diff --git a/apps/k8s01/iot/kustomization.yaml b/apps/k8s01/iot/kustomization.yaml
index c9f20ea9a546295f9a1eb727dd7f474ebcd3cdc0..91333f526f590165bd2887ff664c5f7574d8682b 100644
--- a/apps/k8s01/iot/kustomization.yaml
+++ b/apps/k8s01/iot/kustomization.yaml
@@ -12,3 +12,4 @@ resources:
 
 components:
  - ../../../shared/components/oauth2-proxy
+ - ../../../shared/components/ingress-local-only
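Review bot: Nothing in this diff shows where the `auth-url`, `auth-signin` and `auth-response-headers` annotations deleted from rainer.yaml and shelly.yaml now come from; the `ingress-local-only` component added on this line only supplies `whitelist-source-range` and the forecastle flag. Presumably the already-listed `oauth2-proxy` component injects them, but its patch is outside this change, so compare the rendered output of this kustomization before and after the commit and confirm every Ingress still carries both the auth and the allowlist annotations. A short comment above the new entry would record the contract, e.g. `# adds the private-range allowlist to every Ingress unless it sets ingress-local-only.kustomize.si-infra.de/exclude-ingress: "true"`. The hunk starts at line 12 of the file, so the resources list is not visible here.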
diff --git a/apps/k8s01/iot/rainer.yaml b/apps/k8s01/iot/rainer.yaml
index 0def1e859718959f8b1efd039bd53950b3319ba5..576f6e4a05721dda2d91198e7d309bcc4714cc31 100644
--- a/apps/k8s01/iot/rainer.yaml
+++ b/apps/k8s01/iot/rainer.yaml
@@ -73,11 +73,6 @@ metadata:
         forecastle.stakater.com/appName: Rainer
         forecastle.stakater.com/icon: https://raw.githubusercontent.com/Hypfer/Valetudo/master/assets/logo/valetudo_logo_small.svg
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:jKiHDoG05AspEOjtaHqDMJSR7JJWWxtIdg==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:u3D0MZQR/yVynTH1cu4KwQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:3G7+SR2q+HdMPliQoNGpSh58WMyV59+S1L/mP8qdF80=,iv:zH6hLjLhtaCL95lxSSGJVMr+QyDHEhvb1FlBU/lbRys=,tag:svh+JpKtlULUll8uvvxCtg==,type:str]
diff --git a/apps/k8s01/iot/shelly-ht-monitor.yaml b/apps/k8s01/iot/shelly-ht-monitor.yaml
index 6b42ae5425950effdf18c9a152ba9aead6adc56d..5ca770ff3bf35b27e70ab34e13e569d310c65779 100644
--- a/apps/k8s01/iot/shelly-ht-monitor.yaml
+++ b/apps/k8s01/iot/shelly-ht-monitor.yaml
@@ -67,6 +67,8 @@ metadata:
     labels:
         app.kubernetes.io/name: shelly-ht-monitor
     annotations:
+        oauth2-proxy.kustomize.si-infra.de/exclude-ingress: "true"
+        ingress-local-only.kustomize.si-infra.de/exclude-ingress: "true"
         nginx.ingress.kubernetes.io/ssl-redirect: "false"
         nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.30.0/24,192.168.100.0/25
 spec:
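Review bot: With both opt-out annotations set, this Ingress is left with the narrower `whitelist-source-range` on the context line below as its only access control, and `ssl-redirect: "false"` means requests may arrive over plain HTTP. If that is deliberate (presumably the sensors cannot follow an OAuth redirect), say so next to the two new lines, e.g. `# excluded from oauth2-proxy and ingress-local-only: devices cannot do OAuth; access is limited to the device subnets below`. Source-range filtering is only as good as the client address the ingress controller sees, so confirm the controller receives the original source IP rather than a load-balancer or node address. The metadata block begins above the hunk.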
diff --git a/apps/k8s01/iot/shelly.yaml b/apps/k8s01/iot/shelly.yaml
index ee143c767f570f1056816a73a525a561b8a88933..ad7c2d1f543cdd6116641935bef12d197644cf25 100644
--- a/apps/k8s01/iot/shelly.yaml
+++ b/apps/k8s01/iot/shelly.yaml
@@ -72,11 +72,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly01
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:WLRfTaemCevolULjn9I4egrdYXWoIkax7CRYNBUqfL4=,iv:b1ieQDnKhv/f7vh2VCfE6QeBcUOvN9Muejbfx0fKdL4=,tag:Hb+Tvi29/eL/KsLMUX7FEg==,type:str]
@@ -220,11 +215,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly02
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:UsrvSRvxxOh916pFlCvXu+c1vf3+7uWn/neX7koz7cA=,iv:LwYhAqCc/lTnzyuf0eWK6DGDM+VDpGkHQ8KQJtyylms=,tag:A7uXbSok1RY3wSQrRO8Pjg==,type:str]
@@ -368,11 +358,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly03
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:p/xRNccIALlca8OhT5v0zuGBfmy+756nIe+i45gMt4k=,iv:YGfsPpwpUg09kWGqcumP3A+fXGp8agzJ1QvqHihD1o0=,tag:NRNVo+A1AIrW7bkPT44xPA==,type:str]
@@ -516,11 +501,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly04
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:Sn0wxRvKQ9cr5nyCEyBg5oDuh6CmZuuWqY4SVfchilg=,iv:GbPWSO79oy9zDqCE4HkAVvz9Ka2bU/Kobi2GkQmIBlE=,tag:U8JMFrqoU3dXwbNQCLO4pw==,type:str]
@@ -664,11 +644,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Humidity & Temprature 01
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:dys6Cxmfwb0PVxULV3qUKlsISkcJ6VKh8ea86A==,iv:KywdcfWqytxLZ+YiudSilQbmVXyw0RtwTxh1Y72ePPQ=,tag:aU8iKSzG5CJhVGS0iNEQuw==,type:str]
@@ -812,11 +787,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Humidity & Temprature 02
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:AFaV2uMokW2I/uqaYlz5VWGEIByXuOMZHxLvJw==,iv:RKMMco7G0yWYQ1DJTljRbCix1bIqPi/MhwOA1K79lIA=,tag:WJaAj26+fn7gY6dAVa5pqQ==,type:str]
diff --git a/shared/components/ingress-local-only/ingress.yaml b/shared/components/ingress-local-only/ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..239a15fbcbbf4de1a68d341c77f6432573a4f0e1
--- /dev/null
+++ b/shared/components/ingress-local-only/ingress.yaml
@@ -0,0 +1,6 @@
+- op: add
+  path: /metadata/annotations/nginx.ingress.kubernetes.io~1whitelist-source-range
+  value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
+- op: add
+  path: /metadata/annotations/forecastle.stakater.com~1network-restricted
+  value: "true"
\ No newline at end of file
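Review bot: The first `op: add` overwrites the annotation when it already exists (JSON Patch `add` on an existing member replaces its value), so an Ingress that has a narrower `whitelist-source-range` and is not opted out is silently widened to all the private ranges listed here. shelly-ht-monitor.yaml avoids this only because the same commit adds the exclude annotation to it. A comment at the top of the file would make that visible: `# Overwrites any existing whitelist-source-range; Ingresses with a narrower list must set ingress-local-only.kustomize.si-infra.de/exclude-ingress: "true"`. Both operations also need `/metadata/annotations` to exist, so an Ingress with no annotations at all is likely to fail the build rather than be patched, which is worth a line in the same comment.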
diff --git a/shared/components/ingress-local-only/kustomization.yaml b/shared/components/ingress-local-only/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ecafbbc77c34a4e1cca7e416ccee3897347eacae
--- /dev/null
+++ b/shared/components/ingress-local-only/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  - path: ingress.yaml
+    target:
+      group: networking.k8s.io
+      version: v1
+      kind: Ingress
+      annotationSelector: "ingress-local-only.kustomize.si-infra.de/exclude-ingress!=true"
\ No newline at end of file
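Review bot: The `target` has no name, namespace or label selector, so this component patches every `networking.k8s.io/v1` Ingress of any kustomization that lists it, and `!=true` also matches Ingresses that lack the annotation or spell the value differently (`"True"`, `"yes"`). That default is fail-closed for the allowlist, but a mistyped opt-out is ignored without any signal. A header comment would state the contract, for example `# Applies the private-range allowlist to all Ingresses; opt out with ingress-local-only.kustomize.si-infra.de/exclude-ingress: "true" (exact string)`. The file also lacks a trailing newline.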