diff --git a/infrastructure/loki/loki.yaml b/infrastructure/loki/loki.yaml
index 504e124bd8805c3f19a6c6477712483fb5e95518..7e5523ebc00760bdccb808f2e24b4108ee887ba6 100644
--- a/infrastructure/loki/loki.yaml
+++ b/infrastructure/loki/loki.yaml
@@ -62,28 +62,7 @@ data:
         grafanaAgent:
           installOperator: false
     networkPolicy:
-      enabled: true
-      metrics:
-        namespaceSelector:
-          matchLabels:
-            monitoring.shivering-isles.com/network-access-required: "true"
-        podSelector:
-          matchLabels:
-            app.kubernetes.io/name: prometheus
-      ingress:
-        namespaceSelector:
-            matchLabels:
-              ingress.shivering-isles.com/network-access-required: "true"
-      alertmanager:
-        namespaceSelector:
-          matchLabels:
-            monitoring.shivering-isles.com/network-access-required: "true"
-        podSelector:
-          matchLabels:
-            app.kubernetes.io/name: alertmanager
-      externalStorage:
-        ports:
-          - 9000
+      enabled: false
     minio:
       enabled: true
       mode: standalone
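Review bot: Setting `networkPolicy.enabled: false` drops every policy the chart rendered, but the hand-written replacements later in this file all declare only `policyTypes: Ingress`, and the egress policy `allow-from-job` is removed as well. Any egress restriction the chart policies placed on the Loki pods would therefore be gone, unless a default-deny egress policy exists outside this diff; that is worth confirming. The same switch is made in promtail.yaml. A short comment next to the flag would record the intent, for example `# chart policies disabled; ingress policies are maintained by hand in this file, egress is not restricted here`.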
@@ -118,15 +97,60 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-from-job
+  name: allow-ingress-to-loki
 spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          ingress.shivering-isles.com/network-access-required: "true"
+    ports:
+    - port: http
+      protocol: TCP
+  podSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/component
+      operator: In
+      values:
+      - gateway
+    matchLabels:
+      app.kubernetes.io/instance: loki
+      app.kubernetes.io/name: loki
   policyTypes:
-  - Egress
-  egress:
-  - {}
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-loki-metrics
+  namespace: loki-system
+spec:
+  ingress:
+  - ports:
+    - port: http-metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki
+      app.kubernetes.io/name: loki
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-loki-minio
+  namespace: loki-system
+spec:
+  ingress:
+  - ports:
+    - port: 9000
+      protocol: TCP
   podSelector:
     matchLabels:
-      app: minio-job
+      release: loki
+  policyTypes:
+  - Ingress
 ---
 apiVersion: v1
 kind: ConfigMap
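Review bot: `allow-loki-metrics` and `allow-loki-minio` list `ports` without a `from` clause, so they admit traffic from every pod in every namespace, whereas the removed chart values limited metrics access to `app.kubernetes.io/name: prometheus` pods in namespaces labelled `monitoring.shivering-isles.com/network-access-required: "true"`. In the upstream Loki chart the `http-metrics` port usually also serves the push and query API, so this may expose more than metrics; please confirm against the rendered pods. I would restore the selectors on the metrics rule and limit port 9000 to the Loki pods that use MinIO; if Loki components reach each other on `http-metrics`, a second `from` entry with `podSelector: {}` keeps same-namespace traffic allowed. The same missing `from` applies to `allow-from-monitoring-promtail` in promtail.yaml. The `release: loki` selector is also broad, and since the MinIO pod labels are not visible in this hunk, check that it matches only the MinIO pods.

```yaml
# allow-loki-metrics
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          monitoring.shivering-isles.com/network-access-required: "true"
      podSelector:
        matchLabels:
          app.kubernetes.io/name: prometheus
    # … unchanged: ports (http-metrics/TCP) …
  # … unchanged: podSelector, policyTypes …

# allow-loki-minio
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/instance: loki
          app.kubernetes.io/name: loki
    # … unchanged: ports (9000/TCP) …
  # … unchanged: podSelector, policyTypes …
```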
diff --git a/infrastructure/loki/promtail.yaml b/infrastructure/loki/promtail.yaml
index dab6957a09720873577ba5cca667dc2fdab985ab..3e92aba12860d49f7702d9add732de5e2d35a45f 100644
--- a/infrastructure/loki/promtail.yaml
+++ b/infrastructure/loki/promtail.yaml
@@ -41,14 +41,7 @@ data:
     serviceMonitor:
       enabled: true
     networkPolicy:
-      enabled: true
-      metrics:
-        namespaceSelector:
-          matchLabels:
-            monitoring.shivering-isles.com/network-access-required: "true"
-        podSelector:
-          matchLabels:
-            app.kubernetes.io/name: prometheus
+      enabled: false
     # Required for journald collection
     containerSecurityContext:
       privileged: true
@@ -95,3 +88,18 @@ data:
       - name: machine-id
         mountPath: /etc/machine-id
         readOnly: true
+---
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-monitoring-promtail
+spec:
+  ingress:
+  - ports:
+    - port: http-metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: promtail
+      app.kubernetes.io/name: promtail
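Review bot: The added block opens with two consecutive `---` lines, which creates an empty YAML document between them; one separator is enough. Unlike `allow-loki-metrics` and `allow-loki-minio` in loki.yaml, this policy sets neither `metadata.namespace` nor `policyTypes`. The API defaults the type to Ingress when only `ingress` rules are present, but writing `policyTypes:` with `- Ingress` explicitly keeps the policies uniform and the intent obvious. The name `allow-from-monitoring-promtail` also promises a source restriction that the rule does not contain, so either add the `from` selector or rename the policy to match what it actually allows.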