Snippets:Primary network namespace isolation

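#!/bin/sh
# public domain
# Keep a handle to the primary (initial) network namespace at /_netns/main.
mkdir -p /_netns
# A bind mount needs an existing target file.
[ -e /_netns/main ] || : > /_netns/main
mount --bind /proc/self/ns/net /_netns/main
# sysfs lists the network devices of the namespace it was mounted in;
# detach it lazily so the real init mounts its own.
umount -l /sys
# Replace this script with the real init in a new, empty network namespace.
exec unshare -n "${real_init:-/lib/systemd/systemd}" "$@"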

Save this shell script somewhere in a root-owned directory and make it executable with chmod +x. Add init=/path/to/this/shell/script to the kernel command line (the exact steps depend on which bootloader you use; for GRUB, edit /etc/default/grub).
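
To confirm after a reboot that the wrapper took effect, compare the saved handle with the namespace init actually runs in. The script below is an added example, not part of the original snippet; the function names and the "check" argument are its own, and it assumes the /_netns/main path used above.

```shell
#!/bin/sh
# Added example: verify that init runs outside the primary network
# namespace saved by the wrapper. Paths default to the snippet's
# /_netns/main; function names are this example's own.

# Print "device:inode" for a namespace handle. Two handles refer to the
# same namespace exactly when this pair matches (see namespaces(7)).
ns_id() {
    stat -L -c '%d:%i' "$1" 2>/dev/null
}

# Return 0 if isolated, 1 if init still shares the primary namespace,
# 2 if a handle is missing or unreadable (/proc/1/ns/net needs root).
check_isolation() {
    main_id=$(ns_id "$1") || return 2
    init_id=$(ns_id "$2") || return 2
    [ "$main_id" != "$init_id" ]
}

# Human-readable result; returns the same status as check_isolation.
report() {
    rc=0
    check_isolation "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: init is outside the primary namespace ($1)"
           echo "run a command there with: nsenter --net=$1 <command>" ;;
        1) echo "FAIL: init shares the primary network namespace" ;;
        *) echo "ERROR: cannot read $1 or $2 (wrapper inactive, or not root?)" ;;
    esac
    return $rc
}

# Run the check only when asked: sh check-netns.sh check [handle] [init-ns]
if [ "${1:-}" = "check" ]; then
    report "${2:-/_netns/main}" "${3:-/proc/1/ns/net}"
    exit $?
fi
```

Run it as root with the single argument check; a non-zero exit status means the isolation is not in place or could not be verified.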