diff --git a/bootstrap/kyverno/namespace.yaml b/bootstrap/kyverno/namespace.yaml
index e5d0650e5c7868a8dbef9b6d35a049086db3327f..3c428410e3a265b065c32d1cc572a2d618ef4d3c 100644
--- a/bootstrap/kyverno/namespace.yaml
+++ b/bootstrap/kyverno/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
   name: kyverno
   labels:
     name: kyverno
+    kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/cert-manager/namespace.yaml b/infrastructure/cert-manager/namespace.yaml
index 237888c1ca123fa65dd33ec48825b910f6b13f19..4555234eaea60f61402eef9f6ab7ea46f34ee1e5 100644
--- a/infrastructure/cert-manager/namespace.yaml
+++ b/infrastructure/cert-manager/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
   name: cert-manager
   labels:
     name: cert-manager
+    kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/ingress-nginx/namespace.yaml b/infrastructure/ingress-nginx/namespace.yaml
index f2e980136694979c0ae1564ef49d750a545de9c7..f098abde2e41c22d08be2d1396a98f1908a7935f 100644
--- a/infrastructure/ingress-nginx/namespace.yaml
+++ b/infrastructure/ingress-nginx/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
   name: nginx-system
   labels:
     name: nginx-system
+    kyverno.shivering-isles.com/class: "system" 
diff --git a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
index 07d3936a8b3a0f53963ada2af168cf79e6c00f09..2e52f8920c41164af6ca5ace6a33ff41bfacc401 100644
--- a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
+++ b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
@@ -9,21 +9,24 @@ spec:
       resources:
         kinds:
         - Namespace
+      selector:
+        matchExpressions:
+          - {key: kyverno.shivering-isles.com/class operator: NotIn, values: [system]}
     exclude:
       resources:
         namespaces:
         - '*-system'
         - default
         - kube-public
-        - kyverno
+        - tigera-operator
     generate:
-      apiVersion: networking.k8s.io/v1
       kind: NetworkPolicy
-      metadata:
-        name: allow-from-same-namespace-managed
-        namespace: "{{request.object.metadata.name}}"
-      spec:
-        podSelector: {}
-        ingress:
-        - from:
-          - podSelector: {}
+      name: allow-from-same-namespace-managed
+      namespace: "{{request.object.metadata.name}}"
+      data:
+        apiVersion: networking.k8s.io/v1
+        spec:
+          podSelector: {}
+          ingress:
+          - from:
+            - podSelector: {}
diff --git a/infrastructure/postgres/namespace.yaml b/infrastructure/postgres/namespace.yaml
index 87ce1a9e864d0b23af4c192e4347fb5ce809d196..10d72f25ea4a50fdfd3583dcf4b56d9f927e769e 100644
--- a/infrastructure/postgres/namespace.yaml
+++ b/infrastructure/postgres/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
   name: zalando-postgres
   labels:
     name: zalando-postgres
+    kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/prometheus/namespace.yaml b/infrastructure/prometheus/namespace.yaml
index 90d12efda293fe61f980c2914b5d8a121200db0f..14d23d81737f047784cd0e27302690787cb951cd 100644
--- a/infrastructure/prometheus/namespace.yaml
+++ b/infrastructure/prometheus/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
   name: monitoring
   labels:
     name: monitoring
+    kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/rook/namespace.yaml b/infrastructure/rook/namespace.yaml
index f046b87cda3f6830987e3fd4b3885f5944453d5d..c4ddccc6ba4aeba61a2a67421c60664b535d2a92 100644
--- a/infrastructure/rook/namespace.yaml
+++ b/infrastructure/rook/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
   name: rook-ceph
   labels:
     name: rook-ceph
+    kyverno.shivering-isles.com/class: "system"