diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
new file mode 100644
index 00000000..fc7fa004
--- /dev/null
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: {{ include "flux-operator.fullname" . }}-restrict
+spec:
+ nodeSelector: {}
+ ingressDeny:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+ - port: "8081"
+ protocol: TCP
+ ingress:
+ - fromEntities:
+ - cluster
diff --git a/packages/system/fluxcd-operator/values.yaml b/packages/system/fluxcd-operator/values.yaml
index 250c19c4..9053689a 100644
--- a/packages/system/fluxcd-operator/values.yaml
+++ b/packages/system/fluxcd-operator/values.yaml
@@ -4,7 +4,7 @@ flux-operator:
 - key: node.kubernetes.io/not-ready
 operator: Exists
 effect: NoSchedule
- hostNetwork: false
+ hostNetwork: true
 resources:
 limits:
 cpu: 100m
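Review bot: `nodeSelector: {}` makes this a host policy on every node, so the rules are not limited to flux-operator despite the `-restrict` name. The `ingressDeny` covers any host-network listener on TCP 8080/8081, and the `ingress` allow-list of `cluster` will, as far as I can tell from Cilium's default-deny semantics, drop other non-cluster ingress to the nodes once host firewall enforcement is on; it is worth confirming that SSH and external API-server access are allowed by other policies. If only the two ports are meant to be closed, say so in a comment above `spec:`, such as `# Host policy: selects all nodes because the operator runs with hostNetwork; affects every listener on 8080/8081`. The template also renders unconditionally, so an install on a cluster without the Cilium CRDs would presumably fail; a guard like `{{- if .Capabilities.APIVersions.Has "cilium.io/v2" }}` around the document would avoid that.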
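Review bot: `hostNetwork: true` has no comment explaining why the operator must run in the node's network namespace. The change makes its listeners (presumably the 8080 and 8081 that the new policy names) bind on node addresses, and it generally takes the pod out of scope of pod-level network policies. The only compensating control visible in this commit is the Cilium host policy, which is enforced only where Cilium's host firewall is active, so on other setups those ports would be reachable on the node IP. I would add a comment above the key, e.g. `# hostNetwork needed for <reason>; 8080/8081 are closed to world by templates/network-policy.yaml (requires Cilium host firewall)`, and check that the chart sets `dnsPolicy: ClusterFirstWithHostNet` for this case, which is not visible here. The `flux-operator:` mapping starts and continues outside the hunk.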