diff --git a/resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml b/resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml
new file mode 100644
index 00000000..c10fa676
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-oidc-login
+ namespace: kube-system
+spec:
+ endpointSelector:
+ matchLabels:
+ k8s-app: oauth2-proxy
+ egress:
+ - toFQDNs:
+ - matchName: login.microsoftonline.com
+ - matchPattern: '*.microsoftonline.com'
diff --git a/resources/oceanbox-cluster/network-policies/atlantis/allow-api-server.yaml b/resources/oceanbox-cluster/network-policies/atlantis/allow-api-server.yaml
new file mode 100644
index 00000000..bee8c729
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/atlantis/allow-api-server.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: atlantis
+spec:
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
diff --git a/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-api-server.yaml b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-api-server.yaml
new file mode 100644
index 00000000..4d2c046d
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-api-server.yaml
@@ -0,0 +1,10 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-kube-apiserver
+spec:
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEntities:
+ - kube-apiserver
diff --git a/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-ekman-egress.yaml b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-ekman-egress.yaml
new file mode 100644
index 00000000..4ed929e8
--- /dev/null
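Review bot: The egress rule under `toFQDNs` carries no `toPorts`, so oauth2-proxy may reach any port on any `*.microsoftonline.com` host, whereas an OIDC login only needs HTTPS; add `toPorts: - ports: - port: "443" protocol: TCP` beside `toFQDNs`. `matchName: login.microsoftonline.com` is already covered by the `*.microsoftonline.com` pattern and can be dropped. The same missing port restriction applies to idp/allow-gitlab.yaml, idp/allow-itp-smtpgw.yaml and idp/allow-keycloak.yaml. Note also that toFQDNs rules only take effect when the selected endpoint's DNS lookups pass through Cilium's DNS proxy (an egress rule to kube-dns with `rules: dns:`); no such rule is in this commit, so confirm one exists elsewhere or the FQDN allow-lists will never learn an IP.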
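Review bot: `matchLabels: {}` on a CiliumClusterwideNetworkPolicy selects every endpoint in the cluster and this egress rule has no `toPorts`, so every pod may reach the kube-apiserver entity on any port; because Cilium unions allow rules, the `port: "6443"` limit in the per-namespace allow-kube-api policies (atlantis, dapr-system, idp, jaeger) has no effect while this policy exists. Either add the same port block here, `toPorts: - ports: - port: "6443" protocol: TCP`, and drop the namespace copies, or keep only the namespace policies. Selecting every endpoint also moves all pods cluster-wide into egress default-deny (likewise clusterpolicy-allow-ekman-egress.yaml and clusterpolicy-allow-oceanboxio.yaml), which is presumably intended but deserves a comment above `endpointSelector` saying so.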
+++ b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-ekman-egress.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-ekman-egress
+spec:
+ endpointSelector: {}
+ egress:
+ - toCIDR:
+ - 10.255.241.99/32
+ - 10.255.241.100/32
+ toPorts:
+ - ports:
+ - port: "4443"
+ protocol: TCP
+ - port: "30443"
+ protocol: TCP
+ - port: "30080"
+ protocol: TCP
diff --git a/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-oceanboxio.yaml b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-oceanboxio.yaml
new file mode 100644
index 00000000..01670e13
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-oceanboxio.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-oceanboxio-egress
+spec:
+ endpointSelector: {}
+ egress:
+ - toFQDNs:
+ - matchName: oceanbox.io
+ - matchName: hubble.srv.oceanbox.io
+ - matchPattern: "*oceanbox.io"
+ - matchPattern: "*.oceanbox.io"
+
diff --git a/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-remote-node.yaml b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-remote-node.yaml
new file mode 100644
index 00000000..2bb81aac
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-remote-node.yaml
@@ -0,0 +1,10 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
diff --git a/resources/oceanbox-cluster/network-policies/dapr/allow-api-server.yaml b/resources/oceanbox-cluster/network-policies/dapr/allow-api-server.yaml
new file mode 100644
index 00000000..c4ce28c6
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/dapr/allow-api-server.yaml
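Review bot: The two `/32` addresses and ports 4443/30443/30080 are granted to every endpoint (`endpointSelector: {}`) with nothing on the page saying what they are; add a comment above `toCIDR` naming the service behind them, e.g. `# <ekman service name — fill in>: reachable from all pods cluster-wide`, and if only one namespace needs this path, scope it in a namespaced CiliumNetworkPolicy there instead. The commit also spells the select-all selector two ways (`endpointSelector: {}` here, `endpointSelector: matchLabels: {}` in clusterpolicy-allow-api-server.yaml); they are equivalent, but one form throughout would read better.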
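Review bot: `matchPattern: "*oceanbox.io"` is broader than the file name suggests: in Cilium's matchPattern, `*` stands for a run of DNS-label characters with no dot boundary, so this line also admits any unrelated domain whose name merely ends in `oceanbox.io` (constructed example: `notoceanbox.io`). `matchName: oceanbox.io` and `matchPattern: "*.oceanbox.io"` already cover the apex and its direct subdomains, so remove the `*oceanbox.io` line; since `*` does not cross a dot, deeper names still need an explicit entry, which is presumably why `hubble.srv.oceanbox.io` is listed by name. The rule also has no `toPorts`, and the file ends with a trailing empty line.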
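Review bot: This cluster-wide ingress rule admits the kube-apiserver entity to every endpoint on every port (no `toPorts`), which is broader than the webhook use the name implies and makes the namespaced allow-remote-node-webhooks policies in dapr-system and jaeger redundant. If webhook ports differ per namespace, drop this policy in favour of the namespaced ones; otherwise add a `toPorts` block here and drop those. The name says remote-node while the rule uses the `kube-apiserver` entity; on clusters where API-server traffic is classified as `remote-node` (this depends on Cilium version and where the control plane runs) the rule would not match, so a comment above `fromEntities` stating which identity was verified with Hubble would help the next reader.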
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: dapr-system
+spec:
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
diff --git a/resources/oceanbox-cluster/network-policies/dapr/allow-remote-node.yaml b/resources/oceanbox-cluster/network-policies/dapr/allow-remote-node.yaml
new file mode 100644
index 00000000..25df8ea6
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/dapr/allow-remote-node.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: dapr-system
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "4000"
+ protocol: TCP
diff --git a/resources/oceanbox-cluster/network-policies/geoserver/allow-geoserver-ingress.yaml b/resources/oceanbox-cluster/network-policies/geoserver/allow-geoserver-ingress.yaml
new file mode 100644
index 00000000..8c81a10d
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/geoserver/allow-geoserver-ingress.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-geoserver-ingress
+ namespace: geoserver
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: geoserver
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/resources/oceanbox-cluster/network-policies/idp/allow-api-server.yaml b/resources/oceanbox-cluster/network-policies/idp/allow-api-server.yaml
new file mode 100644
index 00000000..f2150982
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/idp/allow-api-server.yaml
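Review bot: The `- toPorts:` entry is a second list item rather than part of the `fromEntities` rule, so the policy is not "apiserver on port 4000": the first item admits the kube-apiserver entity on every port, and the second is an L4-only ingress rule which, as I read Cilium's semantics, admits any source to port 4000. Drop the dash so the port block sits in the same rule as the selector, exactly as dapr/allow-api-server.yaml does for egress: `- fromEntities:`, `  - kube-apiserver`, `  toPorts:`. jaeger/allow-remote-node.yaml has the same layout for ports 9443 and 443 and needs the same fix.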
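Review bot: The ingress rule admits every pod in the `ingress-nginx` namespace to every port of the geoserver endpoints, not just the controller and not just the served port. Tighten it by adding the controller's app label next to `io.kubernetes.pod.namespace` and a port block, e.g. `toPorts: - ports: - port: "<geoserver port — fill in>" protocol: TCP`, so an unrelated pod scheduled into that namespace cannot reach the other listeners.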
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: idp
+spec:
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
diff --git a/resources/oceanbox-cluster/network-policies/idp/allow-gitlab.yaml b/resources/oceanbox-cluster/network-policies/idp/allow-gitlab.yaml
new file mode 100644
index 00000000..007e2960
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/idp/allow-gitlab.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-grafana-oidc-login
+ namespace: idp
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: cerbos
+ egress:
+ - toFQDNs:
+ - matchName: gitlab.com
+ - matchPattern: '*.gitlab.com'
diff --git a/resources/oceanbox-cluster/network-policies/idp/allow-itp-smtpgw.yaml b/resources/oceanbox-cluster/network-policies/idp/allow-itp-smtpgw.yaml
new file mode 100644
index 00000000..8ae74f56
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/idp/allow-itp-smtpgw.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-itp-smtp
+ namespace: idp
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak
+ egress:
+ - toFQDNs:
+ - matchName: smtpgw.itpartner.no
diff --git a/resources/oceanbox-cluster/network-policies/idp/allow-keycloak.yaml b/resources/oceanbox-cluster/network-policies/idp/allow-keycloak.yaml
new file mode 100644
index 00000000..58f5cb9c
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/idp/allow-keycloak.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-keycloak
+ namespace: idp
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: dex
+ egress:
+ - toFQDNs:
+ - matchName: auth.srv.oceanbox.io
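Review bot: The policy name `allow-grafana-oidc-login` matches neither the file (allow-gitlab.yaml) nor the selected workload (`app.kubernetes.io/name: cerbos`), which looks like a copy-paste leftover and will mislead anyone reading `kubectl get cnp -n idp` during an incident. Rename it to something like `allow-cerbos-gitlab-egress` and add a comment above `egress` stating why cerbos needs gitlab.com, since the page does not say.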
diff --git a/resources/oceanbox-cluster/network-policies/jaeger/allow-api-server.yaml b/resources/oceanbox-cluster/network-policies/jaeger/allow-api-server.yaml
new file mode 100644
index 00000000..c124879f
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/jaeger/allow-api-server.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: jaeger
+spec:
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
diff --git a/resources/oceanbox-cluster/network-policies/jaeger/allow-remote-node.yaml b/resources/oceanbox-cluster/network-policies/jaeger/allow-remote-node.yaml
new file mode 100644
index 00000000..68681b0d
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/jaeger/allow-remote-node.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: jaeger
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "9443"
+ protocol: TCP
+ - port: "443"
+ protocol: TCP