diff --git a/migrations/2022-03-25-label-ns-with-name.sh b/migrations/2022-03-25-label-ns-with-name.sh
new file mode 100755
index 0000000000000000000000000000000000000000..5c63e7ef60b3baf6857ef93806bf17cac7a1026f
--- /dev/null
+++ b/migrations/2022-03-25-label-ns-with-name.sh
@@ -0,0 +1,6 @@
+#!/bin/bash -eu
+
+for NS in `kubectl get ns -A --no-headers -o custom-columns=":metadata.name"`; do
+  echo $NS
+  kubectl label --overwrite ns/$NS name=$NS
+done
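Review bot: A failing `kubectl get ns` inside the `for` word list does not trip `-e`, so the loop runs zero times and the script exits 0 with nothing labelled; the three later migration scripts in this diff use the same pattern. The NetworkPolicy selectors added in this change match on the `name` label, so a silently skipped run leaves them matching nothing. Assign the list first so the failure is fatal, e.g. `NAMESPACES=$(kubectl get ns --no-headers -o custom-columns=":metadata.name")` followed by `for NS in $NAMESPACES; do`. Options on the shebang line are also lost when the file is run as `bash script.sh`; a `set -eu` line in the body keeps them.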
diff --git a/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh b/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c10d0d21ccee8e67b531a1fd6041a07eaafa84d0
--- /dev/null
+++ b/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -eu
+
+for NS in `kubectl get ns -A --no-headers -o custom-columns=":metadata.name"`; do
+  echo $NS
+  kubectl -n $NS label --overwrite rs  -l app.kubernetes.io/name=hedgedoc app.kubernetes.io/component=app
+  kubectl -n $NS label --overwrite po  -l app.kubernetes.io/name=hedgedoc app.kubernetes.io/component=app
+done
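Review bot: The two `kubectl label` calls only change the metadata of ReplicaSets and Pods that exist at run time; nothing is written to a pod template, so pods created after the next rollout or reschedule will not carry `app.kubernetes.io/component=app`. If the `allow-to-web-pods` policy in networkpolicies.yml is meant to cover hedgedoc, those new pods would fall out of its selector. Presumably the chart or Deployment template is updated elsewhere; a comment such as `# one-off: relabels running objects only, template labels come from the hedgedoc chart` would make that dependency explicit.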
diff --git a/migrations/2022-04-11-apply-last-np.sh b/migrations/2022-04-11-apply-last-np.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c27a60487285ef6f681aef8a189c05510e2e14c3
--- /dev/null
+++ b/migrations/2022-04-11-apply-last-np.sh
@@ -0,0 +1,6 @@
+#!/bin/bash -eux
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" -l libre.sh/scope=user`; do
+  kubctl -n ${NS} delete networkpolicies allow-from-ingress-namespace
+  cat "/root/domains/common/networkpolicies.yml" | envsubst '$NS' | kubectl -n ${NS} diff -f -
+done
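Review bot: As written the loop never installs the new policies: `kubctl` is misspelled, so under `-e` the script stops at the first namespace, and the second command runs `kubectl ... diff`, which changes nothing and returns non-zero when differences exist. `NS` is only a shell variable here and `envsubst` reads the environment, so unless the caller exports `NS` the `${NS}` in the namespaceSelector renders as an empty string; the `create_ns` hunk in scripts/functions.sh uses the same pipeline and has the same dependency. Assuming the intent is to roll the policies out, add `export NS` at the top of the loop body, then `envsubst '$NS' < /root/domains/common/networkpolicies.yml | kubectl -n "${NS}" apply -f -`, and only afterwards `kubectl -n "${NS}" delete networkpolicies allow-from-ingress-namespace --ignore-not-found`. Applying before deleting avoids a window in which neither the old nor the new rules are in place.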
diff --git a/migrations/2022-04-11-label-system-and-user-ns.sh b/migrations/2022-04-11-label-system-and-user-ns.sh
new file mode 100755
index 0000000000000000000000000000000000000000..5894a178214cf6fd6e4289994109ab1fc918bf8a
--- /dev/null
+++ b/migrations/2022-04-11-label-system-and-user-ns.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -eux
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep -v "cert-manager\|default\|kube\|flux-system\|ingress\|operator\|monitoring"`; do
+  kubectl label ns $NS libre.sh/scope=user
+done
+
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep "cert-manager\|default\|kube\|flux-system\|ingress\|operator\|monitoring"`; do
+  kubectl label ns $NS libre.sh/scope=system
+done
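Review bot: The user/system split is decided by unanchored substring matches, so any tenant namespace whose name merely contains `kube`, `default`, `ingress`, `operator` or `monitoring` is labelled `libre.sh/scope=system` by the second loop and skipped by the first. The 2022-04-11-apply-last-np.sh migration selects on `libre.sh/scope=user`, so such a namespace would be left out when the isolation policies are rolled out. Match whole names instead, for example `grep -vxE 'cert-manager|default|kube-.*|flux-system|<other system namespaces>'` with the cluster's actual list filled in, and the same expression without `-v` in the second loop. Adding `--overwrite` to both `kubectl label` calls would also let the script be re-run after a namespace has been reclassified.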
diff --git a/networkpolicies.yml b/networkpolicies.yml
index c86a322a4f9c95e202c8a5b2e0c40d6355f3285b..02ba72aa115054bfa1c875b209dd94afb2b5b6c4 100644
--- a/networkpolicies.yml
+++ b/networkpolicies.yml
@@ -1,16 +1,38 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: allow-from-ingress-namespace
+  name: allow-from-pg-operator-to-pg
 spec:
   podSelector:
     matchLabels:
-      app.kubernetes.io/component: web
+      application: spilo
   ingress:
   - from:
     - namespaceSelector:
         matchLabels:
-          name: ingress
+          name: postgres-operator
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-to-web-pods
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: app
+  ingress:
+  - {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-to-app-pods
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: web
+  ingress:
+  - {}
 ---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
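Review bot: The added policies `allow-to-web-pods` and `allow-to-app-pods` use `ingress: - {}`, which admits traffic from every source on every port, including pods in other tenants' namespaces; the policy they replace limited `component: web` pods to the `ingress` namespace. NetworkPolicies are additive, so the tighter same-namespace rule later in the file does not narrow this. If the goal is only to let the ingress controller reach these pods, keep a `from:` clause with a `namespaceSelector` for the ingress namespace (ideally with `ports:`) instead of an empty rule; if the open rule is deliberate, a comment saying why would help. The names also look swapped against their selectors: `allow-to-web-pods` selects `app.kubernetes.io/component: app` and `allow-to-app-pods` selects `component: web`.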
@@ -19,7 +41,10 @@ metadata:
 spec:
   podSelector: {}
   ingress:
-  - {}
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: ${NS}
   policyTypes:
   - Ingress
 ---
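Review bot: The new `namespaceSelector` trusts the hand-applied `name` label, which anyone allowed to label or patch a namespace can set to another tenant's value; the `name: postgres-operator` selector in the previous hunk has the same dependency. The policy's `metadata.name` is outside this hunk, but if this is the same-namespace rule, `- from:` with `- podSelector: {}` expresses it without any namespace label or templating. Otherwise `kubernetes.io/metadata.name: ${NS}` is safer, since Kubernetes 1.21 and later set that label on every namespace automatically. The file now also contains a literal `${NS}`, so any remaining path that applies it without `envsubst` would create a selector for that literal string.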
diff --git a/scripts/functions.sh b/scripts/functions.sh
index 6ca74b53de97f072906e393b02d67dcf0e3e3973..d194d3021b32bd4b62865d9acf06675bf9c8a310 100644
--- a/scripts/functions.sh
+++ b/scripts/functions.sh
@@ -19,7 +19,9 @@ function create_buckets_for_gitlab() {
 function create_ns() {
   mkdir -p /root/domains/${NS}
   kubectl create ns ${NS} || true
-  kubectl -n ${NS} apply -f /root/domains/common/networkpolicies.yml
+  kubectl label ns $NS libre.sh/scope=user
+  kubectl label ns/$NS name=$NS
+  cat "/root/domains/common/networkpolicies.yml" | envsubst '$NS' | kubectl -n ${NS} apply -f -
 }
 
 function pg_zero_lag() {
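Review bot: Both new `kubectl label` calls omit `--overwrite`, unlike the 2022-03-25 migration that sets the same `name` label, so on a namespace that already carries a different value kubectl refuses the change and the old value stays. `kubectl create ns ${NS} || true` just above tolerates an existing namespace, so that case is reachable, and whether the failure stops `create_ns` depends on shell options set outside this hunk. Consider `kubectl label --overwrite ns "$NS" libre.sh/scope=user name="$NS"`, plus a short comment such as `# networkpolicies.yml is a template: ${NS} is filled in by envsubst before apply`.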