Feature Request
Resolution: Done
Currently the admission controller applies to all namespaces, except for a handful that have been hardcoded as part of the ValidatingWebhookConfiguration.
We have unofficially recommended users edit it in place and add a new namespace if they want it excluded. This is because we actually don't recommend running it on system namespaces like istio or kube-system.
However, for customers using the operator, this VWC config gets reconciled by the operator if the customer modifies it, so the changes are never persisted.
The recommendation is to allow customers to exclude namespaces without editing it.
One suggestion is to use a unique label on the namespace instead, and the webhook can use the label to skip it. Something like `policyeval.stackrox.io/no-admission-control: false`.
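One way the label-based exclusion could be expressed, as an added sketch that is not StackRox's shipped manifest: a `namespaceSelector` in the operator-managed ValidatingWebhookConfiguration, so users label namespaces instead of editing the reconciled object. Every `example-` name, the `istio-system` entry, the rules, and the choice to treat mere presence of the label as the opt-out are assumptions.

```yaml
# Added illustration. All "example-" names are hypothetical placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-admission-control
webhooks:
  - name: example-policyeval.example.invalid
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      service:
        name: example-admission-control
        namespace: example-namespace
        path: /validate
      # caBundle omitted in this sketch
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods", "deployments"]
    namespaceSelector:
      matchExpressions:
        # Today's approach: exclusions hardcoded by namespace name.
        # kubernetes.io/metadata.name is set automatically on every
        # namespace (Kubernetes 1.21+). The values are constructed samples.
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system", "istio-system"]
        # Requested approach: skip any namespace carrying the opt-out label.
        # Assumption: presence of the key excludes the namespace, whatever
        # its value; the ticket does not settle the value semantics.
        - key: policyeval.stackrox.io/no-admission-control
          operator: DoesNotExist
```

Because the API server evaluates this selector, anyone allowed to update or patch Namespace labels can take a namespace out of enforcement, so that permission warrants the same scrutiny as write access to the webhook configuration itself.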