diff --git a/data/kube-secondary-dns/secondarydns.yaml b/data/kube-secondary-dns/secondarydns.yaml
index 9acd09496..607ffa942 100644
--- a/data/kube-secondary-dns/secondarydns.yaml
+++ b/data/kube-secondary-dns/secondarydns.yaml
@@ -186,3 +186,19 @@ spec:
 nodeSelector: {{ toYaml .Placement.NodeSelector | nindent 8 }}
 affinity: {{ toYaml .Placement.Affinity | nindent 8 }}
 tolerations: {{ toYaml .Placement.Tolerations | nindent 8 }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-to-secondary-dns
+ namespace: '{{ .Namespace }}'
+spec:
+ podSelector:
+ matchLabels:
+ k8s-app: secondary-dns
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: UDP
+ port: dns
diff --git a/hack/components/bump-kube-secondary-dns.sh b/hack/components/bump-kube-secondary-dns.sh
index a901da93e..bf0142481 100755
--- a/hack/components/bump-kube-secondary-dns.sh
+++ b/hack/components/bump-kube-secondary-dns.sh
@@ -41,6 +41,9 @@ function __parametize_by_object() {
 yaml-utils::update_param ${f} metadata.namespace '{{ .Namespace }}'
 yaml-utils::remove_single_quotes_from_yaml ${f}
 ;;
+ ./NetworkPolicy_allow-ingress-to-secondary-dns.yaml)
+ yaml-utils::update_param ${f} metadata.namespace '{{ .Namespace }}'
+ ;;
 esac
 done
 }
@@ -79,7 +82,9 @@ echo 'Adjust kube-secondary-dns to CNAO'
 ClusterRole_secondary.yaml \
 ClusterRoleBinding_secondary.yaml \
 ServiceAccount_secondary.yaml \
- Deployment_secondary-dns.yaml > secondarydns.yaml
+ Deployment_secondary-dns.yaml \
+ NetworkPolicy_allow-ingress-to-secondary-dns.yaml \
+ > secondarydns.yaml
 )
 echo 'copy manifests'
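Review bot: In `data/kube-secondary-dns/secondarydns.yaml`, the new `allow-ingress-to-secondary-dns` policy has an `ingress` rule with no `from`, so any source that can route to the pods is admitted on the `dns` port, and because the policy selects `k8s-app: secondary-dns` for `Ingress`, every other port and protocol on those pods is dropped unless another policy admits it. If that is the intent, state it in the manifest, e.g. `# no 'from': DNS clients are external; only UDP on the container port named 'dns' is open`. Two things should be confirmed against the Deployment, whose ports are outside this hunk: that a container port is actually named `dns` (a named port that matches nothing admits nothing), and whether the server also listens on TCP, in which case DNS retries over TCP would be blocked unless a `protocol: TCP` entry is added. The file appears to be produced by `hack/components/bump-kube-secondary-dns.sh`, so a change presumably belongs in the upstream manifest.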
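Review bot: In `hack/components/bump-kube-secondary-dns.sh`, the new `./NetworkPolicy_allow-ingress-to-secondary-dns.yaml)` arm sets the namespace but, unlike the arm just above it, does not call `yaml-utils::remove_single_quotes_from_yaml`, which is presumably why the generated manifest keeps `namespace: '{{ .Namespace }}'` quoted. Quoting a templated scalar is valid and arguably the safer form, but the difference reads like an omission; a comment such as `# quotes kept on purpose: namespace is the only templated field in this manifest` would settle it. `${f}` is unquoted here as in the neighbouring arms, and `"${f}"` would be the more robust spelling. The function `__parametize_by_object` starts outside the hunk.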