diff --git a/kube/deploy/vm/_kubevirt/netpol.yaml b/kube/deploy/vm/_kubevirt/netpol.yaml
index c70f6926..38b03bcd 100644
--- a/kube/deploy/vm/_kubevirt/netpol.yaml
+++ b/kube/deploy/vm/_kubevirt/netpol.yaml
@@ -7,7 +7,11 @@ metadata:
   namespace: *app
 spec:
   endpointSelector: {}
-  ingress: [{}] # deny all
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+        - host
+        - remote-node
   egress:
     # kube-apiserver
     - toEntities: