
// the find

projectcapsule/capsule

★ 2,092 · Go · Apache-2.0 · updated Jun 2026

Multi-tenancy and policy-based framework for Kubernetes.

Capsule is a Kubernetes operator that groups namespaces into a 'Tenant' abstraction, letting you run multiple teams or customers on a single cluster instead of spinning up a dedicated cluster per group. It enforces network policies, RBAC, resource quotas, and admission rules at the tenant level and propagates them automatically to member namespaces. It targets platform teams managing shared clusters who want self-service for tenants without giving them cluster-admin.

- The ResourcePool/ResourcePoolClaim model in v1beta2 is a real Kubernetes-native way to share a quota budget across namespaces — it's not just strapping ResourceQuotas to each namespace independently, which would require constant manual rebalancing.

- E2E test coverage is unusually thorough: ~70 files each testing a specific admission scenario (ingress hostname collision, cross-tenant PV mounts, namespace hijacking, privilege escalation). That breadth is meaningful for a security-sensitive project.

- Pure upstream Kubernetes — no custom binaries, no admission proxy sidecars. Everything goes through standard admission webhooks and controller-runtime. You don't need to replace your kube-apiserver or install a custom scheduler.

- Proper API versioning with v1beta1→v1beta2 conversion webhooks, SBOM in every release, OpenSSF Best Practices badge, and a published security self-assessment. For a project you're installing with cluster-wide admission webhooks, that hygiene matters.

- No v1 API despite claiming production stability. You are building on v1beta2 CRDs, which means the schema can still change in ways that require migration — the existence of tenant_conversion_hub.go shows this has already happened once.

- The isolation is only as strong as your policy configuration. Capsule doesn't enforce network isolation out of the box — it can push NetworkPolicy objects into namespaces, but if the CNI doesn't enforce them or the tenant admin deletes them, tenants can talk to each other. This is documented, but easy to miss.

- Admission webhook availability is on the critical path. If the Capsule controller is down or the webhook times out, namespace creation and resource admission fail cluster-wide. The Helm chart has HA values, but the README doesn't surface this risk at all.

- The tenant boundary stops at the namespace level. Cross-namespace service discovery within a tenant, DNS naming, and shared persistent volumes are not solved — teams with multi-namespace tenants still have to wire all of that themselves outside Capsule.
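The network-isolation caveat above is easy to verify rather than assume. The following added example (not Capsule's code) audits a `kubectl get networkpolicies -A -o json` listing for tenant namespaces that lack a default-deny ingress policy; the JSON input is constructed here, the namespace names are made up, and the check only confirms the objects exist, not that the CNI enforces them.

```python
"""Audit which namespaces carry a default-deny ingress NetworkPolicy.

Input mirrors the shape of `kubectl get networkpolicies -A -o json`.
The sample below is constructed for this example, not real cluster output.
"""
import json

# Constructed sample: tenant namespaces "alpha-web" and "alpha-api" (hypothetical).
# Only alpha-web still has its default-deny policy; alpha-api has just an allow rule,
# the situation you get when a tenant admin deletes the policy Capsule pushed.
SAMPLE_NETPOL_LIST = json.dumps({
    "kind": "NetworkPolicyList",
    "items": [
        {
            "metadata": {"name": "default-deny", "namespace": "alpha-web"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
        {
            "metadata": {"name": "allow-web", "namespace": "alpha-api"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "api"}},
                "policyTypes": ["Ingress"],
                "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}],
            },
        },
    ],
})


def is_default_deny(spec: dict, direction: str = "Ingress") -> bool:
    """True if the policy selects every pod and permits no traffic in `direction`."""
    # An empty podSelector (or empty matchLabels) selects all pods in the namespace.
    if spec.get("podSelector", {}) not in ({}, {"matchLabels": {}}):
        return False
    # policyTypes omitted means the policy applies to Ingress only.
    if direction not in (spec.get("policyTypes") or ["Ingress"]):
        return False
    # A listed policyType with no rules of that kind denies all such traffic.
    return len(spec.get(direction.lower(), [])) == 0


def namespaces_without_default_deny(netpol_list_json: str, namespaces) -> list:
    """Return the given namespaces that have no default-deny ingress policy."""
    items = json.loads(netpol_list_json)["items"]
    covered = {p["metadata"]["namespace"] for p in items if is_default_deny(p["spec"])}
    return sorted(ns for ns in namespaces if ns not in covered)


if __name__ == "__main__":
    print(namespaces_without_default_deny(SAMPLE_NETPOL_LIST, ["alpha-web", "alpha-api"]))
```

Feed it the real listing plus the namespace list from each Tenant's status to get a per-tenant gap report; pair it with a CNI that actually enforces NetworkPolicy, since a present policy on an enforcement-less CNI is still no isolation.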

