diff --git a/README.adoc b/README.adoc index aa07c6e79..8d2d89092 100644 --- a/README.adoc +++ b/README.adoc @@ -61,7 +61,7 @@ There are multiple Makefile targets that will execute the e2e tests, they just d * `make test-e2e-host-local` - this target clones only the https://github.com/codeready-toolchain/member-operator[member-operator] repo and builds an image from it. For host-operator, it builds the image from `../host-operator` directory. These images deploys to OpenShift and runs e2e tests against them. The e2e tests will take care of creating all needed namespaces with random names (or see below for enforcing some specific namespace names). -It will also create all required CRDs, role and role bindings for the service accounts, build the Docker images for both operators and push them to the OpenShift container registry. Finally, it will deploy the operators and run the tests using the operator-sdk. +It will also create all required CRDs, role and role bindings for the service accounts, build the container images for both operators and push them to the OpenShift container registry. Finally, it will deploy the operators and run the tests using the operator-sdk. NOTE: you can override the default namespace names where the end-to-end tests are going to be executed - eg.: `make test-e2e HOST_NS=my-host MEMBER_NS=my-member` file. 
@@ -165,7 +165,7 @@ NOTE: By default, `SECOND_MEMBER_MODE` is set to false. * Get a cluster and setup the following env vars ** `export QUAY_NAMESPACE=` ** `export KUBECONFIG=` -* Run `docker login quay.io` +* Run `podman login quay.io` * Create https://github.com/codeready-toolchain/toolchain-infra/tree/master/config/oauth[IdP] * If you need to change any of the default configuration, modify the ToolchainConfig in https://github.com/codeready-toolchain/toolchain-e2e/blob/master/deploy/host-operator/dev/toolchainconfig.yaml[deploy/host-operator/dev/toolchainconfig.yaml] * To set working notification/verification secrets, modify them in https://github.com/codeready-toolchain/toolchain-e2e/blob/master/deploy/host-operator/dev/secrets.yaml[deploy/host-operator/dev/secrets.yaml] diff --git a/deploy/nstemplatetiers/appstudio-env/ns_env.yaml b/deploy/nstemplatetiers/appstudio-env/ns_env.yaml index f801a2663..86898acb4 100644 --- a/deploy/nstemplatetiers/appstudio-env/ns_env.yaml +++ b/deploy/nstemplatetiers/appstudio-env/ns_env.yaml @@ -218,6 +218,19 @@ objects: podSelector: {} policyTypes: - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-dev-sandbox-managed-ns + namespace: ${SPACE_NAME}-env + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + dev-sandbox/policy-group: ingress + policyTypes: + - Ingress parameters: - name: SPACE_NAME required: true diff --git a/deploy/nstemplatetiers/appstudio/ns_tenant.yaml b/deploy/nstemplatetiers/appstudio/ns_tenant.yaml index 8de7cf5b5..f3f26dc4a 100644 --- a/deploy/nstemplatetiers/appstudio/ns_tenant.yaml +++ b/deploy/nstemplatetiers/appstudio/ns_tenant.yaml 
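Review bot: The new `allow-from-dev-sandbox-managed-ns` policy omits `podSelector`, while the policy immediately above it in the same template sets `podSelector: {}` explicitly; the NetworkPolicy API reference describes `podSelector` as not optional (an empty selector meaning "all pods in the namespace"), and a missing field presumably deserialises to that empty selector, so add `podSelector: {}` under `spec` to make the scope visible and consistent with its siblings. The same applies to the copy added to `deploy/nstemplatetiers/appstudio/ns_tenant.yaml` in the next hunk. Because this rule admits traffic from every pod in any namespace carrying `dev-sandbox/policy-group: ingress`, that label is the effective trust boundary for tenant namespaces; a one-line comment above the object naming the component expected to apply that label would let a later change to who may label namespaces be recognised as a policy change — I cannot tell from this diff which component that is.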
@@ -242,6 +242,19 @@ objects: podSelector: {} policyTypes: - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-dev-sandbox-managed-ns + namespace: ${SPACE_NAME}-tenant + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + dev-sandbox/policy-group: ingress + policyTypes: + - Ingress # ServiceAccount and RoleBindings for running Pipelines. # appstudio-pipelines-runner-clusterrole is deployed by the pipeline-service component. - apiVersion: v1 diff --git a/make/docker.mk b/make/docker.mk deleted file mode 100644 index bd2059c6b..000000000 --- a/make/docker.mk +++ /dev/null @@ -1,4 +0,0 @@ -.PHONY: docker-image -## Build the docker image locally that can be deployed (only contains bare operator) -docker-image: build - $(Q)docker build -f build/Dockerfile -t docker.io/${GO_PACKAGE_ORG_NAME}/${GO_PACKAGE_REPO_NAME}:${GIT_COMMIT_ID_SHORT} . diff --git a/quay.adoc b/quay.adoc index 9bf3541cd..8690d03ce 100644 --- a/quay.adoc +++ b/quay.adoc @@ -7,7 +7,7 @@ There is a set of images that is built and pushed to quay repositories while dep . Make sure you have set the _QUAY_NAMESPACE_ variable: + `export QUAY_NAMESPACE=` . Log in to quay.io using + -`docker login quay.io` +`podman login quay.io` * Make sure that these repositories exist on quay.io and the visibility is set to `public` for all of them: * https://quay.io/repository//host-operator * https://quay.io/repository//host-operator-bundle diff --git a/required_tools.adoc b/required_tools.adoc index 3dbe43996..e15a8509d 100644 --- a/required_tools.adoc +++ b/required_tools.adoc 
@@ -6,7 +6,6 @@ NOTE: Follow the installation instructions https://sdk.operatorframework.io/docs * sed * yamllint * jq -* podman + -NOTE: If you need to use docker, then run the make targets with this variable set: `IMAGE_BUILDER=docker`. +* podman * opm v1.26.3 + NOTE: To download the Operator Registry tool use either https://github.com/operator-framework/operator-registry/releases or https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/. The version should correspond with the OpenShift version you are running. To confirm that the Operator Registry tool is installed correctly: `$ opm version` diff --git a/testsupport/tiers/checks.go b/testsupport/tiers/checks.go index e6b17df05..79856b3f0 100644 --- a/testsupport/tiers/checks.go +++ b/testsupport/tiers/checks.go @@ -161,7 +161,7 @@ func (a *baseTierChecks) GetNamespaceObjectChecks(nsType string) []namespaceObje case "stage": otherNamespaceKind = "dev" } - checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromOtherNamespace(otherNamespaceKind), numberOfNetworkPolicies(10)) + checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromOtherNamespace(otherNamespaceKind), numberOfNetworkPolicies(11)) return checks } 
@@ -231,7 +231,7 @@ func (a *base1nsTierChecks) GetNamespaceObjectChecks(_ string) []namespaceObject
 crtadminViewRoleBinding(),
 }
 checks = append(checks, commonNetworkPolicyChecks()...)
-checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9))
+checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10))
 return checks
 }
 
@@ -381,6 +381,7 @@ func commonNetworkPolicyChecks() []namespaceObjectsCheck {
 networkPolicyAllowFromIngress(),
 networkPolicyAllowFromOlmNamespaces(),
 networkPolicyAllowFromConsoleNamespaces(),
+networkPolicyIngressAllowFromDevSandboxPolicyGroup(),
 }
 }
 
@@ -465,7 +466,7 @@ func (a *appstudioTierChecks) GetNamespaceObjectChecks(_ string) []namespaceObje
 resourceQuotaComputeBuild("120", "128Gi", "60", "64Gi"),
 }
 checks = append(checks, commonAppstudioTierChecks()...)
-checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...)
+checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...)
 return checks
 }
 
@@ -558,7 +559,7 @@ func (a *appstudiolargeTierChecks) GetNamespaceObjectChecks(_ string) []namespac
 resourceQuotaStorage("50Gi", "400Gi", "50Gi", "180"),
 }
 checks = append(checks, commonAppstudioTierChecks()...)
-checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...)
+checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...)
 return checks
 }
 
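Review bot: Appending `networkPolicyIngressAllowFromDevSandboxPolicyGroup()` to `commonNetworkPolicyChecks` (the `@@ -381` hunk) makes every tier that calls it — base1ns and the appstudio tiers here, the appstudio-env and intel tiers in the following hunks, and the base tier whose count was bumped in the preceding hunk — require the `allow-from-dev-sandbox-managed-ns` policy, yet this change only adds that policy to the appstudio and appstudio-env templates. The base, base1ns and intel templates are not in this diff; presumably they live elsewhere and gain the policy in a companion change — confirm that change is in place, otherwise these expectations fail on the next e2e run. The `numberOfNetworkPolicies(N)` literals bumped in seven call sites are hand-maintained and nothing ties them to the length of the common list; a comment on `commonNetworkPolicyChecks` such as `// Every entry added here must be reflected in each tier's numberOfNetworkPolicies(...) expectation.` would make the coupling explicit for the next addition.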
@@ -596,7 +597,7 @@ func (a *appstudioEnvTierChecks) GetNamespaceObjectChecks(_ string) []namespaceO appstudioWorkSpaceNameLabel(), } - checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...) + checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...) return checks } @@ -656,7 +657,7 @@ func (a *intelMediumTierChecks) GetNamespaceObjectChecks(_ string) []namespaceOb crtadminViewRoleBinding(), } checks = append(checks, commonNetworkPolicyChecks()...) - checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9)) + checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10)) return checks } @@ -736,7 +737,7 @@ func getNamespaceObjectChecksForIntelLarge(memoryLimit string) []namespaceObject crtadminViewRoleBinding(), } checks = append(checks, commonNetworkPolicyChecks()...) - checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9)) + checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10)) return checks } 
@@ -1242,6 +1243,10 @@ func networkPolicyIngressFromPolicyGroup(name, group string) namespaceObjectsChe
 return assertNetworkPolicyIngressForNamespaces(name, metav1.LabelSelector{}, "network.openshift.io/policy-group", group)
 }
 
+func networkPolicyIngressAllowFromDevSandboxPolicyGroup() namespaceObjectsCheck {
+ return assertNetworkPolicyIngressForNamespaces("allow-from-dev-sandbox-managed-ns", metav1.LabelSelector{}, "dev-sandbox/policy-group", "ingress")
+}
+
 func assertNetworkPolicyIngressForNamespaces(name string, podSelector metav1.LabelSelector, labelNameValuePairs ...string) namespaceObjectsCheck {
 return func(t *testing.T, ns *corev1.Namespace, memberAwait *wait.MemberAwaitility, userName string) {
 require.Equal(t, 0, len(labelNameValuePairs)%2, "labelNameValuePairs must be a list of key-value pairs")
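Review bot: The new `networkPolicyIngressAllowFromDevSandboxPolicyGroup` has no doc comment, and its name does not say which policy name or label it pins; add `// networkPolicyIngressAllowFromDevSandboxPolicyGroup asserts that the namespace carries the "allow-from-dev-sandbox-managed-ns" NetworkPolicy, scoped to all pods (empty podSelector), admitting ingress from namespaces labelled dev-sandbox/policy-group=ingress.` above it. Stating the empty `metav1.LabelSelector{}` podSelector in the comment matters because the templates in this change omit `podSelector`, so a later template edit that narrows the selector will fail this check and the reader should know that is intended. The body is otherwise a copy of `networkPolicyIngressFromPolicyGroup` directly above with the label key and literals changed; if that helper is later generalised to take the label key, this function can delegate to it. `assertNetworkPolicyIngressForNamespaces` continues past the end of the hunk.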