[07:51:01] <elukey>	 nice work ottomata! I filed a similar change for changeprop as well :)
[14:12:40] <elukey>	 jayme: I just found out about https://kubernetes.io/blog/2022/12/20/validating-admission-policies-alpha/
[14:13:26] <elukey>	 I am wondering if it could be used with policy security standards to allow the mediawiki use case
[14:13:59] <elukey>	 like, we use restricted but we allow what we need (hostPath, etc..)
[14:18:36] <elukey>	 alpha in 1.26, beta in 1.28 :(
[14:18:48] <elukey>	 basically as alternative for OPA
[14:35:51] <jayme>	 hmm..maybe
[14:36:11] <jayme>	 sounds promising - but I did not read in detail tbh
[14:36:20] <elukey>	 my worry is that we invest in OPA (or similar), and then we have it built in in 1.2[6,8]
[14:36:36] <elukey>	 the main problem is of course that it is "beta" in 1.28
[14:37:30] <elukey>	 jayme: I'll add some info to the task
[14:53:29] <elukey>	 it seems using https://github.com/google/cel-spec behind the scenes (that is similar to what OPA offers)
[14:56:42] <elukey>	 I think I can try to set up a minimal test use case via minikube
[15:51:06] <jayme>	 that would be super nice
[16:15:59] <elukey>	 mmm so it seems able only to deny requests
[16:33:29] <elukey>	 I tried to apply privileged to a namespace (so all perms allowed) and then I added a restriction, this works
[16:42:20] <elukey>	 anyway, will restart on monday :)
[16:42:22] <elukey>	 have a nice weekend folks!
[16:59:00] <inflatador>	 <o/
[17:20:38] <jayme>	 yeah, I think validation hooks can only deny things. So we probably still need to run mediawiki with the privileged profile and deny what we don't need :/