Explanation

RBAC Inheritance in Capsule

Understanding how Capsule manages Role-Based Access Control across tenant namespaces.

Overview

Capsule automatically manages RBAC for tenant owners, granting them administrative permissions within their tenant’s namespaces without requiring cluster-admin intervention.

How It Works

When a tenant owner creates a namespace:

  1. Capsule intercepts the namespace creation request

  2. Validates that the requester is an owner of the tenant (tenant membership)

  3. Creates the namespace with tenant labels

  4. Creates RoleBindings granting the owner admin access

  5. Applies tenant policies (quotas, network policies, etc.)
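The five steps above, as an added example that is not Capsule's own code: a small in-process model that admits a namespace-creation request, labels the namespace and emits the RoleBindings, run against constructed input. The Subject/Tenant shapes, the label key TENANT_LABEL, the name of the deleter RoleBinding and the rule that every tenant owner gets a binding in the new namespace are assumptions of this illustration; step 5 (quotas, network policies) is tenant-specific and left out.

```python
# Added example, not Capsule's code: model of the namespace-creation flow.
from dataclasses import dataclass

TENANT_LABEL = "capsule.clastix.io/tenant"  # assumed label key (see lead-in)

# "capsule-owner-admin" matches the page; the deleter binding name is assumed.
BINDING_NAMES = {"admin": "capsule-owner-admin",
                 "capsule-namespace-deleter": "capsule-owner-deleter"}


@dataclass(frozen=True)
class Subject:
    """An RBAC subject as it appears in a RoleBinding."""
    kind: str               # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""     # only set for ServiceAccount


@dataclass(frozen=True)
class Tenant:
    name: str
    owners: tuple           # tuple of Subject


class Forbidden(Exception):
    """Raised when the request fails the admission check (step 2)."""


def is_owner(tenant, requester, groups=()):
    """Step 2: does the authenticated requester match one of the tenant owners?

    A User owner matches on user name, a Group owner matches if the requester's
    group list contains it, and a ServiceAccount owner matches the user name
    Kubernetes assigns to service-account tokens.
    """
    for owner in tenant.owners:
        if owner.kind == "User" and owner.name == requester:
            return True
        if owner.kind == "Group" and owner.name in groups:
            return True
        if (owner.kind == "ServiceAccount" and requester ==
                f"system:serviceaccount:{owner.namespace}:{owner.name}"):
            return True
    return False


def role_binding(namespace, owner, cluster_role):
    """Step 4: one RoleBinding granting `cluster_role` to `owner` in `namespace`."""
    subject = {"kind": owner.kind, "name": owner.name}
    if owner.kind == "ServiceAccount":
        subject["namespace"] = owner.namespace
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": BINDING_NAMES[cluster_role], "namespace": namespace},
        "subjects": [subject],
        "roleRef": {"kind": "ClusterRole", "name": cluster_role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def create_namespace(tenant, requester, ns_name, groups=()):
    """Steps 1-4: admit the request and return the objects that would be created."""
    # Steps 1/2: the request is intercepted; non-owners are rejected before
    # anything is created.
    if not is_owner(tenant, requester, groups):
        raise Forbidden(f"{requester} is not an owner of tenant {tenant.name}")

    # Step 3: the namespace carries the tenant label so that later policy and
    # namespace filtering can attribute it to the tenant.
    namespace = {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {"name": ns_name, "labels": {TENANT_LABEL: tenant.name}},
    }

    # Step 4: admin inside the namespace plus the right to delete it again,
    # for every owner of the tenant (assumption, see lead-in).
    bindings = [
        role_binding(ns_name, owner, role)
        for owner in tenant.owners
        for role in ("admin", "capsule-namespace-deleter")
    ]
    return namespace, bindings


if __name__ == "__main__":
    # Constructed sample mirroring the page: tenant "bd" owned by a
    # ServiceAccount in capsule-system.
    bd = Tenant("bd", (Subject("ServiceAccount", "bd-sa", "capsule-system"),))
    ns, rbs = create_namespace(
        bd, "system:serviceaccount:capsule-system:bd-sa", "bd-prod")
    print(ns["metadata"]["labels"], [rb["roleRef"]["name"] for rb in rbs])
```

The membership check runs before any object is built, which is the property an admission step must have: a non-owner never gets a labelled namespace, let alone a binding, and the rejection reason names the tenant so the denial is auditable.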

Default Permissions

Tenant owners receive the Kubernetes built-in admin ClusterRole in their namespaces:

# Automatically created by Capsule in each namespace the tenant owner creates
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: capsule-owner-admin
  namespace: bd-prod
subjects:
  # The tenant owner; here a ServiceAccount living in capsule-system
  - kind: ServiceAccount
    name: bd-sa
    namespace: capsule-system
roleRef:
  # The Kubernetes built-in admin ClusterRole, scoped to bd-prod by this binding
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

The admin role includes:

  • Full access to all namespaced resources (pods, services, deployments, etc.)

  • Ability to create and manage RBAC within the namespace

  • No write access to ResourceQuotas or LimitRanges in the namespace (those are managed at the tenant level)

Namespace Deletion Permission

Additionally, Capsule binds the capsule-namespace-deleter ClusterRole to the tenant owners:

# Allows tenant owners to delete namespaces they created
# (roleRef of the second RoleBinding; the subjects are the same tenant owners as above)
roleRef:
  kind: ClusterRole
  name: capsule-namespace-deleter
  apiGroup: rbac.authorization.k8s.io

This enables tenant owners to clean up namespaces they no longer need.

Cross-Tenant Isolation

Capsule enforces strict isolation:

  • No cross-tenant RoleBinding references: A RoleBinding in tenant A cannot reference a subject from tenant B

  • Namespace visibility: Tenant owners only see their own namespaces (via Capsule Proxy)

  • Resource access: No access to namespaces outside the tenant

The Capsule Proxy (Optional)

Standard Kubernetes RBAC has a limitation: Namespace is a cluster-scoped resource, so listing namespaces requires a cluster-level permission, and RBAC can only grant or deny the list verb as a whole; it cannot filter the result down to the namespaces a user may access. Without special handling:

kubectl get namespaces
# → "Error: forbidden" (even though the owner has access to specific namespaces)

Capsule Proxy solves this by filtering namespace lists:

# Configure kubectl to use Capsule Proxy
export KUBECONFIG=kubeconfig-bd-with-proxy.yaml

kubectl get namespaces
# → Only shows namespaces belonging to tenant
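The two behaviours described in the Cross-Tenant Isolation and Capsule Proxy sections, as one added example that is neither Capsule's nor Capsule Proxy's code: an admission rule that rejects a RoleBinding referencing a subject from another tenant, and a namespace-list filter that returns only the namespaces of tenants the requester owns. Tenant membership is resolved from each tenant's owner list and from the assumed namespace label key TENANT_LABEL; the tenants and namespaces are constructed sample data.

```python
# Added example, not Capsule's code: cross-tenant RoleBinding check and
# owner-scoped namespace listing over a constructed cluster state.
from dataclasses import dataclass

TENANT_LABEL = "capsule.clastix.io/tenant"  # assumed label key (see lead-in)


@dataclass(frozen=True)
class Subject:
    kind: str               # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""     # only set for ServiceAccount


@dataclass(frozen=True)
class Tenant:
    name: str
    owners: tuple           # tuple of Subject


# Constructed sample: two tenants and the namespaces they own, plus one
# namespace outside Capsule's control.
TENANTS = (
    Tenant("bd", (Subject("ServiceAccount", "bd-sa", "capsule-system"),)),
    Tenant("hr", (Subject("User", "hr-admin"),)),
)
NAMESPACES = {  # namespace name -> metadata
    "bd-prod": {"labels": {TENANT_LABEL: "bd"}},
    "bd-dev": {"labels": {TENANT_LABEL: "bd"}},
    "hr-prod": {"labels": {TENANT_LABEL: "hr"}},
    "kube-system": {"labels": {}},
}


def tenant_of_namespace(namespaces, ns_name):
    """Tenant that owns a namespace according to its label, or None."""
    return namespaces.get(ns_name, {}).get("labels", {}).get(TENANT_LABEL)


def tenant_of_subject(subject, tenants, namespaces):
    """Tenant a RoleBinding subject belongs to, or None if it is unattributed.

    A subject listed as a tenant owner belongs to that tenant; otherwise a
    ServiceAccount is attributed to the tenant owning its namespace.
    """
    for tenant in tenants:
        if subject in tenant.owners:
            return tenant.name
    if subject.kind == "ServiceAccount":
        return tenant_of_namespace(namespaces, subject.namespace)
    return None


def validate_role_binding(binding_ns, subjects, tenants, namespaces):
    """Isolation rule: a RoleBinding in tenant A's namespace may not reference
    a subject that resolves to another tenant.  Returns (allowed, reason)."""
    owning = tenant_of_namespace(namespaces, binding_ns)
    if owning is None:
        return True, "namespace is not tenant-managed"   # outside the rule's scope
    for s in subjects:
        other = tenant_of_subject(s, tenants, namespaces)
        if other is not None and other != owning:
            return False, f"{s.kind} {s.name} belongs to tenant {other}, not {owning}"
    # Subjects that resolve to no tenant are left to ordinary RBAC.
    return True, "ok"


def visible_namespaces(requester, groups, tenants, namespaces):
    """What the proxy returns for `kubectl get namespaces`: only namespaces of
    tenants the requester (a Subject, plus its groups) owns."""
    identities = {requester} | {Subject("Group", g) for g in groups}
    owned = {t.name for t in tenants if identities & set(t.owners)}
    return sorted(ns for ns in namespaces
                  if tenant_of_namespace(namespaces, ns) in owned)


if __name__ == "__main__":
    bd_sa = Subject("ServiceAccount", "bd-sa", "capsule-system")
    print(validate_role_binding(
        "bd-prod", [Subject("ServiceAccount", "ci", "hr-prod")], TENANTS, NAMESPACES))
    print(visible_namespaces(bd_sa, (), TENANTS, NAMESPACES))
```

Note that the filter works from the tenant label on the namespace, not from the RoleBindings inside it, so a namespace whose label is missing or wrong is simply invisible to every owner; that is the safe failure direction for a listing proxy.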