diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 85e25e9ba8303fa1f4cd9e9cf2cb3904779ee421..7cb063434b6befc83547a94d1f202de1ecad0243 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -3,6 +3,8 @@ kind: Kustomization
 resources:
   - sources
   - rook
+  - namespace-configuration
   - postgres
   - openshift-monitoring
   - cert-manager
+
diff --git a/infrastructure/namespace-configuration/kustomization.yaml b/infrastructure/namespace-configuration/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d18e9d5e1ee1d0e2e50be073dc44db0293ee1109
--- /dev/null
+++ b/infrastructure/namespace-configuration/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: zalando-postgres
+resources:
+- namespace.yaml
+- subscription.yaml
+- network-policy.yaml
diff --git a/infrastructure/namespace-configuration/namespace.yaml b/infrastructure/namespace-configuration/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..72846f8f38683c78c9a1de95919be84dd2d587f2
--- /dev/null
+++ b/infrastructure/namespace-configuration/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace-configuration-operator
diff --git a/infrastructure/namespace-configuration/network-policy.yaml b/infrastructure/namespace-configuration/network-policy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..963ab704b4ceea23cc4f9813728564e256faf930
--- /dev/null
+++ b/infrastructure/namespace-configuration/network-policy.yaml
@@ -0,0 +1,52 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: NamespaceConfig
+metadata:
+  name: default-networkpolicy
+spec:
+  annotationSelector:
+    matchExpressions:
+      - operator: Exists
+        key: "openshift.io/requester"
+  templates:
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-same-namespace
+          namespace: {{ .Name }}
+        spec:
+          podSelector: {}
+          ingress:
+          - from:
+            - podSelector: {}
+
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-openshift-ingress
+          namespace: {{ .Name }}
+        spec:
+          ingress:
+          - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: ingress
+          podSelector: {}
+          policyTypes:
+          - Ingress
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-openshift-monitoring
+          namespace: {{ .Name }}
+        spec:
+          ingress:
+          - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: monitoring
+          podSelector: {}
+          policyTypes:
+          - Ingress
diff --git a/infrastructure/namespace-configuration/subscription.yaml b/infrastructure/namespace-configuration/subscription.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..43216076b6d144cdca18dc31e5904736ce7aee42
--- /dev/null
+++ b/infrastructure/namespace-configuration/subscription.yaml
@@ -0,0 +1,10 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: namespace-configuration-operator
+  namespace: namespace-configuration-operator
+spec:
+  channel: alpha
+  name: namespace-configuration-operator
+  source: community-operators
+  sourceNamespace: openshift-marketplace
diff --git a/infrastructure/postgres/kustomization.yaml b/infrastructure/postgres/kustomization.yaml
index 4a2392914dcab321290de6374c36bd8032e52b93..dd7e5f88da7604e9028b464bef6f30ff2c3e1429 100644
--- a/infrastructure/postgres/kustomization.yaml
+++ b/infrastructure/postgres/kustomization.yaml
@@ -4,3 +4,4 @@ namespace: zalando-postgres
 resources:
   - namespace.yaml
   - release.yaml
+  - user-namespace-network-policy.yaml
diff --git a/infrastructure/postgres/user-namespace-network-policy.yaml b/infrastructure/postgres/user-namespace-network-policy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fa2530518da22dbb5009807ee9ac6ff920cfcc3a
--- /dev/null
+++ b/infrastructure/postgres/user-namespace-network-policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: NamespaceConfig
+metadata:
+  name: user-namespaces-network-policy-zalando-postgres
+spec:
+  annotationSelector:
+    matchExpressions:
+      - operator: Exists
+        key: "openshift.io/requester"
+  templates:
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-zalando-postgres
+          namespace: {{ .Name }}
+        spec:
+          ingress:
+          - from:
+            - namespaceSelector:
+                matchLabels:
+                  name: zalando-postgres
+          podSelector: {}
+          policyTypes:
+          - Ingress