From 30d91d93c8b677fad0055f4be4623e6381eb4ad3 Mon Sep 17 00:00:00 2001 From: sandert-k8s Date: Wed, 14 Jan 2026 19:31:36 +0100 Subject: [PATCH 1/3] fix(makefile): fix crd reference table formatting and regenerate docs Signed-off-by: sandert-k8s --- content/en/docs/proxy/reference.md | 96 +- content/en/docs/reference.md | 1578 ++++++++++------------------ templates/crds.tmpl | 16 +- 3 files changed, 584 insertions(+), 1106 deletions(-) diff --git a/content/en/docs/proxy/reference.md b/content/en/docs/proxy/reference.md index 7b813d0..3e95d45 100644 --- a/content/en/docs/proxy/reference.md +++ b/content/en/docs/proxy/reference.md @@ -34,8 +34,7 @@ GlobalProxySettings is the Schema for the globalproxysettings API. | **apiVersion** | string | capsule.clastix.io/v1beta1 | true | | **kind** | string | GlobalProxySettings | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#globalproxysettingsspec)** | object |GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. -| false | +| **[spec](#globalproxysettingsspec)** | object | GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | false | ### GlobalProxySettings.spec @@ -47,8 +46,7 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[rules](#globalproxysettingsspecrulesindex)** | []object |Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. -| true | +| **[rules](#globalproxysettingsspecrulesindex)** | []object | Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. | true | ### GlobalProxySettings.spec.rules[index] @@ -60,10 +58,8 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[subjects](#globalproxysettingsspecrulesindexsubjectsindex)** | []object |Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. -| true | -| **[clusterResources](#globalproxysettingsspecrulesindexclusterresourcesindex)** | []object |Cluster Resources for tenant Owner. -| false | +| **[subjects](#globalproxysettingsspecrulesindexsubjectsindex)** | []object | Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. | true | +| **[clusterResources](#globalproxysettingsspecrulesindexclusterresourcesindex)** | []object | Cluster Resources for tenant Owner. | false | ### GlobalProxySettings.spec.rules[index].subjects[index] @@ -75,10 +71,8 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of tenant owner. -| true | +| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of tenant owner. | true | ### GlobalProxySettings.spec.rules[index].clusterResources[index] @@ -90,14 +84,10 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **apiGroups** | []string |APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. -| true | -| **resources** | []string |Resources is a list of resources this rule applies to. '*' represents all resources. -| true | -| **[selector](#globalproxysettingsspecrulesindexclusterresourcesindexselector)** | object |Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). -| true | -| **operations** | []enum |Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC

*Enum*: List, Update, Delete
-| false | +| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true | +| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true | +| **[selector](#globalproxysettingsspecrulesindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true | +| **operations** | []enum | Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC

*Enum*: List, Update, Delete
| false | ### GlobalProxySettings.spec.rules[index].clusterResources[index].selector @@ -110,10 +100,8 @@ Defining a selector which does not match any resources is considered not selecta | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#globalproxysettingsspecrulesindexclusterresourcesindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#globalproxysettingsspecrulesindexclusterresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### GlobalProxySettings.spec.rules[index].clusterResources[index].selector.matchExpressions[index] @@ -126,12 +114,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ## ProxySetting @@ -148,8 +133,7 @@ ProxySetting is the Schema for the proxysettings API. | **apiVersion** | string | capsule.clastix.io/v1beta1 | true | | **kind** | string | ProxySetting | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#proxysettingspec)** | object |ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.
Resource is Namespace-scoped and applies the settings to the belonged Tenant. -| false | +| **[spec](#proxysettingspec)** | object | ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.
Resource is Namespace-scoped and applies the settings to the belonged Tenant. | false | ### ProxySetting.spec @@ -162,8 +146,7 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[subjects](#proxysettingspecsubjectsindex)** | []object |Subjects that should receive additional permissions. -| true | +| **[subjects](#proxysettingspecsubjectsindex)** | []object | Subjects that should receive additional permissions. | true | ### ProxySetting.spec.subjects[index] @@ -175,14 +158,10 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of tenant owner. -| true | -| **[clusterResources](#proxysettingspecsubjectsindexclusterresourcesindex)** | []object |Cluster Resources for tenant Owner. -| false | -| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object |Proxy settings for tenant owner. -| false | +| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of tenant owner. | true | +| **[clusterResources](#proxysettingspecsubjectsindexclusterresourcesindex)** | []object | Cluster Resources for tenant Owner. | false | +| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object | Proxy settings for tenant owner. | false | ### ProxySetting.spec.subjects[index].clusterResources[index] @@ -194,14 +173,10 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **apiGroups** | []string |APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. -| true | -| **resources** | []string |Resources is a list of resources this rule applies to. '*' represents all resources. -| true | -| **[selector](#proxysettingspecsubjectsindexclusterresourcesindexselector)** | object |Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). -| true | -| **operations** | []enum |Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC

*Enum*: List, Update, Delete
-| false | +| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true | +| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true | +| **[selector](#proxysettingspecsubjectsindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true | +| **operations** | []enum | Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC

*Enum*: List, Update, Delete
| false | ### ProxySetting.spec.subjects[index].clusterResources[index].selector @@ -214,10 +189,8 @@ Defining a selector which does not match any resources is considered not selecta | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#proxysettingspecsubjectsindexclusterresourcesindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#proxysettingspecsubjectsindexclusterresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### ProxySetting.spec.subjects[index].clusterResources[index].selector.matchExpressions[index] @@ -230,12 +203,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### ProxySetting.spec.subjects[index].proxySettings[index] @@ -247,8 +217,6 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes
-| true | -| **operations** | []enum |
*Enum*: List, Update, Delete
-| true | +| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes
| true | +| **operations** | []enum |
*Enum*: List, Update, Delete
| true | diff --git a/content/en/docs/reference.md b/content/en/docs/reference.md index 718d832..3ec858f 100644 --- a/content/en/docs/reference.md +++ b/content/en/docs/reference.md @@ -45,8 +45,8 @@ CapsuleConfiguration is the Schema for the Capsule configuration API. | **apiVersion** | string | capsule.clastix.io/v1beta2 | true | | **kind** | string | CapsuleConfiguration | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#capsuleconfigurationspec)** | object |CapsuleConfigurationSpec defines the Capsule configuration. -| false | +| **[spec](#capsuleconfigurationspec)** | object | CapsuleConfigurationSpec defines the Capsule configuration. | true | +| **[status](#capsuleconfigurationstatus)** | object | CapsuleConfigurationStatus defines the Capsule configuration status. | false | ### CapsuleConfiguration.spec @@ -58,28 +58,17 @@ CapsuleConfigurationSpec defines the Capsule configuration. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **enableTLSReconciler** | boolean |Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
*Default*: true
-| true | -| **[administrators](#capsuleconfigurationspecadministratorsindex)** | []object |Define entities which can act as Administrators in the capsule construct
These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
be ignored by capsule. -| false | -| **allowServiceAccountPromotion** | boolean |ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant
this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant.
However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
*Default*: false
-| false | -| **forceTenantPrefix** | boolean |Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
*Default*: false
-| false | -| **ignoreUserWithGroups** | []string |Define groups which when found in the request of a user will be ignored by the Capsule
this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups. -| false | -| **[nodeMetadata](#capsuleconfigurationspecnodemetadata)** | object |Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes. -| false | -| **[overrides](#capsuleconfigurationspecoverrides)** | object |Allows to set different name rather than the canonical one for the Capsule configuration objects,
such as webhook secret or configurations.
*Default*: map[TLSSecretName:capsule-tls mutatingWebhookConfigurationName:capsule-mutating-webhook-configuration validatingWebhookConfigurationName:capsule-validating-webhook-configuration]
-| false | -| **protectedNamespaceRegex** | string |Disallow creation of namespaces, whose name matches this regexp -| false | -| **userGroups** | []string |Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)

Names of the groups considered as Capsule users.

*Default*: [capsule.clastix.io]
-| false | -| **userNames** | []string |Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)

Names of the users considered as Capsule users.
-| false | -| **[users](#capsuleconfigurationspecusersindex)** | []object |Define entities which are considered part of the Capsule construct
Users not mentioned here will be ignored by Capsule -| false | +| **enableTLSReconciler** | boolean | Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
*Default*: false
| true | +| **[administrators](#capsuleconfigurationspecadministratorsindex)** | []object | Define entities which can act as Administrators in the capsule construct
These entities are automatically owners for all existing tenants. Meaning they can add namespaces to any tenant. However they must be specific by using the capsule label
for interacting with namespaces. Because if that label is not defined, it's assumed that namespace interaction was not targeted towards a tenant and will therefor
be ignored by capsule. | false | +| **allowServiceAccountPromotion** | boolean | ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant
this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant.
However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
*Default*: false
| false | +| **forceTenantPrefix** | boolean | Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
*Default*: false
| false | +| **ignoreUserWithGroups** | []string | Define groups which when found in the request of a user will be ignored by the Capsule
this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups. | false | +| **[nodeMetadata](#capsuleconfigurationspecnodemetadata)** | object | Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes. | false | +| **[overrides](#capsuleconfigurationspecoverrides)** | object | Allows to set different name rather than the canonical one for the Capsule configuration objects,
such as webhook secret or configurations.
*Default*: map[TLSSecretName:capsule-tls mutatingWebhookConfigurationName:capsule-mutating-webhook-configuration validatingWebhookConfigurationName:capsule-validating-webhook-configuration]
| false | +| **protectedNamespaceRegex** | string | Disallow creation of namespaces, whose name matches this regexp | false | +| **userGroups** | []string | Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)

Names of the groups considered as Capsule users.
| false | +| **userNames** | []string | Deprecated: use users property instead (https://projectcapsule.dev/docs/operating/setup/configuration/#users)

Names of the users considered as Capsule users.
| false | +| **[users](#capsuleconfigurationspecusersindex)** | []object | Define entities which are considered part of the Capsule construct
Users not mentioned here will be ignored by Capsule | false | ### CapsuleConfiguration.spec.administrators[index] @@ -91,10 +80,8 @@ CapsuleConfigurationSpec defines the Capsule configuration. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of the entity. -| true | +| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of the entity. | true | ### CapsuleConfiguration.spec.nodeMetadata @@ -107,10 +94,8 @@ This applies only if the Tenant has an active NodeSelector, and the Owner have r | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[forbiddenAnnotations](#capsuleconfigurationspecnodemetadataforbiddenannotations)** | object |Define the annotations that a Tenant Owner cannot set for their nodes. -| true | -| **[forbiddenLabels](#capsuleconfigurationspecnodemetadataforbiddenlabels)** | object |Define the labels that a Tenant Owner cannot set for their nodes. -| true | +| **[forbiddenAnnotations](#capsuleconfigurationspecnodemetadataforbiddenannotations)** | object | Define the annotations that a Tenant Owner cannot set for their nodes. | false | +| **[forbiddenLabels](#capsuleconfigurationspecnodemetadataforbiddenlabels)** | object | Define the labels that a Tenant Owner cannot set for their nodes. | false | ### CapsuleConfiguration.spec.nodeMetadata.forbiddenAnnotations @@ -122,10 +107,8 @@ Define the annotations that a Tenant Owner cannot set for their nodes. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### CapsuleConfiguration.spec.nodeMetadata.forbiddenLabels @@ -137,10 +120,8 @@ Define the labels that a Tenant Owner cannot set for their nodes. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### CapsuleConfiguration.spec.overrides 
@@ -153,12 +134,9 @@ such as webhook secret or configurations. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **TLSSecretName** | string |Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is deployed.
*Default*: capsule-tls
-| true | -| **mutatingWebhookConfigurationName** | string |Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-mutating-webhook-configuration
-| true | -| **validatingWebhookConfigurationName** | string |Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-validating-webhook-configuration
-| true | +| **TLSSecretName** | string | Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is deployed.
*Default*: capsule-tls
| true | +| **mutatingWebhookConfigurationName** | string | Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-mutating-webhook-configuration
| true | +| **validatingWebhookConfigurationName** | string | Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
*Default*: capsule-validating-webhook-configuration
| true | ### CapsuleConfiguration.spec.users[index] @@ -170,10 +148,33 @@ such as webhook secret or configurations. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of the entity. -| true | +| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of the entity. | true | + + +### CapsuleConfiguration.status + + + +CapsuleConfigurationStatus defines the Capsule configuration status. + + +| **Name** | **Type** | **Description** | **Required** | +| :---- | :---- | :----------- | :-------- | +| **[users](#capsuleconfigurationstatususersindex)** | []object | Users which are considered Capsule Users and are bound to the Capsule Tenant construct. | false | + + +### CapsuleConfiguration.status.users[index] + + + + + + +| **Name** | **Type** | **Description** | **Required** | +| :---- | :---- | :----------- | :-------- | +| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of the entity. | true | ## GlobalTenantResource @@ -190,10 +191,8 @@ GlobalTenantResource allows to propagate resource replications to a specific sub | **apiVersion** | string | capsule.clastix.io/v1beta2 | true | | **kind** | string | GlobalTenantResource | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#globaltenantresourcespec)** | object |GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. -| false | -| **[status](#globaltenantresourcestatus)** | object |GlobalTenantResourceStatus defines the observed state of GlobalTenantResource. -| false | +| **[spec](#globaltenantresourcespec)** | object | GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. | true | +| **[status](#globaltenantresourcestatus)** | object | GlobalTenantResourceStatus defines the observed state of GlobalTenantResource. | false | ### GlobalTenantResource.spec @@ -205,14 +204,10 @@ GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[resources](#globaltenantresourcespecresourcesindex)** | []object |Defines the rules to select targeting Namespace, along with the objects that must be replicated. -| true | -| **resyncPeriod** | string |Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
*Default*: 60s
-| true | -| **pruningOnDelete** | boolean |When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
*Default*: true
-| false | -| **[tenantSelector](#globaltenantresourcespectenantselector)** | object |Defines the Tenant selector used target the tenants on which resources must be propagated. -| false | +| **[resources](#globaltenantresourcespecresourcesindex)** | []object | Defines the rules to select targeting Namespace, along with the objects that must be replicated. | true | +| **resyncPeriod** | string | Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
*Default*: 60s
| true | +| **pruningOnDelete** | boolean | When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
*Default*: true
| false | +| **[tenantSelector](#globaltenantresourcespectenantselector)** | object | Defines the Tenant selector used target the tenants on which resources must be propagated. | false | ### GlobalTenantResource.spec.resources[index] @@ -224,14 +219,10 @@ GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalMetadata](#globaltenantresourcespecresourcesindexadditionalmetadata)** | object |Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources. -| false | -| **[namespaceSelector](#globaltenantresourcespecresourcesindexnamespaceselector)** | object |Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted. -| false | -| **[namespacedItems](#globaltenantresourcespecresourcesindexnamespaceditemsindex)** | []object |List of the resources already existing in other Namespaces that must be replicated. -| false | -| **rawItems** | []RawExtension |List of raw resources that must be replicated. -| false | +| **[additionalMetadata](#globaltenantresourcespecresourcesindexadditionalmetadata)** | object | Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources. | false | +| **[namespaceSelector](#globaltenantresourcespecresourcesindexnamespaceselector)** | object | Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted. | false | +| **[namespacedItems](#globaltenantresourcespecresourcesindexnamespaceditemsindex)** | []object | List of the resources already existing in other Namespaces that must be replicated. | false | +| **rawItems** | []RawExtension | List of raw resources that must be replicated. | false | ### GlobalTenantResource.spec.resources[index].additionalMetadata @@ -244,10 +235,8 @@ added to the replicated resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | ### GlobalTenantResource.spec.resources[index].namespaceSelector @@ -260,10 +249,8 @@ In case of nil value, all the Tenant Namespaces are targeted. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### GlobalTenantResource.spec.resources[index].namespaceSelector.matchExpressions[index] @@ -276,12 +263,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### GlobalTenantResource.spec.resources[index].namespacedItems[index] @@ -293,14 +277,10 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | string |Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds -| true | -| **namespace** | string |Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ -| true | -| **[selector](#globaltenantresourcespecresourcesindexnamespaceditemsindexselector)** | object |Label selector used to select the given resources in the given Namespace. -| true | -| **apiVersion** | string |API version of the referent. -| false | +| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true | +| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true | +| **[selector](#globaltenantresourcespecresourcesindexnamespaceditemsindexselector)** | object | Label selector used to select the given resources in the given Namespace. | true | +| **apiVersion** | string | API version of the referent. | false | ### GlobalTenantResource.spec.resources[index].namespacedItems[index].selector @@ -312,10 +292,8 @@ Label selector used to select the given resources in the given Namespace. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceditemsindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#globaltenantresourcespecresourcesindexnamespaceditemsindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### GlobalTenantResource.spec.resources[index].namespacedItems[index].selector.matchExpressions[index] @@ -328,12 +306,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### GlobalTenantResource.spec.tenantSelector @@ -345,10 +320,8 @@ Defines the Tenant selector used target the tenants on which resources must be p | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#globaltenantresourcespectenantselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#globaltenantresourcespectenantselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### GlobalTenantResource.spec.tenantSelector.matchExpressions[index] @@ -361,12 +334,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### GlobalTenantResource.status @@ -378,10 +348,8 @@ GlobalTenantResourceStatus defines the observed state of GlobalTenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[processedItems](#globaltenantresourcestatusprocesseditemsindex)** | []object |List of the replicated resources for the given TenantResource. -| true | -| **selectedTenants** | []string |List of Tenants addressed by the GlobalTenantResource. -| true | +| **[processedItems](#globaltenantresourcestatusprocesseditemsindex)** | []object | List of the replicated resources for the given TenantResource. | true | +| **selectedTenants** | []string | List of Tenants addressed by the GlobalTenantResource. | true | ### GlobalTenantResource.status.processedItems[index] @@ -393,14 +361,10 @@ GlobalTenantResourceStatus defines the observed state of GlobalTenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | string |Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds -| true | -| **name** | string |Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names -| true | -| **namespace** | string |Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ -| true | -| **apiVersion** | string |API version of the referent. -| false | +| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true | +| **name** | string | Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | true | +| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true | +| **apiVersion** | string | API version of the referent. | false | ## ResourcePoolClaim @@ -417,10 +381,8 @@ ResourcePoolClaim is the Schema for the resourcepoolclaims API. | **apiVersion** | string | capsule.clastix.io/v1beta2 | true | | **kind** | string | ResourcePoolClaim | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#resourcepoolclaimspec)** | object | -| false | -| **[status](#resourcepoolclaimstatus)** | object |ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim. -| false | +| **[spec](#resourcepoolclaimspec)** | object | | true | +| **[status](#resourcepoolclaimstatus)** | object | ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim. | false | ### ResourcePoolClaim.spec @@ -432,10 +394,8 @@ ResourcePoolClaim is the Schema for the resourcepoolclaims API. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **claim** | map[string]int or string |Amount which should be claimed for the resourcequota -| true | -| **pool** | string |If there's the possability to claim from multiple global Quotas
You must be specific about which one you want to claim resources from
Once bound to a ResourcePool, this field is immutable -| true | +| **claim** | map[string]int or string | Amount which should be claimed for the resourcequota | true | +| **pool** | string | If there's the possability to claim from multiple global Quotas
You must be specific about which one you want to claim resources from
Once bound to a ResourcePool, this field is immutable | true | ### ResourcePoolClaim.status @@ -447,10 +407,8 @@ ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[condition](#resourcepoolclaimstatuscondition)** | object |Condtion for this resource claim -| false | -| **[pool](#resourcepoolclaimstatuspool)** | object |Reference to the GlobalQuota being claimed from -| false | +| **[condition](#resourcepoolclaimstatuscondition)** | object | Condtion for this resource claim | false | +| **[pool](#resourcepoolclaimstatuspool)** | object | Reference to the GlobalQuota being claimed from | false | ### ResourcePoolClaim.status.condition @@ -462,18 +420,12 @@ Condtion for this resource claim | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **lastTransitionTime** | string |lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
-| true | -| **message** | string |message is a human readable message indicating details about the transition.
This may be an empty string. -| true | -| **reason** | string |reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. -| true | -| **status** | enum |status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
-| true | -| **type** | string |type of condition in CamelCase or in foo.example.com/CamelCase. -| true | -| **observedGeneration** | integer |observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
-| false | +| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true | +| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true | +| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true | +| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true | +| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true | +| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false | ### ResourcePoolClaim.status.pool @@ -485,12 +437,9 @@ Reference to the GlobalQuota being claimed from | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **name** | string |Name -| false | -| **namespace** | string |Namespace -| false | -| **uid** | string |UID of the tracked Tenant to pin point tracking -| false | +| **name** | string | Name | false | +| **namespace** | string | Namespace | false | +| **uid** | string | UID of the tracked Tenant to pin point tracking | false | ## ResourcePool @@ -511,10 +460,8 @@ ResourceQuota based on the namspace, where the ResourcePoolClaim was made from. | **apiVersion** | string | capsule.clastix.io/v1beta2 | true | | **kind** | string | ResourcePool | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#resourcepoolspec)** | object |ResourcePoolSpec. -| false | -| **[status](#resourcepoolstatus)** | object |GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota. -| false | +| **[spec](#resourcepoolspec)** | object | ResourcePoolSpec. | true | +| **[status](#resourcepoolstatus)** | object | GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota. | false | ### ResourcePool.spec @@ -526,14 +473,10 @@ ResourcePoolSpec. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[quota](#resourcepoolspecquota)** | object |Define the resourcequota served by this resourcepool. -| true | -| **[config](#resourcepoolspecconfig)** | object |Additional Configuration
*Default*: map[]
-| false | -| **defaults** | map[string]int or string |The Defaults given for each namespace, the default is not counted towards the total allocation
When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources -| false | -| **[selectors](#resourcepoolspecselectorsindex)** | []object |Selector to match the namespaces that should be managed by the GlobalResourceQuota -| false | +| **[quota](#resourcepoolspecquota)** | object | Define the resourcequota served by this resourcepool. | true | +| **[config](#resourcepoolspecconfig)** | object | Additional Configuration
*Default*: map[]
| false | +| **defaults** | map[string]int or string | The Defaults given for each namespace, the default is not counted towards the total allocation
When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources | false | +| **[selectors](#resourcepoolspecselectorsindex)** | []object | Selector to match the namespaces that should be managed by the GlobalResourceQuota | false | ### ResourcePool.spec.quota @@ -545,12 +488,9 @@ Define the resourcequota served by this resourcepool. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **hard** | map[string]int or string |hard is the set of desired hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ -| false | -| **[scopeSelector](#resourcepoolspecquotascopeselector)** | object |scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
but expressed using ScopeSelectorOperator in combination with possible values.
For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. -| false | -| **scopes** | []string |A collection of filters that must match each object tracked by a quota.
If not specified, the quota matches all objects. -| false | +| **hard** | map[string]int or string | hard is the set of desired hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | false | +| **[scopeSelector](#resourcepoolspecquotascopeselector)** | object | scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
but expressed using ScopeSelectorOperator in combination with possible values.
For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. | false | +| **scopes** | []string | A collection of filters that must match each object tracked by a quota.
If not specified, the quota matches all objects. | false | ### ResourcePool.spec.quota.scopeSelector @@ -564,8 +504,7 @@ For a resource to match, both scopes AND scopeSelector (if specified in spec), m | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#resourcepoolspecquotascopeselectormatchexpressionsindex)** | []object |A list of scope selector requirements by scope of the resources. -| false | +| **[matchExpressions](#resourcepoolspecquotascopeselectormatchexpressionsindex)** | []object | A list of scope selector requirements by scope of the resources. | false | ### ResourcePool.spec.quota.scopeSelector.matchExpressions[index] @@ -578,12 +517,9 @@ that relates the scope name and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **operator** | string |Represents a scope's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. -| true | -| **scopeName** | string |The name of the scope that the selector applies to. -| true | -| **values** | []string |An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty.
This array is replaced during a strategic merge patch. -| false | +| **operator** | string | Represents a scope's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. | true | +| **scopeName** | string | The name of the scope that the selector applies to. | true | +| **values** | []string | An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty.
This array is replaced during a strategic merge patch. | false | ### ResourcePool.spec.config @@ -595,12 +531,9 @@ Additional Configuration | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **defaultsZero** | boolean |With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
*Default*: false
-| false | -| **deleteBoundResources** | boolean |When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
*Default*: false
-| false | -| **orderedQueue** | boolean |Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
it's priority was lower
Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
other claim can claim the same resources with lower priority.
*Default*: false
-| false | +| **defaultsZero** | boolean | With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
*Default*: false
| false | +| **deleteBoundResources** | boolean | When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
*Default*: false
| false | +| **orderedQueue** | boolean | Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
it's priority was lower
Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
other claim can claim the same resources with lower priority.
*Default*: false
| false | ### ResourcePool.spec.selectors[index] @@ -612,10 +545,8 @@ Selector for resources and their labels or selecting origin namespaces | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#resourcepoolspecselectorsindexmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#resourcepoolspecselectorsindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### ResourcePool.spec.selectors[index].matchExpressions[index] @@ -628,12 +559,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### ResourcePool.status @@ -645,18 +573,12 @@ GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[allocation](#resourcepoolstatusallocation)** | object |Tracks the Usage from Claimed against what has been granted from the pool -| false | -| **claimCount** | integer |Amount of claims
*Default*: 0
-| false | -| **[claims](#resourcepoolstatusclaimskeyindex)** | map[string][]object |Tracks the quotas for the Resource. -| false | -| **[exhaustions](#resourcepoolstatusexhaustionskey)** | map[string]object |Exhaustions from claims associated with the pool -| false | -| **namespaceCount** | integer |How many namespaces are considered
*Default*: 0
-| false | -| **namespaces** | []string |Namespaces which are considered for claims -| false | +| **[allocation](#resourcepoolstatusallocation)** | object | Tracks the Usage from Claimed against what has been granted from the pool | false | +| **claimCount** | integer | Amount of claims
*Default*: 0
| false | +| **[claims](#resourcepoolstatusclaimskeyindex)** | map[string][]object | Tracks the quotas for the Resource. | false | +| **[exhaustions](#resourcepoolstatusexhaustionskey)** | map[string]object | Exhaustions from claims associated with the pool | false | +| **namespaceCount** | integer | How many namespaces are considered
*Default*: 0
| false | +| **namespaces** | []string | Namespaces which are considered for claims | false | ### ResourcePool.status.allocation @@ -668,12 +590,9 @@ Tracks the Usage from Claimed against what has been granted from the pool | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **available** | map[string]int or string |Used to track the usage of the resource in the pool (diff hard - claimed). May be used for further automation -| false | -| **hard** | map[string]int or string |Hard is the set of enforced hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ -| false | -| **used** | map[string]int or string |Used is the current observed total usage of the resource in the namespace. -| false | +| **available** | map[string]int or string | Used to track the usage of the resource in the pool (diff hard - claimed). May be used for further automation | false | +| **hard** | map[string]int or string | Hard is the set of enforced hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | false | +| **used** | map[string]int or string | Used is the current observed total usage of the resource in the namespace. | false | ### ResourcePool.status.claims[key][index] @@ -685,14 +604,10 @@ ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **claims** | map[string]int or string |Claimed resources -| false | -| **name** | string |Name -| false | -| **namespace** | string |Namespace -| false | -| **uid** | string |UID of the tracked Tenant to pin point tracking -| false | +| **claims** | map[string]int or string | Claimed resources | false | +| **name** | string | Name | false | +| **namespace** | string | Namespace | false | +| **uid** | string | UID of the tracked Tenant to pin point tracking | false | ### ResourcePool.status.exhaustions[key] @@ -704,10 +619,8 @@ ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **available** | int or string |Available Resources to be claimed -| false | -| **requesting** | int or string |Requesting Resources -| false | +| **available** | int or string | Available Resources to be claimed | false | +| **requesting** | int or string | Requesting Resources | false | ## TenantOwner 
@@ -724,10 +637,8 @@ TenantOwner is the Schema for the tenantowners API. | **apiVersion** | string | capsule.clastix.io/v1beta2 | true | | **kind** | string | TenantOwner | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#tenantownerspec)** | object |spec defines the desired state of TenantOwner. -| true | -| **status** | object |status defines the observed state of TenantOwner. -| false | +| **[spec](#tenantownerspec)** | object | spec defines the desired state of TenantOwner. | true | +| **status** | object | status defines the observed state of TenantOwner. | false | ### TenantOwner.spec @@ -739,12 +650,10 @@ spec defines the desired state of TenantOwner. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of the entity. -| true | -| **clusterRoles** | []string |Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
-| false | +| **aggregate** | boolean | Adds the given subject as capsule user. When enabled this subject does not have to be
mentioned in the CapsuleConfiguration as Capsule User. In almost all scenarios Tenant Owners
must be Capsule Users.
*Default*: true
| true | +| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of the entity. | true | +| **clusterRoles** | []string | Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
| false | ## TenantResource @@ -763,10 +672,8 @@ For such cases, the GlobalTenantResource must be used. | **apiVersion** | string | capsule.clastix.io/v1beta2 | true | | **kind** | string | TenantResource | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#tenantresourcespec)** | object |TenantResourceSpec defines the desired state of TenantResource. -| false | -| **[status](#tenantresourcestatus)** | object |TenantResourceStatus defines the observed state of TenantResource. -| false | +| **[spec](#tenantresourcespec)** | object | TenantResourceSpec defines the desired state of TenantResource. | true | +| **[status](#tenantresourcestatus)** | object | TenantResourceStatus defines the observed state of TenantResource. | false | ### TenantResource.spec @@ -778,12 +685,9 @@ TenantResourceSpec defines the desired state of TenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[resources](#tenantresourcespecresourcesindex)** | []object |Defines the rules to select targeting Namespace, along with the objects that must be replicated. -| true | -| **resyncPeriod** | string |Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
*Default*: 60s
-| true | -| **pruningOnDelete** | boolean |When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
*Default*: true
-| false | +| **[resources](#tenantresourcespecresourcesindex)** | []object | Defines the rules to select targeting Namespace, along with the objects that must be replicated. | true | +| **resyncPeriod** | string | Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
*Default*: 60s
| true | +| **pruningOnDelete** | boolean | When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
*Default*: true
| false | ### TenantResource.spec.resources[index] @@ -795,14 +699,10 @@ TenantResourceSpec defines the desired state of TenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalMetadata](#tenantresourcespecresourcesindexadditionalmetadata)** | object |Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources. -| false | -| **[namespaceSelector](#tenantresourcespecresourcesindexnamespaceselector)** | object |Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted. -| false | -| **[namespacedItems](#tenantresourcespecresourcesindexnamespaceditemsindex)** | []object |List of the resources already existing in other Namespaces that must be replicated. -| false | -| **rawItems** | []RawExtension |List of raw resources that must be replicated. -| false | +| **[additionalMetadata](#tenantresourcespecresourcesindexadditionalmetadata)** | object | Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources. | false | +| **[namespaceSelector](#tenantresourcespecresourcesindexnamespaceselector)** | object | Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted. | false | +| **[namespacedItems](#tenantresourcespecresourcesindexnamespaceditemsindex)** | []object | List of the resources already existing in other Namespaces that must be replicated. | false | +| **rawItems** | []RawExtension | List of raw resources that must be replicated. | false | ### TenantResource.spec.resources[index].additionalMetadata @@ -815,10 +715,8 @@ added to the replicated resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | ### TenantResource.spec.resources[index].namespaceSelector @@ -831,10 +729,8 @@ In case of nil value, all the Tenant Namespaces are targeted. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantresourcespecresourcesindexnamespaceselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantresourcespecresourcesindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### TenantResource.spec.resources[index].namespaceSelector.matchExpressions[index] @@ -847,12 +743,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### TenantResource.spec.resources[index].namespacedItems[index] @@ -864,14 +757,10 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | string |Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds -| true | -| **namespace** | string |Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ -| true | -| **[selector](#tenantresourcespecresourcesindexnamespaceditemsindexselector)** | object |Label selector used to select the given resources in the given Namespace. -| true | -| **apiVersion** | string |API version of the referent. -| false | +| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true | +| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true | +| **[selector](#tenantresourcespecresourcesindexnamespaceditemsindexselector)** | object | Label selector used to select the given resources in the given Namespace. | true | +| **apiVersion** | string | API version of the referent. | false | ### TenantResource.spec.resources[index].namespacedItems[index].selector @@ -883,10 +772,8 @@ Label selector used to select the given resources in the given Namespace. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantresourcespecresourcesindexnamespaceditemsindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantresourcespecresourcesindexnamespaceditemsindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### TenantResource.spec.resources[index].namespacedItems[index].selector.matchExpressions[index] @@ -899,12 +786,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### TenantResource.status @@ -916,8 +800,7 @@ TenantResourceStatus defines the observed state of TenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[processedItems](#tenantresourcestatusprocesseditemsindex)** | []object |List of the replicated resources for the given TenantResource. -| true | +| **[processedItems](#tenantresourcestatusprocesseditemsindex)** | []object | List of the replicated resources for the given TenantResource. | true | ### TenantResource.status.processedItems[index] @@ -929,14 +812,10 @@ TenantResourceStatus defines the observed state of TenantResource. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | string |Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds -| true | -| **name** | string |Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names -| true | -| **namespace** | string |Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ -| true | -| **apiVersion** | string |API version of the referent. -| false | +| **kind** | string | Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | true | +| **name** | string | Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | true | +| **namespace** | string | Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | true | +| **apiVersion** | string | API version of the referent. | false | ## Tenant @@ -953,10 +832,8 @@ Tenant is the Schema for the tenants API. | **apiVersion** | string | capsule.clastix.io/v1beta2 | true | | **kind** | string | Tenant | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#tenantspec-1)** | object |TenantSpec defines the desired state of Tenant. -| false | -| **[status](#tenantstatus-1)** | object |Returns the observed state of the Tenant. -| false | +| **[spec](#tenantspec-1)** | object | TenantSpec defines the desired state of Tenant. | true | +| **[status](#tenantstatus-1)** | object | Returns the observed state of the Tenant. | false | ### Tenant.spec @@ -968,48 +845,27 @@ TenantSpec defines the desired state of Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalRoleBindings](#tenantspecadditionalrolebindingsindex-1)** | []object |Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional. -| false | -| **[containerRegistries](#tenantspeccontainerregistries-1)** | object |Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional. -| false | -| **cordoned** | boolean |Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
*Default*: false
-| false | -| **[deviceClasses](#tenantspecdeviceclasses)** | object |Specifies options for the DeviceClass resources. -| false | -| **forceTenantPrefix** | boolean |Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
this is useful to avoid Namespace name collision.
When set to 'false', it allows Namespaces created for this Tenant to be named anything.
Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
Optional -| false | -| **[gatewayOptions](#tenantspecgatewayoptions)** | object |Specifies options for the GatewayClass resources. -| false | -| **imagePullPolicies** | []enum |Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
*Enum*: Always, Never, IfNotPresent
-| false | -| **[ingressOptions](#tenantspecingressoptions-1)** | object |Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional. -| false | -| **[limitRanges](#tenantspeclimitranges-1)** | object |Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)

Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
-| false | -| **[namespaceOptions](#tenantspecnamespaceoptions-1)** | object |Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional. -| false | -| **[networkPolicies](#tenantspecnetworkpolicies-1)** | object |Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)

Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-| false | -| **nodeSelector** | map[string]string |Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional. -| false | -| **[owners](#tenantspecownersindex-1)** | []object |Specifies the owners of the Tenant.
Optional -| false | -| **[permissions](#tenantspecpermissions)** | object |Specify Permissions for the Tenant. -| false | -| **[podOptions](#tenantspecpodoptions)** | object |Specifies options for the Pods deployed in the Tenant namespaces, such as additional metadata. -| false | -| **preventDeletion** | boolean |Prevent accidental deletion of the Tenant.
When enabled, the deletion request will be declined.
*Default*: false
-| false | -| **[priorityClasses](#tenantspecpriorityclasses-1)** | object |Specifies the allowed priorityClasses assigned to the Tenant.
Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses.
A default value can be specified, and all the Pod resources created will inherit the declared class.
Optional. -| false | -| **[resourceQuotas](#tenantspecresourcequotas-1)** | object |Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional. -| false | -| **[runtimeClasses](#tenantspecruntimeclasses)** | object |Specifies the allowed RuntimeClasses assigned to the Tenant.
Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
Optional. -| false | -| **[serviceOptions](#tenantspecserviceoptions-1)** | object |Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional. -| false | -| **[storageClasses](#tenantspecstorageclasses-1)** | object |Specifies the allowed StorageClasses assigned to the Tenant.
Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses.
A default value can be specified, and all the PersistentVolumeClaim resources created will inherit the declared class.
Optional. -| false | +| **[additionalRoleBindings](#tenantspecadditionalrolebindingsindex-1)** | []object | Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional. | false | +| **[containerRegistries](#tenantspeccontainerregistries-1)** | object | Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional. | false | +| **cordoned** | boolean | Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
*Default*: false
| false | +| **[deviceClasses](#tenantspecdeviceclasses)** | object | Specifies options for the DeviceClass resources. | false | +| **forceTenantPrefix** | boolean | Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
this is useful to avoid Namespace name collision.
When set to 'false', it allows Namespaces created for this Tenant to be named anything.
Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
Optional | false | +| **[gatewayOptions](#tenantspecgatewayoptions)** | object | Specifies options for the GatewayClass resources. | false | +| **imagePullPolicies** | []enum | Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
*Enum*: Always, Never, IfNotPresent
| false | +| **[ingressOptions](#tenantspecingressoptions-1)** | object | Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional. | false | +| **[limitRanges](#tenantspeclimitranges-1)** | object | Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)

Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
| false | +| **[namespaceOptions](#tenantspecnamespaceoptions-1)** | object | Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional. | false | +| **[networkPolicies](#tenantspecnetworkpolicies-1)** | object | Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)

Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
| false | +| **nodeSelector** | map[string]string | Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional. | false | +| **[owners](#tenantspecownersindex-1)** | []object | Specifies the owners of the Tenant.
Optional | false | +| **[permissions](#tenantspecpermissions)** | object | Specify Permissions for the Tenant. | false | +| **[podOptions](#tenantspecpodoptions)** | object | Specifies options for the Pods deployed in the Tenant namespaces, such as additional metadata. | false | +| **preventDeletion** | boolean | Prevent accidental deletion of the Tenant.
When enabled, the deletion request will be declined.
*Default*: false
| false | +| **[priorityClasses](#tenantspecpriorityclasses-1)** | object | Specifies the allowed priorityClasses assigned to the Tenant.
Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses.
A default value can be specified, and all the Pod resources created will inherit the declared class.
Optional. | false | +| **[resourceQuotas](#tenantspecresourcequotas-1)** | object | Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional. | false | +| **[runtimeClasses](#tenantspecruntimeclasses)** | object | Specifies the allowed RuntimeClasses assigned to the Tenant.
Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
Optional. | false | +| **[serviceOptions](#tenantspecserviceoptions-1)** | object | Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional. | false | +| **[storageClasses](#tenantspecstorageclasses-1)** | object | Specifies the allowed StorageClasses assigned to the Tenant.
Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses.
A default value can be specified, and all the PersistentVolumeClaim resources created will inherit the declared class.
Optional. | false | ### Tenant.spec.additionalRoleBindings[index] @@ -1021,14 +877,10 @@ TenantSpec defines the desired state of Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **clusterRoleName** | string | -| true | -| **[subjects](#tenantspecadditionalrolebindingsindexsubjectsindex-1)** | []object |kubebuilder:validation:Minimum=1 -| true | -| **annotations** | map[string]string |Additional Annotations for the synchronized rolebindings -| false | -| **labels** | map[string]string |Additional Labels for the synchronized rolebindings -| false | +| **clusterRoleName** | string | | true | +| **[subjects](#tenantspecadditionalrolebindingsindexsubjectsindex-1)** | []object | kubebuilder:validation:Minimum=1 | true | +| **annotations** | map[string]string | Additional Annotations for the synchronized rolebindings | false | +| **labels** | map[string]string | Additional Labels for the synchronized rolebindings | false | ### Tenant.spec.additionalRoleBindings[index].subjects[index] @@ -1041,14 +893,10 @@ or a value for non-objects such as user and group names. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | string |Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error. -| true | -| **name** | string |Name of the object being referenced. -| true | -| **apiGroup** | string |APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects. -| false | -| **namespace** | string |Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error. -| false | +| **kind** | string | Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error. | true | +| **name** | string | Name of the object being referenced. | true | +| **apiGroup** | string | APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects. | false | +| **namespace** | string | Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error. | false | ### Tenant.spec.containerRegistries @@ -1060,10 +908,8 @@ Specifies the trusted Image Registries assigned to the Tenant. Capsule assures t | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | ### Tenant.spec.deviceClasses @@ -1075,14 +921,10 @@ Specifies options for the DeviceClass resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | -| **[matchExpressions](#tenantspecdeviceclassesmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | +| **[matchExpressions](#tenantspecdeviceclassesmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.deviceClasses.matchExpressions[index] @@ -1095,12 +937,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.gatewayOptions @@ -1112,8 +951,7 @@ Specifies options for the GatewayClass resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[allowedClasses](#tenantspecgatewayoptionsallowedclasses)** | object | -| false | +| **[allowedClasses](#tenantspecgatewayoptionsallowedclasses)** | object | | false | ### Tenant.spec.gatewayOptions.allowedClasses @@ -1125,16 +963,11 @@ Specifies options for the GatewayClass resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | -| **default** | string | -| false | -| **[matchExpressions](#tenantspecgatewayoptionsallowedclassesmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | +| **default** | string | | false | +| **[matchExpressions](#tenantspecgatewayoptionsallowedclassesmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.gatewayOptions.allowedClasses.matchExpressions[index] @@ -1147,12 +980,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.ingressOptions @@ -1164,14 +994,10 @@ Specifies options for the Ingress resources, such as allowed hostnames and Ingre | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowWildcardHostnames** | boolean |Toggles the ability for Ingress resources created in a Tenant to have a hostname wildcard. -| false | -| **[allowedClasses](#tenantspecingressoptionsallowedclasses-1)** | object |Specifies the allowed IngressClasses assigned to the Tenant.
Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses.
A default value can be specified, and all the Ingress resources created will inherit the declared class.
Optional. -| false | -| **[allowedHostnames](#tenantspecingressoptionsallowedhostnames-1)** | object |Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional. -| false | -| **hostnameCollisionScope** | enum |Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.

- Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.

- Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.

- Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.

Optional.
*Enum*: Cluster, Tenant, Namespace, Disabled
*Default*: Disabled
-| false | +| **allowWildcardHostnames** | boolean | Toggles the ability for Ingress resources created in a Tenant to have a hostname wildcard. | false | +| **[allowedClasses](#tenantspecingressoptionsallowedclasses-1)** | object | Specifies the allowed IngressClasses assigned to the Tenant.
Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses.
A default value can be specified, and all the Ingress resources created will inherit the declared class.
Optional. | false | +| **[allowedHostnames](#tenantspecingressoptionsallowedhostnames-1)** | object | Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional. | false | +| **hostnameCollisionScope** | enum | Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.

- Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.

- Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.

- Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.

Optional.
*Enum*: Cluster, Tenant, Namespace, Disabled
*Default*: Disabled
| false | ### Tenant.spec.ingressOptions.allowedClasses @@ -1186,16 +1012,11 @@ Optional. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | -| **default** | string | -| false | -| **[matchExpressions](#tenantspecingressoptionsallowedclassesmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | +| **default** | string | | false | +| **[matchExpressions](#tenantspecingressoptionsallowedclassesmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.ingressOptions.allowedClasses.matchExpressions[index] @@ -1208,12 +1029,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.ingressOptions.allowedHostnames @@ -1225,10 +1043,8 @@ Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assur | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | ### Tenant.spec.limitRanges @@ -1242,8 +1058,7 @@ Specifies the resource min/max usage restrictions to the Tenant. The assigned va | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[items](#tenantspeclimitrangesitemsindex-1)** | []object | -| false | +| **[items](#tenantspeclimitrangesitemsindex-1)** | []object | | false | ### Tenant.spec.limitRanges.items[index] @@ -1255,8 +1070,7 @@ LimitRangeSpec defines a min/max usage limit for resources that match on kind. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[limits](#tenantspeclimitrangesitemsindexlimitsindex-1)** | []object |Limits is the list of LimitRangeItem objects that are enforced. -| true | +| **[limits](#tenantspeclimitrangesitemsindexlimitsindex-1)** | []object | Limits is the list of LimitRangeItem objects that are enforced. | true | ### Tenant.spec.limitRanges.items[index].limits[index] 
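Review bot: In the `Tenant.spec.ingressOptions` hunk, the regenerated `hostnameCollisionScope` row lists `Disabled` in the enum and as the default, but the description only explains `Cluster`, `Tenant` and `Namespace`. The default is the one value left unexplained. Add a bullet for `Disabled` to the source type comment before regenerating (presumably it means no collision check is performed; that is an assumption, the row does not say), so readers do not assume hostname collision checking is on by default.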
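Review bot: In the `Tenant.spec.ingressOptions.allowedHostnames` hunk, the `allowed` row still reads "Match exact elements which are allowed as class names within this tenant" although the field holds hostnames, and the `Tenant.spec.containerRegistries` hunk carries the same sentence for registries. The wording looks inherited from a shared type comment, so make that comment generic or override it per field before regenerating. For `allowedRegex`, "Match elements by regex." does not say whether the pattern must match the whole value, which matters for an allow-list and is worth stating.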
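Review bot: In the `Tenant.spec.limitRanges` hunk, `| **[items](#tenantspeclimitrangesitemsindex-1)** | []object | | false |` is now a well-formed row but its Description cell is empty, as are the `default` rows under `gatewayOptions.allowedClasses` and `ingressOptions.allowedClasses`. Add doc comments on those fields, or have `templates/crds.tmpl` emit a placeholder when a description is empty, so the generated reference does not ship blank cells.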
@@ -1268,18 +1082,12 @@ LimitRangeItem defines a min/max usage limit for any resource that matches on ki | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **type** | string |Type of resource that this limit applies to. -| true | -| **default** | map[string]int or string |Default resource requirement limit value by resource name if resource limit is omitted. -| false | -| **defaultRequest** | map[string]int or string |DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. -| false | -| **max** | map[string]int or string |Max usage constraints on this kind by resource name. -| false | -| **maxLimitRequestRatio** | map[string]int or string |MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. -| false | -| **min** | map[string]int or string |Min usage constraints on this kind by resource name. -| false | +| **type** | string | Type of resource that this limit applies to. | true | +| **default** | map[string]int or string | Default resource requirement limit value by resource name if resource limit is omitted. | false | +| **defaultRequest** | map[string]int or string | DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. | false | +| **max** | map[string]int or string | Max usage constraints on this kind by resource name. | false | +| **maxLimitRequestRatio** | map[string]int or string | MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. 
| false | +| **min** | map[string]int or string | Min usage constraints on this kind by resource name. | false | ### Tenant.spec.namespaceOptions @@ -1291,18 +1099,12 @@ Specifies options for the Namespaces, such as additional metadata or maximum num | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalMetadata](#tenantspecnamespaceoptionsadditionalmetadata-1)** | object |Deprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)

Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
-| false | -| **[additionalMetadataList](#tenantspecnamespaceoptionsadditionalmetadatalistindex)** | []object |Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional. -| false | -| **[forbiddenAnnotations](#tenantspecnamespaceoptionsforbiddenannotations)** | object |Define the annotations that a Tenant Owner cannot set for their Namespace resources. -| false | -| **[forbiddenLabels](#tenantspecnamespaceoptionsforbiddenlabels)** | object |Define the labels that a Tenant Owner cannot set for their Namespace resources. -| false | -| **managedMetadataOnly** | boolean |If enabled only metadata from additionalMetadata is reconciled to the namespaces.
*Default*: false
-| false | -| **quota** | integer |Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
*Format*: int32
*Minimum*: 1
-| false | +| **[additionalMetadata](#tenantspecnamespaceoptionsadditionalmetadata-1)** | object | Deprecated: Use additionalMetadataList instead (https://projectcapsule.dev/docs/tenants/metadata/#additionalmetadatalist)

Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
| false | +| **[additionalMetadataList](#tenantspecnamespaceoptionsadditionalmetadatalistindex)** | []object | Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional. | false | +| **[forbiddenAnnotations](#tenantspecnamespaceoptionsforbiddenannotations)** | object | Define the annotations that a Tenant Owner cannot set for their Namespace resources. | false | +| **[forbiddenLabels](#tenantspecnamespaceoptionsforbiddenlabels)** | object | Define the labels that a Tenant Owner cannot set for their Namespace resources. | false | +| **managedMetadataOnly** | boolean | If enabled only metadata from additionalMetadata is reconciled to the namespaces.
*Default*: false
| false | +| **quota** | integer | Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
*Format*: int32
*Minimum*: 1
| false | ### Tenant.spec.namespaceOptions.additionalMetadata @@ -1316,10 +1118,8 @@ Specifies additional labels and annotations the Capsule operator places on any N | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | ### Tenant.spec.namespaceOptions.additionalMetadataList[index] @@ -1331,12 +1131,9 @@ Specifies additional labels and annotations the Capsule operator places on any N | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | -| **[namespaceSelector](#tenantspecnamespaceoptionsadditionalmetadatalistindexnamespaceselector)** | object |A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects. -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | +| **[namespaceSelector](#tenantspecnamespaceoptionsadditionalmetadatalistindexnamespaceselector)** | object | A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects. | false | ### Tenant.spec.namespaceOptions.additionalMetadataList[index].namespaceSelector @@ -1350,10 +1147,8 @@ label selector matches no objects. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnamespaceoptionsadditionalmetadatalistindexnamespaceselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnamespaceoptionsadditionalmetadatalistindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.namespaceOptions.additionalMetadataList[index].namespaceSelector.matchExpressions[index] @@ -1366,12 +1161,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.namespaceOptions.forbiddenAnnotations @@ -1383,10 +1175,8 @@ Define the annotations that a Tenant Owner cannot set for their Namespace resour | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### Tenant.spec.namespaceOptions.forbiddenLabels @@ -1398,10 +1188,8 @@ Define the labels that a Tenant Owner cannot set for their Namespace resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### Tenant.spec.networkPolicies @@ -1415,8 +1203,7 @@ Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolici | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[items](#tenantspecnetworkpoliciesitemsindex-1)** | []object | -| false | +| **[items](#tenantspecnetworkpoliciesitemsindex-1)** | []object | | false | ### Tenant.spec.networkPolicies.items[index] @@ -1428,14 +1215,10 @@ NetworkPolicySpec provides the specification of a NetworkPolicy | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[egress](#tenantspecnetworkpoliciesitemsindexegressindex-1)** | []object |egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
otherwise allows the traffic), OR if the traffic matches at least one egress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
solely to ensure that the pods it selects are isolated by default).
This field is beta-level in 1.8 -| false | -| **[ingress](#tenantspecnetworkpoliciesitemsindexingressindex-1)** | []object |ingress is a list of ingress rules to be applied to the selected pods.
Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
(and cluster policy otherwise allows the traffic), OR if the traffic source is
the pod's local node, OR if the traffic matches at least one ingress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy does not allow any traffic (and serves
solely to ensure that the pods it selects are isolated by default) -| false | -| **[podSelector](#tenantspecnetworkpoliciesitemsindexpodselector-1)** | object |podSelector selects the pods to which this NetworkPolicy object applies.
The array of rules is applied to any pods selected by this field. An empty
selector matches all pods in the policy's namespace.
Multiple network policies can select the same set of pods. In this case,
the ingress rules for each are combined additively.
This field is optional. If it is not specified, it defaults to an empty selector. -| false | -| **policyTypes** | []string |policyTypes is a list of rule types that the NetworkPolicy relates to.
Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
If this field is not specified, it will default based on the existence of ingress or egress rules;
policies that contain an egress section are assumed to affect egress, and all policies
(whether or not they contain an ingress section) are assumed to affect ingress.
If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
Likewise, if you want to write a policy that specifies that no egress is allowed,
you must specify a policyTypes value that include "Egress" (since such a policy would not include
an egress section and would otherwise default to just [ "Ingress" ]).
This field is beta-level in 1.8 -| false | +| **[egress](#tenantspecnetworkpoliciesitemsindexegressindex-1)** | []object | egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
otherwise allows the traffic), OR if the traffic matches at least one egress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
solely to ensure that the pods it selects are isolated by default).
This field is beta-level in 1.8 | false | +| **[ingress](#tenantspecnetworkpoliciesitemsindexingressindex-1)** | []object | ingress is a list of ingress rules to be applied to the selected pods.
Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
(and cluster policy otherwise allows the traffic), OR if the traffic source is
the pod's local node, OR if the traffic matches at least one ingress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy does not allow any traffic (and serves
solely to ensure that the pods it selects are isolated by default) | false | +| **[podSelector](#tenantspecnetworkpoliciesitemsindexpodselector-1)** | object | podSelector selects the pods to which this NetworkPolicy object applies.
The array of rules is applied to any pods selected by this field. An empty
selector matches all pods in the policy's namespace.
Multiple network policies can select the same set of pods. In this case,
the ingress rules for each are combined additively.
This field is optional. If it is not specified, it defaults to an empty selector. | false | +| **policyTypes** | []string | policyTypes is a list of rule types that the NetworkPolicy relates to.
Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
If this field is not specified, it will default based on the existence of ingress or egress rules;
policies that contain an egress section are assumed to affect egress, and all policies
(whether or not they contain an ingress section) are assumed to affect ingress.
If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
Likewise, if you want to write a policy that specifies that no egress is allowed,
you must specify a policyTypes value that include "Egress" (since such a policy would not include
an egress section and would otherwise default to just [ "Ingress" ]).
This field is beta-level in 1.8 | false | ### Tenant.spec.networkPolicies.items[index].egress[index] @@ -1449,10 +1232,8 @@ This type is beta-level in 1.8 | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[ports](#tenantspecnetworkpoliciesitemsindexegressindexportsindex-1)** | []object |ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. -| false | -| **[to](#tenantspecnetworkpoliciesitemsindexegressindextoindex-1)** | []object |to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list. -| false | +| **[ports](#tenantspecnetworkpoliciesitemsindexegressindexportsindex-1)** | []object | ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. | false | +| **[to](#tenantspecnetworkpoliciesitemsindexegressindextoindex-1)** | []object | to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].ports[index] @@ -1464,12 +1245,9 @@ NetworkPolicyPort describes a port to allow traffic on | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **endPort** | integer |endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
-| false | -| **port** | int or string |port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. -| false | -| **protocol** | string |protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. -| false | +| **endPort** | integer | endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
| false | +| **port** | int or string | port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. | false | +| **protocol** | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index] @@ -1482,12 +1260,9 @@ fields are allowed | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[ipBlock](#tenantspecnetworkpoliciesitemsindexegressindextoindexipblock-1)** | object |ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. -| false | -| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselector-1)** | object |namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. -| false | -| **[podSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselector-1)** | object |podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. -| false | +| **[ipBlock](#tenantspecnetworkpoliciesitemsindexegressindextoindexipblock-1)** | object | ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. | false | +| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselector-1)** | object | namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. | false | +| **[podSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselector-1)** | object | podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].ipBlock @@ -1500,10 +1275,8 @@ neither of the other fields can be. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **cidr** | string |cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" -| true | -| **except** | []string |except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range -| false | +| **cidr** | string | cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | true | +| **except** | []string | except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector @@ -1520,10 +1293,8 @@ Otherwise it selects all pods in the namespaces selected by namespaceSelector. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselectormatchexpressionsindex-1)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselectormatchexpressionsindex-1)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector.matchExpressions[index] @@ -1536,12 +1307,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector @@ -1558,10 +1326,8 @@ Otherwise it selects the pods matching podSelector in the policy's own namespace | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselectormatchexpressionsindex-1)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselectormatchexpressionsindex-1)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector.matchExpressions[index] @@ -1574,12 +1340,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index] @@ -1592,10 +1355,8 @@ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[from](#tenantspecnetworkpoliciesitemsindexingressindexfromindex-1)** | []object |from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list. -| false | -| **[ports](#tenantspecnetworkpoliciesitemsindexingressindexportsindex-1)** | []object |ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. -| false | +| **[from](#tenantspecnetworkpoliciesitemsindexingressindexfromindex-1)** | []object | from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list. | false | +| **[ports](#tenantspecnetworkpoliciesitemsindexingressindexportsindex-1)** | []object | ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index] @@ -1608,12 +1369,9 @@ fields are allowed | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[ipBlock](#tenantspecnetworkpoliciesitemsindexingressindexfromindexipblock-1)** | object |ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. -| false | -| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselector-1)** | object |namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. -| false | -| **[podSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselector-1)** | object |podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. -| false | +| **[ipBlock](#tenantspecnetworkpoliciesitemsindexingressindexfromindexipblock-1)** | object | ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. | false | +| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselector-1)** | object | namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. | false | +| **[podSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselector-1)** | object | podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].ipBlock @@ -1626,10 +1384,8 @@ neither of the other fields can be. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **cidr** | string |cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" -| true | -| **except** | []string |except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range -| false | +| **cidr** | string | cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | true | +| **except** | []string | except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector @@ -1646,10 +1402,8 @@ Otherwise it selects all pods in the namespaces selected by namespaceSelector. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselectormatchexpressionsindex-1)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselectormatchexpressionsindex-1)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector.matchExpressions[index] @@ -1662,12 +1416,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector @@ -1684,10 +1435,8 @@ Otherwise it selects the pods matching podSelector in the policy's own namespace | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselectormatchexpressionsindex-1)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselectormatchexpressionsindex-1)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector.matchExpressions[index] @@ -1700,12 +1449,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].ports[index] @@ -1717,12 +1463,9 @@ NetworkPolicyPort describes a port to allow traffic on | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **endPort** | integer |endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
-| false | -| **port** | int or string |port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. -| false | -| **protocol** | string |protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. -| false | +| **endPort** | integer | endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
| false | +| **port** | int or string | port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. | false | +| **protocol** | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. | false | ### Tenant.spec.networkPolicies.items[index].podSelector @@ -1739,10 +1482,8 @@ This field is optional. If it is not specified, it defaults to an empty selector | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexpodselectormatchexpressionsindex-1)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexpodselectormatchexpressionsindex-1)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].podSelector.matchExpressions[index] @@ -1755,12 +1496,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.owners[index] @@ -1772,18 +1510,12 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of the entity. -| true | -| **annotations** | map[string]string |Additional Annotations for the synchronized rolebindings -| false | -| **clusterRoles** | []string |Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
-| false | -| **labels** | map[string]string |Additional Labels for the synchronized rolebindings -| false | -| **[proxySettings](#tenantspecownersindexproxysettingsindex-1)** | []object |Proxy settings for tenant owner. -| false | +| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of the entity. | true | +| **annotations** | map[string]string | Additional Annotations for the synchronized rolebindings | false | +| **clusterRoles** | []string | Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
| false | +| **labels** | map[string]string | Additional Labels for the synchronized rolebindings | false | +| **[proxySettings](#tenantspecownersindexproxysettingsindex-1)** | []object | Proxy settings for tenant owner. | false | ### Tenant.spec.owners[index].proxySettings[index] @@ -1795,10 +1527,8 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes
-| true | -| **operations** | []enum |
*Enum*: List, Update, Delete
-| true | +| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes
| true | +| **operations** | []enum |
*Enum*: List, Update, Delete
| true | ### Tenant.spec.permissions @@ -1810,8 +1540,7 @@ Specify Permissions for the Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchOwners](#tenantspecpermissionsmatchownersindex)** | []object |Matches TenantOwner objects which are promoted to owners of this tenant
The elements are OR operations and independent. You can see the resulting Tenant Owners
in the Status.Owners specification of the Tenant. -| false | +| **[matchOwners](#tenantspecpermissionsmatchownersindex)** | []object | Matches TenantOwner objects which are promoted to owners of this tenant
The elements are OR operations and independent. You can see the resulting Tenant Owners
in the Status.Owners specification of the Tenant. | false | ### Tenant.spec.permissions.matchOwners[index] @@ -1825,10 +1554,8 @@ label selector matches no objects. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecpermissionsmatchownersindexmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecpermissionsmatchownersindexmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.permissions.matchOwners[index].matchExpressions[index] @@ -1841,12 +1568,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.podOptions @@ -1858,8 +1582,7 @@ Specifies options for the Pods deployed in the Tenant namespaces, such as additi | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalMetadata](#tenantspecpodoptionsadditionalmetadata)** | object |Specifies additional labels and annotations the Capsule operator places on any Pod resource in the Tenant. Optional. -| false | +| **[additionalMetadata](#tenantspecpodoptionsadditionalmetadata)** | object | Specifies additional labels and annotations the Capsule operator places on any Pod resource in the Tenant. Optional. | false | ### Tenant.spec.podOptions.additionalMetadata @@ -1871,10 +1594,8 @@ Specifies additional labels and annotations the Capsule operator places on any P | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | ### Tenant.spec.priorityClasses @@ -1889,16 +1610,11 @@ Optional. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | -| **default** | string | -| false | -| **[matchExpressions](#tenantspecpriorityclassesmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | +| **default** | string | | false | +| **[matchExpressions](#tenantspecpriorityclassesmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.priorityClasses.matchExpressions[index] @@ -1911,12 +1627,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.resourceQuotas @@ -1928,10 +1641,8 @@ Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[items](#tenantspecresourcequotasitemsindex-1)** | []object | -| false | -| **scope** | enum |Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
*Enum*: Tenant, Namespace
*Default*: Tenant
-| false | +| **[items](#tenantspecresourcequotasitemsindex-1)** | []object | | false | +| **scope** | enum | Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
*Enum*: Tenant, Namespace
*Default*: Tenant
| false | ### Tenant.spec.resourceQuotas.items[index] @@ -1943,12 +1654,9 @@ ResourceQuotaSpec defines the desired hard limits to enforce for Quota. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **hard** | map[string]int or string |hard is the set of desired hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ -| false | -| **[scopeSelector](#tenantspecresourcequotasitemsindexscopeselector-1)** | object |scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
but expressed using ScopeSelectorOperator in combination with possible values.
For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. -| false | -| **scopes** | []string |A collection of filters that must match each object tracked by a quota.
If not specified, the quota matches all objects. -| false | +| **hard** | map[string]int or string | hard is the set of desired hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | false | +| **[scopeSelector](#tenantspecresourcequotasitemsindexscopeselector-1)** | object | scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
but expressed using ScopeSelectorOperator in combination with possible values.
For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. | false | +| **scopes** | []string | A collection of filters that must match each object tracked by a quota.
If not specified, the quota matches all objects. | false | ### Tenant.spec.resourceQuotas.items[index].scopeSelector @@ -1962,8 +1670,7 @@ For a resource to match, both scopes AND scopeSelector (if specified in spec), m | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecresourcequotasitemsindexscopeselectormatchexpressionsindex-1)** | []object |A list of scope selector requirements by scope of the resources. -| false | +| **[matchExpressions](#tenantspecresourcequotasitemsindexscopeselectormatchexpressionsindex-1)** | []object | A list of scope selector requirements by scope of the resources. | false | ### Tenant.spec.resourceQuotas.items[index].scopeSelector.matchExpressions[index] @@ -1976,12 +1683,9 @@ that relates the scope name and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **operator** | string |Represents a scope's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. -| true | -| **scopeName** | string |The name of the scope that the selector applies to. -| true | -| **values** | []string |An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty.
This array is replaced during a strategic merge patch. -| false | +| **operator** | string | Represents a scope's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. | true | +| **scopeName** | string | The name of the scope that the selector applies to. | true | +| **values** | []string | An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty.
This array is replaced during a strategic merge patch. | false | ### Tenant.spec.runtimeClasses @@ -1995,16 +1699,11 @@ Optional. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | -| **default** | string | -| false | -| **[matchExpressions](#tenantspecruntimeclassesmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | +| **default** | string | | false | +| **[matchExpressions](#tenantspecruntimeclassesmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.runtimeClasses.matchExpressions[index] @@ -2017,12 +1716,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.serviceOptions 
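Review bot: In the Tenant.spec.resourceQuotas table (hunk @@ -1928,10 +1641,8 @@), the regenerated `scope` row still says the budget is computed "across all Namespaces in the Tenant or individually per cluster", while the enum it documents is `Tenant, Namespace`. "per cluster" reads as if it should be "per Namespace"; please confirm which is meant. Because reference.md is generated, the wording has to be corrected in the CRD source description and the docs regenerated, otherwise the next regeneration restores it. This field decides what a tenant's hard quota is aggregated over, so the description should state exactly what each enum value covers.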
@@ -2034,16 +1730,11 @@ Specifies options for the Service, such as additional metadata or block of certa | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalMetadata](#tenantspecserviceoptionsadditionalmetadata-1)** | object |Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional. -| false | -| **[allowedServices](#tenantspecserviceoptionsallowedservices-1)** | object |Block or deny certain type of Services. Optional. -| false | -| **[externalIPs](#tenantspecserviceoptionsexternalips-1)** | object |Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional. -| false | -| **[forbiddenAnnotations](#tenantspecserviceoptionsforbiddenannotations-1)** | object |Define the annotations that a Tenant Owner cannot set for their Service resources. -| false | -| **[forbiddenLabels](#tenantspecserviceoptionsforbiddenlabels-1)** | object |Define the labels that a Tenant Owner cannot set for their Service resources. -| false | +| **[additionalMetadata](#tenantspecserviceoptionsadditionalmetadata-1)** | object | Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional. | false | +| **[allowedServices](#tenantspecserviceoptionsallowedservices-1)** | object | Block or deny certain type of Services. Optional. | false | +| **[externalIPs](#tenantspecserviceoptionsexternalips-1)** | object | Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional. | false | +| **[forbiddenAnnotations](#tenantspecserviceoptionsforbiddenannotations-1)** | object | Define the annotations that a Tenant Owner cannot set for their Service resources. 
| false | +| **[forbiddenLabels](#tenantspecserviceoptionsforbiddenlabels-1)** | object | Define the labels that a Tenant Owner cannot set for their Service resources. | false | ### Tenant.spec.serviceOptions.additionalMetadata @@ -2055,10 +1746,8 @@ Specifies additional labels and annotations the Capsule operator places on any S | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | ### Tenant.spec.serviceOptions.allowedServices @@ -2070,12 +1759,9 @@ Block or deny certain type of Services. Optional. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **externalName** | boolean |Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
-| false | -| **loadBalancer** | boolean |Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
-| false | -| **nodePort** | boolean |Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
-| false | +| **externalName** | boolean | Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
| false | +| **loadBalancer** | boolean | Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
| false | +| **nodePort** | boolean | Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
| false | ### Tenant.spec.serviceOptions.externalIPs @@ -2087,8 +1773,7 @@ Specifies the external IPs that can be used in Services with type ClusterIP. An | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string | -| true | +| **allowed** | []string | | true | ### Tenant.spec.serviceOptions.forbiddenAnnotations @@ -2100,10 +1785,8 @@ Define the annotations that a Tenant Owner cannot set for their Service resource | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### Tenant.spec.serviceOptions.forbiddenLabels @@ -2115,10 +1798,8 @@ Define the labels that a Tenant Owner cannot set for their Service resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### Tenant.spec.storageClasses @@ -2133,16 +1814,11 @@ Optional. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | -| **default** | string | -| false | -| **[matchExpressions](#tenantspecstorageclassesmatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | +| **default** | string | | false | +| **[matchExpressions](#tenantspecstorageclassesmatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.storageClasses.matchExpressions[index] @@ -2155,12 +1831,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.status @@ -2172,20 +1845,13 @@ Returns the observed state of the Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[conditions](#tenantstatusconditionsindex)** | []object |Tenant Condition -| true | -| **size** | integer |How many namespaces are assigned to the Tenant. -| true | -| **state** | enum |The operational state of the Tenant. Possible values are "Active", "Cordoned".
*Enum*: Cordoned, Active
*Default*: Active
-| true | -| **[classes](#tenantstatusclasses)** | object |Available Class Types within Tenant -| false | -| **namespaces** | []string |List of namespaces assigned to the Tenant. (Deprecated) -| false | -| **[owners](#tenantstatusownersindex)** | []object |Collected owners for this tenant -| false | -| **[spaces](#tenantstatusspacesindex)** | []object |Tracks state for the namespaces associated with this tenant -| false | +| **[conditions](#tenantstatusconditionsindex)** | []object | Tenant Condition | true | +| **size** | integer | How many namespaces are assigned to the Tenant. | true | +| **state** | enum | The operational state of the Tenant. Possible values are "Active", "Cordoned".
*Enum*: Cordoned, Active
*Default*: Active
| true | +| **[classes](#tenantstatusclasses)** | object | Available Class Types within Tenant | false | +| **namespaces** | []string | List of namespaces assigned to the Tenant. (Deprecated) | false | +| **[owners](#tenantstatusownersindex)** | []object | Collected owners for this tenant | false | +| **[spaces](#tenantstatusspacesindex)** | []object | Tracks state for the namespaces associated with this tenant | false | ### Tenant.status.conditions[index] @@ -2197,18 +1863,12 @@ Condition contains details for one aspect of the current state of this API Resou | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **lastTransitionTime** | string |lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
-| true | -| **message** | string |message is a human readable message indicating details about the transition.
This may be an empty string. -| true | -| **reason** | string |reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. -| true | -| **status** | enum |status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
-| true | -| **type** | string |type of condition in CamelCase or in foo.example.com/CamelCase. -| true | -| **observedGeneration** | integer |observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
-| false | +| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true | +| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true | +| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true | +| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true | +| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true | +| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false | ### Tenant.status.classes @@ -2220,16 +1880,11 @@ Available Class Types within Tenant | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **device** | []string |Available DeviceClasses -| false | -| **gateway** | []string |Available GatewayClasses -| false | -| **priority** | []string |Available PriorityClasses -| false | -| **runtime** | []string |Available StorageClasses -| false | -| **storage** | []string |Available Storageclasses (Only collected if any matching condition is specified) -| false | +| **device** | []string | Available DeviceClasses | false | +| **gateway** | []string | Available GatewayClasses | false | +| **priority** | []string | Available PriorityClasses | false | +| **runtime** | []string | Available StorageClasses | false | +| **storage** | []string | Available Storageclasses (Only collected if any matching condition is specified) | false | ### Tenant.status.owners[index] @@ -2241,12 +1896,9 @@ Available Class Types within Tenant | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of the entity. -| true | -| **clusterRoles** | []string |Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
-| false | +| **kind** | enum | Kind of entity. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of the entity. | true | +| **clusterRoles** | []string | Defines additional cluster-roles for the specific Owner.
*Default*: [admin capsule-namespace-deleter]
| false | ### Tenant.status.spaces[index] @@ -2258,14 +1910,10 @@ Available Class Types within Tenant | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[conditions](#tenantstatusspacesindexconditionsindex)** | []object |Conditions -| true | -| **name** | string |Namespace Name -| true | -| **[metadata](#tenantstatusspacesindexmetadata)** | object |Managed Metadata -| false | -| **uid** | string |Namespace UID -| false | +| **[conditions](#tenantstatusspacesindexconditionsindex)** | []object | Conditions | true | +| **name** | string | Namespace Name | true | +| **[metadata](#tenantstatusspacesindexmetadata)** | object | Managed Metadata | false | +| **uid** | string | Namespace UID | false | ### Tenant.status.spaces[index].conditions[index] @@ -2277,18 +1925,12 @@ Condition contains details for one aspect of the current state of this API Resou | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **lastTransitionTime** | string |lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
-| true | -| **message** | string |message is a human readable message indicating details about the transition.
This may be an empty string. -| true | -| **reason** | string |reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. -| true | -| **status** | enum |status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
-| true | -| **type** | string |type of condition in CamelCase or in foo.example.com/CamelCase. -| true | -| **observedGeneration** | integer |observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
-| false | +| **lastTransitionTime** | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
*Format*: date-time
| true | +| **message** | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true | +| **reason** | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true | +| **status** | enum | status of the condition, one of True, False, Unknown.
*Enum*: True, False, Unknown
| true | +| **type** | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true | +| **observedGeneration** | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
*Format*: int64
*Minimum*: 0
| false | ### Tenant.status.spaces[index].metadata @@ -2300,10 +1942,8 @@ Managed Metadata | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string |Managed Annotations -| false | -| **labels** | map[string]string |Managed Labels -| false | +| **annotations** | map[string]string | Managed Annotations | false | +| **labels** | map[string]string | Managed Labels | false | # capsule.clastix.io/v1beta1 @@ -2329,10 +1969,8 @@ Tenant is the Schema for the tenants API. | **apiVersion** | string | capsule.clastix.io/v1beta1 | true | | **kind** | string | Tenant | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#tenantspec)** | object |TenantSpec defines the desired state of Tenant. -| false | -| **[status](#tenantstatus)** | object |Returns the observed state of the Tenant. -| false | +| **[spec](#tenantspec)** | object | TenantSpec defines the desired state of Tenant. | true | +| **[status](#tenantstatus)** | object | Returns the observed state of the Tenant. | false | ### Tenant.spec 
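Review bot: In the v1beta1 Tenant table (hunk @@ -2329,10 +1969,8 @@), the `spec` row changes its Required column from `false` to `true`, which is a content change and not the table-formatting fix the subject line describes. Please confirm that it comes from the regenerated CRD schema and not from the edit to templates/crds.tmpl, and mention it in the commit message so readers who treated `spec` as optional notice the change. The `status` row in the same hunk stays `false`, and the GlobalProxySettings table touched earlier in this patch keeps `spec` at `false`, so the two references now differ on this point.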
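Review bot: In the Tenant.status.classes table (hunk @@ -2220,16 +1880,11 @@), the `runtime` row is carried over with the description "Available StorageClasses", which duplicates the `storage` row and looks like a copy-paste slip for RuntimeClasses. The `storage` row also spells it "Storageclasses", unlike the other rows. Both strings pass through regeneration unchanged, so fix them in the CRD source descriptions and regenerate instead of editing reference.md by hand.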
@@ -2344,32 +1982,19 @@ TenantSpec defines the desired state of Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[owners](#tenantspecownersindex)** | []object |Specifies the owners of the Tenant. Mandatory. -| true | -| **[additionalRoleBindings](#tenantspecadditionalrolebindingsindex)** | []object |Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional. -| false | -| **[containerRegistries](#tenantspeccontainerregistries)** | object |Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional. -| false | -| **imagePullPolicies** | []enum |Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
*Enum*: Always, Never, IfNotPresent
-| false | -| **[ingressOptions](#tenantspecingressoptions)** | object |Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional. -| false | -| **[limitRanges](#tenantspeclimitranges)** | object |Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional. -| false | -| **[namespaceOptions](#tenantspecnamespaceoptions)** | object |Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional. -| false | -| **[networkPolicies](#tenantspecnetworkpolicies)** | object |Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional. -| false | -| **nodeSelector** | map[string]string |Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional. -| false | -| **[priorityClasses](#tenantspecpriorityclasses)** | object |Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional. -| false | -| **[resourceQuotas](#tenantspecresourcequotas)** | object |Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional. 
-| false | -| **[serviceOptions](#tenantspecserviceoptions)** | object |Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional. -| false | -| **[storageClasses](#tenantspecstorageclasses)** | object |Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional. -| false | +| **[owners](#tenantspecownersindex)** | []object | Specifies the owners of the Tenant. Mandatory. | true | +| **[additionalRoleBindings](#tenantspecadditionalrolebindingsindex)** | []object | Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional. | false | +| **[containerRegistries](#tenantspeccontainerregistries)** | object | Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional. | false | +| **imagePullPolicies** | []enum | Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
*Enum*: Always, Never, IfNotPresent
| false | +| **[ingressOptions](#tenantspecingressoptions)** | object | Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional. | false | +| **[limitRanges](#tenantspeclimitranges)** | object | Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional. | false | +| **[namespaceOptions](#tenantspecnamespaceoptions)** | object | Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional. | false | +| **[networkPolicies](#tenantspecnetworkpolicies)** | object | Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional. | false | +| **nodeSelector** | map[string]string | Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional. | false | +| **[priorityClasses](#tenantspecpriorityclasses)** | object | Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional. | false | +| **[resourceQuotas](#tenantspecresourcequotas)** | object | Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional. 
| false | +| **[serviceOptions](#tenantspecserviceoptions)** | object | Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional. | false | +| **[storageClasses](#tenantspecstorageclasses)** | object | Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional. | false | ### Tenant.spec.owners[index] @@ -2381,12 +2006,9 @@ TenantSpec defines the desired state of Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
-| true | -| **name** | string |Name of tenant owner. -| true | -| **[proxySettings](#tenantspecownersindexproxysettingsindex)** | []object |Proxy settings for tenant owner. -| false | +| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | +| **name** | string | Name of tenant owner. | true | +| **[proxySettings](#tenantspecownersindexproxysettingsindex)** | []object | Proxy settings for tenant owner. | false | ### Tenant.spec.owners[index].proxySettings[index] @@ -2398,10 +2020,8 @@ TenantSpec defines the desired state of Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses
-| true | -| **operations** | []enum |
*Enum*: List, Update, Delete
-| true | +| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses
| true | +| **operations** | []enum |
*Enum*: List, Update, Delete
| true | ### Tenant.spec.additionalRoleBindings[index] @@ -2413,14 +2033,10 @@ TenantSpec defines the desired state of Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **clusterRoleName** | string | -| true | -| **[subjects](#tenantspecadditionalrolebindingsindexsubjectsindex)** | []object |kubebuilder:validation:Minimum=1 -| true | -| **annotations** | map[string]string |Additional Annotations for the synchronized rolebindings -| false | -| **labels** | map[string]string |Additional Labels for the synchronized rolebindings -| false | +| **clusterRoleName** | string | | true | +| **[subjects](#tenantspecadditionalrolebindingsindexsubjectsindex)** | []object | kubebuilder:validation:Minimum=1 | true | +| **annotations** | map[string]string | Additional Annotations for the synchronized rolebindings | false | +| **labels** | map[string]string | Additional Labels for the synchronized rolebindings | false | ### Tenant.spec.additionalRoleBindings[index].subjects[index] @@ -2433,14 +2049,10 @@ or a value for non-objects such as user and group names. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | string |Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error. -| true | -| **name** | string |Name of the object being referenced. -| true | -| **apiGroup** | string |APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects. -| false | -| **namespace** | string |Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error. -| false | +| **kind** | string | Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error. | true | +| **name** | string | Name of the object being referenced. | true | +| **apiGroup** | string | APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects. | false | +| **namespace** | string | Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error. | false | ### Tenant.spec.containerRegistries @@ -2452,10 +2064,8 @@ Specifies the trusted Image Registries assigned to the Tenant. Capsule assures t | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | ### Tenant.spec.ingressOptions @@ -2467,12 +2077,9 @@ Specifies options for the Ingress resources, such as allowed hostnames and Ingre | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[allowedClasses](#tenantspecingressoptionsallowedclasses)** | object |Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional. -| false | -| **[allowedHostnames](#tenantspecingressoptionsallowedhostnames)** | object |Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional. -| false | -| **hostnameCollisionScope** | enum |Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.

- Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.

- Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.

- Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.

Optional.
*Enum*: Cluster, Tenant, Namespace, Disabled
*Default*: Disabled
-| false | +| **[allowedClasses](#tenantspecingressoptionsallowedclasses)** | object | Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional. | false | +| **[allowedHostnames](#tenantspecingressoptionsallowedhostnames)** | object | Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional. | false | +| **hostnameCollisionScope** | enum | Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.

- Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.

- Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.

- Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.

Optional.
*Enum*: Cluster, Tenant, Namespace, Disabled
*Default*: Disabled
| false | ### Tenant.spec.ingressOptions.allowedClasses @@ -2484,10 +2091,8 @@ Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures tha | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | ### Tenant.spec.ingressOptions.allowedHostnames @@ -2499,10 +2104,8 @@ Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assur | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | ### Tenant.spec.limitRanges @@ -2514,8 +2117,7 @@ Specifies the resource min/max usage restrictions to the Tenant. The assigned va | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[items](#tenantspeclimitrangesitemsindex)** | []object | -| false | +| **[items](#tenantspeclimitrangesitemsindex)** | []object | | false | ### Tenant.spec.limitRanges.items[index] @@ -2527,8 +2129,7 @@ LimitRangeSpec defines a min/max usage limit for resources that match on kind. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[limits](#tenantspeclimitrangesitemsindexlimitsindex)** | []object |Limits is the list of LimitRangeItem objects that are enforced. -| true | +| **[limits](#tenantspeclimitrangesitemsindexlimitsindex)** | []object | Limits is the list of LimitRangeItem objects that are enforced. | true | ### Tenant.spec.limitRanges.items[index].limits[index] 
@@ -2540,18 +2141,12 @@ LimitRangeItem defines a min/max usage limit for any resource that matches on ki | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **type** | string |Type of resource that this limit applies to. -| true | -| **default** | map[string]int or string |Default resource requirement limit value by resource name if resource limit is omitted. -| false | -| **defaultRequest** | map[string]int or string |DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. -| false | -| **max** | map[string]int or string |Max usage constraints on this kind by resource name. -| false | -| **maxLimitRequestRatio** | map[string]int or string |MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. -| false | -| **min** | map[string]int or string |Min usage constraints on this kind by resource name. -| false | +| **type** | string | Type of resource that this limit applies to. | true | +| **default** | map[string]int or string | Default resource requirement limit value by resource name if resource limit is omitted. | false | +| **defaultRequest** | map[string]int or string | DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. | false | +| **max** | map[string]int or string | Max usage constraints on this kind by resource name. | false | +| **maxLimitRequestRatio** | map[string]int or string | MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. 
| false | +| **min** | map[string]int or string | Min usage constraints on this kind by resource name. | false | ### Tenant.spec.namespaceOptions @@ -2563,10 +2158,8 @@ Specifies options for the Namespaces, such as additional metadata or maximum num | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalMetadata](#tenantspecnamespaceoptionsadditionalmetadata)** | object |Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional. -| false | -| **quota** | integer |Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
*Format*: int32
*Minimum*: 1
-| false | +| **[additionalMetadata](#tenantspecnamespaceoptionsadditionalmetadata)** | object | Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional. | false | +| **quota** | integer | Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
*Format*: int32
*Minimum*: 1
| false | ### Tenant.spec.namespaceOptions.additionalMetadata @@ -2578,10 +2171,8 @@ Specifies additional labels and annotations the Capsule operator places on any N | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | ### Tenant.spec.networkPolicies @@ -2593,8 +2184,7 @@ Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolici | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[items](#tenantspecnetworkpoliciesitemsindex)** | []object | -| false | +| **[items](#tenantspecnetworkpoliciesitemsindex)** | []object | | false | ### Tenant.spec.networkPolicies.items[index] @@ -2606,14 +2196,10 @@ NetworkPolicySpec provides the specification of a NetworkPolicy | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[egress](#tenantspecnetworkpoliciesitemsindexegressindex)** | []object |egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
otherwise allows the traffic), OR if the traffic matches at least one egress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
solely to ensure that the pods it selects are isolated by default).
This field is beta-level in 1.8 -| false | -| **[ingress](#tenantspecnetworkpoliciesitemsindexingressindex)** | []object |ingress is a list of ingress rules to be applied to the selected pods.
Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
(and cluster policy otherwise allows the traffic), OR if the traffic source is
the pod's local node, OR if the traffic matches at least one ingress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy does not allow any traffic (and serves
solely to ensure that the pods it selects are isolated by default) -| false | -| **[podSelector](#tenantspecnetworkpoliciesitemsindexpodselector)** | object |podSelector selects the pods to which this NetworkPolicy object applies.
The array of rules is applied to any pods selected by this field. An empty
selector matches all pods in the policy's namespace.
Multiple network policies can select the same set of pods. In this case,
the ingress rules for each are combined additively.
This field is optional. If it is not specified, it defaults to an empty selector. -| false | -| **policyTypes** | []string |policyTypes is a list of rule types that the NetworkPolicy relates to.
Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
If this field is not specified, it will default based on the existence of ingress or egress rules;
policies that contain an egress section are assumed to affect egress, and all policies
(whether or not they contain an ingress section) are assumed to affect ingress.
If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
Likewise, if you want to write a policy that specifies that no egress is allowed,
you must specify a policyTypes value that include "Egress" (since such a policy would not include
an egress section and would otherwise default to just [ "Ingress" ]).
This field is beta-level in 1.8 -| false | +| **[egress](#tenantspecnetworkpoliciesitemsindexegressindex)** | []object | egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
otherwise allows the traffic), OR if the traffic matches at least one egress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
solely to ensure that the pods it selects are isolated by default).
This field is beta-level in 1.8 | false | +| **[ingress](#tenantspecnetworkpoliciesitemsindexingressindex)** | []object | ingress is a list of ingress rules to be applied to the selected pods.
Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
(and cluster policy otherwise allows the traffic), OR if the traffic source is
the pod's local node, OR if the traffic matches at least one ingress rule
across all of the NetworkPolicy objects whose podSelector matches the pod. If
this field is empty then this NetworkPolicy does not allow any traffic (and serves
solely to ensure that the pods it selects are isolated by default) | false | +| **[podSelector](#tenantspecnetworkpoliciesitemsindexpodselector)** | object | podSelector selects the pods to which this NetworkPolicy object applies.
The array of rules is applied to any pods selected by this field. An empty
selector matches all pods in the policy's namespace.
Multiple network policies can select the same set of pods. In this case,
the ingress rules for each are combined additively.
This field is optional. If it is not specified, it defaults to an empty selector. | false | +| **policyTypes** | []string | policyTypes is a list of rule types that the NetworkPolicy relates to.
Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
If this field is not specified, it will default based on the existence of ingress or egress rules;
policies that contain an egress section are assumed to affect egress, and all policies
(whether or not they contain an ingress section) are assumed to affect ingress.
If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
Likewise, if you want to write a policy that specifies that no egress is allowed,
you must specify a policyTypes value that include "Egress" (since such a policy would not include
an egress section and would otherwise default to just [ "Ingress" ]).
This field is beta-level in 1.8 | false | ### Tenant.spec.networkPolicies.items[index].egress[index] @@ -2627,10 +2213,8 @@ This type is beta-level in 1.8 | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[ports](#tenantspecnetworkpoliciesitemsindexegressindexportsindex)** | []object |ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. -| false | -| **[to](#tenantspecnetworkpoliciesitemsindexegressindextoindex)** | []object |to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list. -| false | +| **[ports](#tenantspecnetworkpoliciesitemsindexegressindexportsindex)** | []object | ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. | false | +| **[to](#tenantspecnetworkpoliciesitemsindexegressindextoindex)** | []object | to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].ports[index] @@ -2642,12 +2226,9 @@ NetworkPolicyPort describes a port to allow traffic on | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **endPort** | integer |endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
-| false | -| **port** | int or string |port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. -| false | -| **protocol** | string |protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. -| false | +| **endPort** | integer | endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
| false | +| **port** | int or string | port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. | false | +| **protocol** | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index] @@ -2660,12 +2241,9 @@ fields are allowed | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[ipBlock](#tenantspecnetworkpoliciesitemsindexegressindextoindexipblock)** | object |ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. -| false | -| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselector)** | object |namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. -| false | -| **[podSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselector)** | object |podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. -| false | +| **[ipBlock](#tenantspecnetworkpoliciesitemsindexegressindextoindexipblock)** | object | ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. | false | +| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselector)** | object | namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. | false | +| **[podSelector](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselector)** | object | podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].ipBlock @@ -2678,10 +2256,8 @@ neither of the other fields can be. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **cidr** | string |cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" -| true | -| **except** | []string |except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range -| false | +| **cidr** | string | cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | true | +| **except** | []string | except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector @@ -2698,10 +2274,8 @@ Otherwise it selects all pods in the namespaces selected by namespaceSelector. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].namespaceSelector.matchExpressions[index] @@ -2714,12 +2288,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector @@ -2736,10 +2307,8 @@ Otherwise it selects the pods matching podSelector in the policy's own namespace | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexegressindextoindexpodselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].egress[index].to[index].podSelector.matchExpressions[index] @@ -2752,12 +2321,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index] @@ -2770,10 +2336,8 @@ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[from](#tenantspecnetworkpoliciesitemsindexingressindexfromindex)** | []object |from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list. -| false | -| **[ports](#tenantspecnetworkpoliciesitemsindexingressindexportsindex)** | []object |ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. -| false | +| **[from](#tenantspecnetworkpoliciesitemsindexingressindexfromindex)** | []object | from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list. | false | +| **[ports](#tenantspecnetworkpoliciesitemsindexingressindexportsindex)** | []object | ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index] @@ -2786,12 +2350,9 @@ fields are allowed | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[ipBlock](#tenantspecnetworkpoliciesitemsindexingressindexfromindexipblock)** | object |ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. -| false | -| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselector)** | object |namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. -| false | -| **[podSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselector)** | object |podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. -| false | +| **[ipBlock](#tenantspecnetworkpoliciesitemsindexingressindexfromindexipblock)** | object | ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be. | false | +| **[namespaceSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselector)** | object | namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector. | false | +| **[podSelector](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselector)** | object | podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].ipBlock @@ -2804,10 +2365,8 @@ neither of the other fields can be. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **cidr** | string |cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" -| true | -| **except** | []string |except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range -| false | +| **cidr** | string | cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | true | +| **except** | []string | except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector @@ -2824,10 +2383,8 @@ Otherwise it selects all pods in the namespaces selected by namespaceSelector. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexnamespaceselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].namespaceSelector.matchExpressions[index] @@ -2840,12 +2397,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector @@ -2862,10 +2416,8 @@ Otherwise it selects the pods matching podSelector in the policy's own namespace | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexingressindexfromindexpodselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].from[index].podSelector.matchExpressions[index] @@ -2878,12 +2430,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.networkPolicies.items[index].ingress[index].ports[index] @@ -2895,12 +2444,9 @@ NetworkPolicyPort describes a port to allow traffic on | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **endPort** | integer |endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
-| false | -| **port** | int or string |port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. -| false | -| **protocol** | string |protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. -| false | +| **endPort** | integer | endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
*Format*: int32
| false | +| **port** | int or string | port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. | false | +| **protocol** | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. | false | ### Tenant.spec.networkPolicies.items[index].podSelector @@ -2917,10 +2463,8 @@ This field is optional. If it is not specified, it defaults to an empty selector | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexpodselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. -| false | -| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. -| false | +| **[matchExpressions](#tenantspecnetworkpoliciesitemsindexpodselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | +| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | ### Tenant.spec.networkPolicies.items[index].podSelector.matchExpressions[index] @@ -2933,12 +2477,9 @@ relates the key and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string |key is the label key that the selector applies to. -| true | -| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. -| true | -| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. -| false | +| **key** | string | key is the label key that the selector applies to. | true | +| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | +| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | ### Tenant.spec.priorityClasses @@ -2950,10 +2491,8 @@ Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures th | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | ### Tenant.spec.resourceQuotas @@ -2965,10 +2504,8 @@ Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[items](#tenantspecresourcequotasitemsindex)** | []object | -| false | -| **scope** | enum |Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
*Enum*: Tenant, Namespace
*Default*: Tenant
-| false | +| **[items](#tenantspecresourcequotasitemsindex)** | []object | | false | +| **scope** | enum | Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
*Enum*: Tenant, Namespace
*Default*: Tenant
| false | ### Tenant.spec.resourceQuotas.items[index] @@ -2980,12 +2517,9 @@ ResourceQuotaSpec defines the desired hard limits to enforce for Quota. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **hard** | map[string]int or string |hard is the set of desired hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ -| false | -| **[scopeSelector](#tenantspecresourcequotasitemsindexscopeselector)** | object |scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
but expressed using ScopeSelectorOperator in combination with possible values.
For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. -| false | -| **scopes** | []string |A collection of filters that must match each object tracked by a quota.
If not specified, the quota matches all objects. -| false | +| **hard** | map[string]int or string | hard is the set of desired hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | false | +| **[scopeSelector](#tenantspecresourcequotasitemsindexscopeselector)** | object | scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
but expressed using ScopeSelectorOperator in combination with possible values.
For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. | false | +| **scopes** | []string | A collection of filters that must match each object tracked by a quota.
If not specified, the quota matches all objects. | false | ### Tenant.spec.resourceQuotas.items[index].scopeSelector @@ -2999,8 +2533,7 @@ For a resource to match, both scopes AND scopeSelector (if specified in spec), m | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#tenantspecresourcequotasitemsindexscopeselectormatchexpressionsindex)** | []object |A list of scope selector requirements by scope of the resources. -| false | +| **[matchExpressions](#tenantspecresourcequotasitemsindexscopeselectormatchexpressionsindex)** | []object | A list of scope selector requirements by scope of the resources. | false | ### Tenant.spec.resourceQuotas.items[index].scopeSelector.matchExpressions[index] @@ -3013,12 +2546,9 @@ that relates the scope name and values. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **operator** | string |Represents a scope's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. -| true | -| **scopeName** | string |The name of the scope that the selector applies to. -| true | -| **values** | []string |An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty.
This array is replaced during a strategic merge patch. -| false | +| **operator** | string | Represents a scope's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. | true | +| **scopeName** | string | The name of the scope that the selector applies to. | true | +| **values** | []string | An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty.
This array is replaced during a strategic merge patch. | false | ### Tenant.spec.serviceOptions 
@@ -3030,16 +2560,11 @@ Specifies options for the Service, such as additional metadata or block of certa | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[additionalMetadata](#tenantspecserviceoptionsadditionalmetadata)** | object |Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional. -| false | -| **[allowedServices](#tenantspecserviceoptionsallowedservices)** | object |Block or deny certain type of Services. Optional. -| false | -| **[externalIPs](#tenantspecserviceoptionsexternalips)** | object |Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional. -| false | -| **[forbiddenAnnotations](#tenantspecserviceoptionsforbiddenannotations)** | object |Define the annotations that a Tenant Owner cannot set for their Service resources. -| false | -| **[forbiddenLabels](#tenantspecserviceoptionsforbiddenlabels)** | object |Define the labels that a Tenant Owner cannot set for their Service resources. -| false | +| **[additionalMetadata](#tenantspecserviceoptionsadditionalmetadata)** | object | Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional. | false | +| **[allowedServices](#tenantspecserviceoptionsallowedservices)** | object | Block or deny certain type of Services. Optional. | false | +| **[externalIPs](#tenantspecserviceoptionsexternalips)** | object | Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional. | false | +| **[forbiddenAnnotations](#tenantspecserviceoptionsforbiddenannotations)** | object | Define the annotations that a Tenant Owner cannot set for their Service resources. 
| false | +| **[forbiddenLabels](#tenantspecserviceoptionsforbiddenlabels)** | object | Define the labels that a Tenant Owner cannot set for their Service resources. | false | ### Tenant.spec.serviceOptions.additionalMetadata @@ -3051,10 +2576,8 @@ Specifies additional labels and annotations the Capsule operator places on any S | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **annotations** | map[string]string | -| false | -| **labels** | map[string]string | -| false | +| **annotations** | map[string]string | | false | +| **labels** | map[string]string | | false | ### Tenant.spec.serviceOptions.allowedServices @@ -3066,12 +2589,9 @@ Block or deny certain type of Services. Optional. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **externalName** | boolean |Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
-| false | -| **loadBalancer** | boolean |Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
-| false | -| **nodePort** | boolean |Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
-| false | +| **externalName** | boolean | Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
| false | +| **loadBalancer** | boolean | Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
| false | +| **nodePort** | boolean | Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
*Default*: true
| false | ### Tenant.spec.serviceOptions.externalIPs @@ -3083,8 +2603,7 @@ Specifies the external IPs that can be used in Services with type ClusterIP. An | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string | -| true | +| **allowed** | []string | | true | ### Tenant.spec.serviceOptions.forbiddenAnnotations @@ -3096,10 +2615,8 @@ Define the annotations that a Tenant Owner cannot set for their Service resource | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### Tenant.spec.serviceOptions.forbiddenLabels @@ -3111,10 +2628,8 @@ Define the labels that a Tenant Owner cannot set for their Service resources. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **denied** | []string | -| false | -| **deniedRegex** | string | -| false | +| **denied** | []string | | false | +| **deniedRegex** | string | | false | ### Tenant.spec.storageClasses @@ -3126,10 +2641,8 @@ Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures tha | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **allowed** | []string |Match exact elements which are allowed as class names within this tenant -| false | -| **allowedRegex** | string |Deprecated: will be removed in a future release

Match elements by regex.
-| false | +| **allowed** | []string | Match exact elements which are allowed as class names within this tenant | false | +| **allowedRegex** | string | Deprecated: will be removed in a future release

Match elements by regex.
| false | ### Tenant.status @@ -3141,10 +2654,7 @@ Returns the observed state of the Tenant. | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **size** | integer |How many namespaces are assigned to the Tenant. -| true | -| **state** | enum |The operational state of the Tenant. Possible values are "Active", "Cordoned".
*Enum*: Cordoned, Active
*Default*: Active
-| true | -| **namespaces** | []string |List of namespaces assigned to the Tenant. -| false | +| **size** | integer | How many namespaces are assigned to the Tenant. | true | +| **state** | enum | The operational state of the Tenant. Possible values are "Active", "Cordoned".
*Enum*: Cordoned, Active
*Default*: Active
| true | +| **namespaces** | []string | List of namespaces assigned to the Tenant. | false | diff --git a/templates/crds.tmpl b/templates/crds.tmpl index eb53966..ab5dd12 100644 --- a/templates/crds.tmpl +++ b/templates/crds.tmpl @@ -42,19 +42,19 @@ Resource Types: {{- end -}} {{- range .Fields }} {{- $lowerDesc := lower .Description }} -| **{{if .TypeKey}}[{{.Name}}](#{{.TypeKey}}){{else}}{{.Name}}{{end}}** | {{.Type}} | +| **{{if .TypeKey}}[{{.Name}}](#{{.TypeKey}}){{else}}{{.Name}}{{end}}** | {{.Type}} |{{" " -}} +{{- /* Description and schema details stay within the same table cell */ -}} {{- if contains "deprecated" $lowerDesc -}} {{ .Description | replace "\n" "
" }}
{{- else -}} {{ .Description | replace "\n" "
" }} {{- end -}} -{{- if or .Schema.Format .Schema.Enum .Schema.Default .Schema.Minimum .Schema.Maximum }}
{{- end}} -{{- if .Schema.Format }}*Format*: {{.Schema.Format}}
{{- end}} -{{- if .Schema.Enum }}*Enum*: {{.Schema.Enum | toStrings | join ", "}}
{{- end}} -{{- if .Schema.Default }}*Default*: {{.Schema.Default}}
{{- end}} -{{- if .Schema.Minimum }}*Minimum*: {{.Schema.Minimum}}
{{- end}} -{{- if .Schema.Maximum }}*Maximum*: {{.Schema.Maximum}}
{{- end}} -| {{.Required}} | +{{- if or .Schema.Format .Schema.Enum .Schema.Default .Schema.Minimum .Schema.Maximum }}
{{- end}} +{{- if .Schema.Format }}*Format*: {{.Schema.Format}}
{{- end}} +{{- if .Schema.Enum }}*Enum*: {{.Schema.Enum | toStrings | join ", "}}
{{- end}} +{{- if .Schema.Default }}*Default*: {{.Schema.Default}}
{{- end}} +{{- if .Schema.Minimum }}*Minimum*: {{.Schema.Minimum}}
{{- end}} +{{- if .Schema.Maximum }}*Maximum*: {{.Schema.Maximum}}
{{- end}} | {{.Required}} | {{- end -}} {{- end}}{{/* range .Types */}} From cb03eb5591c0bbbaa0590e5e340c55151662585c Mon Sep 17 00:00:00 2001 From: sandert-k8s Date: Thu, 15 Jan 2026 07:20:39 +0100 Subject: [PATCH 2/3] fix(lychee): fix config Signed-off-by: sandert-k8s --- .github/workflows/check-links.yml | 8 ++++++-- config/lychee.toml | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml index d0e0dd5..7e93d13 100644 --- a/.github/workflows/check-links.yml +++ b/.github/workflows/check-links.yml @@ -12,12 +12,16 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - + jobs: linkChecker: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Copy images to content folder for lychee # Hugo serves images from /static, lychee needs them in content/en/images + run: | + mkdir -p content/en/images + cp -R static/images/. content/en/images/ - name: Check unrendered links id: lychee_unrendered uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1 @@ -26,4 +30,4 @@ jobs: with: fail: true debug: false - args: --github-token ${{secrets.GITHUB_TOKEN}} --config config/lychee.toml --max-concurrency 2 --max-retries 3 --retry-wait-time 5 --accept 200,429 --timeout 60 -E ./content \ No newline at end of file + args: --github-token ${{secrets.GITHUB_TOKEN}} --config config/lychee.toml --max-concurrency 2 --max-retries 3 --retry-wait-time 5 --accept 200,429 --timeout 60 -E ./content diff --git a/config/lychee.toml b/config/lychee.toml index 17eae79..8a90b99 100644 --- a/config/lychee.toml +++ b/config/lychee.toml @@ -1 +1,4 @@ +root_dir = "content/en" +fallback_extensions = ["md", "html"] +exclude = ["https://goteleport.com/"] # Teleport always returns 403, even it is available exclude_path = ["public/docs/reference/"] 
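Review bot: in templates/crds.tmpl, `.Description` is written into the table cell with only its newlines replaced, so a `|` inside a field description would still split the cell and shift the Required column, which is the same class of breakage this commit fixes. Escaping the pipe in the same pipeline as the newline `replace` would close that gap. Each of the *Format*, *Enum*, *Default*, *Minimum* and *Maximum* lines also ends with a line-break tag, so cells that carry schema details end in an empty break before `| {{.Required}} |` (the regenerated `endPort` row shows it); emitting the break between details rather than after each one would avoid that.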
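Review bot: in the Tenant.spec.resourceQuotas hunk of content/en/docs/reference.md, the `scope` description says the budget is computed across all Namespaces in the Tenant "or individually per cluster", while the enum listed in the same cell is Tenant, Namespace. The text and the enum disagree; since this file is regenerated, the wording should be corrected in the field comment the reference is generated from (presumably "per Namespace") and the docs regenerated, not edited here.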
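Review bot: the Tenant.spec.serviceOptions hunks of content/en/docs/reference.md still render `annotations`, `labels`, `externalIPs.allowed`, `denied` and `deniedRegex` with an empty Description cell, so the reference does not say what format `allowed` entries take or how `deniedRegex` is matched. These fields restrict what a Tenant Owner can set, so the matching semantics belong in the docs; adding comments to the source fields and regenerating would fill the cells now that the table layout is fixed.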
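Review bot: in config/lychee.toml, the new `exclude` entry is interpreted by lychee as a regular expression, so `https://goteleport.com/` is unanchored, has an unescaped dot, and skips every URL that contains that string, including all deep links under the site. Broken Teleport links in the docs will no longer be reported. Consider anchoring and escaping the pattern (`^https://goteleport\.com/`), or excluding only the specific URLs the docs reference. The trailing comment should read "even if it is available".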
From 5b1edd3c23251ddfbbab8cf4f9767334fddf49c1 Mon Sep 17 00:00:00 2001 From: sandert-k8s Date: Thu, 15 Jan 2026 09:22:04 +0100 Subject: [PATCH 3/3] fix(docs): broken links Signed-off-by: sandert-k8s --- content/en/_index.md | 2 +- content/en/docs/operating/monitoring.md | 2 +- content/en/docs/operating/setup/installation.md | 2 +- .../en/docs/operating/setup/managed-kubernetes.md | 2 +- content/en/docs/operating/setup/rancher.md | 6 +++--- content/en/docs/proxy/options.md | 4 ++-- content/en/docs/tenants/metadata.md | 4 ++-- content/en/docs/tenants/namespaces.md | 12 ++++++------ content/en/docs/tenants/quickstart.md | 8 ++++---- content/en/ecosystem/integrations/dashboard.md | 8 ++++---- content/en/ecosystem/integrations/gangplank.md | 2 +- content/en/ecosystem/integrations/headlamp.md | 2 +- content/en/ecosystem/integrations/kyverno.md | 6 +++--- content/en/ecosystem/integrations/monitoring.md | 4 ++-- content/en/ecosystem/integrations/teleport.md | 2 +- 15 files changed, 33 insertions(+), 33 deletions(-) diff --git a/content/en/_index.md b/content/en/_index.md index 7485ab6..4470053 100644 --- a/content/en/_index.md +++ b/content/en/_index.md @@ -78,7 +78,7 @@ Capsule is completely declarative and GitOps ready.
- The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage. + The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage.
{{% /blocks/lead %}} diff --git a/content/en/docs/operating/monitoring.md b/content/en/docs/operating/monitoring.md index 90f959d..a017abe 100644 --- a/content/en/docs/operating/monitoring.md +++ b/content/en/docs/operating/monitoring.md @@ -232,7 +232,7 @@ capsule_tenant_resource_usage{resource="requests.memory",resourcequotaindex="0", ## Custom Metrics -You can gather more information based on the status of the tenants. These can be scrapped via [Kube-State-Metrics CustomResourcesState Metrics](https://github.com/kubernetes/kube-state-metrics/blob/main/docs/customresourcestate-metrics.md). With these you have the possibility to create custom metrics based on the status of the tenants. +You can gather more information based on the status of the tenants. These can be scrapped via [Kube-State-Metrics CustomResourcesState Metrics](https://github.com/kubernetes/kube-state-metrics/blob/main/docs/metrics/extend/customresourcestate-metrics.md). With these you have the possibility to create custom metrics based on the status of the tenants. Here as an example with the [kube-prometheus-stack chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack), set the following values: diff --git a/content/en/docs/operating/setup/installation.md b/content/en/docs/operating/setup/installation.md index fbfa6f7..8cdebd6 100644 --- a/content/en/docs/operating/setup/installation.md +++ b/content/en/docs/operating/setup/installation.md 
@@ -323,7 +323,7 @@ spec: ### Signature -To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example: +To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/cosign/verifying/verify/#keyless-verification-using-openid-connect). You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example: # Docker Image export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule diff --git a/content/en/docs/operating/setup/managed-kubernetes.md b/content/en/docs/operating/setup/managed-kubernetes.md index d67ccde..0e4c60f 100644 --- a/content/en/docs/operating/setup/managed-kubernetes.md +++ b/content/en/docs/operating/setup/managed-kubernetes.md @@ -133,7 +133,7 @@ Export "admin" kubeconfig to be able to install Capsule: export KUBECONFIG=kubeconfig.conf ``` -[Install Capsule](/docs/getting-started#install) and create a tenant where alice has ownership. Use the default Tenant example: +[Install Capsule](./installation#installation) and create a tenant where alice has ownership. Use the default Tenant example: ```bash kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/samples/capsule_v1beta1_tenant.yaml diff --git a/content/en/docs/operating/setup/rancher.md b/content/en/docs/operating/setup/rancher.md index e837595..ab51dd1 100644 --- a/content/en/docs/operating/setup/rancher.md +++ b/content/en/docs/operating/setup/rancher.md 
@@ -17,7 +17,7 @@ Tenant users will have the ability to access Kubernetes resources through: * Rancher UI * Rancher Shell * Kubernetes CLI - + On the other side, administrators need to manage the Kubernetes clusters through Rancher. Rancher provides a feature called Projects to segregate resources inside a common domain. At the same time Projects doesn't provide way to segregate Kubernetes cluster-scope resources. @@ -154,7 +154,7 @@ the `Namespace` is now part of both the Tenant and the Project. #### Project monitoring -Before proceeding is recommended to read the official Rancher documentation about [Project Monitors](https://ranchermanager.docs.rancher.com/v2.6/how-to-guides/advanced-user-guides/monitoring-alerting-guides/prometheus-federator-guides/project-monitors). +Before proceeding is recommended to read the official Rancher documentation about [Project Monitors](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/monitoring-alerting-guides/prometheus-federator-guides/project-monitors). In summary, the setup is composed by a cluster-level Prometheus, Prometheus Federator via which single Project-level Prometheus federate to. 
@@ -261,7 +261,7 @@ Install keeping attention to the following Helm values: ### Rancher Cluster Agent -In both CLI and dashboard use cases, the [Cluster Agent](https://ranchermanager.docs.rancher.com/v2.5/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/launch-kubernetes-with-rancher/about-rancher-agents) is responsible for the two-way communication between Rancher and the downstream cluster. +In both CLI and dashboard use cases, the [Cluster Agent](https://ranchermanager.docs.rancher.com/reference-guides/rancher-manager-architecture/communicating-with-downstream-user-clusters#2-cluster-controllers-and-cluster-agents) is responsible for the two-way communication between Rancher and the downstream cluster. In a standard setup, the Cluster Agents communicates to the API server. In this setup it will communicate with Capsule Proxy to ensure filtering of cluster-scope resources, for Tenants. diff --git a/content/en/docs/proxy/options.md b/content/en/docs/proxy/options.md index 1db11a9..46d7ca5 100644 --- a/content/en/docs/proxy/options.md +++ b/content/en/docs/proxy/options.md 
@@ -19,6 +19,6 @@ Feature Gates are a set of key/value pairs that can be used to enable or disable | **Feature Gate** | **Default Value** | **Description** | | :--- | :--- | :--- | -| `ProxyAllNamespaced` | `false` | `ProxyAllNamespaced` allows to proxy all the Namespaced objects. When enabled, it will discover apis and ensure labels are set for resources in all tenant namespaces resulting in increased memory. However this feature helps with user experience. | +| `ProxyAllNamespaced` | `true` | `ProxyAllNamespaced` allows to proxy all the Namespaced objects. When enabled, it will discover apis and ensure labels are set for resources in all tenant namespaces resulting in increased memory. However this feature helps with user experience. | | `SkipImpersonationReview` | `false` | `SkipImpersonationReview` allows to skip the impersonation review for all requests containing impersonation headers (user and groups). **DANGER:** Enabling this flag allows any user to impersonate as any user or group essentially bypassing any authorization. Only use this option in trusted environments where authorization/authentication is offloaded to external systems. | -| `ProxyClusterScoped` | `false` | `ProxyClusterScoped` allows to proxy all clusterScoped objects for all tenant users. These can be defined via [ProxySettings](/docs/integrations/capsule-proxy/proxysettings/#cluster-resources) | +| `ProxyClusterScoped` | `false` | `ProxyClusterScoped` allows to proxy all clusterScoped objects for all tenant users. These can be defined via [ProxySettings](./proxysettings) | diff --git a/content/en/docs/tenants/metadata.md b/content/en/docs/tenants/metadata.md index 7741a1b..3f66cbe 100644 --- a/content/en/docs/tenants/metadata.md +++ b/content/en/docs/tenants/metadata.md 
@@ -158,7 +158,7 @@ spec: Due to [CVE-2021-25735](https://github.com/kubernetes/kubernetes/issues/100096) this feature is only supported for Kubernetes version older than: v1.18.18, v1.19.10, v1.20.6, v1.21.0 {{% /alert %}} -When using capsule together with [capsule-proxy](/docs/integrations/capsule-proxy), Bill can allow Tenant Owners to modify Nodes. +When using capsule together with [capsule-proxy](/docs/proxy/_index), Bill can allow Tenant Owners to modify Nodes. By default, it will allow tenant owners to add and modify any label or annotation on their nodes. @@ -269,4 +269,4 @@ metadata: annotations: storagelocationtype: s3 ... -``` \ No newline at end of file +``` diff --git a/content/en/docs/tenants/namespaces.md b/content/en/docs/tenants/namespaces.md index b6c23b2..2314b30 100644 --- a/content/en/docs/tenants/namespaces.md +++ b/content/en/docs/tenants/namespaces.md 
@@ -11,12 +11,12 @@ Alice, once logged with her credentials, can create a new `Namespace` in her `Te kubectl create ns solar-production ``` -Alice started the name of the `Namespace` prepended by the name of the `Tenant`: this is not a strict requirement but it is highly suggested because it is likely that many different `Tenants` would like to call their `Namespaces` `production`, `test`, or `demo`, etc. The enforcement of this naming convention is optional and can be controlled by the cluster administrator with [forceTenantPrefix](/docs/tenants/configuration/#forcetenantprefix) option. +Alice started the name of the `Namespace` prepended by the name of the `Tenant`: this is not a strict requirement but it is highly suggested because it is likely that many different `Tenants` would like to call their `Namespaces` `production`, `test`, or `demo`, etc. The enforcement of this naming convention is optional and can be controlled by the cluster administrator with [forceTenantPrefix](/docs/tenants/administration/#force-tenant-prefix) option. Alice can deploy any resource in any of the `Namespaces`. That is because she is the [owner](/docs/tenants/permissions/#ownership) of the tenant `solar` and therefore she has full control over all `Namespaces` assigned to that `Tenant`. ```bash -kubectl -n solar-development run nginx --image=docker.io/nginx +kubectl -n solar-development run nginx --image=docker.io/nginx kubectl -n solar-development get pods ``` @@ -114,7 +114,7 @@ spec: kind: User ``` -and +and ```yaml apiVersion: capsule.clastix.io/v1beta2 
@@ -150,7 +150,7 @@ When Alice logs in, she has access to all namespaces belonging to both the solar > We recommend to use the [forceTenantPrefix](/docs/tenants/administration/#force-tenant-prefix) for production environments. -If the [forceTenantPrefix](/docs/operating/setup/configuration/#forcetenantprefix) option is enabled, which is **not** the case by default, the `Namespaces` are automatically assigned to the right tenant by Capsule because the operator does a lookup on the tenant names. +If the [forceTenantPrefix](/docs/tenants/administration/#force-tenant-prefix) option is enabled, which is **not** the case by default, the `Namespaces` are automatically assigned to the right tenant by Capsule because the operator does a lookup on the tenant names. For example, Alice creates a `Namespace` called `solar-production` and `green-production`: @@ -177,7 +177,7 @@ Error from server (Forbidden): admission webhook "owner.namespace.capsule.clasti ### Label -The default behavior, if the [forceTenantPrefix](/docs/tenants/configuration/#forcetenantprefix) option is not enabled, Alice needs to specify the `Tenant` name as a label capsule.`clastix.io/tenant=` in the `Namespace` manifest: +The default behavior, if the [forceTenantPrefix](/docs/tenants/administration/#force-tenant-prefix) option is not enabled, Alice needs to specify the `Tenant` name as a label capsule.`clastix.io/tenant=` in the `Namespace` manifest: ```yaml kind: Namespace @@ -188,7 +188,7 @@ metadata: capsule.clastix.io/tenant: solar ``` -If not specified, Capsule will deny with the following message: Unable to assign `Namespace` to `Tenant`: +If not specified, Capsule will deny with the following message: Unable to assign `Namespace` to `Tenant`: ```bash $ kubectl create ns solar-production diff --git a/content/en/docs/tenants/quickstart.md b/content/en/docs/tenants/quickstart.md index d2a1543..b2dce61 100644 --- a/content/en/docs/tenants/quickstart.md +++ b/content/en/docs/tenants/quickstart.md 
@@ -5,7 +5,7 @@ weight: 1 description: "Create your first Capsule Tenant" --- -In Capsule, a Tenant is an abstraction to group multiple namespaces in a single entity within a set of boundaries defined by the Cluster Administrator. The tenant is then assigned to a user or group of users who is called [Tenant Owner](/docs/overview/architecture#ownership). Capsule defines a Tenant as Custom Resource with cluster scope. Create the tenant as cluster admin: +In Capsule, a Tenant is an abstraction to group multiple namespaces in a single entity within a set of boundaries defined by the Cluster Administrator. The tenant is then assigned to a user or group of users who is called [Tenant Owner](/docs/operating/architecture/#tenant-owners). Capsule defines a Tenant as Custom Resource with cluster scope. Create the tenant as cluster admin: ```bash kubectl create -f - << EOF @@ -30,7 +30,7 @@ solar Active 0 10s ## Login as Tenant Owner -Each tenant comes with a delegated user or group of users acting as the tenant admin. In the Capsule jargon, this is called the [Tenant Owner](/docs/concepts/ownership/). Other users can operate inside a tenant with different levels of permissions and authorizations assigned directly by the Tenant Owner. +Each tenant comes with a delegated user or group of users acting as the tenant admin. In the Capsule jargon, this is called the [Tenant Owners](/docs/operating/architecture/#tenant-owners). Other users can operate inside a tenant with different levels of permissions and authorizations assigned directly by the Tenant Owner. Capsule does not care about the authentication strategy used in the cluster and all the Kubernetes methods of authentication are supported. The only requirement to use Capsule is to assign tenant users to the group defined by --capsule-user-group option, which defaults to `capsule.clastix.io`. 
@@ -82,7 +82,7 @@ $ kubectl create namespace solar-production $ kubectl create namespace solar-development ``` -or +or ```bash $ kubectl --as alice --as-group capsule.clastix.io create namespace solar-production @@ -92,7 +92,7 @@ $ kubectl --as alice --as-group capsule.clastix.io create namespace solar-develo And operate with fully admin permissions: ```bash -$ kubectl -n solar-development run nginx --image=docker.io/nginx +$ kubectl -n solar-development run nginx --image=docker.io/nginx $ kubectl -n solar-development get pods ``` diff --git a/content/en/ecosystem/integrations/dashboard.md b/content/en/ecosystem/integrations/dashboard.md index baf3860..e28efd7 100644 --- a/content/en/ecosystem/integrations/dashboard.md +++ b/content/en/ecosystem/integrations/dashboard.md @@ -13,11 +13,11 @@ This guide works with the kubernetes dashboard v2.0.0 ([Chart 6.0.8](https://art We recommend to use [Headlamp](/ecosystem/integrations/headlamp/) as a more modern alternative to the Kubernetes Dashboard. {{% /pageinfo %}} -This guide describes how to integrate the [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) and [Capsule Proxy](/docs/capsule-proxy/) with OIDC authorization. +This guide describes how to integrate the [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) and [Capsule Proxy](/docs/proxy/_index) with OIDC authorization. ## OIDC Authentication -Your cluster must also be configured to use [OIDC Authentication](/docs/guides/authentication/#oidc) for seemless Kubernetes RBAC integration. In a such scenario, you should have in the kube-apiserver.yaml manifest the following content: +Your cluster must also be configured to use [OIDC Authentication](/docs/operating/authentication#oidc) for seemless Kubernetes RBAC integration. In a such scenario, you should have in the kube-apiserver.yaml manifest the following content: ```yaml spec: 
@@ -69,7 +69,7 @@ EOF ``` -More information about the keycloak-oidc provider can be found on the [oauth2-proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#keycloak-oidc-auth-provider). We're ready to install the oauth2-proxy: +More information about the keycloak-oidc provider can be found on the [oauth2-proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc). We're ready to install the oauth2-proxy: ```bash helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests @@ -78,7 +78,7 @@ helm install oauth2-proxy oauth2-proxy/oauth2-proxy -n ${KUBERNETES_DASHBOARD_NA ## Configuring Keycloak -The Kubernetes cluster must be configured with a valid OIDC provider: for our guide, we're giving for granted that Keycloak is used, if you need more info please follow the [OIDC Authentication](/docs/guides/oidc-auth) section. +The Kubernetes cluster must be configured with a valid OIDC provider: for our guide, we're giving for granted that Keycloak is used, if you need more info please follow the [OIDC Authentication](/docs/operating/authentication#oidc) section. In a such scenario, you should have in the `kube-apiserver.yaml` manifest the following content: ```yaml diff --git a/content/en/ecosystem/integrations/gangplank.md b/content/en/ecosystem/integrations/gangplank.md index d93fd35..bfe56ab 100644 --- a/content/en/ecosystem/integrations/gangplank.md +++ b/content/en/ecosystem/integrations/gangplank.md 
@@ -12,7 +12,7 @@ integration: true ## Prerequisites 1. You will need a running [Capsule Proxy](/docs/proxy/) instance. -2. For Authentication you will need a Confidential OIDC client configured in your OIDC provider, such as [Keycloak](https://www.keycloak.org/), [Dex](https://dexidp.io/), or [Google Cloud Identity](https://cloud.google.com/identity/docs/openid-connect-protocol). By default the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Gangplank client to issue tokens. You must make use of the Kubernetes Authentication Configuration, which allows to define multiple audiences (clients). This way we can issue tokens for a gangplank client, which is Confidential, and a kubernetes client, which is Public. The Kubernetes API will validate the tokens against both clients. The Config might look like this: +2. For Authentication you will need a Confidential OIDC client configured in your OIDC provider, such as [Keycloak](https://www.keycloak.org/), [Dex](https://dexidp.io/), or [Google Cloud Identity](https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform). By default the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Gangplank client to issue tokens. You must make use of the Kubernetes Authentication Configuration, which allows to define multiple audiences (clients). This way we can issue tokens for a gangplank client, which is Confidential, and a kubernetes client, which is Public. The Kubernetes API will validate the tokens against both clients. The Config might look like this: ```yaml apiVersion: apiserver.config.k8s.io/v1beta1 diff --git a/content/en/ecosystem/integrations/headlamp.md b/content/en/ecosystem/integrations/headlamp.md index 4eeb193..83485c5 100644 --- a/content/en/ecosystem/integrations/headlamp.md 
+++ b/content/en/ecosystem/integrations/headlamp.md @@ -14,7 +14,7 @@ Headlamp was created to blend the traditional feature set of other web UIs/dashb ## Prerequisites 1. You will need a running [Capsule Proxy](/docs/proxy/) instance. -2. For Authentication you will need a Confidential OIDC client configured in your OIDC provider, such as [Keycloak](https://www.keycloak.org/), [Dex](https://dexidp.io/), or [Google Cloud Identity](https://cloud.google.com/identity/docs/openid-connect-protocol). By default the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Headlamp client to issue tokens. You must make use of the Kubernetes Authentication Configuration, which allows to define multiple audiences (clients). This way we can issue tokens for a **headlamp** client, which is Confidential (Client Secret), and a **kubernetes** client, which is Public. The Kubernetes API will validate the tokens against both clients. The Config might look like this: +2. For Authentication you will need a Confidential OIDC client configured in your OIDC provider, such as [Keycloak](https://www.keycloak.org/), [Dex](https://dexidp.io/), or [Google Cloud Identity](https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform). By default the Kubernetes API only validates tokens against a Public OIDC client, so you will need to configure your OIDC provider to allow the Headlamp client to issue tokens. You must make use of the Kubernetes Authentication Configuration, which allows to define multiple audiences (clients). This way we can issue tokens for a **headlamp** client, which is Confidential (Client Secret), and a **kubernetes** client, which is Public. The Kubernetes API will validate the tokens against both clients. The Config might look like this: ```yaml apiVersion: apiserver.config.k8s.io/v1beta1 
diff --git a/content/en/ecosystem/integrations/kyverno.md b/content/en/ecosystem/integrations/kyverno.md index e9bb7d9..d4bce38 100644 --- a/content/en/ecosystem/integrations/kyverno.md +++ b/content/en/ecosystem/integrations/kyverno.md @@ -27,7 +27,7 @@ admissionController: Not all relevant settings are covered by Capsule. We recommend to use Kyverno to enforce additional policies, as their policy implementation is of a very high standard. Here are some policies you might want to consider in multi-tenant environments: -[Moved to new page](/docs/operating/setup/admission-policies/) +[Moved to new page](/docs/operating/architecture.md) ## References @@ -35,7 +35,7 @@ Here are some policies for reference. We do not provide a complete list of polic ### Extract tenant based on namespace -To get the tenant name based on the namespace, you can use a [context](https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls). With this context we resolve the tenant, based on the `{{request.namespace}}` for the requested resource. The context calls `/api/v1/namespaces/` API with the `{{request.namespace}}`. The `jmesPath` is used to check if the tenant label is present. You could assign a default if nothing was found, in this case it's empty string: +To get the tenant name based on the namespace, you can use a [context](https://kyverno.io/docs/policy-types/cluster-policy/external-data-sources/#variables-from-kubernetes-api-server-calls). With this context we resolve the tenant, based on the `{{request.namespace}}` for the requested resource. The context calls `/api/v1/namespaces/` API with the `{{request.namespace}}`. The `jmesPath` is used to check if the tenant label is present. You could assign a default if nothing was found, in this case it's empty string: ```yaml 
@@ -157,7 +157,7 @@ data: tenant_identifier_label: "capsule.clastix.io/tenant" ``` -This configuration can be referenced via [context](https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-configmaps) in your policies. Let's extend the above policy with the global configuration. Additionally we would like to allow the usage of public namespaces: +This configuration can be referenced via [context](https://kyverno.io/docs/policy-types/cluster-policy/external-data-sources/#variables-from-configmaps) in your policies. Let's extend the above policy with the global configuration. Additionally we would like to allow the usage of public namespaces: ```yaml apiVersion: kyverno.io/v1 diff --git a/content/en/ecosystem/integrations/monitoring.md b/content/en/ecosystem/integrations/monitoring.md index f2aa797..ee336aa 100644 --- a/content/en/ecosystem/integrations/monitoring.md +++ b/content/en/ecosystem/integrations/monitoring.md @@ -16,7 +16,7 @@ While we can not provide a full list of all the monitoring solutions available, ### Loki -### Promtail +### Promtail @@ -68,7 +68,7 @@ config: -As mentioned, the above configuration will not work if the pods on the cluster are not labeled with tenant. You can use the following [Kyverno policy](/docs/integrations/tools/kyverno/) to ensure that all pods are labeled with tenant. If the pod does not belong to any tenant, it will be labeled with management (assuming you have a central management tenant) +As mentioned, the above configuration will not work if the pods on the cluster are not labeled with tenant. You can use the following [Kyverno policy](./kyverno/) to ensure that all pods are labeled with tenant. If the pod does not belong to any tenant, it will be labeled with management (assuming you have a central management tenant) ```yaml apiVersion: kyverno.io/v1 diff --git a/content/en/ecosystem/integrations/teleport.md b/content/en/ecosystem/integrations/teleport.md index 2453599..3a84d07 100644 
--- a/content/en/ecosystem/integrations/teleport.md +++ b/content/en/ecosystem/integrations/teleport.md @@ -99,7 +99,7 @@ Create certificates for `teleport.demo`: ## Teleport installation - Run Ubuntu docker image in the `teleport` network using `teleport.demo` alias on port `443`: - + ```bash docker run -it -v .:/etc/teleport-tls --name teleport --network teleport --network-alias teleport.demo -p 443:443 ubuntu:22.04 ```
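Review bot: In `.github/workflows/check-links.yml`, the lychee `args` line is re-emitted without `--include-fragments`, so this job does not verify the anchor targets that patch 3/3 switches to (`#force-tenant-prefix`, `#tenant-owners`, `#oidc`, `#installation`). A path that resolves with a wrong fragment will still pass. Consider adding the flag here, or state in the commit message that fragments were checked by hand.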
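Review bot: In `config/lychee.toml`, `exclude = ["https://goteleport.com/"]` removes every link to that site from the check, so a Teleport link that is actually dead will no longer fail CI. lychee treats `exclude` entries as regular expressions, so this entry is also unanchored and its `.` is unescaped. Suggest narrowing it to the specific URLs the docs reference, or at least writing it as `^https://goteleport\.com/`. The trailing comment should read "even if it is available".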
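Review bot: In `content/en/docs/proxy/options.md`, the documented default of `ProxyAllNamespaced` changes from `false` to `true` inside a commit titled "fix(docs): broken links". That is a statement about proxy behaviour, not a link fix, and the row itself says enabling it increases memory use. Please confirm the new default against the capsule-proxy release these docs describe and move it to its own commit with a message that says so. The same hunk replaces `/docs/integrations/capsule-proxy/proxysettings/#cluster-resources` with `./proxysettings`, which drops the `#cluster-resources` anchor; keep the anchor if the section still exists.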
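Review bot: In `content/en/docs/operating/setup/managed-kubernetes.md` and `content/en/ecosystem/integrations/monitoring.md`, the new targets are page-relative (`./installation#installation`, `./kyverno/`) while the rest of this patch uses site-absolute `/docs/...` paths. These resolve for lychee against the source tree, but if the site is built with Hugo's default pretty URLs the rendered page lives one directory deeper and the relative link points under the page itself. Suggest absolute paths, for example `/docs/operating/setup/installation/#installation`, for consistency with the other hunks.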
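Review bot: In `content/en/docs/tenants/metadata.md` and `content/en/ecosystem/integrations/dashboard.md`, the capsule-proxy link now points at `/docs/proxy/_index`. `_index` is the section's source file name, not a rendered path, and it likely only passes the checker because patch 2/3 adds `fallback_extensions = ["md", "html"]`. The unchanged context in `gangplank.md` and `headlamp.md` already links the same section as `/docs/proxy/`; use that form here too.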
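Review bot: In `content/en/ecosystem/integrations/gangplank.md` and `headlamp.md`, the link text "Google Cloud Identity" now targets `docs.github.com/.../oidc-in-google-cloud-platform`, which documents GitHub Actions authenticating to GCP, not Google acting as the OIDC provider for a Confidential client as the sentence describes. The link is no longer broken but it now misdirects readers who are setting up API server authentication. Point it at Google's own OpenID Connect documentation, or drop the link and keep the provider name as plain text.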
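Review bot: In `content/en/ecosystem/integrations/kyverno.md`, "[Moved to new page]" is retargeted from `/docs/operating/setup/admission-policies/` to `/docs/operating/architecture.md`. The `.md` suffix is a source path, unlike every other internal link in this patch, and the surrounding text promises a list of recommended multi-tenant policies, which an architecture page is unlikely to be. If the admission-policies page was removed, say where the policies went or delete the pointer; otherwise link the rendered path of the page that actually holds them.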