diff --git a/main.go b/main.go
index add56d97c49..5bafd12dcc8 100644
--- a/main.go
+++ b/main.go
@@ -116,6 +116,7 @@ var (
 disabledBuiltins = util.NewFlagSet()
 enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "enable the validating admission policy driver")
 externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
+ enableReferential = flag.Bool("enable-referential-rules", false, "Enable referential rules. Only use this flag if you know what you're doing; referential rules have edge cases where referential constraints may not be perfectly enforced due to the eventual consistency inherent in Kubernetes controllers")
 )
 func init() {
@@ -419,6 +420,12 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, sw *watch.Controlle
 cfArgs = append(cfArgs, constraintclient.Driver(k8sDriver))
 }
+ externs := rego.Externs()
+ if *enableReferential {
+ externs = rego.Externs("inventory")
+ }
+ args = append(args, externs)
+
 driver, err := rego.New(args...)
 if err != nil {
 setupLog.Error(err, "unable to set up Driver")
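Review bot: The help text for `enable-referential-rules` warns about eventual consistency but never says what the operator loses while the flag stays at its default of `false`, nor that it gates the `inventory` extern handed to the Rego driver in setupControllers. Since this toggles policy enforcement, I would state the effect directly, e.g. `"allow constraint templates to reference data.inventory; enforcement is best-effort because synced data is eventually consistent, so do not rely on it as the only control for a security invariant"`. "Only use this flag if you know what you're doing" gives an operator nothing to act on and could be dropped. Most help strings in this block start lowercase (`enable the validating admission policy driver`); matching that would keep the flag listing consistent.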
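Review bot: With the flag defaulting to false, `rego.Externs()` with no arguments is appended to `args` on every start. If the driver previously permitted `inventory` by default (not visible in this hunk), templates that read `data.inventory` would stop being accepted after an upgrade, and the policies they implement would silently go unenforced. I would make the mode visible at startup with `setupLog.Info("referential rules", "enabled", *enableReferential)` so the gap can be spotted in logs, and call out the new default in the release notes. Because the option is appended last it presumably overrides any externs set earlier in `args`; a one-line comment saying so would help the next reader. setupControllers begins and ends outside this hunk.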