diff --git a/kustomization.yaml b/kustomization.yaml
index 2aab637..8bd9582 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -1,6 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
+namespace: irc
+
 resources:
+ - namespace.yaml
+ - waypoint.yaml
 # Uncomment if storing configuration in the repo
 # - configmap.yaml
 - ./thelounge
diff --git a/namespace.yaml b/namespace.yaml
new file mode 100644
index 0000000..98975b1
--- /dev/null
+++ b/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: irc
+ labels:
+ istio.io/dataplane-mode: ambient
+ istio.io/use-waypoint: waypoint
diff --git a/thelounge/authorizationpolicy.yaml b/thelounge/authorizationpolicy.yaml
new file mode 100644
index 0000000..c442f94
--- /dev/null
+++ b/thelounge/authorizationpolicy.yaml
@@ -0,0 +1,16 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: thelounge
+ namespace: irc
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: thelounge
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces:
+ - gateway-system
diff --git a/thelounge/httproute.yaml b/thelounge/httproute.yaml
index 71e044a..9e9973d 100644
--- a/thelounge/httproute.yaml
+++ b/thelounge/httproute.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: irc
 spec:
 parentRefs:
- - name: external
+ - name: istio-external
 namespace: gateway-system
 hostnames:
 - ${THELOUNGE_HOSTNAME}
diff --git a/thelounge/kustomization.yaml b/thelounge/kustomization.yaml
index f129176..adce6b4 100644
--- a/thelounge/kustomization.yaml
+++ b/thelounge/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
 - statefulset.yaml
 - service.yaml
 - httproute.yaml
+ - authorizationpolicy.yaml
diff --git a/waypoint.yaml b/waypoint.yaml
new file mode 100644
index 0000000..949a97f
--- /dev/null
+++ b/waypoint.yaml
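Review bot: In namespace.yaml the new `irc` Namespace carries only the two Istio labels and no Pod Security Admission level, so the IRC workloads run under whatever the cluster default happens to be. If no cluster-wide default is configured elsewhere (not visible in this diff), consider adding `pod-security.kubernetes.io/enforce: baseline` (or `restricted`, if the StatefulSets pass it) next to the Istio labels. A one-line comment above `istio.io/use-waypoint: waypoint` saying that the value must match the Gateway name in waypoint.yaml would also help, since a rename on either side would presumably leave the Service-attached policies unenforced.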
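Review bot: In thelounge/authorizationpolicy.yaml the only rule is `namespaces: [gateway-system]`, which admits every workload identity in that namespace rather than just the gateway the HTTPRoute attaches to. Pinning the source to the gateway's service account, e.g. `principals: ["cluster.local/ns/gateway-system/sa/<gateway-service-account>"]` (placeholder name, and assuming the default trust domain), keeps the allow-list to the one intended caller. The rule also has no `to` clause, so a permitted source reaches every port of the Service; an `operation.ports` entry with the web port would narrow it.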
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: waypoint
+ namespace: irc
+ labels:
+ istio.io/waypoint-for: namespace
+spec:
+ gatewayClassName: istio-waypoint
+ listeners:
+ - name: mesh
+ port: 15008
+ protocol: HBONE
diff --git a/znc/authorizationpolicy.yaml b/znc/authorizationpolicy.yaml
new file mode 100644
index 0000000..c4a4e61
--- /dev/null
+++ b/znc/authorizationpolicy.yaml
@@ -0,0 +1,16 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: znc
+ namespace: irc
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: znc
+ action: ALLOW
+ rules:
+ - to:
+ - operation:
+ ports:
+ - "6501"
diff --git a/znc/kustomization.yaml b/znc/kustomization.yaml
index 19751c8..aea7c93 100644
--- a/znc/kustomization.yaml
+++ b/znc/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - statefulset.yaml
 - service.yaml
+ - authorizationpolicy.yaml
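Review bot: In waypoint.yaml the label `istio.io/waypoint-for: namespace` uses a value that, as far as I know, is not among the documented ones (`service`, `workload`, `all`, `none`), so it is worth confirming how the installed Istio version treats it. If it falls back to service-only handling, traffic addressed straight to a pod IP does not traverse the waypoint, and the Service-attached AuthorizationPolicies for thelounge and znc are not evaluated on that path. Either set the value explicitly (`all` if pod-addressed traffic should be covered) or add selector-based policies on the pods that accept only the waypoint's identity.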
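Review bot: In znc/authorizationpolicy.yaml the ALLOW rule has a `to` clause but no `from`, so it limits the port to 6501 without limiting who may connect. If ZNC is meant to be reached only by specific in-mesh clients (an assumption; the intended callers are not visible here), add a `from` with `source.principals` or `source.namespaces` alongside the port match. Also confirm that `"6501"` is the port as the waypoint sees it (Service port versus container targetPort), since a mismatch would leave no matching ALLOW rule and deny all traffic to the Service.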