Skip to content

feat: add action type for rules and regexp cache#1957

Merged
oliverbaehler merged 130 commits into
projectcapsule:mainfrom
oliverbaehler:feat/action-type
Jun 8, 2026
Merged

feat: add action type for rules and regexp cache#1957
oliverbaehler merged 130 commits into
projectcapsule:mainfrom
oliverbaehler:feat/action-type

Conversation

@oliverbaehler

@oliverbaehler oliverbaehler commented Jun 8, 2026

Copy link
Copy Markdown
Collaborator

No description provided.

Copilot AI review requested due to automatic review settings June 8, 2026 15:03
oliverbaehler and others added 28 commits June 8, 2026 17:05
@oliverbaehler
fix(controller): decode old object for delete requests
1ce892c 
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
chore: modernize golang
9bd35df 
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
chore: modernize golang
f386271 
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
chore: modernize golang
30e9808 
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update codecov/codecov-action action to v5.5.2 (projectc…
2e2e701 
…apsule#1783)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update anchore/sbom-action digest to 43a17d6 (projectcap…
b2a388a 
…sule#1781)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module k8s.io/dynamic-resource-allocation to v0.34.3 (
c8df3d2 
projectcapsule#1786)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module k8s.io/apiextensions-apiserver to v0.34.3 (p…
ca1e870 
…rojectcapsule#1785)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix(controller): allow no spaces in template references (projectcapsu…
c2cdc1c 
…le#1789)

* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(controller): allow no spaces in template references

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(controller): allow no spaces in template references

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update securego/gosec action to v2.22.11 (projectcapsule…
a5a2b77 
…#1788)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update all-ci-updates (projectcapsule#1791)
8744069 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update k8s.io/utils digest to 61b37f7 (projectcapsule#1801)
202308e 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix(controller): template concurrency (projectcapsule#1802)
b6442a7 
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update all-ci-updates (projectcapsule#1795)
225d215 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update dependency kubernetes-sigs/kind to v0.31.0 (proje…
8f7f815 
…ctcapsule#1796)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update kubernetes packages to v0.35.0 (projectcapsule#1797)
538b23d 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module k8s.io/dynamic-resource-allocation to v0.35.0 (
dfb57f7 
projectcapsule#1798)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @Svarrogh1337 @oliverbaehler
chore(deps): update dependency kubernetes-sigs/controller-tools to v0…
640e5f8 
….20.0 (projectcapsule#1799)

* chore(deps): update dependency kubernetes-sigs/controller-tools to v0.20.0

* chore(deps): update dependency kubernetes-sigs/controller-tools to v0.20.0

Signed-off-by: Hristo Hristov <me@hhristov.info>

---------

Signed-off-by: Hristo Hristov <me@hhristov.info>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update k8s.io/utils digest to 98d557b (projectcapsule#1803)
620cdf3 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update all-ci-updates (projectcapsule#1793)
36764bf 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.3 (projec…
15e7c6b 
…tcapsule#1776)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update github/codeql-action digest to f67ec12 (projectca…
3f0fa4d 
…psule#1790)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update dependency google/ko to v0.18.1 (projectcapsule#1792
d3bfaa7 
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module github.com/onsi/gomega to v1.38.3 (projectca…
fe0f0c8 
…psule#1777)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module sigs.k8s.io/cluster-api to v1.12.1 (projectc…
fd0fb51 
…apsule#1784)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update k8s.io/utils digest to 383b50a (projectcapsule#1804)
bb14820 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update actions/stale digest to a21a081 (projectcapsule#1808
d8e3da5 
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@Svarrogh1337 @oliverbaehler
chore: adjust makefile and releaser for kubernetes 1.35 (projectcapsu…
9a97e95 
…le#1809)

* chore: adjust makefile and releaser for kubernetes 1.35

Signed-off-by: Hristo Hristov <me@hhristov.info>

* chore: adjust makefile and releaser for kubernetes 1.35

Signed-off-by: Hristo Hristov <me@hhristov.info>

---------

Signed-off-by: Hristo Hristov <me@hhristov.info>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
renovate Bot and others added 22 commits June 8, 2026 17:05
@renovate @oliverbaehler
fix(deps): update module go.uber.org/zap to v1.28.0 (projectcapsule#1904
069bef1 
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix: avoid rejection when users are classified as administrators (pro…
15d7ac6 
…jectcapsule#1941)

* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix: avoid rejection when users are classified as administrators

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update capsule-proxy docker tag to v0.13.2 (projectcapsu…
3162deb 
…le#1942)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module sigs.k8s.io/gateway-api to v1.5.1 (projectca…
33de7e4 
…psule#1878)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@sandert-k8s @oliverbaehler
chore: typo in ruleset description crd (projectcapsule#1944)
8615552 
Signed-off-by: sandert-k8s <sandert98@gmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@sandert-k8s @oliverbaehler
feat: add tenant list to status of capsuleconfiguration (projectcapsu…
6230ab4 
…le#1935)

Signed-off-by: sandert-k8s <sandert98@gmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix: correct tls reconciler and add tenantowners (projectcapsule#1946)
1a7f01e 
* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix: tls controller

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* feat: add tenantowner tenant status reference

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* fix: tlsreconciler only patches cabundles

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* chore: refactor logger usage

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix: tlsreconciler only patches cabundles

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* fix: tlsreconciler only patches cabundles

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@sandert-k8s @oliverbaehler
chore: fix typo (projectcapsule#1945)
84dcf7b 
* chore: typo in ruleset description crd

Signed-off-by: sandert-k8s <sandert98@gmail.com>

* chore: fix typo

Signed-off-by: sandert-k8s <sandert98@gmail.com>

---------

Signed-off-by: sandert-k8s <sandert98@gmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix: allow managed metadata defined per tenant (projectcapsule#1947)
85d242b 
* fix: allow managed metadata defined per tenant

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* fix: allow managed metadata defined per tenant

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

---------

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
feat: action type
89846da 
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix: preserve ca-bundles injected from external providers (projectcap…
6ee9d93 
…sule#1948)

* fix: preserve ca-bundles injected from external providers  (projectcapsule#1948)

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
fix(deps): update module sigs.k8s.io/cluster-api to v1.13.2 (projectc…
b3a7fa6 
…apsule#1874)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
feat(deps): bump golang 1.26.4 (projectcapsule#1949)
79b776b 
* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix: preserve ca-bundles injected from external providers

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* feat(deps): bump golang 1.26.4

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* feat(deps): bump golang 1.26.4

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update capsule-proxy docker tag to v0.13.3 (projectcapsu…
c7ccb5b 
…le#1950)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@renovate @oliverbaehler
chore(deps): update all-ci-updates (projectcapsule#1902)
621ad99 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix: best effort patch reconciling status (projectcapsule#1952)
1badd1a 
* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix: preserve ca-bundles injected from external providers

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* fix: best effort patch reconciling status

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix: use different match strategy for truthy and match (projectcapsul…
f04ff08 
…e#1953)

* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix: preserve ca-bundles injected from external providers

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* fix: best effort patch reconciling status

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* fix: use different match strategy for truthy and match

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
progress
3826bb7 
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
feat: add registry
4d8f50b 
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
feat: add registry
05a83c5 
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@bakito @oliverbaehler
chore: update all gihub actions, use digest versioning and remove obs…
447713e 
…olete docs-lint workflow (projectcapsule#1955)

Signed-off-by: bakito <github@bakito.ch>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
fix: translate serviceaccounts to type serviceaccount not user (proje…
e9f3170 
…ctcapsule#1956)

* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix: preserve ca-bundles injected from external providers

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

* fix: translate serviceaccounts to type serviceaccount not user

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
Copilot AI reviewed Jun 8, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

@oliverbaehler
feat: add improved registry enforcement
0cdfffa 
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler
feat: add improved registry enforcement
aefeb05 
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
Copilot AI review requested due to automatic review settings June 8, 2026 17:50
Copilot AI reviewed Jun 8, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 38 out of 40 changed files in this pull request and generated 4 comments.

Files not reviewed (2)
  • api/v1beta1/zz_generated.deepcopy.go: Language not supported
  • api/v1beta2/zz_generated.deepcopy.go: Language not supported

Comment thread pkg/tenant/rules.go
Comment on lines +73 to +91
normalized := rules.NamespaceRuleBodyNamespace{
Enforce: rules.NamespaceRuleEnforceBody{
Action: rule.Enforce.Action,
Registries: append(
[]rules.OCIRegistry(nil),
rule.Enforce.Registries...,
),
},
}

if normalized.Enforce.Action == "" {
normalized.Enforce.Action = rules.ActionTypeDeny
}

if len(normalized.Enforce.Registries) == 0 {
continue
}

out = append(out, &normalized)
Comment thread internal/controllers/rulestatus/manager.go
Comment on lines +151 to 165
normalized := *rule
normalized.Enforce = rule.Enforce

normalized.Enforce.Registries = append(
[]rules.OCIRegistry(nil),
rule.Enforce.Registries...,
)

// Keep status compact: skip empty enforce blocks.
if len(normalized.Enforce.Registries) == 0 {
continue
}

ruleStatus = append(ruleStatus, &normalized)
}
Comment thread internal/controllers/cfg/invalidator/regex.go
Comment on lines +71 to +78
for _, registry := range rule.Enforce.Registries {
expr := registry.RegExpression
if expr.Expression == "" {
continue
}

set[cache.HashRegex(expr)] = expr
}
Comment thread internal/webhook/pod/registry.go
Comment on lines +480 to +487
recorder.Eventf(
pod,
tnt,
corev1.EventTypeWarning,
evt.ReasonForbiddenContainerRegistry,
evt.ActionValidationDenied,
msg,
)
@oliverbaehler oliverbaehler merged commit 327296a into projectcapsule:main Jun 8, 2026
20 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@oliverbaehler @Svarrogh1337 @sandert-k8s @AkashKumar7902 @bakito @alan747271363-art