Max Smythe

I thought of an edge case for this. Example: there is a config that says to sync all pods unless the pod's namespace has a do-not-sync label - Namespace foo...

I'm open to a PR like the above (though of course the specifics pending). Some considerations: * We should warn users about namespace label selectors and security just in case...

Thanks for the feedback! IIRC standard OPA policies use rule headers like: `deny[msg]` would keeping that same rule header but adding the Gatekeeper-specific: ``` violation[{"msg": msg}] { deny[msg] } ```...

This still seems relevant

@ritazh @sozercan @shomron I think this is another thing that could be made easier by using Go to coordinate constraint execution. Gonna file a bug on the constraint framework so...

Created as https://github.com/open-policy-agent/frameworks/issues/135

`gator validate` provides some timing information, LMK if this is helpful

https://open-policy-agent.github.io/gatekeeper/website/docs/gator

Having this on a live cluster may be good for debugging.

- I think the `--user` flag needs to come before the image name - Why is Docker caring about `.tmp` for building gatekeeper-tooling? The Dockerfile just downloads controller gen and...