Platform
The mental model for running on Kestrel — read this section before building anything substantial so the constraints make sense.
Tenancy model: Capsule tenants, PI ownership, namespace prefixing, and who can create or delete namespaces inside a tenant.
Identity chain: How your UVic identity flows through Keycloak to kube-apiserver OIDC to Capsule Tenant to Kubernetes RBAC.
Resource pools and quotas: Shared resource pools across tenant namespaces, quota tiers, how to check current usage, and how to ask for more.
Network model: Default-deny NetworkPolicy, intra-tenant allow rules, DNS, Traefik ingress, and monitoring scrape paths.
Known limitations: LoadBalancer and NodePort services blocked, tenant-prefix enforcement, shared-pool consequences, and what is not available in v1.