diff --git a/overrides/values-ztwim-network-policy.yaml b/overrides/values-ztwim-network-policy.yaml
new file mode 100644
index 00000000..eb831f06
--- /dev/null
+++ b/overrides/values-ztwim-network-policy.yaml
@@ -0,0 +1,103 @@
+defaultDenyNetworkPolicy:
+ enabled: true
+
+networkPolicy:
+ spireServer:
+ enabled: true
+ ingress:
+ # gRPC API — from spire-agents (hostNetwork, node IPs — port-only rule required)
+ - ports:
+ - protocol: TCP
+ port: 8081
+ # Federation bundle endpoint — from OCP router
+ - ports:
+ - protocol: TCP
+ port: 8443
+ from:
+ - namespaceSelector:
+ matchLabels:
+ policy-group.network.openshift.io/ingress: ""
+ # Controller-manager webhook — from K8s API (node IPs after DNAT — port-only rule)
+ - ports:
+ - protocol: TCP
+ port: 9443
+ # Prometheus metrics
+ - ports:
+ - protocol: TCP
+ port: 9402
+ egress:
+ # DNS resolution via CoreDNS
+ - ports:
+ - protocol: UDP
+ port: 5353
+ - protocol: TCP
+ port: 5353
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ # Kubernetes API server — k8s_psat token validation, k8sbundle notifier
+ - ports:
+ - protocol: TCP
+ port: 6443
+
+ oidcDiscoveryProvider:
+ enabled: true
+ ingress:
+ # HTTPS — from OCP router (reencrypt route for JWKS/OIDC discovery)
+ # Consumed by Vault (JWT auth) and Keycloak (SPIFFE IdP) via external route
+ - ports:
+ - protocol: TCP
+ port: 8443
+ from:
+ - namespaceSelector:
+ matchLabels:
+ policy-group.network.openshift.io/ingress: ""
+ egress:
+ # DNS resolution via CoreDNS
+ - ports:
+ - protocol: UDP
+ port: 5353
+ - protocol: TCP
+ port: 5353
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+
+ csiDriver:
+ enabled: true
+ egress:
+ # DNS resolution via CoreDNS
+ - ports:
+ - protocol: UDP
+ port: 5353
+ - protocol: TCP
+ port: 5353
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+
+ operator:
+ enabled: true
+ ingress:
+ # Metrics
+ - ports:
+ - protocol: TCP
+ port: 8443
+ egress:
+ # DNS resolution via CoreDNS
+ - ports:
+ - protocol: UDP
+ port: 5353
+ - protocol: TCP
+ port: 5353
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ # Kubernetes API server — manages SPIRE CRs, watches resources
+ - ports:
+ - protocol: TCP
+ port: 6443
diff --git a/values-hub.yaml b/values-hub.yaml
index 5d689756..bdb17089 100644
--- a/values-hub.yaml
+++ b/values-hub.yaml
@@ -470,6 +470,8 @@ clusterGroup:
 argoProject: hub
 chart: ztwim
 chartVersion: 0.1.*
+ extraValueFiles:
+ - /overrides/values-ztwim-network-policy.yaml
 annotations:
 argocd.argoproj.io/sync-wave: "30"
 overrides:
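Review bot: The port-only ingress rules for spire-server 8081, 9443 and 9402 (and operator 8443) carry no `from`, so they admit any pod in any namespace that can reach the port, which largely undoes `defaultDenyNetworkPolicy` for the server's gRPC API. The comments are right that pod/namespace selectors cannot match node-sourced traffic from hostNetwork agents or the DNATed API server, but an `ipBlock` on the cluster's machine/node CIDR can, and the metrics ports have an in-cluster peer that can be selected (in OCP the openshift-monitoring namespace is labelled `network.openshift.io/policy-group: monitoring`; confirm for the cluster's scraper). The egress rules to TCP 6443 are likewise open to any destination; if the chart's values cannot express the API-server endpoints, a comment such as `# no "to": API-server endpoint IPs are cluster-specific — scoped by port only` would make the trade-off explicit. The file header should also say why spire-agent has no policy, presumably because hostNetwork pods are not subject to NetworkPolicy, so the omission is not read as a gap.
```yaml
networkPolicy:
  spireServer:
    enabled: true
    ingress:
      # gRPC API — from spire-agents (hostNetwork: source is the node IP, so match the node CIDR)
      - ports:
          - protocol: TCP
            port: 8081
        from:
          - ipBlock:
              cidr: "<machine/node network CIDR of this cluster>"
      # … unchanged: federation bundle endpoint 8443 and webhook 9443 rules (apply the same ipBlock to 9443) …
      # Prometheus metrics — only the cluster monitoring stack should scrape this
      - ports:
          - protocol: TCP
            port: 9402
        from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: monitoring
    # … unchanged: egress rules …
```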