diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml b/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
index 8eac2424..78fa4a5c 100644
--- a/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
+++ b/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
@@ -23,11 +23,8 @@ spec:
 - toCIDRSet:
 - cidr: "${IP_PVE_CEPH_CIDR}"
 # k8s apiserver
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: default
- component: apiserver
- provider: kubernetes
+ - toEntities:
+ - kube-apiserver
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
@@ -48,6 +45,21 @@ spec:
 toPorts:
 - ports:
 - port: "6953"
+ # allow CNPG to connect
+ - fromEndpoints:
+ - matchExpressions:
+ - key: cnpg.io/cluster
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "6953"
+ protocol: TCP
+ - port: "6953"
+ protocol: UDP
+ - port: "8080"
+ protocol: TCP
+ - port: "8080"
+ protocol: UDP
 egress:
 # ingress controller webhook admission
 - toServices:
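Review bot: The new `toEntities: [kube-apiserver]` egress rule relies on Cilium assigning the reserved kube-apiserver identity to the API server addresses it learns from the cluster's default `kubernetes` Endpoints; if the API server is also reached through an address not listed there (an external VIP, for instance), that path would presumably still be denied by this policy — worth confirming with the CNI's flow logs after rollout rather than assuming parity with the removed label selector. The removed selector was also scoped to `default`/`component: apiserver` pods, so the entity is the more robust choice, but the one-word comment does not record that intent; suggest `# k8s apiserver (reserved entity: covers all apiserver addresses Cilium discovers, not just in-cluster pods)`. The enclosing policy's `spec` begins before this hunk.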
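Review bot: The added `fromEndpoints` selector names only the `cnpg.io/cluster` label, and in a namespaced CiliumNetworkPolicy an endpoint selector with no namespace label is implicitly scoped to the policy's own namespace, so unless the CNPG clusters run in the rook-ceph namespace this rule matches nothing and the intended connections remain blocked. If the clusters live elsewhere, add the namespace explicitly to the same `matchExpressions` list, e.g. `- key: k8s:io.kubernetes.pod.namespace` / `operator: In` / `values: ["<CNPG_NAMESPACE placeholder>"]`. Separately, listing both TCP and UDP for `6953` and `8080` is equivalent to omitting `protocol`, which is how the preceding rule is written; if these are HTTP (object-store) endpoints — inferred, please confirm — TCP alone is the least-privilege form and also avoids the inconsistency. The enclosing ingress list starts before this hunk.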