diff --git a/bindata/cloud-network-config-controller/managed/networkpolicy.yaml b/bindata/cloud-network-config-controller/managed/networkpolicy.yaml
new file mode 100644
index 0000000000..ed7bbc841b
--- /dev/null
+++ b/bindata/cloud-network-config-controller/managed/networkpolicy.yaml
@@ -0,0 +1,15 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: cloud-network-config-controller
+ namespace: {{.HostedClusterNamespace}}
+spec:
+ podSelector:
+ matchLabels:
+ app: cloud-network-config-controller
+ policyTypes:
+ - Egress
+ egress:
+ # CNCC needs access to apiserver and cloud APIs, possibly via a proxy... for now we
+ # just allow all egress.
+ - {}
diff --git a/bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml b/bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml
new file mode 100644
index 0000000000..b8f38ac524
--- /dev/null
+++ b/bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml
@@ -0,0 +1,15 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: cloud-network-config-controller
+ namespace: openshift-cloud-network-config-controller
+spec:
+ podSelector:
+ matchLabels:
+ app: cloud-network-config-controller
+ policyTypes:
+ - Egress
+ egress:
+ # CNCC needs access to apiserver and cloud APIs, possibly via a proxy... for now we
+ # just allow all egress.
+ - {}
diff --git a/bindata/network/node-identity/managed/node-identity-networkpolicy.yaml b/bindata/network/node-identity/managed/node-identity-networkpolicy.yaml
new file mode 100644
index 0000000000..c437e95cdb
--- /dev/null
+++ b/bindata/network/node-identity/managed/node-identity-networkpolicy.yaml
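Review bot: The single egress rule `- {}` at the end of this hunk matches every peer and every port, so the policy grants the CNCC pod unrestricted egress; it only changes behaviour if a default-deny also exists in `{{.HostedClusterNamespace}}`, and nothing in this change adds one there, so the hosted-side pairing should be confirmed. The comment's "for now" needs a concrete follow-up so the carve-out does not become permanent; I'd extend it to `# TODO: scope to the hosted kube-apiserver, DNS and the cloud/proxy endpoints; until then this rule deliberately matches all egress.` Note that `policyTypes: [Egress]` means this policy says nothing about ingress to the pod, which is the right shape only if ingress is meant to fall through to whatever default-deny exists in that namespace.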
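Review bot: With the default-deny added to `openshift-cloud-network-config-controller` elsewhere in this change, the `- {}` egress rule here restores full egress for the CNCC pod, including lateral egress to every other pod and service in the cluster, which is broader than the apiserver/cloud-API/proxy reachability the comment describes. Since this template is rendered by the network operator, which knows the cluster and service networks, a middle ground that keeps arbitrary cloud/proxy endpoints reachable would be explicit rules for the apiserver and DNS plus an `ipBlock` with `cidr: 0.0.0.0/0` and `except:` listing the cluster and service CIDRs — worth considering before "for now" hardens into permanent. Separately, because this policy declares `Egress` only, the namespace default-deny leaves all ingress to CNCC blocked; that is fine if nothing scrapes or calls it, but confirm against the CNCC deployment before merging.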
@@ -0,0 +1,19 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: network-node-identity
+ namespace: {{.HostedClusterNamespace}}
+spec:
+ podSelector:
+ matchLabels:
+ app: network-node-identity
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Allow to webhook
+ - ports:
+ - port: {{.NetworkNodeIdentityPort}}
+ egress:
+ # Allow to apiserver
+ - {}
diff --git a/bindata/network/ovn-kubernetes/managed/networkpolicy.yaml b/bindata/network/ovn-kubernetes/managed/networkpolicy.yaml
new file mode 100644
index 0000000000..851d1569ae
--- /dev/null
+++ b/bindata/network/ovn-kubernetes/managed/networkpolicy.yaml
@@ -0,0 +1,19 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: ovn-kubernetes
+ namespace: {{.HostedClusterNamespace}}
+spec:
+ podSelector:
+ matchLabels:
+ app: ovnkube-control-plane
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Allow ingress to metrics
+ - ports:
+ - port: 9108
+ egress:
+ # Allow egress to apiserver, and to ovnkube-node's egressip-node-healthcheck-port
+ - {}
diff --git a/manifests/0000_70_cluster-network-operator_00_namespace.yaml b/manifests/0000_70_cluster-network-operator_00_namespace.yaml
index 6c07a7838b..ad83655939 100644
--- a/manifests/0000_70_cluster-network-operator_00_namespace.yaml
+++ b/manifests/0000_70_cluster-network-operator_00_namespace.yaml
@@ -15,16 +15,3 @@ metadata:
 pod-security.kubernetes.io/audit: privileged
 pod-security.kubernetes.io/warn: privileged
 openshift.io/cluster-monitoring: "true"
----
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: default-deny
- namespace: openshift-network-operator
-spec:
- podSelector: {}
- policyTypes:
- - Ingress
- - Egress
- ingress: []
- egress: []
diff --git a/manifests/0000_70_cluster-network-operator_02_networkpolicy.yaml b/manifests/0000_70_cluster-network-operator_02_networkpolicy.yaml
new file mode 100644
index 0000000000..e019c79bbd
--- /dev/null
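Review bot: The ingress rule in this hunk lists only `ports` and no `from`, so the webhook port `{{.NetworkNodeIdentityPort}}` is reachable from any pod in any namespace (and from anything routable to the pod IP), not just the kube-apiserver that actually calls the webhook; since this is the hosted control-plane namespace the apiserver pods presumably run alongside it, so a `from:` with a `podSelector` matching them would close that down — labels to be confirmed against the apiserver deployment. The egress comment `# Allow to apiserver` also misdescribes the rule below it, which is `- {}` and therefore matches all egress; reword it to `# Allow all egress (the apiserver is the known destination; not yet scoped)` so a reader does not assume the policy is tighter than it is.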
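Review bot: The ingress rule for port 9108 in this hunk has no `from`, so the metrics endpoint of `ovnkube-control-plane` is open to any peer rather than only the scraper; if the monitoring stack's namespace or pod labels are known in the hosted control plane, a `from:` with a `namespaceSelector`/`podSelector` should be added. The egress comment names two destinations but the rule is `- {}`, which matches everything; presumably no selector fits because ovnkube-node's egressip-node-healthcheck-port lives on the hosted cluster's nodes, outside this namespace, so the comment should say that rather than reading as if the rule were scoped, e.g. `# Allow all egress: the apiserver and ovnkube-node's egressip-node-healthcheck-port are outside this namespace, so no selector-based rule applies yet`.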
+++ b/manifests/0000_70_cluster-network-operator_02_networkpolicy.yaml
@@ -0,0 +1,12 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: default-deny
+ namespace: openshift-network-operator
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress: []
diff --git a/manifests/01-cncc-namespace.yaml b/manifests/01-cncc-namespace.yaml
index 7fbecc4819..3dc5f52c40 100644
--- a/manifests/01-cncc-namespace.yaml
+++ b/manifests/01-cncc-namespace.yaml
@@ -14,3 +14,16 @@ metadata:
 openshift.io/node-selector: ""
 openshift.io/description: "OpenShift cloud network config controller namespace - a controller used to manage cloud-level network configuration"
 workload.openshift.io/allowed: "management"
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: default-deny
+ namespace: openshift-cloud-network-config-controller
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress: []
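Review bot: The default-deny added at the end of this hunk blocks ingress and egress (including DNS) for every pod in `openshift-cloud-network-config-controller`, and the only allow policy for that namespace in this change is the CNCC one under `bindata/`, which is rendered by the operator rather than shipped in `manifests/`, so any other workload placed in the namespace would be silently cut off; confirm nothing else runs there. There is also an ordering dependency: this manifest is presumably applied by CVO while the CNCC allow policy is rendered by CNO, so on upgrade the deny can land before the allow exists and CNCC loses egress until CNO reconciles — likely a short window, but worth recording next to the policy, e.g. `# Pods in this namespace need an explicit allow policy; CNCC's is rendered from bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml`.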