diff --git a/files/NetworkPolicies/allow-from-namespaces.yaml b/files/NetworkPolicies/allow-from-namespaces.yaml
new file mode 100644
index 0000000..2cc8cdc
--- /dev/null
+++ b/files/NetworkPolicies/allow-from-namespaces.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-namespaces
+ namespace: kubernetes-dashboard
+spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - podSelector: {}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ namespace: tools
+ podSelector:
+ matchLabels:
+ app: traefik
+ policyTypes:
+ - Ingress
diff --git a/files/NetworkPolicies/default-deny-all.yaml b/files/NetworkPolicies/default-deny-all.yaml
new file mode 100644
index 0000000..7032924
--- /dev/null
+++ b/files/NetworkPolicies/default-deny-all.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+ namespace: kubernetes-dashboard
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/tasks/main.yml b/tasks/main.yml
index 3c054e1..2750d8d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -4,9 +4,12 @@
 k8s:
 state: present
 context: "{{ my_context }}"
+ merge_type: merge
 resource_definition: "{{ lookup('file', item) | from_yaml }}"
 with_items:
 - "kubernetes-dashboard-Namespace.yaml"
+ - NetworkPolicies/default-deny-all.yaml
+ - NetworkPolicies/allow-from-namespaces.yaml
 - "kubernetes-dashboard-ServiceAccount.yaml"
 - "kubernetes-dashboard-Service.yaml"
 - "kubernetes-dashboard-certs-Secret.yaml"
@@ -35,6 +38,7 @@
 k8s:
 state: present
 context: "{{ my_context }}"
+ merge_type: merge
 definition:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
@@ -53,6 +57,7 @@
 k8s:
 state: present
 context: "{{ my_context }}"
+ merge_type: merge
 resource_definition: "{{ lookup('template', item) | from_yaml }}"
 with_items:
 - dashboard-ingress.yaml
diff --git a/templates/dashboard-ingress.yaml b/templates/dashboard-ingress.yaml
index 5410c8c..4225d11 100644
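Review bot: The second `from` entry in allow-from-namespaces.yaml admits Traefik only from namespaces carrying the hand-maintained label `namespace: tools`, yet the ingress template in this same commit moves every Traefik middleware and TLS-option reference from `tools` to `traefik`; if the Traefik pods themselves now run in the `traefik` namespace, this rule no longer matches anything and default-deny-all leaves the dashboard unreachable — worth confirming against the cluster before merging. On clusters at 1.21 or later the immutable, automatically set `kubernetes.io/metadata.name` label is the safer selector key, e.g. `kubernetes.io/metadata.name: tools`, since a custom `namespace` label silently stops matching if someone relabels the Namespace. Because the policy's `podSelector: {}` covers every pod in kubernetes-dashboard, a short header comment stating that the namespace is expected to hold only the dashboard, and that `namespaceSelector` and `podSelector` in one entry are ANDed (which is how this entry reads, though indentation is lost in this rendering), would help the next reader.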
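Review bot: `policyTypes` in default-deny-all.yaml lists `Egress`, but nothing in this commit reopens egress (allow-from-namespaces.yaml only declares `Ingress`), so on a policy-enforcing CNI every pod in kubernetes-dashboard loses outbound traffic, including cluster DNS and the kube-apiserver the dashboard has to talk to. Either drop `- Egress` until a companion allow-egress policy exists, or add one in this change that permits egress to the API server endpoint and to the cluster DNS service on port 53 (UDP and TCP). A one-line comment above `policyTypes` naming the companion policies that are expected to reopen traffic would make the intended layering explicit.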
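Review bot: The two new `with_items` entries in the first hunk of tasks/main.yml are unquoted while every neighbouring entry in that list is double-quoted; for consistency write `- "NetworkPolicies/default-deny-all.yaml"` and `- "NetworkPolicies/allow-from-namespaces.yaml"`. Their order also matters operationally: default-deny-all is applied before allow-from-namespaces, so each run closes ingress to the dashboard and only reopens it a task later, and listing the allow policy first removes that gap. `merge_type: merge` is added here and repeated in the two later hunks of this file; a comment on the first occurrence explaining why `merge` is preferred over the module's default merge behaviour for these resources would save the next maintainer from guessing.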
--- a/templates/dashboard-ingress.yaml
+++ b/templates/dashboard-ingress.yaml
@@ -1,4 +1,4 @@
-{% if traefik_version | regex_search('(1.)') %}
+{% if traefik_version | regex_search('(^1.)') %}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@@ -25,7 +25,7 @@ spec:
 serviceName: kubernetes-dashboard
 servicePort: 443
 {% else %}
-{% if traefik_version | regex_search('(2.)') %}
+{% if traefik_version | regex_search('(^2.)') %}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -43,11 +43,11 @@ spec:
 middlewares:
 {% if ingress_whitelist is defined %}
 - name: traefik-ipwhitelist
- namespace: tools
+ namespace: traefik
 {% endif %}
 {% if basic_auth is defined %}
 - name: basic-auth
- namespace: tools
+ namespace: traefik
 {% endif %}
 - name: kubernetes-dashboard-auth
 services:
@@ -60,7 +60,7 @@ spec:
 tls:
 options:
 name: default
- namespace: tools
+ namespace: traefik
 secretName: wildcard-cluster
 {% endif %}
 {% endif %}
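Review bot: The anchored pattern `'(^1.)'` still leaves the `.` unescaped, so it matches any string whose first character is `1` followed by anything — `10.4`, `12` or `1-rc` all select the Traefik 1 branch — and the capture group adds nothing to a truthiness test. Escape the dot and drop the group: `{% if traefik_version | regex_search('^1\.') %}`, and likewise `'^2\.'` in the second hunk of this file. If `traefik_version` can carry a leading `v`, the anchor would need to allow it (`^v?1\.`); that cannot be checked from the hunk.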
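Review bot: The `middlewares` references in the third hunk now point at namespace `traefik` from an IngressRoute that, as far as the hunk shows, lives elsewhere; recent Traefik 2.x releases (2.5 and later) reject cross-namespace `middlewares` and `tls.options` references unless the Kubernetes CRD provider runs with `allowCrossNamespace=true`, so this template's version branch should either guarantee that setting or keep the references in the IngressRoute's own namespace. The same applies to the TLS `options` reference changed in the last hunk of this file. A comment above `middlewares:` recording that `traefik` is the namespace where the shared Middleware and TLSOption objects are deployed, and that it must be changed in all three places together, would keep the references from drifting apart again.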