What's New ✨

Security 🔒

• Advisory GHSA-qjjm-7j9w-pw72 - High - Users can create cluster scoped resources anywhere in the cluster if they are allowed to create TenantResources. To immediately mitigate this, make sure to use Impersonation for TenantResources.

• Advisory GHSA-2ww6-hf35-mfjm - Moderate - Users may hijack namespaces via namespaces/status privileges. These privileges must have been explicitly granted by Platform Administrators through RBAC rules to be affected. Requests for the namespaces/status subresource are now sent to the Capsule admission webhook as well.

• (Enterprise): Projectcapsule is now providing their releases on an immutable OCI registry, which allows users to verify the integrity of the images and provides a more secure way to distribute the images. Which is not possible on GHCR due to the fact that GHCR does not support immutability of images.

Breaking Changes ⚠️

• By default, Capsule now uses self-signed cert-manager certificates for its admission webhooks. This used to be an optional setting and has now become the default. If you don’t have cert-manager installed, you must explicitly re-enable the Capsule TLS controller as documented here.

Features ✨

• Add new Quota System with GlobalCustomQuotas and CustomQuotas. Read More.
• Complete Renovation of Replications Read More.
• Introducing new rule approach for tenant enforcement Read More.
• Added RequiredMetadata for Namespaces created in a Tenant Read More.
• Introducing new OCI Registry enforcement Read More
• Added rule-based promotions for ServiceAccounts in Tenants Read More.
• Added Implicit Assignment of TenantOwner Read More.
• Added Aggregation of TenantOwner Read More.
• Introducing data field for Tenants Read More.
• Added new label projectcapsule.dev/tenant which is added for all namespaced resources belonging to a Tenant Read More.
• Added configuration options for managed RBAC Read More
• Added configuration options for Impersonation Read More
• Added configuration options for Cache invalidation Read More
• Added configuration options for Dynamic Admission Webhooks Read More
• Added Built-In Installation for Gangplank with the Capsule Proxy Read More

Fixes 🐛

• Fixed ResourcePool resource quota calculation when multiple ResourcePoolClaims are present in a namespace but not everything is used. For details, see ResourcePools bound behavior.
• Improved matchConditions for admission webhooks that intercept all namespaced items, to avoid processing subresource requests and Events, improving performance and reducing log noise.
• Namespaces are considered active until all unmanaged namespaced resources are deleted. Read More
• PersistentVolumeClaims support now providing .spec.selector. When .spec.selector is provided we always aggregate a custom matchExpressions for the PersistentVolumeClaims to ensure that only the PersistentVolumeClaims created in the Tenant can mount PersistentVolumes provisioned from/for the same Tenant Read More

Documentation 📚

We have added new documentation for a better experience. See the following topics:

• Improved installation overview
• Capsule strict RBAC installation

Ecosystem 🌐

Newly added documentation to integrate Capsule with other applications:

• CoreDNS Plugin (Community Contribution)
• Argo CD
• Flux CD

Project Updates 💫

• Incubating Sander (ODC Noord) as Maintainer for documentation and website improvements.

Roadmap 🗺️

In the upcoming releases we are planning to work on the following features:

• Capsule: Porting more Properties to the Namespace Rule Approach.
• Capsule: Adding transformers for Global/TenantResources.
• Capsule: Adding healthChecks for Global/TenantResources.
• Capsule: Introducing Break-The-Glass to allow temporary elevation of permissions for Tenant Owners, with an approval process by Platform Administrators.
• Capsule: Adding custom health checks for ArgoCD to upstream
• Capsule: Adding Generic Implementation for Global/TenantResources.
• Website: Improving the documentation with more examples and use-cases.
• Capsule-Proxy: Bringing back RBAC reflection to Capsule-Proxy (Generic Namespaced List Permissions)
• Capsule-Proxy: Deprecating ProxySettings on Tenants in favour of GlobalProxySettings

Events 📅

• Capsule Roundtable Summer 2026 🇨🇭
  • We are planning to host a Capsule Roundtable in Summer 2026 in Switzerland (28. Mai 2026). The exact date and location will be announced soon, but we are looking forward to meeting the community in person and discussing the future of Capsule. If you are interested in attending or want to know more about the event, feel free to reach out to us. The event is intended for users to present their use-cases and share their experiences with the project, as well as for us to present the roadmap and gather feedback from the community (Not a sales event).