diff --git a/apps/k8s01/blog/blog.yaml b/apps/k8s01/blog/blog.yaml
index cc110868a48d7e8a5942f2ae7315d9f0ab8ac6d9..a0c4fc4d3a4686873e976fec1dbbc9de20034226 100644
--- a/apps/k8s01/blog/blog.yaml
+++ b/apps/k8s01/blog/blog.yaml
@@ -3,18 +3,13 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: blog
-  labels:
-    app.kubernetes.io/name: blog
 spec:
   replicas: 2
   selector:
-    matchLabels:
-      app.kubernetes.io/name: blog
+    matchLabels: {}
   template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: blog
     spec:
+      serviceAccountName: blog
       automountServiceAccountToken: false
       containers:
         - name: blog
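Review bot: The `matchLabels: {}` placeholder in the Deployment selector is only filled in by `commonLabels` in kustomization.yaml, and the pod template no longer declares any labels of its own. The same pattern recurs in the later hunks: the topology-spread `labelSelector`, the Service `selector: {}` and the PodDisruptionBudget selector. If this file is applied or validated without kustomize, an apps/v1 Deployment with an empty selector is rejected, and the other empty selectors match either every pod in the namespace or none, depending on the kind. I would add a comment above each placeholder, for example `# filled by commonLabels in kustomization.yaml; do not apply this file directly`. The Deployment spec continues outside this hunk.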
@@ -58,8 +53,7 @@ spec:
           topologyKey: kubernetes.io/hostname
           whenUnsatisfiable: DoNotSchedule
           labelSelector:
-            matchLabels:
-              app.kubernetes.io/name: blog
+            matchLabels: {}
           matchLabelKeys:
             - pod-template-hash
 ---
@@ -67,12 +61,9 @@ apiVersion: v1
 kind: Service
 metadata:
   name: blog
-  labels:
-    app.kubernetes.io/name: blog
 spec:
-  type: LoadBalancer
-  selector:
-    app.kubernetes.io/name: blog
+  type: ClusterIP
+  selector: {}
   ports:
     - name: http
       protocol: TCP
@@ -86,5 +77,4 @@ metadata:
 spec:
   minAvailable: 1
   selector:
-    matchLabels:
-      app.kubernetes.io/name: blog
+    matchLabels: {}
diff --git a/apps/k8s01/blog/certificate.yaml b/apps/k8s01/blog/certificate.yaml
index 58d9b57a0efdb4c587e275bbf1b8624c83f17173..a2c752e21dcc051a75adce4ebc57cb03be8bc983 100644
--- a/apps/k8s01/blog/certificate.yaml
+++ b/apps/k8s01/blog/certificate.yaml
@@ -3,8 +3,6 @@ kind: Certificate
 metadata:
     name: blog-tls
     namespace: blog
-    labels:
-        app.kubernetes.io/name: blog
 spec:
     dnsNames:
         - ENC[AES256_GCM,data:e3PPdTF5o9u8HB8EFiPCC5AQTA==,iv:oJUqFVCwqxOPEedcVaKVnG7JBvq87Lb6OptXxX+oFFE=,tag:AW+DOX0gd3dmxkTV3PmtaA==,type:str]
diff --git a/apps/k8s01/blog/ingress.yaml b/apps/k8s01/blog/ingress.yaml
index 45c77d282fd63a06cff3dc22593f5eef6f2aa4c7..015e758ba54330e62be4db383b2dc18520249d79 100644
--- a/apps/k8s01/blog/ingress.yaml
+++ b/apps/k8s01/blog/ingress.yaml
@@ -3,8 +3,6 @@ kind: Ingress
 metadata:
     name: blog
     namespace: blog
-    labels:
-        app.kubernetes.io/name: blog
     annotations:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Blog
diff --git a/apps/k8s01/blog/kustomization.yaml b/apps/k8s01/blog/kustomization.yaml
index 36ca0b56e1945bf47add7a25a389a93f66ea30ad..6ecabbafdcd89eaf74a89bbb499528e5ad7898d8 100644
--- a/apps/k8s01/blog/kustomization.yaml
+++ b/apps/k8s01/blog/kustomization.yaml
@@ -1,15 +1,21 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: blog
+
+commonLabels:
+  app.kubernetes.io/name: blog
+
 resources:
   - namespace.yaml
   - certificate.yaml
   - blog.yaml
   - ingress.yaml
   - slo.yaml
+  - serviceaccount.yaml
   - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
   - ../../../shared/networkpolicies/deny-by-default-egress.yaml
   - ../../../shared/networkpolicies/allow-from-ingress.yaml
   - ../../../shared/resourcequotas/default.yaml
-patchesStrategicMerge:
-  - networkpolicy.yaml
\ No newline at end of file
+
+components:
+  - ../../../shared/components/namespace-restricted
\ No newline at end of file
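Review bot: `commonLabels` now replaces the removed `networkpolicy.yaml` patch, but it also rewrites selectors in all three shared NetworkPolicies, which are not visible in this diff. By default kustomize adds the label to `spec.podSelector.matchLabels` only where that field already exists. If the shared `allow-from-ingress.yaml` has a bare `podSelector: {}`, the allow rule would therefore cover every pod in the namespace instead of only the blog pods. The same transformer writes into `ingress.from[].podSelector.matchLabels` and `egress.to[].podSelector.matchLabels` when present, so a peer selector keyed on `app.kubernetes.io/name` (for example one selecting the ingress controller) would be overwritten with `blog`. Check the rendered policies with `kustomize build apps/k8s01/blog` before merging. If they come out wrong, keep an explicit NetworkPolicy patch and switch to the `labels:` field with `includeSelectors: false`.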
diff --git a/apps/k8s01/blog/namespace.yaml b/apps/k8s01/blog/namespace.yaml
index 9b0aaca7300018fad6a246bf09b7f0462e58bc15..a98aecffbc206d54fe970384a03aa8c93555a2c9 100644
--- a/apps/k8s01/blog/namespace.yaml
+++ b/apps/k8s01/blog/namespace.yaml
@@ -1,31 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: blog
-  labels:
-    pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/enforce: restricted
-    pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/audit-version: v1.27
-    pod-security.kubernetes.io/enforce-version: v1.26
-    pod-security.kubernetes.io/warn-version: v1.27
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: flux-reconciler
-  namespace: blog
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: flux-reconciler
-  namespace: blog
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-  - kind: ServiceAccount
-    name: flux-reconciler
-    namespace: blog
+  name: blog
\ No newline at end of file
diff --git a/apps/k8s01/blog/networkpolicy.yaml b/apps/k8s01/blog/networkpolicy.yaml
deleted file mode 100644
index d89a282562366feb498834bb880301f0014b64a7..0000000000000000000000000000000000000000
--- a/apps/k8s01/blog/networkpolicy.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-from-ingress
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: blog
diff --git a/apps/k8s01/blog/serviceaccount.yaml b/apps/k8s01/blog/serviceaccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d41ce8d10be69989a0da7441df1f189eb15fb6ef
--- /dev/null
+++ b/apps/k8s01/blog/serviceaccount.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: blog
+automountServiceAccountToken: false
\ No newline at end of file
diff --git a/shared/components/namespace-restricted/kustomization.yaml b/shared/components/namespace-restricted/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e748e75a5dab68574f75253f440fa2f27d1d3d78
--- /dev/null
+++ b/shared/components/namespace-restricted/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  - path: namespace.yaml
+    target:
+      kind: Namespace
\ No newline at end of file
diff --git a/shared/components/namespace-restricted/namespace.yaml b/shared/components/namespace-restricted/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fe13196e953b088f3f292b3e4726ef4d2b5c2caa
--- /dev/null
+++ b/shared/components/namespace-restricted/namespace.yaml
@@ -0,0 +1,21 @@
+- op: add
+  path: /metadata/labels
+  value: {}
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1audit
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1enforce
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1warn
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1audit-version
+  value: v1.28
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1enforce-version
+  value: v1.28
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1warn-version
+  value: v1.28
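Review bot: The first operation, `op: add` on `/metadata/labels` with `value: {}`, replaces the whole labels map when the target Namespace already has one, because a JSON Patch `add` on an existing member overwrites it. The blog namespace declares no labels, so this overlay is unaffected. Since the component is shared, though, any overlay whose Namespace manifest carries its own labels would silently lose them, and dropping the first operation instead makes the later adds fail when the map is absent. A strategic-merge patch merges into existing labels and handles both cases. The `patches` entry in the component's kustomization.yaml can keep pointing at the same path.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  # Placeholder name; the patch target in kustomization.yaml selects by kind.
  name: placeholder
  labels:
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit-version: v1.28
    pod-security.kubernetes.io/enforce-version: v1.28
    pod-security.kubernetes.io/warn-version: v1.28
```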