diff --git a/deploy/deploy.yaml.tpl b/deploy/deploy.yaml.tpl
index 590fbb5..3cb36fc 100644
--- a/deploy/deploy.yaml.tpl
+++ b/deploy/deploy.yaml.tpl
@@ -27,6 +27,7 @@ spec: - name: k8scc01covidacr-registry-connection containers: - name: notebook-auth-policy-checker
+ imagePullPolicy: IfNotPresent
image: k8scc01covidacr.azurecr.io/prob-notebook-controller:${IMAGE_SHA} resources: limits:
diff --git a/kind/gatekeeper/constraint.yaml b/kind/gatekeeper/constraint.yaml
index 0218670..bc60ddc 100644
--- a/kind/gatekeeper/constraint.yaml
+++ b/kind/gatekeeper/constraint.yaml
@@ -7,3 +7,9 @@ spec: kinds: - apiGroups: [""] kinds: ["Pod"]
+ labelSelector: matchExpressions: - key: data.statcan.gc.ca/classification operator: In values: - protected-b
diff --git a/kind/gatekeeper/constraintTemplate.yaml b/kind/gatekeeper/constraintTemplate.yaml
index 71a2fe6..afb4c91 100644
--- a/kind/gatekeeper/constraintTemplate.yaml
+++ b/kind/gatekeeper/constraintTemplate.yaml
@@ -12,7 +12,6 @@ spec: rego: | package probauth violation[{"msg": msg}] {
- not input.review.object.metadata.labels["data.statcan.gc.ca/classification"] == "unclassified"
input.review.object.kind == "Pod" ns := input.review.object.metadata.namespace namePod := input.review.object.metadata.name
diff --git a/kind/jupyter/values.yaml b/kind/jupyter/values.yaml
index 0d66d0d..4198a68 100644
--- a/kind/jupyter/values.yaml
+++ b/kind/jupyter/values.yaml
@@ -3,7 +3,7 @@ prob: true noprob: true image: image: jupyter/minimal-notebook
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
command: ["jupyter"] args: - "notebook"
diff --git a/pkg/controller/handler.go b/pkg/controller/handler.go
index 36ee914..7d84d6f 100644
--- a/pkg/controller/handler.go
+++ b/pkg/controller/handler.go
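Review bot: `imagePullPolicy: IfNotPresent` on the `notebook-auth-policy-checker` container in deploy/deploy.yaml.tpl lets any Pod scheduled on a node that already holds the image run it without presenting the `k8scc01covidacr-registry-connection` pull secret, and because the image is referenced by tag (`:${IMAGE_SHA}`) rather than by digest, a stale or re-tagged cached copy is used silently. IfNotPresent is the right setting for the kind cluster, where images are side-loaded, but this file appears to be the real deployment template. Keep `imagePullPolicy: Always` here unless the cluster runs the AlwaysPullImages admission plugin, or reference the image by digest (`...prob-notebook-controller@sha256:<digest>`) so the cached copy is at least guaranteed to be the intended build.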
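Review bot: The `labelSelector` added in kind/gatekeeper/constraint.yaml restricts the policy to Pods explicitly labeled `data.statcan.gc.ca/classification=protected-b`; combined with the removal of the `!= "unclassified"` guard from the Rego, a Pod with no classification label, or with a misspelled value, is now not evaluated at all, whereas before it was. If a missing label should be treated as protected (fail closed), use `operator: NotIn` with `values: [unclassified]` instead, which also matches objects that lack the key. If the narrower scope is intentional, say so next to the selector: `# Only pods explicitly labeled protected-b are checked; unlabeled pods are out of scope.`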
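Review bot: With the `unclassified` check removed from kind/gatekeeper/constraintTemplate.yaml, nothing in the Rego itself scopes the `violation` rule to a classification; that scoping now lives in the Constraint's `match.labelSelector`, which a reader of the template cannot see. A one-line comment above `violation[{"msg": msg}] {`, e.g. `# Classification scoping is done by the Constraint's match.labelSelector, not here.`, records that dependency so the template is not reused on its own. The `violation` rule body continues outside the hunk.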
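Review bot: In kind/jupyter/values.yaml the image is `jupyter/minimal-notebook` with no tag, so with `IfNotPresent` whatever `latest` a node cached is used indefinitely, and two developers' kind clusters can end up testing the policy against different notebook versions. IfNotPresent is appropriate for a local kind cluster (it is what lets side-loaded images run), but pin the image alongside it, e.g. `image: jupyter/minimal-notebook:<tag>` or a `@sha256:` digest, so the test environment is reproducible.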
@@ -88,23 +88,34 @@ func (c *Controller) generateAuthorizationPolicy(notebook *v1.Notebook)(*istiose
{
To: []*v1beta1.Rule_To{
{
+ //Rstudio upload
Operation: &v1beta1.Operation{
Methods: []string{"POST"},
Paths: []string{fmt.Sprintf("/notebook/%s/%s/rstudio/upload", notebook.Namespace, notebook.Name)},
},
},
{
+ //Rstudio download
Operation: &v1beta1.Operation{
Methods: []string{"GET"},
Paths: []string{fmt.Sprintf("/notebook/%s/%s/rstudio/export*", notebook.Namespace, notebook.Name)},
},
},
{
+ //Jupyter download
Operation: &v1beta1.Operation{
Methods: []string{"GET"},
Paths: []string{fmt.Sprintf("/notebook/%s/%s/files*", notebook.Namespace, notebook.Name)},
},
},
+ {
+ //Jupyter download - convert as
+ Operation: &v1beta1.Operation{
+ Methods: []string{"GET"},
+ Paths: []string{fmt.Sprintf("/notebook/%s/%s/nbconvert*", notebook.Namespace, notebook.Name)},
+ },
+ },
+ // VS Code download - handled by the image
},
},
},
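Review bot: The added `nbconvert*` rule, like the `files*` and `export*` rules above it, matches on the request path alone, so it is only as strong as Istio's path normalization: a request for `/notebook/<ns>/<name>//nbconvert/...` reaches the notebook server without matching unless meshConfig `pathNormalization` is at least `MERGE_SLASHES` (the policy's `Action` is outside the hunk, so I am inferring this rule set is a DENY of download routes). Enumerating routes is also a deny-list that misses other read paths: Jupyter's contents API, `GET /notebook/<ns>/<name>/api/contents/<path>?content=1`, returns file bytes inline as JSON and is not listed. The intent and the known gaps belong in a comment above `To:`, e.g. `// Download routes denied for protected-B notebooks; path-only match, relies on mesh path normalization`. Style nit: `//Rstudio upload` and siblings should read `// RStudio upload`. generateAuthorizationPolicy starts and ends outside the hunk.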