diff --git a/install/installer/pkg/components/image-builder-mk3/networkpolicy.go b/install/installer/pkg/components/image-builder-mk3/networkpolicy.go
index 292caea862136b..798e27ef5cc12c 100644
--- a/install/installer/pkg/components/image-builder-mk3/networkpolicy.go
+++ b/install/installer/pkg/components/image-builder-mk3/networkpolicy.go
@@ -16,38 +16,25 @@ import (
 func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.DefaultLabels(Component)
 
- return []runtime.Object{&networkingv1.NetworkPolicy{
- TypeMeta: common.TypeMetaNetworkPolicy,
- ObjectMeta: metav1.ObjectMeta{
- Name: Component,
- Namespace: ctx.Namespace,
- Labels: labels,
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: metav1.LabelSelector{MatchLabels: labels},
- PolicyTypes: []networkingv1.PolicyType{"Ingress", "Egress"},
- Ingress: []networkingv1.NetworkPolicyIngressRule{{
- From: []networkingv1.NetworkPolicyPeer{{
- PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
- "component": server.Component,
+ return []runtime.Object{
+ &networkingv1.NetworkPolicy{
+ TypeMeta: common.TypeMetaNetworkPolicy,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{MatchLabels: labels},
+ PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+ Ingress: []networkingv1.NetworkPolicyIngressRule{{
+ From: []networkingv1.NetworkPolicyPeer{{
+ PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
+ "component": server.Component,
+ }},
 }},
 }},
- }},
- Egress: []networkingv1.NetworkPolicyEgressRule{
- {
- To: []networkingv1.NetworkPolicyPeer{{
- IPBlock: &networkingv1.IPBlock{
- CIDR: "0.0.0.0/0",
- Except: []string{
- // Google Compute engine special, reserved VM metadata IP
- "169.254.169.254/32",
- },
- },
- }},
- },
- common.AllowKubeDnsEgressRule(),
- common.AllowWSManagerEgressRule(),
 },
 },
- }}, nil
+ }, nil
 }
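Review bot: Dropping `"Egress"` from `PolicyTypes` and deleting the `Egress` rules means this policy no longer restricts outbound traffic from the image-builder-mk3 pods at all, so the `Except: []string{"169.254.169.254/32"}` block on the reserved VM metadata IP disappears with it. The removed rule already allowed `0.0.0.0/0`, so that exception was its only effective restriction; unless another policy or a node-level control covers it (not visible here), these pods can now reach the metadata endpoint. If the goal was only to stop maintaining the DNS and ws-manager rules, keep `PolicyTypes: []networkingv1.PolicyType{"Ingress", "Egress"}` and the single `IPBlock` rule with the metadata exception. Otherwise add a comment above `PolicyTypes` stating that egress is intentionally unrestricted and where the metadata address is blocked instead.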
diff --git a/install/installer/pkg/components/workspace/networkpolicy.go b/install/installer/pkg/components/workspace/networkpolicy.go
index 876c78991a0540..15f36b7f79c244 100644
--- a/install/installer/pkg/components/workspace/networkpolicy.go
+++ b/install/installer/pkg/components/workspace/networkpolicy.go
@@ -101,6 +101,7 @@ func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
 },
 },
 },
+ common.AllowKubeDnsEgressRule(),
 },
 },
 }}, nil
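Review bot: The added `common.AllowKubeDnsEgressRule()` opens a new egress path for workspace pods with no comment saying why, and the helper's selector and ports are defined outside this diff. Workspace pods presumably run user-supplied code, so it is worth confirming the helper is limited to the kube-dns pods on the DNS port rather than a broader peer, since cluster DNS also lets a workspace resolve in-cluster service names. A one-line comment above the call would record the intent, something like `// workspaces resolve names through cluster DNS; keep this rule limited to kube-dns`. The enclosing networkpolicy function starts and ends outside the hunk.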