Gabe Rosenhouse

Right. There's nothing magic about the `satori` implementation of `V4`. It just opts to crash on error instead of returning an error to the caller. It is an interesting design...

Wow, good pointer! That is, in fact, [an example in their documentation]( https://www.openpolicyagent.org/docs/v0.12.2/kubernetes-admission-control/#6-modify-the-policy-and-exercise-the-changes) which points at [this policy](https://github.com/FairwindsOps/charts/blob/79632a01090ecc65e838df8ab2835bb2179a3ce4/incubator/opa/policies/ingress-conflicts.rego). Would it make sense then for Contour to document an equivalent policy...

Ok, so after looking at this a bit, and a pointer from @cppforlife, I'm concerned that this usage of the OPA Admission Controller (as documented in my previous comment) would...

> seems like a congenital problem for admission controllers for admission controllers that **rely on global state**. For basic controllers that are simply validating contents of the single resource being...

> given that in your environment you know the ownership of each vhost But I don't know. The cluster operator doesn't know, and doesn't want to be bothered with the...