diff --git a/kube/deploy/core/kyverno/app/hr.yaml b/kube/deploy/core/kyverno/app/hr.yaml
index 52ec63c4..19a003e2 100644
--- a/kube/deploy/core/kyverno/app/hr.yaml
+++ b/kube/deploy/core/kyverno/app/hr.yaml
@@ -23,6 +23,7 @@ spec:
 ingress.home.arpa/apiserver: "allow"
 egress.home.arpa/apiserver: "allow"
 egress.home.arpa/host: "allow"
+ prom.home.arpa/kps: "allow"
 config:
 webhooks:
 - objectSelector:
diff --git a/kube/deploy/core/monitoring/kps/app/netpol.yaml b/kube/deploy/core/monitoring/kps/app/netpol.yaml
new file mode 100644
index 00000000..304323aa
--- /dev/null
+++ b/kube/deploy/core/monitoring/kps/app/netpol.yaml
@@ -0,0 +1,33 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: "kps-prometheus-egress-labelled"
+ namespace: "monitoring"
+spec:
+ description: "Allow Prometheus to egress to pods labelled with metrics exporters, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ prometheus: "kps"
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ prom.home.arpa/kps: "allow"
+ matchExpressions:
+ - key: "io.kubernetes.pod.namespace"
+ operator: "Exists"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "kps-prometheus-ingress-labelled"
+spec:
+ description: "Allow Prometheus to egress to pods labelled with metrics exporters, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ prom.home.arpa/kps: "allow"
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ prometheus: "kps"
diff --git a/kube/deploy/core/storage/_csi-addons/netpol.yaml b/kube/deploy/core/storage/_csi-addons/netpol.yaml
index 8d9a29b2..d8008ef3 100644
--- a/kube/deploy/core/storage/_csi-addons/netpol.yaml
+++ b/kube/deploy/core/storage/_csi-addons/netpol.yaml
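Review bot: The added `prom.home.arpa/kps: "allow"` label opts these pods into the two Prometheus policies introduced in this commit, and because neither policy sets `toPorts`, it grants the Prometheus endpoints reach to every port the labelled pods listen on, not only the metrics endpoint. For kyverno that presumably includes the admission webhook listener configured just below; which workload these `labels` apply to cannot be seen from the hunk, so it is worth confirming that scope is intended or narrowing the policy to the metrics port. A comment on the added line would record the trade-off, e.g. `# opts in to the kps-prometheus-*-labelled policies: all ports, not just metrics`. The rook-ceph `mgr` label at the end of this diff carries the same consequence.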
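Review bot: The clusterwide `fromEndpoints` selector in the second document matches `prometheus: "kps"` with no namespace constraint, so a pod created in any namespace with that label would be granted ingress on every port to every endpoint labelled `prom.home.arpa/kps: "allow"`; pin the source to the Prometheus namespace by adding `io.kubernetes.pod.namespace: "monitoring"` alongside it in that `matchLabels` block. The namespaced egress policy in the first document is scoped to `monitoring` by the policy itself, and its `io.kubernetes.pod.namespace` Exists expression is what lets `toEndpoints` reach exporters in other namespaces, so it is fine on this point. The second document's `description` is copied from the egress policy and still says "egress"; `description: "Allow ingress from Prometheus into pods labelled with metrics exporters, no port restrictions"` states what it actually does. The two documents also disagree on quoting (`apiVersion: cilium.io/v2` versus `"cilium.io/v2"`); pick one style for the file.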
@@ -16,6 +16,13 @@ spec:
 - matchLabels:
 io.kubernetes.pod.namespace: "rook-ceph"
 app: "csi-rbdplugin"
+ toPorts:
+ - ports:
+ - port: "9070"
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: "rook-ceph"
+ app: "csi-rbdplugin-provisioner"
 toPorts:
 - ports:
 - port: "9070"
\ No newline at end of file
diff --git a/kube/deploy/core/storage/rook-ceph/cluster/app/hr.yaml b/kube/deploy/core/storage/rook-ceph/cluster/app/hr.yaml
index 6135a755..8453374a 100644
--- a/kube/deploy/core/storage/rook-ceph/cluster/app/hr.yaml
+++ b/kube/deploy/core/storage/rook-ceph/cluster/app/hr.yaml
@@ -42,6 +42,7 @@ spec:
 labels:
 mgr:
 ingress.home.arpa/nginx: "allow"
+ prom.home.arpa/kps: "allow"
 mon:
 count: 3
 allowMultiplePerNode: false
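Review bot: Neither `ports` entry carries a `protocol`, and Cilium matches any L4 protocol when it is omitted, so both the existing rule and the new `csi-rbdplugin-provisioner` rule admit UDP and SCTP to 9070 as well as TCP; if this is a TCP endpoint, as it appears, add `protocol: "TCP"` under each `- port: "9070"`. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being touched. The enclosing `egress` rule list begins above the hunk, so the first `toEndpoints` entry is only partly visible here; the new `toPorts` block is inserted right where that entry closes, which reads as intended.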