diff --git a/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml b/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
index 9d407171..fb164085 100644
--- a/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
+++ b/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
@@ -65,6 +65,20 @@ spec:
 rules:
 dns:
 - matchPattern: "*"
+ # allow Flux notification-controller ingress
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: flux-system
+ app: notification-controller
+ toPorts:
+ - ports:
+ - port: "9292"
+ protocol: TCP
+ - port: "80"
+ protocol: TCP
+ rules:
+ http:
+ - {}
 ---
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
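Review bot: The `http: - {}` rule at the end of the added block matches every method and path, so anything arriving through the tunnel can reach the whole HTTP surface of notification-controller on 9292 rather than only the webhook receiver. If only Flux Receiver webhooks are meant to pass, narrow it to the receiver path, e.g. `- method: "POST"` with `path: "/hook/.*"` (assuming the receivers in use are called with POST). The `port: "80"` entry looks unnecessary, since Cilium evaluates `toPorts` for `toEndpoints` against the backend pod port after service translation; it is worth confirming that 9292 alone suffices and dropping 80 to keep the allow-list minimal. The comment says "ingress" while `toEndpoints` is an egress selector and the enclosing spec starts outside the hunk, so a comment such as `# egress: cloudflared -> Flux notification-controller webhook receiver` would state the direction explicitly.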