Capsule Multi-Tenancy

Self-Service Namespace Management for Teams

Capsule provides Kubernetes multi-tenancy with automatic RBAC inheritance, enabling teams to create and manage their own namespaces without cluster-admin access.

Overview

The Capsule deployment provides:

• Capsule Operator (v0.12.4) - Multi-tenancy namespace management

• Tenant Isolation - Automatic RBAC, quotas, and network policies

• ArgoCD GitOps Management - Deployed from dp-infra/capsule

• CDK8S Infrastructure as Code - TypeScript-based manifest generation

Key Features

Self-Service Namespace Creation

• Tenant owners create namespaces with kubectl create namespace

• Automatic tenant assignment via namespace prefix (e.g., bd-*, kup-*)

• RBAC automatically inherited from tenant definition

• No cluster-admin intervention required

Resource Management

• Aggregated resource quotas across all tenant namespaces

• Namespace count limits per tenant

• Prevents resource exhaustion by tenants

Isolation

• Tenant owners cannot see or modify other tenants’ namespaces

• Network policies isolate tenant workloads

• Cross-tenant RoleBinding references prevented

Quick Start

Check Operator Status

# Check Capsule operator pods
kubectl get pods -n capsule-system

# Check ArgoCD sync status
kubectl get application capsule-* -n argocd

List Tenants

# List all tenants
kubectl get tenants
# NAME           STATE    NAMESPACE QUOTA   NAMESPACE COUNT
# bd             Active   20                0
# kup            Active   20                0
# programmatic   Active   10                0

# Check specific tenant details
kubectl describe tenant bd

Generate Kubeconfig for Tenant Owner

# Use the convenience script
cd dp-infra/capsule
./scripts/generate-kubeconfig.sh bd

# Creates: kubeconfig-bd.yaml

Create Namespace (as Tenant Owner)

# Set kubeconfig to tenant owner credentials
export KUBECONFIG=kubeconfig-bd.yaml

# Create namespace (must match tenant prefix)
kubectl create namespace bd-projekt-alpha

# Verify access
kubectl auth can-i create pods -n bd-projekt-alpha
# → yes

Architecture

The Capsule deployment uses CDK8S (TypeScript) to generate Kubernetes manifests deployed via ArgoCD:

dp-infra/capsule/
├── charts/constructs/
│   ├── namespace.ts         # capsule-system namespace (sync-wave 0)
│   ├── operator.ts          # Capsule operator HelmChart (sync-wave 1)
│   ├── service-account.ts   # Tenant owner ServiceAccounts (sync-wave 1)
│   └── tenant.ts            # Tenant CRDs (sync-wave 2)
├── config.yaml              # Operator config and tenant definitions
├── scripts/
│   └── generate-kubeconfig.sh  # Kubeconfig generator for tenant owners
└── manifests/
    └── capsule.k8s.yaml     # Generated manifests (committed to git)

ArgoCD automatically syncs changes from the dp-infra repository to the cluster.

Tenant Workflow

1. Admin defines tenant in config.yaml with owners and quotas

2. Manifests generated via npm run compile && npx ts-node main.ts

3. ArgoCD deploys tenant definition to cluster

4. Admin generates kubeconfig via ./scripts/generate-kubeconfig.sh <tenant>

5. Tenant owner creates namespaces with prefix matching tenant name

Common Use Cases

• Team Isolation - Separate namespaces for different development teams

• Project Environments - Tenant creates prod, staging, dev namespaces

• Self-Service Development - Developers manage their own resources

• Resource Governance - Enforce quotas without manual intervention

Related Documentation

Cluster-Level Documentation

• Capsule Multi-Tenancy (Explanation) - Architecture and design decisions

• Work as Capsule Tenant (How-To) - Tenant owner guide

• CDK8S Infrastructure as Code

• ArgoCD GitOps

How-To

• Create a New Tenant
• Generate Kubeconfig for Tenant Owner
• Troubleshoot Capsule

Explanation

• Capsule Multi-Tenancy Model
• RBAC Inheritance in Capsule

Reference

• Configuration Options
• Tenant CRD Reference