projectcapsule · oliverbaehler · Jun 8, 2026 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
diff --git a/api/v1beta1/tenant_types.go b/api/v1beta1/tenant_types.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/projectcapsule/capsule/pkg/api"
 	"github.com/projectcapsule/capsule/pkg/api/rbac"
+	"github.com/projectcapsule/capsule/pkg/api/rules"
 )
 
 // TenantSpec defines the desired state of Tenant.
@@ -39,7 +40,7 @@ type TenantSpec struct {
 	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
 	AdditionalRoleBindings []rbac.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
 	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
-	ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
+	ImagePullPolicies []rules.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
 	// Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
 	PriorityClasses *api.AllowedListSpec `json:"priorityClasses,omitempty"`
 }

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/api/v1beta2/rule_status_type.go b/api/v1beta2/rule_status_type.go
@@ -6,8 +6,8 @@ package v1beta2
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/projectcapsule/capsule/pkg/api"
 	"github.com/projectcapsule/capsule/pkg/api/meta"
+	"github.com/projectcapsule/capsule/pkg/api/rules"
 )
 
 // RuleStatus contains the accumulated rules applying to namespace it's deployed in.
@@ -16,25 +16,29 @@ type RuleStatusStatus struct {
 	// ObservedGeneration is the most recent generation the controller has observed.
 	// +optional
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
-	// Managed Enforcement properties per Namespace (aggregated from rules)
-	//+optional
-	Rule api.NamespaceRuleBodyNamespace `json:"rule,omitzero"`
+	// Deprecated: use Rules.
+	// Rule contains a legacy flattened view and cannot fully represent action-aware rules.
+	// +optional
+	Rule rules.NamespaceRuleBodyNamespace `json:"rule,omitzero"`
+	// Rules contains the effective namespace rules after tenant rule selection.
+	// Order is preserved from the originating Tenant rules.
+	// +optional
+	Rules []*rules.NamespaceRuleBodyNamespace `json:"rules,omitempty"`
 	// Conditions
 	Conditions meta.ConditionList `json:"conditions"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Ready Status"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="Ready Message"
 type RuleStatus struct {
-	metav1.TypeMeta `json:",inline"`
-
-	// +optional
+	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitzero"`
 
 	// +optional
-	Spec []*api.NamespaceRuleBodyNamespace `json:"spec,omitzero"`
+	Spec []*rules.NamespaceRuleBodyNamespace `json:"spec,omitzero"`
 
 	// +optional
 	Status RuleStatusStatus `json:"status,omitzero"`

diff --git a/api/v1beta2/tenant_status.go b/api/v1beta2/tenant_status.go
@@ -6,9 +6,9 @@ package v1beta2
 import (
 	k8stypes "k8s.io/apimachinery/pkg/types"
 
-	"github.com/projectcapsule/capsule/pkg/api"
 	"github.com/projectcapsule/capsule/pkg/api/meta"
 	"github.com/projectcapsule/capsule/pkg/api/rbac"
+	"github.com/projectcapsule/capsule/pkg/api/rules"
 )
 
 // +kubebuilder:validation:Enum=Cordoned;Active;Terminating
@@ -72,7 +72,7 @@ type TenantStatusRuleStatusItem struct {
 
 type TenantStatusNamespaceEnforcement struct {
 	// Registries which are allowed within this namespace
-	Registries []api.OCIRegistry `json:"registry,omitempty"`
+	Registries []rules.OCIRegistry `json:"registry,omitempty"`
 }
 
 type TenantStatusNamespaceMetadata struct {

diff --git a/api/v1beta2/tenant_types.go b/api/v1beta2/tenant_types.go
@@ -13,6 +13,7 @@ import (
 	"github.com/projectcapsule/capsule/pkg/api"
 	"github.com/projectcapsule/capsule/pkg/api/meta"
 	"github.com/projectcapsule/capsule/pkg/api/rbac"
+	"github.com/projectcapsule/capsule/pkg/api/rules"
 	"github.com/projectcapsule/capsule/pkg/runtime/selectors"
 )
 
@@ -32,7 +33,7 @@ type TenantSpec struct {
 	//
 	// Read More: https://projectcapsule.dev/docs/tenants/rules/
 	//+optional
-	Rules []*api.NamespaceRuleBodyTenant `json:"rules,omitzero"`
+	Rules []*rules.NamespaceRuleBodyTenant `json:"rules,omitzero"`
 
 	// Specifies the owners of the Tenant.
 	// Optional
@@ -96,7 +97,7 @@ type TenantSpec struct {
 	// Deprecated: Use Enforcement.Registries instead
 	//
 	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
-	ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
+	ImagePullPolicies []rules.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
 
 	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
 	//

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go