Currently, ACS policies are able to express inclusions and exclusions using:

• cluster name
• namespace name
• deployment name, or deployment label key/value

This request is to also allow label key/value on namespace and cluster, so that the supported list would look like:

• cluster name, or cluster label key/value
• namespace name, or namespace label key/value
• deployment name, or deployment label key/value

Why does the customer need this? (List the business requirements here)

Customer manages security policies for monitoring 100+ clusters, and currently has to do a lot of manual work and updating to target specific deployments in particular clusters and or namespaces, which come and go out of existence. Customer is planning to move to our policy as code feature, and this request would help them with the maintainability of those policy CR files.

List any affected packages or components.

• Policies
• Violations
• config-controller