diff --git a/assets/templates/diskmaker-discovery-daemonset.yaml b/assets/templates/diskmaker-discovery-daemonset.yaml
index 387c7d61e..1b993f389 100644
--- a/assets/templates/diskmaker-discovery-daemonset.yaml
+++ b/assets/templates/diskmaker-discovery-daemonset.yaml
@@ -15,6 +15,9 @@ spec:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: diskmaker-discovery
+ openshift.storage.network-policy.dns: allow
+ openshift.storage.network-policy.api-server: allow
+ openshift.storage.network-policy.diskmaker-metrics: allow
 spec:
 containers:
 - args:
diff --git a/assets/templates/diskmaker-manager-daemonset.yaml b/assets/templates/diskmaker-manager-daemonset.yaml
index ac5613d1c..cd9e792bd 100644
--- a/assets/templates/diskmaker-manager-daemonset.yaml
+++ b/assets/templates/diskmaker-manager-daemonset.yaml
@@ -15,6 +15,9 @@ spec:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: diskmaker-manager
+ openshift.storage.network-policy.dns: allow
+ openshift.storage.network-policy.api-server: allow
+ openshift.storage.network-policy.diskmaker-metrics: allow
 spec:
 containers:
 - args:
diff --git a/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml b/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml
index 09e74544e..e541a8daf 100644
--- a/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml
+++ b/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml
@@ -433,6 +433,9 @@ spec:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 name: local-storage-operator
+ openshift.storage.network-policy.dns: allow
+ openshift.storage.network-policy.api-server: allow
+ openshift.storage.network-policy.operator-metrics: allow
 spec:
 serviceAccountName: local-storage-operator
 priorityClassName: openshift-user-critical
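Review bot: The three opt-in labels added to the pod template are the only thing that keeps these pods reachable once the namespace-wide default-deny policy in the same change is installed, yet nothing at the label site says so; the same applies to the hunk in diskmaker-manager-daemonset.yaml and to the operator deployment hunk in the CSV. A one-line comment above the first added label would save the next maintainer from dropping or renaming one, e.g. `# opt-in selectors for the NetworkPolicies under config/manifests/stable/network-policy-*.yaml; removing one cuts this pod off`. If either diskmaker daemonset runs with hostNetwork, these labels would have no effect on it under OVN-Kubernetes, but the rest of the pod spec is outside the hunk so that cannot be confirmed here.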
diff --git a/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml b/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml
new file mode 100644
index 000000000..86f4830ec
--- /dev/null
+++ b/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress-to-api-server
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.api-server: allow
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443
+ policyTypes:
+ - Egress
diff --git a/config/manifests/stable/network-policy-allow-egress-to-dns.yaml b/config/manifests/stable/network-policy-allow-egress-to-dns.yaml
new file mode 100644
index 000000000..69f9ca02a
--- /dev/null
+++ b/config/manifests/stable/network-policy-allow-egress-to-dns.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress-to-dns
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.dns: allow
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ podSelector:
+ matchLabels:
+ dns.operator.openshift.io/daemonset-dns: default
+ ports:
+ - protocol: TCP
+ port: dns-tcp
+ - protocol: UDP
+ port: dns
+ policyTypes:
+ - Egress
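Review bot: The `egress:` rule in network-policy-allow-egress-to-api-server.yaml carries a port but no `to:` peer, so the selected pods may open TCP/6443 to any address, which is wider than the policy name states. If that is deliberate because the API server endpoints cannot be expressed with a pod or namespace selector, the file should say so rather than leave the reader to guess, e.g. a comment above `egress:` reading `# no 'to:' peer: the API server endpoints are not selectable by pod/namespace labels; the port alone bounds this rule`. The policy is also annotated for hypershift, where the API server is reached through a different path; it is worth confirming that the endpoint port the CNI evaluates after service translation is still 6443 there, since under default-deny a mismatch leaves these pods without API access.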
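Review bot: In network-policy-allow-egress-to-dns.yaml the named ports `dns-tcp` and `dns` resolve against the containerPort names of the selected openshift-dns pods, so if those names ever change the rule silently matches nothing and every opted-in pod loses name resolution with no error from the API server. A comment above `ports:` recording where the names come from and that a rename there must be mirrored here would make that dependency visible, e.g. `# named ports: must match the containerPort names of the openshift-dns pods selected above`. Whether the DNS pods actually expose ports under exactly these names is not visible in this diff and should be checked against that daemonset.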
diff --git a/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml b/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml
new file mode 100644
index 000000000..5d260e330
--- /dev/null
+++ b/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-to-diskmaker-metrics
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.diskmaker-metrics: allow
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8383
+ - protocol: TCP
+ port: 9393
+ policyTypes:
+ - Ingress
diff --git a/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml b/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml
new file mode 100644
index 000000000..914e17e11
--- /dev/null
+++ b/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-to-operator-metrics
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.operator-metrics: allow
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8080
+ - protocol: TCP
+ port: 8081
+ policyTypes:
+ - Ingress
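Review bot: The `ingress:` rule in network-policy-allow-ingress-to-diskmaker-metrics.yaml has no `from:` peer, so TCP/8383 and TCP/9393 are reachable from every pod in the cluster and, depending on the CNI, from outside it; the same holds for 8080 and 8081 in network-policy-allow-ingress-to-operator-metrics.yaml. If the only intended client is cluster monitoring, a peer of `from:` / `- namespaceSelector:` / `matchLabels: {kubernetes.io/metadata.name: openshift-monitoring}` above `ports:` would match the stated intent and keep the default-deny meaningful for these ports. Which of the two ports in each file serves metrics and which serves something else is not visible in the hunk; a one-line comment per port (for example `# metrics (scraped by cluster monitoring)`) would document why both need to be open.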
diff --git a/config/manifests/stable/network-policy-default-deny-all.yaml b/config/manifests/stable/network-policy-default-deny-all.yaml
new file mode 100644
index 000000000..27c519940
--- /dev/null
+++ b/config/manifests/stable/network-policy-default-deny-all.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
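Review bot: `podSelector: {}` with both policy types isolates every pod in the namespace, including any pod that does not carry one of the `openshift.storage.network-policy.*` opt-in labels added elsewhere in this change, and the file gives no hint that the labels are the only way back in. A comment above `spec:` should state the contract, e.g. `# namespace-wide isolation: every workload here must opt in to the allow-* policies via the openshift.storage.network-policy.* labels`. The manifest also omits `metadata.namespace`, so it relies on whatever installs it (presumably the operator bundle) to place it in the operator's namespace; if it were ever applied by hand elsewhere it would isolate that namespace instead, which is worth a sentence in the same comment.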