diff --git a/infrastructure/calico/release.yaml b/infrastructure/calico/release.yaml
index 2b328d83322c50cb6fbe188c07ca0e3f39af009a..12d8300841511e0cff64a28f76609d7b9ada4175 100644
--- a/infrastructure/calico/release.yaml
+++ b/infrastructure/calico/release.yaml
@@ -13,3 +13,17 @@ spec:
         name: projectcalico
       version: v3.20.1
   interval: 15m
+  values:
+    installation:
+      enabled: true
+      kubernetesProvider: ""
+      calicoNetwork:
+        bgp: Disabled
+        hostPorts: Enabled
+        ipPools:
+          - blockSize: 26
+            cidr: 192.168.0.0/16
+            encapsulation: VXLAN
+            natOutgoing: Enabled
+            nodeSelector: all()
+
diff --git a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b0b39faa32457eadeaae8bffcae9c13063055608
--- /dev/null
+++ b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: default
+spec:
+  rules:
+  - name: allow-from-same-namespace
+    match:
+      resources:
+        kinds:
+        - Namespace
+    exclude:
+      resources:
+        namespaces:
+        - *-system
+        - default
+        - kube-public
+        - kyverno
+    generate:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-from-same-namespace-managed
+        namespace: {{request.object.metadata.name}}
+      spec:
+        podSelector: {}
+        ingress:
+        - from:
+          - podSelector: {}