diff --git a/kube/deploy/core/db/emqx/cluster/emqx.yaml b/kube/deploy/core/db/emqx/cluster/emqx.yaml
index 8cbe92e8..73eff945 100644
--- a/kube/deploy/core/db/emqx/cluster/emqx.yaml
+++ b/kube/deploy/core/db/emqx/cluster/emqx.yaml
@@ -26,7 +26,7 @@ spec:
 deny_action = "ignore"
 sources = [{
 enable = true
- type = "file"
+ type = file
 path = "/secrets/acl.conf"
 }]
 }
diff --git a/kube/deploy/core/db/emqx/cluster/netpol.yaml b/kube/deploy/core/db/emqx/cluster/netpol.yaml
index d566c698..bdcef831 100644
--- a/kube/deploy/core/db/emqx/cluster/netpol.yaml
+++ b/kube/deploy/core/db/emqx/cluster/netpol.yaml
@@ -1,4 +1,25 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "apps-to-emqx"
+spec:
+ endpointSelector:
+ matchLabels:
+ db.home.arpa/emqx: "emqx"
+ egress:
+ - toEndpoints: &emqx
+ - matchLabels:
+ io.kubernetes.pod.namespace: emqx
+ apps.emqx.io/instance: emqx
+ toPorts:
+ - ports:
+ - port: "8883"
+ protocol: TCP
+ - toEndpoints: *emqx
+ icmps: [{}]
+---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
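Review bot: Once this clusterwide policy selects a pod carrying `db.home.arpa/emqx: emqx`, Cilium puts that pod into default-deny for egress, so the two `egress` rules in the `apps-to-emqx` hunk become its only permitted egress unless some other policy also selects it; DNS to kube-dns and every other dependency of those apps would then be dropped. If a baseline policy already grants DNS and general egress to all pods that is fine, but nothing in this file shows it, so I would either add a kube-dns `toEndpoints` rule on 53/UDP+TCP here or state the assumption above the policy with `# assumes a baseline clusterwide policy grants DNS/other egress; this policy only adds EMQX`. The `icmps: [{}]` entry presumably admits every ICMP type rather than only echo; if ping was the intent, an explicit `fields` entry (type 8 / IPv4, per the Cilium ICMP rule schema) is tighter. The `name: "apps-to-emqx"` value is quoted while every other plain scalar in the document is not; either is valid, but the file should pick one style.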
@@ -6,14 +27,31 @@ metadata:
 name: &app emqx
 namespace: *app
 spec:
- endpointSelector: {}
+ endpointSelector: &cluster
+ matchLabels:
+ apps.emqx.io/instance: emqx
 ingress:
- # same namespace
+ # same EMQX cluster
+ - fromEndpoints: [*cluster]
+ # labelled pods
+ - fromEndpoints: &labelled
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ - key: apps.emqx.io/instance
+ operator: In
+ values: [emqx]
+ toPorts:
+ - ports:
+ - port: "8883"
+ protocol: TCP
+ - fromEndpoints: *labelled
+ icmps: [{}]
+ # operator
 - fromEndpoints:
 - matchLabels:
- io.kubernetes.pod.namespace: *app
+ io.kubernetes.pod.namespace: emqx
+ app.kubernetes.io/name: emqx-operator
 egress:
- # same namespace
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: *app
+ # same cluster
+ - toEndpoints: [*cluster]
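Review bot: The `# labelled pods` ingress rule admits any pod in any namespace that carries `apps.emqx.io/instance: emqx`, while the clusterwide egress policy earlier in this file selects clients by `db.home.arpa/emqx: "emqx"`; unless client pods carry both labels, a pod granted egress to EMQX by that policy is still dropped here, and conversely any workload whose owner can set `apps.emqx.io/instance` (presumably the operator-managed label on the EMQX pods themselves) gains access to 8883 from every namespace. Keying the client rule on the same dedicated client label closes the mismatch and stops reusing an operator label as a credential: replace the second expression with `- key: db.home.arpa/emqx` / `operator: In` / `values: [emqx]`. The `Exists` expression on `io.kubernetes.pod.namespace` is what lifts this selector out of the policy's own namespace, which deserves a comment such as `# io.kubernetes.pod.namespace Exists => match pods in every namespace` above it so nobody drops it as redundant. The new `egress` allows the EMQX pods to reach only `*cluster` peers, so DNS for cluster discovery is not permitted by this document either; confirm a baseline policy covers it or add a kube-dns rule.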