Max Smythe

Sounds interesting! How does the ratio help prevent rapid expansion? Feel free to add a PR with the constraint template @ritazh to see if she has any opinions on the...

Unique names for the constraint template make it easier to copy templates around without losing context. It also allows storing more than one template per directory. I would argue that...

This is because when Rego encounters a runtime error like this, it halts all execution. This means that not only is this constraint not getting executed, but there may be...

@marcinkubica The Rego syntax in your example is correct, but attempts to access a non-existing field. When that happens, that line is considered "undefined", which is "falsey", and Rego considers...

It looks like the error issue has been mitigated somewhat by this code: https://github.com/open-policy-agent/frameworks/blob/9db6a6b27c9741bcf9c5f4d8c6e3ef230b49f41d/constraint/pkg/client/drivers/local/driver.go#L248-L263 Which makes it so a failure only affects all constraints of the same kind (as opposed...

You would use a label selector (`spec.match.labelSelector`): https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraints We should probably have better documentation for label selector's schemas. I'm not aware of any K8s docs where they explicitly document the...

Also, to limit your search a bit more, `spec.match.labelselector.matchExpressions`, and you want the `NotIn` operator.

My first guess is that there is some sort of coercion happening on the API server that Gatekeeper detects as drift. Maybe setting of default values on the CRD? Would...

I wouldn't be surprised if the issue was something like defaulting. The DeepCopy() thing is worth a try, though I'd be surprised if it fixed anything as there don't appear...

Interesting. It looks like `Items:` is part of the JSONSchema for an array. It looks like the diff is between a nil pointer and an empty object. Any way to...