Using authorizationPolicy to deny traffic to certain routes from the ingress namesapce

[felipesere]

We have a namespace that houses our ingress controller and pods.
On some applications, we have routes/endpoints that we deliberately don't want to be accessible from that ingress namespace.
This includes routes for maintenance and other operational duties.

Given that our ingress controller (nginx) is also meshed and inside the cluster, I don't think I can use the cluster-authenticated policy.
Keeping the deny by default on the Server object and then listing all namespaces that should have access also seems intractable as that set will change quite a bit over time.

Is there any way to express "deny from namespace X" or the inverse "all from all namespaces except X"?