Max Smythe
I thought of an edge case for this. Example: there is a config that says to sync all pods unless the pod's namespace has a do-not-sync label - Namespace foo...
I'm open to a PR like the above (though of course the specifics pending). Some considerations:
* We should warn users about namespace label selectors and security just in case...
Thanks for the feedback! IIRC standard OPA policies use rule headers like: `deny[msg]` would keeping that same rule header but adding the Gatekeeper-specific:
```
violation[{"msg": msg}] {
  deny[msg]
}
```
...
This still seems relevant
@ritazh @sozercan @shomron I think this is another thing that could be made easier by using Go to coordinate constraint execution. Gonna file a bug on the constraint framework so...
Created as https://github.com/open-policy-agent/frameworks/issues/135
`gator validate` provides some timing information, LMK if this is helpful
https://open-policy-agent.github.io/gatekeeper/website/docs/gator
Having this on a live cluster may be good for debugging.
- I think the `--user` flag needs to come before the image name
- Why is Docker caring about `.tmp` for building gatekeeper-tooling? The Dockerfile just downloads controller gen and...