Srinivas Padala:
Yeah, @Ansuman Roy, in this case, if we have a new namespace, we should update the policy to allow it.
Instead of that, I’m wondering if there is any policy that directly denies the specific namespace.
For example, there are multiple namespaces like dev, qa, production and I don’t want to touch the production namespace, so block it… (The other namespaces may grow in future.)
Ansuman Roy:
Network policy is an allow-only resource; there is no deny.
Ansuman Roy:
If you don't mention it, it is deny by default.
Ansuman Roy:
Another question is, it's risky to split dev and prod workloads in a single cluster; better to separate them in their own cluster.
Srinivas Padala:
Yeah… It’s not a realistic example… but there is a critical namespace that you want to protect… Anyhow… understood the things…
Thanks
Ansuman Roy:
For your use case, you should try Istio; this would give deny.
Ansuman Roy:
A restricted namespace should be protected by RBAC and roles.
Ansuman Roy:
Followed by an access webhook that you can have OPA to validate.
Ansuman Roy:
That's a separate topic altogether.
Ansuman Roy:
All right, got to go to bed now; it's almost 2am for me.
Srinivas Padala:
Yeah, got it Ansuman, thanks. Have a great sleep.