Ability to have conditionals/match on fields outside of the location prefix for mutate policy.

[warroyo]

I have started looking at using mutation policies and noticed that there is no way to match on resources outside of label selectors and namespace selectors.It would be really useful to be able have more fine grained control over the resources that are selected for mutation. I would like to be able to match on the existence or value of a field anywhere in the k8s resource I am mutating as an example.

additionally this could solved by having access to rego in the mutation policies.

Is there any way to achieve this level of matching today?

for example what if I wanted to change the command field on a container within a deployment but only if it includes a certain volume mount?

overall the mutate feels extremely limited, unless I am missing something entirely. For example Kyverno's approach to this has way more flexibility and can handle conditionals, advanced json patches etc. Is there a plan to make this better?