Rita Zhang

+1 Would be great to have an example of this use case in this library once we have external data support working together with mutation. We actually added this image...

Should we feature gate this like all other new features?

> Do we want to flag-gate initializing the controller so that: (1) users can avoid pushing the ExpansionTemplate CRD without errors and (2) removing the controller as a vector for...

/hold confirming latest audit changes

> Helm is the most common reason for users to have stale CRDs, as Helm does not touch CRDs after initial install. We can consider adding pre-install and pre-upgrade [hooks](https://helm.sh/docs/topics/charts_hooks/#the-available-hooks)...

@bj-1795 can you pls share the exact steps you used to reproduce this issue? e.g. helm chart used, values passed in, nodeSelector values?

Hi @aido123 thanks for reporting the issue. When `--audit-from-cache=true`, it is using the OPA cache to perform audit, which requires the Kubernetes data being audited to be replicated into OPA...

@aido123 looks like you are caching alot of resources (entire object) into opa cache, which can impact the memory used by the audit pod. Can you try with `--audit-from-cache=false` as...

This is really cool @redno2 ! Thanks for creating this and sharing! Maybe we should add this to the gk docs. wdyt? @sozercan @maxsmythe ?

> This can allow finer grained permissions and distributed management that may be very difficult with Gatekeeper PSP? Perhaps that really isn't needed though. I would be interested in understanding...