diff --git a/kube/deploy/core/storage/volsync/app/netpol.yaml b/kube/deploy/core/storage/volsync/app/netpol.yaml
index 094b8a6c..65d463e0 100644
--- a/kube/deploy/core/storage/volsync/app/netpol.yaml
+++ b/kube/deploy/core/storage/volsync/app/netpol.yaml
@@ -39,3 +39,15 @@ spec:
     # allow all to public Internet
     - toEntities:
         - world
+    # Ceph RGW
+    - toEntities:
+        - host
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "6953"
+    - toCIDRSet:
+        - cidr: "${IP_VLAN_CEPH_CIDR}"
+      toPorts:
+        - ports:
+            - port: "6953"