapsuleConfiguration API under v1beta2 group, although still in v1alpha1 (homogeneity)

Capsule v0.1.2
- capsule-proxy #207 to be documented
- #528 to be completed and documented
Capsule Proxy RC v0.30.0-rc2
- the pre-release has been cut
Status update by @maxgio92 about multi-tenancy the GitOps-way (Flux+Capsule) (#528)
- Kubernetes v1.24 SA dynamic vs static token for Tenant GitOps reconciler
Status update by (@viveksingh) on metrics exposition on Capsule Proxy (#207)
- approved and merged
Apparmor profile for Capsule (#549)

Status update by @prometherion about Capsule and GitOps operator IAM bootstrap: Support for dynamic ignored user groups (#567)
Status update by @maxgio92 about multi-tenancy the GitOps-way (Flux+Capsule) (#528)
Metrics exposition on Capsule Proxy (#207)
RC cut for Capsule Proxy (will it include @viveksingh PRs?)
- v0.30.0-rc2

Capsule and GitOps operator IAM bootstrap: Support for dynamic ignored user groups (#567)
v0.1.2 release
Capsule and GitOps flow with Flux (#528)
- What we miss:
  - controller to ensure and update Tenant Owners' kubeconfig Secrets for Capsule Proxy to be used by Tenants' Kustomize controller for reconciliation of the Tenant configs (Kustomization's' spec.kubeConfig) - @maxgio92 working on it
  - in order to use the above we need to disable enforcement of default Service Account impersonation on all Kustomizations Flux multi-tenancy lockdown feature (--default-service-account on Kustomize controller). Is required anyway to enforce the above when otherwise not reconciling Kustomizations with Capsule Proxy Kubeconfig - e.g. with Kyverno Policies
  - @oliverbaehler published PR #584 and is almost ready!
Discuss about Capsule + GCP IAM integration (#583)
- We decided to go for a strings.ReplaceAll, substituting the @ symbol with _AT_ to avoid the RFC DNS-1123 validation issue.
Capsule Proxy with kube-oidc-proxy as backend (discussion here)
- Asking for support to the reporter.
- Tremolo Security updated kube-oidc-proxy

TenantResource feature proposal
- drop ClusterRoles from CRD spec: we don't need it
Capsule CRDs deployment with Helm chart
- Go with single chart and CRD-install dedicated value knob
Capsule and GitOps operator IAM bootstrap
- WIP to v0.1.2

GitOps use case of BlackRock: GitOps operator bootstrap in the kube-system Namespace
- Adding disallowedGroupNames in CapsuleConfiguration CRD (with a default value of system:serviceaccounts:kube-system) to allow kube-system SAs as Capsule Users
- Karthi proposed to work on it
Capsule CRDs deployment with Helm chart
- rendering astemplates
- best pratices and caveats
Semantic versinoing of container images
- decided to keep the v-semantic one (according to k8s one)
introduction to the TenantResource CRD proposal