diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml
index 30811454..41e4bbc9 100644
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
index 7c2a7e50..9ecf1bf4 100644
--- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
+++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
@@ -14,6 +14,7 @@ spec:
 metadata:
 labels:
 app: {{ .Release.Name }}-cluster-autoscaler
+ policy.cozystack.io/allow-to-apiserver: "true"
 spec:
 tolerations:
 - key: CriticalAddonsOnly
diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml
index 0ce5d542..24aaeb3a 100644
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -52,8 +52,6 @@ spec:
 emptyDisk:
 capacity: 20Gi
 {{- end }}
-
-
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
@@ -108,6 +106,9 @@ spec:
 hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}:443
 className: "{{ $ingress }}"
 deployment:
+ podAdditionalMetadata:
+ labels:
+ policy.cozystack.io/allow-to-etcd: "true"
 replicas: 2
 version: 1.30.1
 ---
diff --git a/packages/apps/kubernetes/templates/csi/deploy.yaml b/packages/apps/kubernetes/templates/csi/deploy.yaml
index f4fbb64d..cb21208b 100644
--- a/packages/apps/kubernetes/templates/csi/deploy.yaml
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml
@@ -13,6 +13,7 @@ spec:
 metadata:
 labels:
 app: {{ .Release.Name }}-kcsi-driver
+ policy.cozystack.io/allow-to-apiserver: "true"
 spec:
 serviceAccountName: {{ .Release.Name }}-kcsi
 priorityClassName: system-cluster-critical
diff --git a/packages/apps/kubernetes/templates/kccm/manager.yaml b/packages/apps/kubernetes/templates/kccm/manager.yaml
index 586fdbf4..69dd58aa 100644
--- a/packages/apps/kubernetes/templates/kccm/manager.yaml
+++ b/packages/apps/kubernetes/templates/kccm/manager.yaml
@@ -13,6 +13,7 @@ spec:
 metadata:
 labels:
 k8s-app: {{ .Release.Name }}-kccm
+ policy.cozystack.io/allow-to-apiserver: "true"
 spec:
 tolerations:
 - key: CriticalAddonsOnly
diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml
index 5f531c11..700952cf 100644
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.2.0
+version: 1.3.0
diff --git a/packages/apps/tenant/README.md b/packages/apps/tenant/README.md
index 9b17e8fc..6d0373e2 100644
--- a/packages/apps/tenant/README.md
+++ b/packages/apps/tenant/README.md
@@ -56,3 +56,4 @@ tenant-u1
 | `etcd` | Deploy own Etcd cluster | `false` |
 | `monitoring` | Deploy own Monitoring Stack | `false` |
 | `ingress` | Deploy own Ingress Controller | `false` |
+| `isolated` | Enforce tenant namespace with network policies | `false` |
diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml
new file mode 100644
index 00000000..709b5a19
--- /dev/null
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -0,0 +1,124 @@
+{{- if .Values.isolated }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-internal-communication
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ ingress:
+ - fromEndpoints:
+ - {}
+ egress:
+ - toEndpoints:
+ - {}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-external-communication
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ ingress:
+ - fromEntities:
+ - world
+ egress:
+ - toEntities:
+ - world
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-from-system
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ ingress:
+ - fromEntities:
+ - cluster
+---
+{{- if ne (include "tenant.name" .) "tenant-root" }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-from-upper-tenants
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ "kubernetes.io/metadata.name": "tenant-root"
+ {{- if hasPrefix "tenant-" .Release.Namespace }}
+ {{- $parts := splitList "-" .Release.Namespace }}
+ {{- range $i, $v := $parts }}
+ {{- if ne $i 0 }}
+ - matchLabels:
+ "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+---
+{{- if not .Values.etcd }}
+{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-to-etcd
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector:
+ matchLabels:
+ policy.cozystack.io/allow-to-etcd: "true"
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
+ cozystack.io/service: etcd
+{{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-to-apiserver
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector:
+ matchLabels:
+ policy.cozystack.io/allow-to-apiserver: "true"
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-to-dns
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-to-ingress
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ cozystack.io/service: ingress
+{{- end }}
diff --git a/packages/apps/tenant/values.schema.json b/packages/apps/tenant/values.schema.json
index a02ffa71..7f87cda1 100644
--- a/packages/apps/tenant/values.schema.json
+++ b/packages/apps/tenant/values.schema.json
@@ -21,6 +21,11 @@
 "type": "boolean",
 "description": "Deploy own Ingress Controller",
 "default": false
+ },
+ "isolated": {
+ "type": "boolean",
+ "description": "Enforce tenant namespace with network policies",
+ "default": false
 }
 }
 }
\ No newline at end of file
diff --git a/packages/apps/tenant/values.yaml b/packages/apps/tenant/values.yaml
index 3c980c00..d52e99ca 100644
--- a/packages/apps/tenant/values.yaml
+++ b/packages/apps/tenant/values.yaml
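Review bot: `allow-from-system` grants ingress from the Cilium entity `cluster`, which covers every endpoint in the cluster rather than only system namespaces, so a pod in any tenant that is not itself `isolated` can still reach this namespace and the `allow-from-upper-tenants` rules below it add nothing on top; narrow it to the system namespaces the tenant actually depends on, e.g. `- fromEndpoints:` / `  - matchLabels:` / `      io.kubernetes.pod.namespace: kube-system` (one entry per system namespace, or Cilium's namespace-label key `io.cilium.k8s.namespace.labels.cozystack.io/system: "true"` now that the platform chart labels its namespaces). In `allow-to-apiserver`, `- toPorts:` starts a second egress rule that has no L3 selector, so the labelled pods may open TCP 6443 to any destination rather than only the API server; drop that list marker so `toPorts:` sits in the same rule item as `toEntities:`. `allow-from-upper-tenants` also selects on `"kubernetes.io/metadata.name"`, a label Kubernetes sets on Namespace objects, whereas `allow-to-dns` and `allow-to-etcd` use the pod-identity key `io.kubernetes.pod.namespace`; unless Cilium maps the former onto pod identities, those selectors match nothing, and the same key should be used throughout. Finally, `allow-to-etcd` dereferences `$existingNS.metadata.annotations` without checking that `lookup` returned anything, so a dry-run or `helm template` render is likely to fail and a namespace without the annotation renders an empty namespace value that silently denies etcd egress; guard it with `{{- if $existingNS }}` and `required "namespace.cozystack.io/etcd annotation is missing" (index $existingNS.metadata.annotations "namespace.cozystack.io/etcd")`.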
@@ -4,7 +4,9 @@
 ## @param etcd Deploy own Etcd cluster
 ## @param monitoring Deploy own Monitoring Stack
 ## @param ingress Deploy own Ingress Controller
+## @param isolated Enforce tenant namespace with network policies
 host: ""
 etcd: false
 monitoring: false
 ingress: false
+isolated: false
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index 5fd623aa..1bc55706 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -12,7 +12,8 @@ kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
 kubernetes 0.4.0 6cae6ce8
 kubernetes 0.5.0 6bd2d455
-kubernetes 0.6.0 HEAD
+kubernetes 0.6.0 4cbc8a2c
+kubernetes 0.7.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
@@ -33,7 +34,8 @@ tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
-tenant 1.2.0 HEAD
+tenant 1.2.0 15478a88
+tenant 1.3.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD
diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json
index 571f9aa7..de60210f 100644
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,10 +1,10 @@
 {
- "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6",
+ "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/kmszyuycqizad8cn86dl2ji9k",
 "containerimage.descriptor": {
 "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
- "digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
+ "digest": "sha256:e46f725b379d363cce488c7c3ffc7b3de62af4c841c15f48cf035cc0b2007470",
 "size": 685
 },
- "containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
- "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
+ "containerimage.digest": "sha256:e46f725b379d363cce488c7c3ffc7b3de62af4c841c15f48cf035cc0b2007470",
+ "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
 }
\ No newline at end of file
diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag
index aff03e70..602d7b26 100644
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.9.0
+ghcr.io/aenix-io/cozystack/cozystack:latest
diff --git a/packages/core/platform/templates/namespaces.yaml b/packages/core/platform/templates/namespaces.yaml
index 0d35d7ec..669d852c 100644
--- a/packages/core/platform/templates/namespaces.yaml
+++ b/packages/core/platform/templates/namespaces.yaml
@@ -15,6 +15,7 @@
 {{- end }}
 {{/* Add extra namespaces */}}
+{{- $_ := set $namespaces "cozy-system" true }}
 {{- $_ := set $namespaces "cozy-public" false }}
 {{- range $namespace, $privileged := $namespaces }}
@@ -24,9 +25,10 @@ kind: Namespace
 metadata:
 annotations:
 "helm.sh/resource-policy": keep
- {{- if $privileged }}
 labels:
+ cozystack.io/system: "true"
+ {{- if $privileged }}
 pod-security.kubernetes.io/enforce: privileged
- {{- end }}
+ {{- end }}
 name: {{ $namespace }}
 {{- end }}
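Review bot: `cozystack.tag` moves the installer image from the pinned `v0.9.0` tag to the mutable `latest` tag (the same change lands in `image.name` in `cozystack.json`), so the image the installer pulls is no longer fixed by this commit and can change underneath a release without any change in the repository. The digest is recorded in the same commit, so the reference can stay immutable, e.g. `ghcr.io/aenix-io/cozystack/cozystack@sha256:e46f725b379d363cce488c7c3ffc7b3de62af4c841c15f48cf035cc0b2007470`, or a version tag can be kept; if `latest` is deliberate for development builds, wherever this file is generated should say so in a comment next to the tag choice.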
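Review bot: The second `namespaces.yaml` hunk adds `cozystack.io/system: "true"` to every namespace the loop renders, including `cozy-public` and the newly registered `cozy-system`, with nothing in the template saying what reads the label; add a comment above it such as `{{/* cozystack.io/system marks namespaces managed by the platform; document its consumers here */}}` so the next change to `$namespaces` knows the label is load-bearing. The first hunk also registers `cozy-system` as privileged, which makes this release render a Namespace manifest for it with `pod-security.kubernetes.io/enforce: privileged`; if that namespace already exists outside the release, Helm will refuse to adopt it unless it carries the release annotations, so confirm how it is created before this chart installs.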
diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml
index dc79f3f5..c56e2ade 100644
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.1.0
+version: 2.2.0
diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml
index 6edf5616..b717031e 100644
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -33,6 +33,9 @@ spec:
 clientTrustedCASecret: etcd-ca-tls
 clientSecret: etcd-client-tls
 podTemplate:
+ metadata:
+ labels:
+ cozystack.io/service: etcd
 spec:
 topologySpreadConstraints:
 - maxSkew: 1
@@ -41,6 +44,7 @@ spec:
 labelSelector:
 matchLabels:
 app.kubernetes.io/instance: etcd
+ podDisruptionBudgetTemplate: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml
index f0ff843f..664a41c5 100644
--- a/packages/extra/ingress/Chart.yaml
+++ b/packages/extra/ingress/Chart.yaml
@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.3.0
+version: 1.2.0
diff --git a/packages/extra/ingress/templates/nginx-ingress.yaml b/packages/extra/ingress/templates/nginx-ingress.yaml
index b0ebd5ac..d0b67be4 100644
--- a/packages/extra/ingress/templates/nginx-ingress.yaml
+++ b/packages/extra/ingress/templates/nginx-ingress.yaml
@@ -23,6 +23,9 @@ spec:
 ingressClassResource:
 name: {{ .Release.Namespace }}
 controllerValue: k8s.io/ingress-nginx-{{ .Release.Namespace }}
+ podLabels:
+ cozystack.io/service: ingress
+ policy.cozystack.io/allow-to-apiserver: "true"
 {{- if not (eq .Release.Namespace "tenant-root") }}
 admissionWebhooks:
 enabled: false
diff --git a/packages/extra/versions_map b/packages/extra/versions_map
index e56c2dec..8453643d 100644
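Review bot: `podDisruptionBudgetTemplate: {}` in the second `etcd-cluster.yaml` hunk is an empty mapping, so the resulting budget depends entirely on the operator's defaults, which a reader of this template cannot see; add a comment above it, e.g. `# empty template: the operator's default PodDisruptionBudget settings apply`, and confirm those defaults preserve quorum for the replica count used here. The `cozystack.io/service: etcd` label added in the first hunk is exactly what the tenant `allow-to-etcd` policy in this commit selects on, so it deserves a one-line comment as well, since renaming it would silently cut etcd egress for isolated tenants.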
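Review bot: `version` in `packages/extra/ingress/Chart.yaml` goes backwards from `1.3.0` to `1.2.0`, and the `packages/extra/versions_map` hunk that follows drops `ingress 1.2.0 07d666c0` and points `ingress 1.2.0` at `HEAD`, so a version number that already mapped to a published commit now names different content (this commit adds `podLabels` to the template), and anyone who resolved 1.2.0 earlier gets the new template under the same version. Unless 1.3.0 was never released, keep the numbers monotonic: `version: 1.4.0` here with `ingress 1.3.0 <commit-sha>` and `ingress 1.4.0 HEAD` in the map.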
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -1,11 +1,11 @@
 etcd 1.0.0 f7eaab0
 etcd 2.0.0 a6d0f7cf
 etcd 2.0.1 6fc1cc7d
-etcd 2.1.0 HEAD
+etcd 2.1.0 2b00fcf8
+etcd 2.2.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
-ingress 1.2.0 07d666c0
-ingress 1.3.0 HEAD
+ingress 1.2.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 HEAD