diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index e304eed75c07c57d5783e7338a1dc253e94d791f..6da7799a1b73146125691131bd97374d1b0cb965 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -12,3 +12,4 @@ resources:
   - longhorn
   - monitoring
   - k8up
+  - postgres
diff --git a/infrastructure/postgres/kustomization.yaml b/infrastructure/postgres/kustomization.yaml
index dd7e5f88da7604e9028b464bef6f30ff2c3e1429..df609e8f1a8c1944b44ae3b7bf5890da23d551c4 100644
--- a/infrastructure/postgres/kustomization.yaml
+++ b/infrastructure/postgres/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: zalando-postgres
+namespace: postgres-system
 resources:
   - namespace.yaml
+  - repository.yaml
   - release.yaml
-  - user-namespace-network-policy.yaml
diff --git a/infrastructure/postgres/namespace.yaml b/infrastructure/postgres/namespace.yaml
index 10d72f25ea4a50fdfd3583dcf4b56d9f927e769e..f2b5639f2974448d14540d600b52b0cfd4aad99c 100644
--- a/infrastructure/postgres/namespace.yaml
+++ b/infrastructure/postgres/namespace.yaml
@@ -1,7 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: zalando-postgres
+  name: postgres-system
   labels:
-    name: zalando-postgres
+    name: postgres-system
     kyverno.shivering-isles.com/class: "system"
+    database.shivering-isles.com/network-access-required: "true"
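Review bot: The added label `database.shivering-isles.com/network-access-required: "true"` is now the access grant matched by the namespaceSelector in shared/networkpolicies/allow-from-database.yaml, but nothing on the line says so. Any namespace carrying it can reach pods labelled `application: spilo` on ports 5432, 8008 and 8080. I would add a comment above it such as `# grants ingress to spilo pods via allow-from-database; do not copy to application namespaces`. If only the operator namespace is ever meant to match, selecting on `kubernetes.io/metadata.name: postgres-system` in the policy would avoid depending on a label that anyone allowed to edit namespaces can set. Whether namespace label changes are restricted elsewhere (for example by a Kyverno rule) is not visible in this diff.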
diff --git a/infrastructure/postgres/release.yaml b/infrastructure/postgres/release.yaml
index ff031b4e97f9a26ead8e1dcf59f277964ce2fda8..4100a320227e68dde4fe13624689e407b38d68d8 100644
--- a/infrastructure/postgres/release.yaml
+++ b/infrastructure/postgres/release.yaml
@@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: zalando-postgres-operator
-  namespace: zalando-postgres
+  namespace: postgres-system
 spec:
   releaseName: zalando-postgres-operator
   chart:
@@ -11,9 +11,9 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: zalando-postgres-operator
+        namespace: postgres-system
       valuesFiles:
         - values.yaml
-      # renovate: helmRepo=https://opensource.zalando.com/postgres-operator/charts/postgres-operator/ depName=postgres-operator
       version: 1.7.1
   interval: 5m
   values:
diff --git a/infrastructure/postgres/repository.yaml b/infrastructure/postgres/repository.yaml
index ade97c6138248a7a03e79b9094dabd8fc16243f1..39f5e7bc910cd69592aff6d5104d15f23c7419a6 100644
--- a/infrastructure/postgres/repository.yaml
+++ b/infrastructure/postgres/repository.yaml
@@ -2,6 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: HelmRepository
 metadata:
   name: zalando-postgres-operator
+  namespace: postgres-system
 spec:
   interval: 30m
   url: https://opensource.zalando.com/postgres-operator/charts/postgres-operator/
diff --git a/infrastructure/postgres/user-namespace-network-policy.yaml b/infrastructure/postgres/user-namespace-network-policy.yaml
deleted file mode 100644
index fabc183d046bd7abf8e3f6197e7e6092bce9bc96..0000000000000000000000000000000000000000
--- a/infrastructure/postgres/user-namespace-network-policy.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: default
-spec:
-  rules:
-  - name: allow-from-zalando-postgres
-    match:
-      resources:
-        kinds:
-        - Namespace
-    exclude:
-      resources:
-        namespaces:
-        - *-system
-        - default
-        - kube-public
-        - kyverno
-    generate:
-      apiVersion: networking.k8s.io/v1
-      kind: NetworkPolicy
-      metadata:
-        name: allow-from-zalando-postgres-managed
-        namespace: "{{request.object.metadata.name}}"
-      spec:
-        ingress:
-        - from:
-          - namespaceSelector:
-              matchLabels:
-                name: zalando-postgres
-          ports:
-          - port: 8008
-            protocol: TCP
-          - port: 5432
-            protocol: TCP
-          - port: 8080
-            protocol: TCP
-        podSelector:
-          matchLabels:
-            application: spilo
-        policyTypes:
-        - Ingress
diff --git a/shared/networkpolicies/allow-from-database.yaml b/shared/networkpolicies/allow-from-database.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e7a2e9cf8d552e422bf0bc6dfd5323b6258e109c
--- /dev/null
+++ b/shared/networkpolicies/allow-from-database.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-database
+  namespace: "{{request.object.metadata.name}}"
+spec:
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          database.shivering-isles.com/network-access-required: "true"
+    ports:
+    - port: 8008
+      protocol: TCP
+    - port: 5432
+      protocol: TCP
+    - port: 8080
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      application: spilo
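Review bot: `namespace: "{{request.object.metadata.name}}"` in this new file's metadata is a Kyverno variable, yet the file is a plain NetworkPolicy, and the ClusterPolicy that wrapped the same spec in a `generate` rule is deleted in this commit. No hunk here shows what consumes the new file. Unless a generate rule or templating step outside this diff picks it up, the manifest either fails on an invalid namespace or is never created, leaving spilo pods without this ingress rule. I would add a header comment naming the consumer, e.g. `# template: rendered per namespace by <generator name>, not applied directly`. Please also confirm the replacement still skips the namespaces the old rule excluded (`*-system`, `default`, `kube-public`, `kyverno`).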