Max Smythe

I think this is the closest example we have: https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/disallowedtags/template.yaml It prevents users from using specific tags, like `latest`, which is the inverse of what you want. Changing the following...

Allowing special parameters for specific containers via map is interesting. It does have a "priority" problem... if a container could be matched by more than one key in the map,...

> @maxsmythe what do you mean by "system-containers.my.company/*" as a container name ? Is it like FQDN of service to identify 2 containers with same name ? It means "match...

There shouldn't be an issue installing multiple templates at the same time. Can you copy/paste the output of the command so we can see what error you're getting?

Sorry, I missed that you were mixing constraints and templates. My guess is that because constraint templates are not themselves CRDs, but are instead a precursor object for CRDs, there...

I'm a bit unclear on what the exact issue is. * Is the problem that there is a delay in certificate rotation after re-apply of the manifest? * Do the...

Thanks for digging in to this! Some latency is expected, but certainly not days. We rely on the core controller-runtime library to load/watch certs. The library that does the heavy...

We talked about this some in the meeting today. There are a lot of problems with trying to make pod constraints only apply to pods running on certain OS's out...

I suspect this is because an UPDATE request is needed to remove the `foregroundDeletion` finalizer before K8s GC can take effect. I'm curious how the finalizer was added if the...

One use case that would be threatened by either of these solutions: A user who adds a finalizer explicitly so that resources are not cleaned up after deletion until they...