To enable a basic layer of isolation between namespaces, there is a Helm chart shown as recommended app for your clusters which is called isolation-templates. Installing this app into your cluster, will install a cluster-wide PodSecurityPolicy as well as some templates for NetworkPolicies and LimitRanges for resource limits.


The isolation-templates chart installs a cluster-wide PodSecurityPolicy (see YAML template on GitHub).


It is highly recommended to have a PodSecurityPolicy in your cluster.

Network Isolation

The isolation-templates chart installs 4 templates for Network Policies:


It is recommended to enforce all network policies provided by the isolation-templates chart. Learn how to enforce a template for your cluster accounts.


If you want to use one of the network policies, you should always use deny-default and combine it with any other allow-* policies you want to use. Just using one or multiple allow-* policies will not have any effect if you do not use the deny-default policy.

Limit Resources

The isolation-templates chart installs one template that shows you how to configure a LimitRange (see YAML template on GitHub).


The LimitRange defined by the template within the isolation-templates chart is just an example. It is strongly recommended that you define additional templates with additional LimitRanges and then enforce these templates for your cluster accounts. Learn how to enforce a template for your cluster accounts.