diff --git a/controllers/envoy_gateway_extension_reconciler.go b/controllers/envoy_gateway_extension_reconciler.go
index a2e07a80e..9e8ad2fdf 100644
--- a/controllers/envoy_gateway_extension_reconciler.go
+++ b/controllers/envoy_gateway_extension_reconciler.go
@@ -12,6 +12,7 @@ import (
 "github.com/kuadrant/policy-machinery/machinery"
 "github.com/samber/lo"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
 k8stypes "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/dynamic"
 "k8s.io/utils/ptr"
@@ -78,7 +79,7 @@ func (r *envoyGatewayExtensionReconciler) Reconcile(ctx context.Context, _ []con
 resource := r.client.Resource(kuadrantenvoygateway.EnvoyExtensionPoliciesResource).Namespace(desiredEnvoyExtensionPolicy.GetNamespace())
 existingEnvoyExtensionPolicyObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyExtensionPolicyGroupKind && child.GetName() == desiredEnvoyExtensionPolicy.GetName() && child.GetNamespace() == desiredEnvoyExtensionPolicy.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyExtensionPolicyGroupKind && child.GetName() == desiredEnvoyExtensionPolicy.GetName() && child.GetNamespace() == desiredEnvoyExtensionPolicy.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredEnvoyExtensionPolicy.GetLabels()))
 })
 // create
@@ -184,6 +185,7 @@ func buildEnvoyExtensionPolicyForGateway(gateway *machinery.Gateway, wasmConfig
 ObjectMeta: metav1.ObjectMeta{
 Name: wasm.ExtensionName(gateway.GetName()),
 Namespace: gateway.GetNamespace(),
+ Labels: KuadrantManagedObjectLabels(),
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: gateway.GroupVersionKind().GroupVersion().String(),
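Review bot: The label comparison added to the `lo.Find` predicate in `Reconcile` appears to have its operands reversed: the selector is built from the existing child's labels and matched against the desired object's labels, so it holds only when every label on the existing object is also in the desired set. An existing EnvoyExtensionPolicy that has picked up one extra label from another tool would stop matching, while an object with no labels at all would match, because an empty set yields a selector that matches everything. If the intent is "the existing object carries the managed labels", consider `labels.Set(desiredEnvoyExtensionPolicy.GetLabels()).AsSelector().Matches(labels.Set(child.(*controller.RuntimeObject).GetLabels()))`. The same expression is added to the `lo.Find` predicates in envoy_gateway_rate_limit_cluster_reconciler.go, istio_extension_reconciler.go and istio_rate_limit_cluster_reconciler.go. The create and update branches that consume `found` lie outside the hunk.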
diff --git a/controllers/envoy_gateway_rate_limit_cluster_reconciler.go b/controllers/envoy_gateway_rate_limit_cluster_reconciler.go
index aac65e024..b61eab34a 100644
--- a/controllers/envoy_gateway_rate_limit_cluster_reconciler.go
+++ b/controllers/envoy_gateway_rate_limit_cluster_reconciler.go
@@ -14,6 +14,7 @@ import (
 "github.com/samber/lo"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
 k8stypes "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/dynamic"
 "k8s.io/utils/ptr"
@@ -98,7 +99,7 @@ func (r *envoyGatewayRateLimitClusterReconciler) Reconcile(ctx context.Context,
 resource := r.client.Resource(kuadrantenvoygateway.EnvoyPatchPoliciesResource).Namespace(desiredEnvoyPatchPolicy.GetNamespace())
 existingEnvoyPatchPolicyObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && child.GetName() == desiredEnvoyPatchPolicy.GetName() && child.GetNamespace() == desiredEnvoyPatchPolicy.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && child.GetName() == desiredEnvoyPatchPolicy.GetName() && child.GetNamespace() == desiredEnvoyPatchPolicy.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredEnvoyPatchPolicy.GetLabels()))
 })
 // create
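Review bot: The unchecked assertion `child.(*controller.RuntimeObject)` in the `lo.Find` predicate panics if the topology ever returns an EnvoyPatchPolicy child of another concrete type, and unless that is recovered elsewhere a panic inside the reconcile callback stops the reconciler rather than skipping one object. The GroupKind comparison short-circuits ahead of it for other kinds, but nothing visible in the hunk guarantees the concrete type. Prefer the comma-ok form before the label comparison, `obj, ok := child.(*controller.RuntimeObject)` followed by `if !ok { return false }`, ideally in one small helper shared by all the predicates. The same assertion is added in envoy_gateway_extension_reconciler.go, istio_extension_reconciler.go, istio_rate_limit_cluster_reconciler.go and in both stale-object filters.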
@@ -147,7 +148,7 @@ func (r *envoyGatewayRateLimitClusterReconciler) Reconcile(ctx context.Context,
 // cleanup envoy gateway clusters for gateways that are not in the effective policies
 staleEnvoyPatchPolicies := topology.Objects().Items(func(o machinery.Object) bool {
 _, desired := desiredEnvoyPatchPolicies[k8stypes.NamespacedName{Name: o.GetName(), Namespace: o.GetNamespace()}]
- return o.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && !desired
+ return o.GroupVersionKind().GroupKind() == kuadrantenvoygateway.EnvoyPatchPolicyGroupKind && labels.Set(o.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(RateLimitObjectLabels()) && !desired
 })
 for _, envoyPatchPolicy := range staleEnvoyPatchPolicies {
@@ -169,7 +170,7 @@ func (r *envoyGatewayRateLimitClusterReconciler) buildDesiredEnvoyPatchPolicy(li
 ObjectMeta: metav1.ObjectMeta{
 Name: RateLimitClusterName(gateway.GetName()),
 Namespace: gateway.GetNamespace(),
- Labels: map[string]string{rateLimitClusterLabelKey: "true"},
+ Labels: RateLimitObjectLabels(),
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: gateway.GroupVersionKind().GroupVersion().String(),
diff --git a/controllers/istio_extension_reconciler.go b/controllers/istio_extension_reconciler.go
index d483160cf..5ff22ac85 100644
--- a/controllers/istio_extension_reconciler.go
+++ b/controllers/istio_extension_reconciler.go
@@ -13,6 +13,7 @@ import (
 istiov1beta1 "istio.io/api/type/v1beta1"
 istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
 k8stypes "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/dynamic"
 "k8s.io/utils/ptr"
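Review bot: In the `staleEnvoyPatchPolicies` filter the selector is built from the object's own labels and matched against `RateLimitObjectLabels()`, which is true for any object whose labels are a subset of that set, including one that carries only `kuadrant.io/managed: "true"`. The EnvoyPatchPolicy watcher in state_of_the_world.go now admits every managed object rather than only rate-limit ones, so a managed EnvoyPatchPolicy created for another purpose would be classed as stale here. The loop over `staleEnvoyPatchPolicies` continues outside the hunk and presumably deletes what it is given. Reversing the operands keeps the cleanup scoped to rate-limit objects: `RateLimitObjectLabels().AsSelector().Matches(labels.Set(o.(*controller.RuntimeObject).GetLabels()))`. The `staleEnvoyFilters` filter in istio_rate_limit_cluster_reconciler.go has the same shape.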
@@ -78,7 +79,7 @@ func (r *istioExtensionReconciler) Reconcile(ctx context.Context, _ []controller
 resource := r.client.Resource(kuadrantistio.WasmPluginsResource).Namespace(desiredWasmPlugin.GetNamespace())
 existingWasmPluginObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantistio.WasmPluginGroupKind && child.GetName() == desiredWasmPlugin.GetName() && child.GetNamespace() == desiredWasmPlugin.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantistio.WasmPluginGroupKind && child.GetName() == desiredWasmPlugin.GetName() && child.GetNamespace() == desiredWasmPlugin.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredWasmPlugin.GetLabels()))
 })
 // create
@@ -186,6 +187,7 @@ func buildIstioWasmPluginForGateway(gateway *machinery.Gateway, wasmConfig wasm.
 ObjectMeta: metav1.ObjectMeta{
 Name: wasm.ExtensionName(gateway.GetName()),
 Namespace: gateway.GetNamespace(),
+ Labels: KuadrantManagedObjectLabels(),
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: gateway.GroupVersionKind().GroupVersion().String(),
diff --git a/controllers/istio_rate_limit_cluster_reconciler.go b/controllers/istio_rate_limit_cluster_reconciler.go
index 3f4f9f084..10c20b792 100644
--- a/controllers/istio_rate_limit_cluster_reconciler.go
+++ b/controllers/istio_rate_limit_cluster_reconciler.go
@@ -15,6 +15,7 @@ import (
 istiov1beta1 "istio.io/api/type/v1beta1"
 istioclientgonetworkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
 k8stypes "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/dynamic"
 "k8s.io/utils/ptr"
@@ -98,7 +99,7 @@ func (r *istioRateLimitClusterReconciler) Reconcile(ctx context.Context, _ []con
 resource := r.client.Resource(kuadrantistio.EnvoyFiltersResource).Namespace(desiredEnvoyFilter.GetNamespace())
 existingEnvoyFilterObj, found := lo.Find(topology.Objects().Children(gateway), func(child machinery.Object) bool {
- return child.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && child.GetName() == desiredEnvoyFilter.GetName() && child.GetNamespace() == desiredEnvoyFilter.GetNamespace()
+ return child.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && child.GetName() == desiredEnvoyFilter.GetName() && child.GetNamespace() == desiredEnvoyFilter.GetNamespace() && labels.Set(child.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(labels.Set(desiredEnvoyFilter.GetLabels()))
 })
 // create
@@ -146,7 +147,7 @@ func (r *istioRateLimitClusterReconciler) Reconcile(ctx context.Context, _ []con
 // cleanup istio clusters for gateways that are not in the effective policies
 staleEnvoyFilters := topology.Objects().Items(func(o machinery.Object) bool {
 _, desired := desiredEnvoyFilters[k8stypes.NamespacedName{Name: o.GetName(), Namespace: o.GetNamespace()}]
- return o.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && !desired
+ return o.GroupVersionKind().GroupKind() == kuadrantistio.EnvoyFilterGroupKind && labels.Set(o.(*controller.RuntimeObject).GetLabels()).AsSelector().Matches(RateLimitObjectLabels()) && !desired
 })
 for _, envoyFilter := range staleEnvoyFilters {
@@ -168,7 +169,7 @@ func (r *istioRateLimitClusterReconciler) buildDesiredEnvoyFilter(limitador *lim
 ObjectMeta: metav1.ObjectMeta{
 Name: RateLimitClusterName(gateway.GetName()),
 Namespace: gateway.GetNamespace(),
- Labels: map[string]string{rateLimitClusterLabelKey: "true"},
+ Labels: RateLimitObjectLabels(),
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: gateway.GroupVersionKind().GroupVersion().String(),
diff --git a/controllers/ratelimit_workflow.go b/controllers/ratelimit_workflow.go
index 594681d1a..de4ec0ccc 100644
--- a/controllers/ratelimit_workflow.go
+++ b/controllers/ratelimit_workflow.go
@@ -13,6 +13,7 @@ import (
 "github.com/samber/lo"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
 k8stypes "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/dynamic"
 "k8s.io/utils/env"
@@ -134,6 +135,12 @@ func LimitNameToLimitadorIdentifier(rlpKey k8stypes.NamespacedName, uniqueLimitN
 return identifier
 }
+func RateLimitObjectLabels() labels.Set {
+ m := KuadrantManagedObjectLabels()
+ m[rateLimitClusterLabelKey] = "true"
+ return m
+}
+
 func RateLimitClusterName(gatewayName string) string {
 return fmt.Sprintf("kuadrant-ratelimiting-%s", gatewayName)
 }
diff --git a/controllers/ratelimitpolicy_status_updater.go b/controllers/ratelimitpolicy_status_updater.go
index 85406fea8..b3757e572 100644
--- a/controllers/ratelimitpolicy_status_updater.go
+++ b/controllers/ratelimitpolicy_status_updater.go
@@ -39,7 +39,7 @@ type rateLimitPolicyStatusUpdater struct {
 func (r *rateLimitPolicyStatusUpdater) Subscription() controller.Subscription {
 return controller.Subscription{
 ReconcileFunc: r.UpdateStatus,
- Events: rateLimitEventMatchers,
+ Events: rateLimitEventMatchers,
 }
 }
diff --git a/controllers/state_of_the_world.go b/controllers/state_of_the_world.go
index 93c2defb3..4b5801f52 100644
--- a/controllers/state_of_the_world.go
+++ b/controllers/state_of_the_world.go
@@ -19,6 +19,7 @@ import (
 istioclientgosecurityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/client-go/dynamic"
 "k8s.io/utils/env"
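Review bot: `RateLimitObjectLabels` in ratelimit_workflow.go is exported without a doc comment, and it writes into the map returned by `KuadrantManagedObjectLabels()`, which is safe only because that function builds a fresh map on every call. A comment such as `// RateLimitObjectLabels returns a new label set for rate-limit cluster objects: the Kuadrant managed label plus rateLimitClusterLabelKey.` would record both facts. `KuadrantManagedObjectLabels` in state_of_the_world.go would benefit from a matching comment stating that each call returns a new set which callers may mutate.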
@@ -41,8 +42,10 @@ import (
 )
 var (
+ operatorNamespace = env.GetString("OPERATOR_NAMESPACE", "kuadrant-system")
+ kuadrantManagedLabelKey = "kuadrant.io/managed"
+
 ConfigMapGroupKind = schema.GroupKind{Group: corev1.GroupName, Kind: "ConfigMap"}
- operatorNamespace = env.GetString("OPERATOR_NAMESPACE", "kuadrant-system")
 )
 // gateway-api permissions
@@ -212,12 +215,13 @@ func (b *BootOptionsBuilder) getEnvoyGatewayOptions() []controller.ControllerOpt
 &egv1alpha1.EnvoyPatchPolicy{},
 envoygateway.EnvoyPatchPoliciesResource,
 metav1.NamespaceAll,
- controller.FilterResourcesByLabel[*egv1alpha1.EnvoyPatchPolicy](fmt.Sprintf("%s=true", rateLimitClusterLabelKey)),
+ controller.FilterResourcesByLabel[*egv1alpha1.EnvoyPatchPolicy](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
 )),
 controller.WithRunnable("envoyextensionpolicy watcher", controller.Watch(
 &egv1alpha1.EnvoyExtensionPolicy{},
 envoygateway.EnvoyExtensionPoliciesResource,
 metav1.NamespaceAll,
+ controller.FilterResourcesByLabel[*egv1alpha1.EnvoyExtensionPolicy](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
 )),
 controller.WithRunnable("envoysecuritypolicy watcher", controller.Watch(
 &egv1alpha1.SecurityPolicy{},
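Review bot: Objects created by an earlier operator version will not carry `kuadrant.io/managed`, so once the watch filters in `getEnvoyGatewayOptions` key on `kuadrantManagedLabelKey` those objects drop out of the watched set. The removed lines show EnvoyPatchPolicies were labelled only with `rateLimitClusterLabelKey`, and the EnvoyExtensionPolicy builder gains its `Labels` field in this same commit. The reconcilers would then neither find nor clean up such objects, which can leave old rate-limit or wasm configuration in force. The create path is outside this diff, so whether it tolerates an already-existing object is not visible here. Consider relabelling owned objects once at startup or documenting the upgrade step; the same applies to the EnvoyFilter and WasmPlugin watchers in `getIstioOptions`.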
@@ -252,12 +256,13 @@ func (b *BootOptionsBuilder) getIstioOptions() []controller.ControllerOption {
 &istioclientnetworkingv1alpha3.EnvoyFilter{},
 istio.EnvoyFiltersResource,
 metav1.NamespaceAll,
- controller.FilterResourcesByLabel[*istioclientnetworkingv1alpha3.EnvoyFilter](fmt.Sprintf("%s=true", rateLimitClusterLabelKey)),
+ controller.FilterResourcesByLabel[*istioclientnetworkingv1alpha3.EnvoyFilter](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
 )),
 controller.WithRunnable("wasmplugin watcher", controller.Watch(
 &istioclientgoextensionv1alpha1.WasmPlugin{},
 istio.WasmPluginsResource,
 metav1.NamespaceAll,
+ controller.FilterResourcesByLabel[*istioclientgoextensionv1alpha1.WasmPlugin](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
 )),
 controller.WithRunnable("authorizationpolicy watcher", controller.Watch(
 &istioclientgosecurityv1beta1.AuthorizationPolicy{},
@@ -439,6 +444,12 @@ func GetKuadrantFromTopology(topology *machinery.Topology) (*kuadrantv1beta1.Kua
 return kuadrant, nil
 }
+func KuadrantManagedObjectLabels() labels.Set {
+ return labels.Set(map[string]string{
+ kuadrantManagedLabelKey: "true",
+ })
+}
+
 func isObjectOwnedByGroupKind(o client.Object, groupKind schema.GroupKind) bool {
 for _, o := range o.GetOwnerReferences() {
 oGV, err := schema.ParseGroupVersion(o.APIVersion)