diff --git a/packages/system/fluxcd-operator/Makefile b/packages/system/fluxcd-operator/Makefile
index f41360ee..84ffc6fe 100644
--- a/packages/system/fluxcd-operator/Makefile
+++ b/packages/system/fluxcd-operator/Makefile
@@ -10,3 +10,4 @@ update:
 rm -rf charts
 helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts
 patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff
+ patch --no-backup-if-mismatch -p1 < patches/networkPolicy.diff
diff --git a/packages/system/fluxcd-operator/patches/networkPolicy.diff b/packages/system/fluxcd-operator/patches/networkPolicy.diff
new file mode 100644
index 00000000..d2adc974
--- /dev/null
+++ b/packages/system/fluxcd-operator/patches/networkPolicy.diff
@@ -0,0 +1,23 @@
+diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
+new file mode 100644
+--- /dev/null (revision 52a23eacfc32430d8b008b765c64a81526521bae)
++++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml (revision 52a23eacfc32430d8b008b765c64a81526521bae)
+@@ -0,0 +1,18 @@
++apiVersion: cilium.io/v2
++kind: CiliumClusterwideNetworkPolicy
++metadata:
++ name: {{ include "flux-operator.fullname" . }}-restrict
++spec:
++ nodeSelector: {}
++ ingressDeny:
++ - fromEntities:
++ - world
++ toPorts:
++ - ports:
++ - port: "8080"
++ protocol: TCP
++ - port: "8081"
++ protocol: TCP
++ ingress:
++ - fromEntities:
++ - cluster
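Review bot: The added `patch` line creates `templates/network-policy.yaml` inside the chart pulled two lines above, and that `helm pull` is unpinned, so the first upstream release that ships its own file at that path (or restructures the templates directory) will make this step fail on the next `make update`. The failure should be loud (patch normally exits non-zero on a reject and the recipe stops), which is the right mode, but the cause will not be obvious; pinning the pull, `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --version <CHART_VERSION> --untar --untardir charts`, keeps both patches applied against a known chart revision. A one-line comment above the new line, `# adds templates/network-policy.yaml (Cilium CCNP); re-check against upstream on every chart bump`, would tell the next maintainer what to revisit. The `update` rule header and any `.PHONY` declaration are outside the hunk.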
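Review bot: `nodeSelector: {}` makes this CiliumClusterwideNetworkPolicy a host (node-level) policy on every node rather than a policy on the flux-operator pod, so the deny on TCP 8080/8081 applies to the nodes' host namespace and, unless the operator runs with hostNetwork, does not cover the pod that presumably exposes those ports (the chart's values are not on this page, so that is inferred from the port numbers and the policy name). Because a selected endpoint becomes ingress default-deny once any `ingress` rule matches it, the trailing `ingress: - fromEntities: - cluster` would, as far as I can tell from the Cilium policy model, also block all non-cluster ingress to every node rather than only 8080/8081 — a lockout risk on clusters with the host firewall enabled, and it leaves the `ingressDeny` block redundant. If the intent is to protect the operator's own ports, select the pod instead, `endpointSelector: {matchLabels: <the chart's selector labels>}`, and drop the host scope; if node scope is really intended, state that in a comment in the template and give the allow rule the same `toPorts` so it does not widen the default-deny. A short comment naming what 8080 and 8081 are, and a `{{- if .Values.<network-policy flag> }}` guard so the Cilium CRD can be skipped on clusters without it, would round out the new template.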