Max Smythe

> No, I wouldn't say that. Creating such a heirarchy is of course possible with the construct I've proposed, but the policy exceptions I'm descrbing have no need to be...

> Perhaps we can come up with a small but simple approach that would get us 80% of the way there with 20% of the effort. Curious if you have...

There are definitely some caveats around the ability to reference dynamic data during mutation. One way this can go wrong is described in the [The ability to reference mutable data](https://docs.google.com/document/d/1WKj-9xYYVO9IckQVZHYVFCziRVS6zxCfvJxWbkbLcOM/view#heading=h.3bx0bwon5nyn)...

It sounds like the "only on create" aspect of this can be achieved by only setting the field if it is unset. I'm not sure if this always generalizes, but...

Moving the below reply to the appropriate issue https://github.com/open-policy-agent/gatekeeper/issues/140#issuecomment-546600800 > Note @jpreese started looking at this in https://github.com/plexsystems/konstraint

Some requirements I think we may want to keep in mind: 1. We should have a way to declare dependencies on Rego libraries, where the dependencies get bundled into the...

going concern

We should default enabling external data to false to avoid unexpected outbound HTTP requests happening to users who run `gator` in build pipelines, to avoid potential security issues. I'm open...

I like the idea, so long as the code path can be turned off to avoid the performance hit for those who don't use it. I'm assuming that the call...

Thanks for this! I don't have time to give this a close reading today, but def. want to follow up. I'm wondering if we could turn this into a google...