diff --git a/README.md b/README.md
index 4eae809..0b46889 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ sys 0m2.015s
 |------|------|
 | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_network_policy.operators_default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
diff --git a/main.tf b/main.tf
index cf838c3..402b050 100644
--- a/main.tf
+++ b/main.tf
@@ -25,10 +25,6 @@ resource "kubernetes_storage_class" "gp3_encrypted" {
 reclaim_policy = "Delete"
 volume_binding_mode = "WaitForFirstConsumer" # Changed from Immediate for better scheduling
 allow_volume_expansion = "true"
-
- # lifecycle {
- # prevent_destroy = true # Protect storage class from accidental deletion
- # }
 }
 
 resource "kubernetes_storage_class" "ebs_encrypted" {
@@ -90,5 +86,42 @@ resource "kubernetes_storage_class" "efs_sc" {
 resource "kubernetes_namespace" "operators" {
 metadata {
 name = var.operators_ns
+ labels = {
+ "app.kubernetes.io/managed-by" = "terraform"
+ "app.kubernetes.io/part-of" = var.cluster_name
+ }
+ }
+}
+
+resource "kubernetes_network_policy" "operators_default" {
+ metadata {
+ name = "default-deny"
+ namespace = kubernetes_namespace.operators.metadata[0].name
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress", "Egress"]
+
+ ingress {
+ from {
+ namespace_selector {
+ match_labels = {
+ "kubernetes.io/metadata.name" = "kube-system"
+ }
+ }
+ }
+ }
+
+ egress {
+ to {
+ ip_block {
+ cidr = "0.0.0.0/0"
+ except = [
+ "169.254.169.254/32" # Instance metadata
+ ]
+ }
+ }
+ }
 }
 }
diff --git a/providers.tf b/providers.tf
deleted file mode 100644
index 82bcf8b..0000000
--- a/providers.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-provider "aws" {
- region = var.region
-
- default_tags {
- tags = {
- "boc:tf_module_name" = local.module_name
- "boc:tf_module_version" = local.module_version
- }
- }
-}
-
-provider "kubernetes" {
- experiments {
- manifest_resource = true
- }
-}
-
-provider "helm" {
- kubernetes {
- # Configuration will be loaded from KUBECONFIG environment variable
- }
-}
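Review bot: The policy is named `default-deny`, but the egress rule `cidr = "0.0.0.0/0"` with only `169.254.169.254/32` excepted is allow-all egress — every pod in the namespace can still reach any other pod, service or external host — so the name overstates what is enforced and a later reader will assume egress is locked down when it is not; only ingress is actually restricted (to kube-system). The exception also covers just the IPv4 metadata address; if the nodes expose the IPv6 IMDS endpoint, an IPv4 CIDR never matches it, and a NetworkPolicy is in any case a backstop for an IMDSv2 hop-limit of 1 on the nodes, not a replacement. The resource is accepted by the API server even when the cluster's CNI does not enforce NetworkPolicy (the storage-class names suggest EKS, where the VPC CNI needs network-policy enforcement turned on or a separate policy engine), so the commit should state which enforcer is assumed. At minimum rename and document the intent, e.g. `name = "baseline"` and, above the `egress` block, `# Egress is allow-all except the IPv4 instance-metadata endpoint; this is NOT default-deny egress.` A true default-deny would drop the `egress` rule entirely and add per-workload policies permitting DNS and the API server.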