diff --git a/elasticsearch/templates/network_policy.yaml b/elasticsearch/templates/network_policy.yaml
new file mode 100644
index 000000000..c29e9ac02
--- /dev/null
+++ b/elasticsearch/templates/network_policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "elasticsearch" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index f9e481bec..56844f815 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -635,6 +635,7 @@ manifests:
 configmap_bin_exporter: true
 deployment_exporter: true
 service_exporter: true
+ network_policy: false
 service_data: true
 service_discovery: true
 service_ingress: true
diff --git a/fluent-logging/templates/network_policy.yaml b/fluent-logging/templates/network_policy.yaml
new file mode 100644
index 000000000..5391bdfc1
--- /dev/null
+++ b/fluent-logging/templates/network_policy.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "fluentbit" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentd" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent-logging" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml
index 34b598430..6c464db5a 100644
--- a/fluent-logging/values.yaml
+++ b/fluent-logging/values.yaml
@@ -568,6 +568,7 @@ manifests:
 configmap_bin: true
 deployment_exporter: true
 service_exporter: true
+ network_policy: false
 secret_elasticsearch: true
 service_fluentd: true
 job_elasticsearch_template: true
diff --git a/grafana/templates/network_policy.yaml b/grafana/templates/network_policy.yaml
new file mode 100644
index 000000000..b0bfb79a4
--- /dev/null
+++ b/grafana/templates/network_policy.yaml
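Review bot: The three later `{{ $netpol_opts := dict ... }}` lines redeclare a variable that was already declared on the first `{{- $netpol_opts := ... }}` line, and unlike that first one they are not whitespace-trimmed, so the rendered manifest presumably carries extra blank lines between the documents. Ranging over the labels removes both issues: `{{- range $label := tuple "fluentbit" "fluentd" "fluent" "fluent-logging" }}` / `{{ dict "envAll" $ "name" "application" "label" $label | include "helm-toolkit.manifests.kubernetes_network_policy" }}` / `{{- end }}`. Inside the range the dot is rebound to the label, which is why `$` is used for envAll.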
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "grafana" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/grafana/values.yaml b/grafana/values.yaml
index d374ca4d8..d3c5dc00b 100644
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -311,6 +311,7 @@ manifests:
 job_db_init_session: true
 job_db_session_sync: true
 job_image_repo_sync: true
+ network_policy: false
 secret_db: true
 secret_db_session: true
 secret_admin_creds: true
diff --git a/helm-toolkit/templates/manifests/_network_policy.tpl b/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 000000000..3d412892a
--- /dev/null
+++ b/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,86 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ network_policy:
+ myLabel:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - {}
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $label := index . "label" -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+ policyTypes:
+ - Egress
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ - Ingress
+{{- end }}
+{{- end }}
+ podSelector:
+ matchLabels:
+ {{ $name }}: {{ $label }}
+ egress:
+ - {}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/ingress/templates/network_policy.yaml b/ingress/templates/network_policy.yaml
new file mode 100644
index 000000000..51636a750
--- /dev/null
+++ b/ingress/templates/network_policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ingress" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/ingress/values.yaml b/ingress/values.yaml
index 74a890565..7d1568760 100644
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
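Review bot: The `return:` example in the header comment does not match what the define emits: the object is named `{{ $label }}-netpol` and lists `Egress` before `Ingress` in `policyTypes`, while the comment shows `name: RELEASE-NAME` with `Ingress` first, so the example should read `name: myLabel-netpol` and follow the emitted order. A comment next to the unconditional `egress:` / `- {}` pair stating that it permits all egress (the policy only exempts the selected pods from a namespace-wide deny such as the lockdown chart's) would make the resulting posture explicit, because nothing in this define narrows egress. Since the name derives only from the label, two releases in one namespace selecting the same label value would presumably contend for the same NetworkPolicy object; worth noting in the header. The `hasKey (index $envAll.Values "network_policy") $label` / `index ... "ingress"` lookup is evaluated twice; storing its result in a variable before the `---` line would shorten the template.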
@@ -175,6 +175,27 @@ endpoints:
 port:
 metrics:
 default: 10254
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+
+network_policy:
+ ingress:
+ ingress:
+ - {}
 conf:
 controller:
@@ -209,3 +230,4 @@ manifests:
 monitoring:
 prometheus:
 service_exporter: true
+ network_policy: false
diff --git a/kibana/templates/network_policy.yaml b/kibana/templates/network_policy.yaml
new file mode 100644
index 000000000..8c84618b9
--- /dev/null
+++ b/kibana/templates/network_policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "kibana" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/kibana/values.yaml b/kibana/values.yaml
index 0fd80406a..9721ff707 100644
--- a/kibana/values.yaml
+++ b/kibana/values.yaml
@@ -318,6 +318,7 @@ manifests:
 deployment: true
 ingress: true
 job_image_repo_sync: true
+ network_policy: false
 secret_elasticsearch: true
 secret_ingress_tls: true
 service: true
diff --git a/ldap/templates/network_policy.yaml b/ldap/templates/network_policy.yaml
new file mode 100644
index 000000000..6ed353835
--- /dev/null
+++ b/ldap/templates/network_policy.yaml
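Review bot: The `kube_dns` block added under `endpoints:` is not read by anything in this diff — `helm-toolkit.manifests.kubernetes_network_policy` only consults `.Values.network_policy.<label>.ingress` — so unless another template in the chart consumes it, it is unused configuration here and in the matching mariadb, memcached and rabbitmq values.yaml hunks. The `- {}` ingress rule matches all sources, so a comment above `network_policy:` such as `# an empty rule ({}) allows all ingress; replace with from/ports selectors to restrict` would tell operators that the shipped default is permissive. The nesting `network_policy.ingress.ingress` reads oddly because the chart label and the rule list share a name; a short comment separating the two would help.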
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ldap" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/ldap/values.yaml b/ldap/values.yaml
index 72a97b44e..716b31852 100644
--- a/ldap/values.yaml
+++ b/ldap/values.yaml
@@ -147,6 +147,11 @@ endpoints:
 ldap:
 default: 389
+network_policy:
+ ldap:
+ ingress:
+ - {}
+
 data:
 sample: |
 dn: ou=People,dc=cluster,dc=local
@@ -231,6 +236,8 @@ manifests:
 configmap_bin: true
 configmap_etc: true
 job_bootstrap: true
+ network_policy: false
 job_image_repo_sync: true
+ network_policy: false
 statefulset: true
 service: true
diff --git a/libvirt/templates/network-policy.yaml b/libvirt/templates/network-policy.yaml
new file mode 100644
index 000000000..dd6d22737
--- /dev/null
+++ b/libvirt/templates/network-policy.yaml
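Review bot: The second ldap/values.yaml hunk adds `network_policy: false` under `manifests:` twice, once after `job_bootstrap: true` and again after `job_image_repo_sync: true`; duplicate mapping keys are invalid in YAML 1.2 and most loaders silently keep the last one, so one of the two added lines should be dropped. The other charts in this change insert the key exactly once, so keeping only the occurrence after `job_image_repo_sync: true` matches them.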
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "libvirt" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index b40cc3cae..b2551d86a 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -58,6 +58,11 @@ endpoints:
 registry:
 node: 5000
+network_policy:
+ libvirt:
+ ingress:
+ - {}
+
 ceph_client:
 configmap: ceph-etc
 user_secret_name: pvc-ceph-client-key
@@ -163,3 +168,4 @@ manifests:
 configmap_etc: true
 daemonset_libvirt: true
 job_image_repo_sync: true
+ network_policy: false
diff --git a/lockdown/Chart.yaml b/lockdown/Chart.yaml
new file mode 100644
index 000000000..2c6ebd983
--- /dev/null
+++ b/lockdown/Chart.yaml
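Review bot: The file is named `network-policy.yaml` while every other chart in this change uses `network_policy.yaml`; the openvswitch hunk has the same hyphenated name. Renaming both to `network_policy.yaml` keeps the template name aligned with the `manifests.network_policy` toggle that enables it.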
@@ -0,0 +1,20 @@
+# Copyright 2017-2018 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+appVersion: "1.0"
+description: |
+ A helm chart used to lockdown all ingress and egress for a namespace
+name: lockdown
+version: 0.1.0
diff --git a/lockdown/templates/network_policy.yaml b/lockdown/templates/network_policy.yaml
new file mode 100644
index 000000000..ab7fb7028
--- /dev/null
+++ b/lockdown/templates/network_policy.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ policyTypes:
+ - Egress
+ - Ingress
+ podSelector: {}
+ egress: []
+ ingress: []
diff --git a/lockdown/values.yaml b/lockdown/values.yaml
new file mode 100644
index 000000000..dd425af2e
--- /dev/null
+++ b/lockdown/values.yaml
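Review bot: `name: deny-all` carries no release prefix, so a second install of this chart into the same namespace would presumably conflict on the same NetworkPolicy object; acceptable for a one-per-namespace chart, but worth stating in the Chart.yaml description. The manifest is also the only one in the change without a `manifests.*` toggle or any values, which suits its purpose, but a comment above `spec:` such as `# empty ingress/egress lists with both policyTypes set: no traffic is allowed to or from any pod in the namespace` would make the deny-all intent explicit to anyone reading the rendered object.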
@@ -0,0 +1,17 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for lockdown chart.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
diff --git a/mariadb/templates/network_policy.yaml b/mariadb/templates/network_policy.yaml
new file mode 100644
index 000000000..e49f9fee4
--- /dev/null
+++ b/mariadb/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "mariadb" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index dffca8abf..f71212c37 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -264,6 +264,27 @@ endpoints:
 default: 3306
 wsrep:
 default: 4567
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+
+network_policy:
+ mariadb:
+ ingress:
+ - {}
 manifests:
 configmap_bin: true
@@ -280,6 +301,7 @@ manifests:
 secret_etc: true
 service_exporter: true
 pdb_server: true
+ network_policy: false
 secret_db: true
 secret_etc: true
 service_discovery: true
diff --git a/memcached/templates/network_policy.yaml b/memcached/templates/network_policy.yaml
new file mode 100644
index 000000000..c58043b93
--- /dev/null
+++ b/memcached/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "memcached" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/memcached/values.yaml b/memcached/values.yaml
index 7604faa16..9ca41237b 100644
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@@ -82,6 +82,27 @@ endpoints:
 port:
 metrics:
 default: 9150
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+
+network_policy:
+ memcached:
+ ingress:
+ - {}
 monitoring:
 prometheus:
@@ -114,6 +135,7 @@ manifests:
 configmap_bin: true
 deployment: true
 job_image_repo_sync: true
+ network_policy: false
 service: true
 monitoring:
 prometheus:
diff --git a/nagios/templates/network_policy.yaml b/nagios/templates/network_policy.yaml
new file mode 100644
index 000000000..508d4b762
--- /dev/null
+++ b/nagios/templates/network_policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nagios" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/nagios/values.yaml b/nagios/values.yaml
index 83fd664c4..e327f582a 100644
--- a/nagios/values.yaml
+++ b/nagios/values.yaml
@@ -213,6 +213,7 @@ manifests:
 deployment: true
 ingress: true
 job_image_repo_sync: true
+ network_policy: false
 secret_nagios: true
 secret_ingress_tls: true
 service: true
diff --git a/openvswitch/templates/network-policy.yaml b/openvswitch/templates/network-policy.yaml
new file mode 100644
index 000000000..c4ce3aebe
--- /dev/null
+++ b/openvswitch/templates/network-policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "openvswitch" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
index 9d27558c8..de1410f89 100644
--- a/openvswitch/values.yaml
+++ b/openvswitch/values.yaml
@@ -104,6 +104,11 @@ endpoints:
 registry:
 node: 5000
+network_policy:
+ openvswitch:
+ ingress:
+ - {}
+
 dependencies:
 dynamic:
 common:
@@ -126,3 +131,4 @@ manifests:
 daemonset_ovs_db: true
 daemonset_ovs_vswitchd: true
 job_image_repo_sync: true
+ network_policy: false
diff --git a/prometheus-alertmanager/templates/network_policy.yaml b/prometheus-alertmanager/templates/network_policy.yaml
new file mode 100644
index 000000000..c4c8d217f
--- /dev/null
+++ b/prometheus-alertmanager/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "alertmanager" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/prometheus-alertmanager/values.yaml b/prometheus-alertmanager/values.yaml
index 6988e4118..b5ef49819 100644
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
@@ -169,6 +169,7 @@ manifests:
 configmap_etc: true
 ingress: true
 job_image_repo_sync: true
+ network_policy: false
 secret_ingress_tls: true
 service: true
 service_discovery: true
diff --git a/prometheus-process-exporter/templates/network_policy.yaml b/prometheus-process-exporter/templates/network_policy.yaml
new file mode 100644
index 000000000..99c1a1456
--- /dev/null
+++ b/prometheus-process-exporter/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-process-exporter" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/prometheus/templates/network_policy.yaml b/prometheus/templates/network_policy.yaml
new file mode 100644
index 000000000..26ba3404e
--- /dev/null
+++ b/prometheus/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/prometheus/values.yaml b/prometheus/values.yaml
index c0a7ef002..6cdb49fe9 100644
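Review bot: `prometheus-process-exporter/templates/network_policy.yaml` is gated on `.Values.manifests.network_policy`, but unlike every other chart in this change there is no `prometheus-process-exporter/values.yaml` hunk adding that key (it would sort between this hunk and the prometheus template hunk, and none is present). Unless the key already exists in that file, the condition is always false and the template never renders; adding `  network_policy: false` under `manifests:` there would make it consistent with the other charts.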
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@@ -231,6 +231,7 @@ manifests:
 ingress: true
 helm_tests: true
 job_image_repo_sync: true
+ network_policy: false
 secret_ingress_tls: true
 secret_prometheus: true
 service_ingress: true
diff --git a/rabbitmq/templates/network_policy.yaml b/rabbitmq/templates/network_policy.yaml
new file mode 100644
index 000000000..d975b8d72
--- /dev/null
+++ b/rabbitmq/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "rabbitmq" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index a8b03ecc8..d1cad04c2 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -249,6 +249,27 @@ endpoints:
 port:
 metrics:
 default: 9095
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+
+network_policy:
+ rabbitmq:
+ ingress:
+ - {}
 volume:
 chown_on_start: true
@@ -267,6 +288,7 @@ manifests:
 configmap_bin: true
 deployment_exporter: true
 service_exporter: true
+ network_policy: false
 service_discovery: true
 service_ingress_management: true
 service: true
diff --git a/tools/deployment/developer/netpol/039-lockdown.sh b/tools/deployment/developer/netpol/039-lockdown.sh
new file mode 100755
index 000000000..08ebbeea2
--- /dev/null
+++ b/tools/deployment/developer/netpol/039-lockdown.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+
+#NOTE: Lint and package chart
+make lockdown
+
+#NOTE: Deploy command
+helm upgrade --install lockdown ./lockdown \
+ --namespace=osh-infra
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+helm status lockdown
diff --git a/tools/deployment/developer/netpol/040-ldap.sh b/tools/deployment/developer/netpol/040-ldap.sh
new file mode 100755
index 000000000..259222d5f
--- /dev/null
+++ b/tools/deployment/developer/netpol/040-ldap.sh
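Review bot: The deploy step installs with `--namespace=osh-infra`, but the next step runs `./tools/deployment/common/wait-for-pods.sh openstack`, so the script waits on a different namespace from the one it just locked down; it should be `./tools/deployment/common/wait-for-pods.sh osh-infra`, or, since the lockdown chart visible in this change creates no pods, the wait step can be dropped. Because the deny-all policy stops all traffic for every pod in that namespace, a `#NOTE:` line stating that this script must run after the per-chart `manifests.network_policy` toggles are enabled would save operators from cutting off workloads that are already running there.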
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Pull images and lint chart
+make ldap
+
+tee /tmp/ldap.yaml <