diff --git a/apps/k8s01/mastodon/kustomization.yaml b/apps/k8s01/mastodon/kustomization.yaml
index 8a51612ed696ba0becbc79b27796289fa62d55c6..3942762c3ab0c47c5b045fea6494bd0e6bab1484 100644
--- a/apps/k8s01/mastodon/kustomization.yaml
+++ b/apps/k8s01/mastodon/kustomization.yaml
@@ -6,5 +6,11 @@ resources:
   - certificate.yaml
   - mastodon-values.yaml
   - slo.yaml
+  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+  - ../../../shared/networkpolicies/allow-to-same-namespace.yaml
+  - ../../../shared/networkpolicies/allow-to-public-web.yaml
+  - ../../../shared/networkpolicies/allow-to-kubedns.yaml
 patchesStrategicMerge:
   - database-override.yaml
+  - networkpolicy.yaml
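Review bot: The new `allow-to-kubedns.yaml` resource entry overlaps with the kube-dns egress rule that `allow-to-same-namespace.yaml` (added later in this commit) carries as its second `to:` block, so DNS egress to kube-system would be granted by two shared policies; allow-to-kubedns.yaml itself is not in the diff, so this is inferred from its name — if it does allow 53/UDP and 53/TCP to kube-dns, remove that rule from allow-to-same-namespace so each shared policy has one purpose. The `networkpolicy.yaml` patch entry gives no hint which shared resource it rewrites; a comment above it such as `# narrows the shared allow-to-public-web podSelector to mastodon pods` would record the intent. `patchesStrategicMerge` is deprecated in current kustomize in favour of `patches:` entries with `path:`; it is pre-existing here, but worth migrating while this list is being touched.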
diff --git a/apps/k8s01/mastodon/networkpolicy.yaml b/apps/k8s01/mastodon/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a76579f1e147b3184b55f57942614769ff31a7e3
--- /dev/null
+++ b/apps/k8s01/mastodon/networkpolicy.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mastodon
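Review bot: The patch limits `allow-to-public-web` to pods labelled `app.kubernetes.io/name: mastodon`; because `deny-by-default-egress.yaml` is now applied to the whole namespace, any Mastodon component pod (sidekiq, streaming) that carries a different `name` label would silently lose outbound web access — the chart's labels are not visible here, so confirm the selector against the rendered pods. The patch sets no `policyTypes`; that is fine only if the shared base declares `policyTypes: [Egress]`, since a policy with egress rules and no explicit types defaults to Ingress plus Egress and would then also deny ingress to the selected pods. A header comment `# strategic-merge patch: restricts shared allow-to-public-web to Mastodon pods only` would document why this file is a partial policy rather than a complete one.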
diff --git a/shared/networkpolicies/allow-to-same-namespace.yaml b/shared/networkpolicies/allow-to-same-namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..94b30d961bb5a9b1bea8a94c36d6bcd040a446d3
--- /dev/null
+++ b/shared/networkpolicies/allow-to-same-namespace.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-same-namespace
+spec:
+  podSelector: {}
+  egress:
+    - to:
+      - podSelector: {}
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
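Review bot: The policy has `egress` rules but no `policyTypes`, and Kubernetes defaults an unspecified `policyTypes` to Ingress plus Egress when egress rules are present; combined with `podSelector: {}` and no `ingress` section, this "allow" policy is also an ingress deny for every pod in the namespace, which the name does not convey and which duplicates deny-by-default-ingress. Add `policyTypes:` followed by `  - Egress` directly under `podSelector: {}` so the policy only grants what its name says. The two `to:` sequences use different block-sequence indentation (the `- podSelector: {}` entry sits flush with `to:`, the kube-dns entry is indented beneath it); both parse, but pick one form for the file so yamllint's indent-sequences check passes.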