diff --git a/packages/system/fluxcd-operator/Makefile b/packages/system/fluxcd-operator/Makefile
index f41360ee..84ffc6fe 100644
--- a/packages/system/fluxcd-operator/Makefile
+++ b/packages/system/fluxcd-operator/Makefile
@@ -10,3 +10,4 @@ update:
 rm -rf charts
 helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts
 patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff
+ patch --no-backup-if-mismatch -p1 < patches/networkPolicy.diff
diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
new file mode 100644
index 00000000..0a9db1cc
--- /dev/null
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
@@ -0,0 +1,21 @@
+{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: {{ include "flux-operator.fullname" . }}-restrict
+spec:
+ nodeSelector: {}
+ ingressDeny:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+ - port: "8081"
+ protocol: TCP
+ ingress:
+ - fromEntities:
+ - cluster
+{{- end }}
diff --git a/packages/system/fluxcd-operator/patches/networkPolicy.diff b/packages/system/fluxcd-operator/patches/networkPolicy.diff
new file mode 100644
index 00000000..a7bf3207
--- /dev/null
+++ b/packages/system/fluxcd-operator/patches/networkPolicy.diff
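Review bot: The new network-policy.yaml selects nodes, not the operator's pods — `nodeSelector: {}` in a CiliumClusterwideNetworkPolicy matches every node's host endpoint, so the `ingressDeny` on ports 8080/8081 and the `ingress` allow from `cluster` govern node-level traffic rather than traffic to the flux-operator pod. If the intent is to shield the operator's listening ports from outside the cluster, the selector should be an `endpointSelector` matching the chart's pod labels (the chart's label helper is not visible in this hunk, so the exact `matchLabels` need checking). As written, on clusters where the Cilium host firewall is enabled, the presence of an `ingress` section appears to put every host endpoint into default-deny for ingress, which can block node access from outside the cluster well beyond those two ports; where the host firewall is disabled the policy is likely a no-op, so it is worth testing on a node before merging. A short comment at the top of the template stating the intended scope, e.g. `# Restrict access to the operator's 8080/8081 ports to in-cluster sources only`, would make the design choice reviewable.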
@@ -0,0 +1,25 @@
+diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
+new file mode 100644
+--- /dev/null (revision 52a23eacfc32430d8b008b765c64a81526521bae)
++++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml (revision 52a23eacfc32430d8b008b765c64a81526521bae)
+@@ -0,0 +1,18 @@
++{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
++apiVersion: cilium.io/v2
++kind: CiliumClusterwideNetworkPolicy
++metadata:
++ name: {{ include "flux-operator.fullname" . }}-restrict
++spec:
++ nodeSelector: {}
++ ingressDeny:
++ - fromEntities:
++ - world
++ toPorts:
++ - ports:
++ - port: "8080"
++ protocol: TCP
++ - port: "8081"
++ protocol: TCP
++ ingress:
++ - fromEntities:
++ - cluster
++{{- end }}
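Review bot: The embedded hunk header `@@ -0,0 +1,18 @@` in patches/networkPolicy.diff does not match its body, which carries 20 `+` lines (from the `{{- if` line through `{{- end }}`), so `patch -p1` during `make update` may reject the hunk or treat the trailing `- cluster` / `{{- end }}` lines as stray text and leave the template unterminated. The patch also drifts from the committed template: the checked-in network-policy.yaml has a `---` document separator after the `{{- if ... }}` line (21 lines) that the patch does not, so the next `make update` would regenerate a file that differs from the one in this commit. Regenerate the patch from the committed template (a plain `diff -u` of the untarred chart against the checked-in file) so that the header count and content agree, and drop the `(revision …)` suffixes on the `---`/`+++` lines at the same time.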