projectcapsule · oliverbaehler · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025
diff --git a/content/en/docs/proxy/reference.md b/content/en/docs/proxy/reference.md
@@ -28,12 +28,14 @@ Resource Types:
 
 GlobalProxySettings is the Schema for the globalproxysettings API.
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
 | **apiVersion** | string | capsule.clastix.io/v1beta1 | true |
 | **kind** | string | GlobalProxySettings | true |
 | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
-| **[spec](#globalproxysettingsspec)** | object | GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | false |
+| **[spec](#globalproxysettingsspec)** | object |GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. 
+| false |
 
 
 ### GlobalProxySettings.spec
@@ -42,9 +44,11 @@ GlobalProxySettings is the Schema for the globalproxysettings API.
 
 GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **[rules](#globalproxysettingsspecrulesindex)** | []object | Subjects that should receive additional permissions.<br>The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.<br>However they must be part of the capsule-user groups. | true |
+| **[rules](#globalproxysettingsspecrulesindex)** | []object |Subjects that should receive additional permissions.<br>The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.<br>However they must be part of the capsule-user groups. 
+| true |
 
 
 ### GlobalProxySettings.spec.rules[index]
@@ -53,10 +57,13 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
 
 
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **[subjects](#globalproxysettingsspecrulesindexsubjectsindex)** | []object | Subjects that should receive additional permissions.<br>The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.<br>However they must be part of the capsule-user groups. | true |
-| **[clusterResources](#globalproxysettingsspecrulesindexclusterresourcesindex)** | []object | Cluster Resources for tenant Owner. | false |
+| **[subjects](#globalproxysettingsspecrulesindexsubjectsindex)** | []object |Subjects that should receive additional permissions.<br>The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.<br>However they must be part of the capsule-user groups. 
+| true |
+| **[clusterResources](#globalproxysettingsspecrulesindexclusterresourcesindex)** | []object |Cluster Resources for tenant Owner. 
+| false |
 
 
 ### GlobalProxySettings.spec.rules[index].subjects[index]
@@ -65,10 +72,13 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
 
 
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".<br/>*Enum*: User, Group, ServiceAccount<br/> | true |
-| **name** | string | Name of tenant owner. | true |
+| **kind** | enum |Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".<br/>*Enum*: User, Group, ServiceAccount<br/> 
+| true |
+| **name** | string |Name of tenant owner. 
+| true |
 
 
 ### GlobalProxySettings.spec.rules[index].clusterResources[index]
@@ -77,12 +87,17 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
 
 
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true |
-| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true |
-| **[selector](#globalproxysettingsspecrulesindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.<br>Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true |
-| **operations** | []enum | Operations which can be executed on the selected resources.<br>Deprecated: For all registered Routes only LIST ang GET requests will intercepted<br>Other permissions must be implemented via kubernetes native RBAC<br/>*Enum*: List, Update, Delete<br/> | false |
+| **apiGroups** | []string |APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. 
+| true |
+| **resources** | []string |Resources is a list of resources this rule applies to. '*' represents all resources. 
+| true |
+| **[selector](#globalproxysettingsspecrulesindexclusterresourcesindexselector)** | object |Select all cluster scoped resources with the given label selector.<br>Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). 
+| true |
+| **operations** | []enum |<span style="color:red;font-weight:bold">Operations which can be executed on the selected resources.<br>Deprecated: For all registered Routes only LIST ang GET requests will intercepted<br>Other permissions must be implemented via kubernetes native RBAC</span><br/>*Enum*: List, Update, Delete<br/> 
+| false |
 
 
 ### GlobalProxySettings.spec.rules[index].clusterResources[index].selector
@@ -92,10 +107,13 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
 Select all cluster scoped resources with the given label selector.
 Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists).
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **[matchExpressions](#globalproxysettingsspecrulesindexclusterresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
-| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels<br>map is equivalent to an element of matchExpressions, whose key field is "key", the<br>operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+| **[matchExpressions](#globalproxysettingsspecrulesindexclusterresourcesindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+| false |
+| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels<br>map is equivalent to an element of matchExpressions, whose key field is "key", the<br>operator is "In", and the values array contains only "value". The requirements are ANDed. 
+| false |
 
 
 ### GlobalProxySettings.spec.rules[index].clusterResources[index].selector.matchExpressions[index]
@@ -105,11 +123,15 @@ Defining a selector which does not match any resources is considered not selecta
 A label selector requirement is a selector that contains values, a key, and an operator that
 relates the key and values.
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **key** | string | key is the label key that the selector applies to. | true |
-| **operator** | string | operator represents a key's relationship to a set of values.<br>Valid operators are In, NotIn, Exists and DoesNotExist. | true |
-| **values** | []string | values is an array of string values. If the operator is In or NotIn,<br>the values array must be non-empty. If the operator is Exists or DoesNotExist,<br>the values array must be empty. This array is replaced during a strategic<br>merge patch. | false |
+| **key** | string |key is the label key that the selector applies to. 
+| true |
+| **operator** | string |operator represents a key's relationship to a set of values.<br>Valid operators are In, NotIn, Exists and DoesNotExist. 
+| true |
+| **values** | []string |values is an array of string values. If the operator is In or NotIn,<br>the values array must be non-empty. If the operator is Exists or DoesNotExist,<br>the values array must be empty. This array is replaced during a strategic<br>merge patch. 
+| false |
 
 ## ProxySetting
 
@@ -120,12 +142,14 @@ relates the key and values.
 
 ProxySetting is the Schema for the proxysettings API.
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
 | **apiVersion** | string | capsule.clastix.io/v1beta1 | true |
 | **kind** | string | ProxySetting | true |
 | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
-| **[spec](#proxysettingspec)** | object | ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.<br>Resource is Namespace-scoped and applies the settings to the belonged Tenant. | false |
+| **[spec](#proxysettingspec)** | object |ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.<br>Resource is Namespace-scoped and applies the settings to the belonged Tenant. 
+| false |
 
 
 ### ProxySetting.spec
@@ -135,9 +159,11 @@ ProxySetting is the Schema for the proxysettings API.
 ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.
 Resource is Namespace-scoped and applies the settings to the belonged Tenant.
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **[subjects](#proxysettingspecsubjectsindex)** | []object | Subjects that should receive additional permissions. | true |
+| **[subjects](#proxysettingspecsubjectsindex)** | []object |Subjects that should receive additional permissions. 
+| true |
 
 
 ### ProxySetting.spec.subjects[index]
@@ -146,12 +172,17 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant.
 
 
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"<br/>*Enum*: User, Group, ServiceAccount<br/> | true |
-| **name** | string | Name of tenant owner. | true |
-| **[clusterResources](#proxysettingspecsubjectsindexclusterresourcesindex)** | []object | Cluster Resources for tenant Owner. | false |
-| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object | Proxy settings for tenant owner. | false |
+| **kind** | enum |Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"<br/>*Enum*: User, Group, ServiceAccount<br/> 
+| true |
+| **name** | string |Name of tenant owner. 
+| true |
+| **[clusterResources](#proxysettingspecsubjectsindexclusterresourcesindex)** | []object |Cluster Resources for tenant Owner. 
+| false |
+| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object |Proxy settings for tenant owner. 
+| false |
 
 
 ### ProxySetting.spec.subjects[index].clusterResources[index]
@@ -160,12 +191,17 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant.
 
 
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true |
-| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true |
-| **[selector](#proxysettingspecsubjectsindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.<br>Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true |
-| **operations** | []enum | Operations which can be executed on the selected resources.<br>Deprecated: For all registered Routes only LIST ang GET requests will intercepted<br>Other permissions must be implemented via kubernetes native RBAC<br/>*Enum*: List, Update, Delete<br/> | false |
+| **apiGroups** | []string |APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. 
+| true |
+| **resources** | []string |Resources is a list of resources this rule applies to. '*' represents all resources. 
+| true |
+| **[selector](#proxysettingspecsubjectsindexclusterresourcesindexselector)** | object |Select all cluster scoped resources with the given label selector.<br>Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). 
+| true |
+| **operations** | []enum |<span style="color:red;font-weight:bold">Operations which can be executed on the selected resources.<br>Deprecated: For all registered Routes only LIST ang GET requests will intercepted<br>Other permissions must be implemented via kubernetes native RBAC</span><br/>*Enum*: List, Update, Delete<br/> 
+| false |
 
 
 ### ProxySetting.spec.subjects[index].clusterResources[index].selector
@@ -175,10 +211,13 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant.
 Select all cluster scoped resources with the given label selector.
 Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists).
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **[matchExpressions](#proxysettingspecsubjectsindexclusterresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
-| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels<br>map is equivalent to an element of matchExpressions, whose key field is "key", the<br>operator is "In", and the values array contains only "value". The requirements are ANDed. | false |
+| **[matchExpressions](#proxysettingspecsubjectsindexclusterresourcesindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+| false |
+| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels<br>map is equivalent to an element of matchExpressions, whose key field is "key", the<br>operator is "In", and the values array contains only "value". The requirements are ANDed. 
+| false |
 
 
 ### ProxySetting.spec.subjects[index].clusterResources[index].selector.matchExpressions[index]
@@ -188,11 +227,15 @@ Defining a selector which does not match any resources is considered not selecta
 A label selector requirement is a selector that contains values, a key, and an operator that
 relates the key and values.
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **key** | string | key is the label key that the selector applies to. | true |
-| **operator** | string | operator represents a key's relationship to a set of values.<br>Valid operators are In, NotIn, Exists and DoesNotExist. | true |
-| **values** | []string | values is an array of string values. If the operator is In or NotIn,<br>the values array must be non-empty. If the operator is Exists or DoesNotExist,<br>the values array must be empty. This array is replaced during a strategic<br>merge patch. | false |
+| **key** | string |key is the label key that the selector applies to. 
+| true |
+| **operator** | string |operator represents a key's relationship to a set of values.<br>Valid operators are In, NotIn, Exists and DoesNotExist. 
+| true |
+| **values** | []string |values is an array of string values. If the operator is In or NotIn,<br>the values array must be non-empty. If the operator is Exists or DoesNotExist,<br>the values array must be empty. This array is replaced during a strategic<br>merge patch. 
+| false |
 
 
 ### ProxySetting.spec.subjects[index].proxySettings[index]
@@ -201,8 +244,11 @@ relates the key and values.
 
 
 
+
 | **Name** | **Type** | **Description** | **Required** |
 | :---- | :---- | :----------- | :-------- |
-| **kind** | enum | <br/>*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes<br/> | true |
-| **operations** | []enum | <br/>*Enum*: List, Update, Delete<br/> | true |
+| **kind** | enum |<br/>*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes<br/> 
+| true |
+| **operations** | []enum |<br/>*Enum*: List, Update, Delete<br/> 
+| true |
 
diff --git a/content/en/docs/tenants/enforcement.md b/content/en/docs/tenants/enforcement.md
@@ -350,7 +350,59 @@ Any attempt of Alice to change the selector on the `Pods` will result in an erro
 kubectl auth can-i edit ns -n solar-production
 no
 ```
+### Dynamic resource allocation (DRA)
+Dynamic Resource Allocation (DRA) is a Kubernetes capability that allows Pods to request and use shared resources, typically external devices such as hardware accelerators.
+See [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/dynamic-resource-allocation/) for more information.
 
+Bill can assign a set of dedicated `DeviceClasses` to tell the `solar` `Tenant` what devices they can request.
+```yaml
+apiVersion: resource.k8s.io/v1
+kind: DeviceClass
+metadata:
+  name: gpu.example.com
+  labels:
+    env: "production"
+spec:
+  selectors:
+    - cel:
+        expression: device.driver == 'gpu.example.com' && device.attributes['gpu.example.com'].type
+          == 'gpu'
+  extendedResourceName: example.com/gpu
+```
+
+```yaml
+apiVersion: capsule.clastix.io/v1beta2
+kind: Tenant
+metadata:
+  name: solar
+spec:
+  owners:
+    - name: alice
+      kind: User
+  deviceClasses:
+    matchLabels:
+      env: "production"
+```
+With the said Tenant specification, Alice can create a ResourceClaim or ResourceClaimTemplate resource if spec.devices.requests[].deviceClassName ( ResourceClaim) or spec.spec.devices.requests[].deviceClassName ( ResourceClaimTemplate) equals to:
+
+* Any DeviceClass, which has the label env with the value production
+
+If any of the devices in the ResourceClaim or ResourceClaimTemplate spec is going to use a non-allowed DeviceClass, the entire request will be rejected by the Validation Webhook enforcing it.
+
+Alice now can create a ResourceClaim using only an allowed DeviceClass:
+```yaml
+apiVersion: resource.k8s.io/v1
+kind: ResourceClaim
+metadata:
+  name: example-resource-claim
+  namespace: solar-production
+spec:
+  devices:
+    requests:
+      - name: gpu-request
+        exactly:
+          deviceClassName: 'gpu.example.com'
+```
 ## Connectivity
 
 ### Services