diff --git a/docs/operator/use-cases/namespace-labels-and-annotations.md b/docs/operator/use-cases/namespace-labels-and-annotations.md new file mode 100644 index 00000000..36a6434b --- /dev/null +++ b/docs/operator/use-cases/namespace-labels-and-annotations.md @@ -0,0 +1,30 @@ +# Denying user-defined labels or annotations + +By default, capsule allows tenant owners to add and modify any label or annotation on their namespaces. + +But there are some scenarios, when tenant owners should not have an ability to add or modify specific labels or annotations (for example, this can be labels used in [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) which are added by cluster administrator). + +Bill, the cluster admin, can deny Alice to add specific labels and annotations on namespaces: + +```yaml +kubectl apply -f - << EOF +apiVersion: capsule.clastix.io/v1beta1 +kind: Tenant +metadata: + name: oil + annotations: + capsule.clastix.io/forbidden-namespace-labels: foo.acme.net, bar.acme.net + capsule.clastix.io/forbidden-namespace-labels-regexp: .*.acme.net + capsule.clastix.io/forbidden-namespace-annotations: foo.acme.net, bar.acme.net + capsule.clastix.io/forbidden-namespace-annotations-regexp: .*.acme.net +spec: + owners: + - name: alice + kind: User +EOF +``` + +# What’s next +This ends our tour in Capsule use cases. As we improve Capsule, more use cases about multi-tenancy, policy admission control, and cluster governance will be covered in the future. + +Stay tuned! \ No newline at end of file diff --git a/docs/operator/use-cases/overview.md b/docs/operator/use-cases/overview.md index e87dc527..32a2c94a 100644 --- a/docs/operator/use-cases/overview.md +++ b/docs/operator/use-cases/overview.md 
@@ -40,6 +40,7 @@ Use Capsule to address any of the following scenarios: * [Cordon Tenants](./cordoning-tenant.md) * [Disable Service Types](./service-type.md) * [Taint Services](./taint-services.md) +* [Allow adding labels and annotations on namespaces](./namespace-labels-and-annotations.md) * [Velero Backup Restoration](./velero-backup-restoration.md) > NB: as we improve Capsule, more use cases about multi-tenancy and cluster governance will be covered. diff --git a/docs/operator/use-cases/taint-services.md b/docs/operator/use-cases/taint-services.md index e6936f05..fd427984 100644 --- a/docs/operator/use-cases/taint-services.md +++ b/docs/operator/use-cases/taint-services.md @@ -25,6 +25,4 @@ EOF When Alice creates a service in a namespace, this will inherit the given label and/or annotation. # What’s next -This ends our tour in Capsule use cases. As we improve Capsule, more use cases about multi-tenancy, policy admission control, and cluster governance will be covered in the future. - -Stay tuned! \ No newline at end of file +See how Bill, the cluster admin, can allow Alice to use specific labels or annotations. [Allow adding labels and annotations on namespaces](./namespace-labels-and-annotations.md).
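Review bot: In the new namespace-labels-and-annotations.md hunk, the regexp values `.*.acme.net` are unescaped and unanchored, so the `.` before `acme` matches any character and the pattern also matches keys such as `fooXacme.net` or `foo.acme.network`; if the intent is "any key under the acme.net suffix", write `.*\.acme\.net$` for both `forbidden-namespace-labels-regexp` and `forbidden-namespace-annotations-regexp`. Because these annotations gate which labels a tenant owner may set on namespaces (the text cites network-policy selectors as the motivation), the doc should spell out the matching semantics: whether the list values are trimmed of whitespace (`foo.acme.net, bar.acme.net` has a space after the comma) and whether the regexp is matched against the whole key or a substring. Two smaller points in the same hunk: the fence is tagged `yaml` but its first line is the shell command `kubectl apply -f - << EOF`, so tag it `bash` or move the command outside the fence as the other use-case pages do; and "By default, capsule allows" / "should not have an ability to add" read better as "By default, Capsule allows" / "should not be able to add".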
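Review bot: The new overview.md entry is titled "Allow adding labels and annotations on namespaces", but the page it links to is headed "Denying user-defined labels or annotations" and documents the `forbidden-namespace-*` annotations, so the list item describes the opposite of what the page does; rename it to match the page title, e.g. `* [Deny user-defined labels and annotations on namespaces](./namespace-labels-and-annotations.md)`, so a reader scanning the use-case list is not led to expect an allow-list feature.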
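Review bot: The replacement "What's next" line in taint-services.md says Bill "can allow Alice to use specific labels or annotations", which again inverts the linked page's content (it shows how to forbid specific labels and annotations); suggest a single sentence that matches the page, e.g. `See how Bill, the cluster admin, can [deny Alice from adding specific labels or annotations on namespaces](./namespace-labels-and-annotations.md).`, which also removes the dangling period after the bracketed link. The removed lines carried `\ No newline at end of file`; make sure the new file ends with a newline so the next edit to this page does not produce another spurious end-of-file hunk.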