diff --git a/pkg/apis/tenant/v1alpha1/workspace_types.go b/pkg/apis/tenant/v1alpha1/workspace_types.go
index a77d7df85..dfb9af43c 100644
--- a/pkg/apis/tenant/v1alpha1/workspace_types.go
+++ b/pkg/apis/tenant/v1alpha1/workspace_types.go
@@ -33,7 +33,7 @@ const (
 // WorkspaceSpec defines the desired state of Workspace
 type WorkspaceSpec struct {
 Manager string `json:"manager,omitempty"`
- NetworkIsolation bool `json:"networkIsolation,omitempty"`
+ NetworkIsolation *bool `json:"networkIsolation,omitempty"`
 }
 // WorkspaceStatus defines the observed state of Workspace
diff --git a/pkg/apis/tenant/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/tenant/v1alpha1/zz_generated.deepcopy.go
index 08f7c8006..393122d0b 100644
--- a/pkg/apis/tenant/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/tenant/v1alpha1/zz_generated.deepcopy.go
@@ -29,7 +29,7 @@ func (in *Workspace) DeepCopyInto(out *Workspace) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) out.Status = in.Status }
@@ -86,6 +86,11 @@ func (in *WorkspaceList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WorkspaceSpec) DeepCopyInto(out *WorkspaceSpec) { *out = *in + if in.NetworkIsolation != nil { + in, out := &in.NetworkIsolation, &out.NetworkIsolation + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceSpec.
diff --git a/pkg/apis/tenant/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/tenant/v1alpha2/zz_generated.deepcopy.go
index 6cc1c4c13..0c1ae363b 100644
--- a/pkg/apis/tenant/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/tenant/v1alpha2/zz_generated.deepcopy.go
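Review bot: The new `NetworkIsolation *bool` field in `WorkspaceSpec` (workspace_types.go, hunk `@@ -33,7 +33,7 @@`) has no comment saying what an unset value means. The controller helper added in this same commit, `workspaceNetworkIsolationEnabled`, treats nil exactly like false, so a Workspace that omits the field falls through to the `delete = true` branch of `syncNs` unless the namespace annotation is set. Because this default decides whether isolation is applied, I would state it on the field, e.g. `// NetworkIsolation enables workspace-level network isolation; nil (unset) is treated as disabled.` Any other code that reads this field directly now needs a nil check before dereferencing; readers outside this diff are not visible here, so that is worth confirming.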
@@ -146,7 +146,7 @@ func (in *Placement) DeepCopy() *Placement { func (in *Template) DeepCopyInto(out *Template) { *out = *in in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Template.
diff --git a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
index 17e7ba8ab..ea4e3aedd 100644
--- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
+++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
@@ -384,8 +384,8 @@ func (c *NSNetworkPolicyController) addNamespace(obj interface{}) {
 c.nsEnqueue(ns)
 }
-func isNetworkIsolateEnabled(ns *corev1.Namespace) bool {
- if ns.Annotations[NamespaceNPAnnotationKey] == NamespaceNPAnnotationEnabled {
+func namespaceNetworkIsolateEnabled(ns *corev1.Namespace) bool {
+ if ns.Annotations != nil && ns.Annotations[NamespaceNPAnnotationKey] == NamespaceNPAnnotationEnabled {
 return true
 }
@@ -429,9 +429,9 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
 matchWorkspace := false
 delete := false
 nsnpList, err := c.informer.Lister().NamespaceNetworkPolicies(ns.Name).List(labels.Everything())
- if isNetworkIsolateEnabled(ns) {
+ if namespaceNetworkIsolateEnabled(ns) {
 matchWorkspace = false
- } else if wksp.Spec.NetworkIsolation {
+ } else if workspaceNetworkIsolationEnabled(wksp) {
 matchWorkspace = true
 } else {
 delete = true
@@ -573,6 +573,13 @@ func (c *NSNetworkPolicyController) processNSNPWorkItem() bool {
 return true
 }
+func workspaceNetworkIsolationEnabled(wksp *workspacev1alpha1.Workspace) bool {
+ if wksp.Spec.NetworkIsolation != nil && *wksp.Spec.NetworkIsolation {
+ return true
+ }
+ return false
+}
+
 // NewnamespacenpController returns a controller which manages NSNSP objects.
 func NewNSNetworkPolicyController(
 client kubernetes.Interface,
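Review bot: The `ns.Annotations != nil &&` guard added to `namespaceNetworkIsolateEnabled` (hunk `@@ -384,8 +384,8 @@`) is redundant, because indexing a nil map in Go yields the zero value instead of panicking. The condition can stay `if ns.Annotations[NamespaceNPAnnotationKey] == NamespaceNPAnnotationEnabled {`, and the new test for a Namespace with no annotations would still pass. The renamed function also has no doc comment; `// namespaceNetworkIsolateEnabled reports whether the namespace's own annotation turns network isolation on.` would help. The rest of the function body lies outside the hunk.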
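Review bot: `workspaceNetworkIsolationEnabled` (hunk `@@ -573,6 +573,13 @@`) reads `wksp.Spec` without checking `wksp` itself, so a nil Workspace reaching it would panic. Whether `syncNs` and the `UpdateFunc` handler always pass a non-nil pointer is not visible in this diff. The `if … return true … return false` body also reduces to one expression, `return wksp != nil && wksp.Spec.NetworkIsolation != nil && *wksp.Spec.NetworkIsolation`. A doc comment such as `// workspaceNetworkIsolationEnabled reports whether the workspace explicitly enables network isolation; an unset field counts as disabled.` would record the default that callers rely on.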
@@ -607,7 +614,7 @@ func NewNSNetworkPolicyController(
 UpdateFunc: func(oldObj, newObj interface{}) {
 old := oldObj.(*workspacev1alpha1.Workspace)
 new := newObj.(*workspacev1alpha1.Workspace)
- if old.Spec.NetworkIsolation == new.Spec.NetworkIsolation {
+ if workspaceNetworkIsolationEnabled(old) == workspaceNetworkIsolationEnabled(new) {
 return
 }
 controller.addWorkspace(newObj)
diff --git a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
index 9de28bccc..899218f15 100644
--- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
+++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
@@ -134,6 +134,25 @@ var _ = Describe("Nsnetworkpolicy", func() {
 go c.Start(stopCh)
 })
+ It("test func namespaceNetworkIsolateEnabled", func() {
+ ns := &corev1.Namespace{}
+ Expect(namespaceNetworkIsolateEnabled(ns)).To(BeFalse())
+ ns.Annotations = make(map[string]string)
+ Expect(namespaceNetworkIsolateEnabled(ns)).To(BeFalse())
+ ns.Annotations[NamespaceNPAnnotationKey] = NamespaceNPAnnotationEnabled
+ Expect(namespaceNetworkIsolateEnabled(ns)).To(BeTrue())
+ })
+
+ It("test func workspaceNetworkIsolationEnabled", func() {
+ value := false
+ wksp := &wkspv1alpha1.Workspace{}
+ Expect(workspaceNetworkIsolationEnabled(wksp)).To(BeFalse())
+ wksp.Spec.NetworkIsolation = &value
+ Expect(workspaceNetworkIsolationEnabled(wksp)).To(BeFalse())
+ value = true
+ Expect(workspaceNetworkIsolationEnabled(wksp)).To(BeTrue())
+ })
+
 It("Should create ns networkisolate np correctly in workspace", func() {
 objSrt := fmt.Sprintf(workspaceNP, "testns", constants.WorkspaceLabelKey, "testworkspace")
 obj := &netv1.NetworkPolicy{}
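Review bot: The `workspaceNetworkIsolationEnabled` spec (hunk `@@ -134,6 +134,25 @@` in nsnetworkpolicy_test.go) flips the expected result by reassigning `value` after `&value` has been stored in the spec, which only works through pointer aliasing and is easy to misread. A short comment such as `// wksp.Spec.NetworkIsolation still points at value` would make the intent explicit, as would assigning a fresh pointer for the true case. Both new specs exercise only the helpers. In the visible lines nothing drives `syncNs` with an unset `NetworkIsolation`, the path that ends in `delete = true`, so a controller-level case for it is worth adding if one does not exist further down the file. The enclosing `Describe` block starts and ends outside the hunk.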