diff --git a/infrastructure/monitoring/calico-networkpolicy.yaml b/infrastructure/monitoring/calico-networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..82fac54b69afe96b2b5460555ac3108bee8cbb52
--- /dev/null
+++ b/infrastructure/monitoring/calico-networkpolicy.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: allow-controlplane
+  namespace: monitoring-system
+spec:
+  selector: app.kubernetes.io/instance == 'kube-prometheus-stack'
+  ingress:
+  - action: Allow
+    protocol: TCP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane)
+      namespaceSelector: global()
+    destination:
+      ports:
+      - 10250
\ No newline at end of file
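Review bot: The `spec.selector` matches every pod labelled `app.kubernetes.io/instance == 'kube-prometheus-stack'`, so TCP 10250 is opened from control-plane hosts to all workloads of the release rather than only to the one that listens there (presumably the operator's admission webhook, which is worth confirming). Narrow it with a second label term, e.g. `selector: app.kubernetes.io/instance == 'kube-prometheus-stack' && <component-label> == '<operator-value>'`, where both placeholders are taken from the deployed pod. The source rule pairs `has(node-role.kubernetes.io/control-plane)` with `namespaceSelector: global()`, which in Calico limits the match to non-namespaced endpoints such as HostEndpoints, so the rule only takes effect if host endpoints carrying the node labels exist (for example automatic host endpoints). A comment above the rule such as `# API server -> webhook on 10250; requires Calico HostEndpoints on control-plane nodes` would record that dependency. The file also ends without a trailing newline, which yamllint will flag.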
diff --git a/infrastructure/monitoring/kustomization.yaml b/infrastructure/monitoring/kustomization.yaml
index 7304bc07dc4dc83b0163a75dc62bbfa83a5f5d4e..23a6e8c3bc3040bac594754a319bd3147817bef8 100644
--- a/infrastructure/monitoring/kustomization.yaml
+++ b/infrastructure/monitoring/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
   - json-exporter-monitor.yaml
   - ../../shared/networkpolicies/allow-from-same-namespace.yaml
   - ../../shared/networkpolicies/allow-from-ingress.yaml
+  - calico-networkpolicy.yaml
 patchesStrategicMerge:
   - networkpolicy.yaml
 configMapGenerator: