Title:
Need a feature to specify multiple namespaces in matchLbels to without individual label matches.

Description:

For example we want to apply BANP to all the namespaces `except the default, OpenShift- * , kube-* ones.

apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
name: default
spec:
subject:
namespaces:
matchExpressions: <----------------------.

    key: kubernetes.io/metadata.name.
    operator: NotIn <----------------------
    values:
      default 
      kube* 
      openshift 
      openshift*: 

1: The above approach does not work as we cannot use `*` It fails with following error which is understandable:

'values[1][kubernetes.io/metadata.name]: Invalid value: "kube*": a valid label must be an empty string or consist of alphanumeric characters, ''-'', ''_'' or ''.'', and must start and end with an alphanumeric character (e.g. ''MyValue'', or ''my_value'', or ''12345'', regex used for validation is ''(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?''), 

 
2: The other approach we can use is to make use of `operator: Exists` and configure the namespaces where we want BANP to get applied.
3: Label the namespaces and then make use of `matchLabel  parameter`. But the number is high and configuring name of the namespaces and labeling them manually  is not feasible.

So there is way with: https://access.redhat.com/solutions/3357501
we can create project template ...which will apply a label to all new custom project that will be created.
You will need to retroactively apply the label to existing namespaces using a script or one-liner, filtering out system namespaces. And just mention that label in policy

But again a manual effort

Ask: Can we get something which will automate the above process?