Could Gatekeeper act as a reconciling controller for mutations? #127
Unanswered
seh asked this question in Gatekeeper
Replies: 0 comments
Reading the code so far, it appears that Gatekeeper only applies mutations in response to admission Webhook requests, and that it does not act as a reconciling controller to catch drift or would-be mutation opportunities by watching target Kubernetes objects. Is that correct? If so, has there been any design discussion about Gatekeeper operating as a controller like that too?
I’m considering what happens if we have to take Gatekeeper out of service temporarily, and it misses some creation or update events that flow through admission while it’s down. When we bring it back up, we’d like to have the mutations apply to existing objects that are eligible.
I started this discussion in the "opa-gatekeeper" channel of the "Open Policy Agent" Slack workspace, before I realized that this Discussions category existed.