Reference

Configuration Options

Complete reference for Capsule deployment configuration.

config.yaml Structure

# Capsule operator version
versions:
  capsule: "0.7.2"  # Helm chart version

# Helm repository
helmRepo:
  url: "https://projectcapsule.github.io/charts"

# Namespace for Capsule operator
namespace: "capsule-system"

# Operator settings
operator:
  forceTenantPrefix: true
  userGroups:
    - "capsule.clastix.io"

# Resource limits for operator
resources:
  manager:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"

# Tenant definitions
tenants:
  - name: "bd"
    owners:
      - name: "system:serviceaccount:capsule-system:bd-sa"
        kind: "ServiceAccount"
    namespaceQuota: 20
    resourceQuotas:
      requests:
        cpu: "16"
        memory: "32Gi"
      limits:
        cpu: "32"
        memory: "64Gi"

Operator Settings

forceTenantPrefix

When true, namespace names must start with the tenant name followed by a hyphen.

| Value | Behavior |
|-------|----------|
| true  | team-alice-prod → assigned to team-alice tenant |
| false | Requires explicit tenant annotation on namespace |

Recommended: true for simpler UX.

userGroups

List of groups that Capsule intercepts for tenant operations.

userGroups:
  - "capsule.clastix.io"  # Default group
  - "developers"           # Custom group

Users/ServiceAccounts must be in one of these groups for Capsule to apply tenant policies.

Tenant Configuration

owners

List of entities that can manage the tenant’s namespaces.

ServiceAccount (used in kup6s):

owners:
  - name: "system:serviceaccount:capsule-system:bd-sa"
    kind: "ServiceAccount"

User:

owners:
  - name: "alice@example.com"
    kind: "User"

Group:

owners:
  - name: "developers"
    kind: "Group"

namespaceQuota

Maximum number of namespaces the tenant can create.

namespaceQuota: 10  # Tenant can create up to 10 namespaces

Set to 0 or omit for unlimited.

resourceQuotas

Aggregated resource limits across all tenant namespaces.

resourceQuotas:
  requests:
    cpu: "8"         # Total CPU requests
    memory: "16Gi"   # Total memory requests
  limits:
    cpu: "16"        # Total CPU limits
    memory: "32Gi"   # Total memory limits

Note: These are aggregate limits. If a tenant has 4 namespaces, the total resources across all 4 cannot exceed these limits.
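A pre-deployment check over the operator and tenant settings described above, added here as an example; it is not part of Capsule or of this deployment's code. It assumes config.yaml has already been parsed into a dict (for instance with a YAML library's safe loader). The function names, the finding messages and the "qa" tenant are hypothetical, and the request-versus-limit comparison is a consistency check chosen for this example, not a rule stated on this page.

```python
import re
from fractions import Fraction

# Quantity suffixes that appear on this page ("m", "Mi", "Gi"), plus Ki and Ti.
SUFFIX = {"": 1, "m": Fraction(1, 1000), "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
SA_NAME = re.compile(r"system:serviceaccount:[a-z0-9-]+:[a-z0-9.-]+")
KINDS = {"User", "Group", "ServiceAccount"}

def quantity(text):
    """Convert a quantity such as "500m" or "32Gi" to an exact number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m|Ki|Mi|Gi|Ti)?", str(text))
    if not m:
        raise ValueError(f"unsupported quantity: {text!r}")
    return Fraction(m.group(1)) * SUFFIX[m.group(2) or ""]

def lint(config):
    """Return findings for a parsed config.yaml (a dict); an empty list means clean."""
    out = []
    if config.get("operator", {}).get("forceTenantPrefix") is not True:
        out.append("operator: forceTenantPrefix is not true")
    for t in config.get("tenants", []):
        name = t.get("name", "<unnamed>")
        for o in t.get("owners") or []:
            if o.get("kind") not in KINDS:
                out.append(f"{name}: unknown owner kind {o.get('kind')!r}")
            elif o["kind"] == "ServiceAccount" and not SA_NAME.fullmatch(o.get("name", "")):
                out.append(f"{name}: ServiceAccount owner is not system:serviceaccount:<ns>:<name>")
        if not t.get("namespaceQuota"):
            out.append(f"{name}: namespaceQuota is 0 or omitted, so namespaces are unlimited")
        quotas = t.get("resourceQuotas") or {}
        for res, req in quotas.get("requests", {}).items():
            lim = quotas.get("limits", {}).get(res)
            if lim is None:
                out.append(f"{name}: aggregate {res} request has no matching limit")
            elif quantity(req) > quantity(lim):
                out.append(f"{name}: aggregate {res} request {req} exceeds limit {lim}")
    return out

# Constructed sample: tenant "bd" as on this page, and a deliberately flawed tenant "qa".
SAMPLE = {"operator": {"forceTenantPrefix": True}, "tenants": [
    {"name": "bd", "namespaceQuota": 20,
     "owners": [{"name": "system:serviceaccount:capsule-system:bd-sa", "kind": "ServiceAccount"}],
     "resourceQuotas": {"requests": {"cpu": "16", "memory": "32Gi"},
                        "limits": {"cpu": "32", "memory": "64Gi"}}},
    {"name": "qa", "namespaceQuota": 0,
     "owners": [{"name": "qa-sa", "kind": "ServiceAccount"}],
     "resourceQuotas": {"requests": {"cpu": "8", "memory": "64Gi"},
                        "limits": {"cpu": "4000m", "memory": "32768Mi"}}}]}
```

Calling lint(SAMPLE) reports nothing for "bd" and four findings for "qa": the short owner name, the unlimited namespace count, and both aggregate requests exceeding their limits.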

Resource Defaults

Operator Resources

Resource allocation for Capsule operator:

| Resource | Request | Limit |
|----------|---------|-------|
| CPU      | 100m    | 500m  |
| Memory   | 256Mi   | 512Mi |

These values were increased from defaults to prevent TLS certificate generation timeouts during operator startup.

Generated Resources

The CDK8S build generates:

  1. Namespace - capsule-system

  2. HelmChart - Capsule operator (K3S native Helm controller)

  3. ServiceAccount - One per tenant owner (for ServiceAccount-type owners)

  4. ClusterRoleBinding - Grants capsule-namespace-provisioner to each ServiceAccount

  5. Tenant - One per tenant definition