diff --git a/javascript/packages/orchestrator/src/providers/k8s/kubeClient.ts b/javascript/packages/orchestrator/src/providers/k8s/kubeClient.ts
index a7ec1ba11..6557c655d 100644
--- a/javascript/packages/orchestrator/src/providers/k8s/kubeClient.ts
+++ b/javascript/packages/orchestrator/src/providers/k8s/kubeClient.ts
@@ -89,6 +89,10 @@ export class KubeClient extends Client {
 
     writeLocalJsonFile(this.tmpDir, "namespace", namespaceDef);
     await this.createResource(namespaceDef);
+
+    // ensure namespace isolation IFF we are running in CI
+    if (process.env.RUN_IN_CONTAINER === "1")
+      await this.createStaticResource("namespace-network-policy.yaml");
   }
 
   async spawnFromDef(
diff --git a/javascript/packages/orchestrator/static-configs/namespace-network-policy.yaml b/javascript/packages/orchestrator/static-configs/namespace-network-policy.yaml
new file mode 100644
index 000000000..a7b096d89
--- /dev/null
+++ b/javascript/packages/orchestrator/static-configs/namespace-network-policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: internal-access
+spec:
+  podSelector: {}
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: In
+          values:
+          - {{namespace}}
+          - gitlab
+          - loki
+          - tempo
+          - monitoring
+          - parachain-exporter
+  policyTypes:
+  - Ingress
\ No newline at end of file
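Review bot: The guard `process.env.RUN_IN_CONTAINER === "1"` ties the NetworkPolicy to a "running in a container" flag while the comment above it says "IFF we are running in CI"; those are different conditions, so a non-containerized CI runner gets no isolation and a local containerized run gets it. Either make the comment match the check, e.g. `// apply the namespace NetworkPolicy only when RUN_IN_CONTAINER=1 (set by the CI job)`, or gate on a variable that names the actual intent. Because this policy is what stops pods in other namespaces from reaching the test namespace, it would be safer to apply it by default and let callers opt out, rather than leaving every non-CI namespace unrestricted. `createStaticResource` presumably substitutes the `{{namespace}}` placeholder in the yaml before applying it — worth confirming, since an unsubstituted placeholder would make the apply fail after the namespace already exists. The enclosing method starts outside the hunk.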
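Review bot: The ingress allowlist hard-codes cluster-specific namespace names (`gitlab`, `loki`, `tempo`, `monitoring`, `parachain-exporter`) into a static config shipped inside the orchestrator package, so any cluster that happens to have a namespace with one of those names is granted ingress to every pod in the test namespace, and operators of other clusters cannot adjust the list without editing the package. A header comment would help the next reader, e.g. `# Restrict ingress to every pod in the test namespace (podSelector: {}) to the namespace itself plus the listed CI/observability namespaces; egress is left open (policyTypes: Ingress only). Only enforced when the cluster CNI implements NetworkPolicy.` The `{{namespace}}` token is presumably substituted by the orchestrator before the manifest is applied; if it is not, `- {{namespace}}` is not a usable YAML value. The file also ends without a trailing newline.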