diff --git a/infrastructure/metallb/kustomization.yaml b/infrastructure/metallb/kustomization.yaml
index 224a24515b08ca399f464a83c155c04b50e38dd6..58fd710f5c5fd422c34e176cdd4da699865e72cd 100644
--- a/infrastructure/metallb/kustomization.yaml
+++ b/infrastructure/metallb/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
   - release.yaml
   - ../../shared/networkpolicies/allow-from-same-namespace.yaml
   - ../../shared/networkpolicies/allow-from-monitoring.yaml
+  - ../../shared/networkpolicies/allow-from-kube-system.yaml
 patchesStrategicMerge:
   - networkpolicy.yaml
 configMapGenerator:
diff --git a/infrastructure/metallb/networkpolicy.yaml b/infrastructure/metallb/networkpolicy.yaml
index 11f859b7faba56a738fbb971c9c6fb4fc6955e26..3344f55a2de525e3291db492580541b8448b3c43 100644
--- a/infrastructure/metallb/networkpolicy.yaml
+++ b/infrastructure/metallb/networkpolicy.yaml
@@ -8,3 +8,14 @@ spec:
     matchLabels:
       app.kubernetes.io/instance: metallb
       app.kubernetes.io/name: metallb
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-kube-system
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: metallb
+      app.kubernetes.io/name: metallb
+      app.kubernetes.io/component: controller
diff --git a/shared/networkpolicies/allow-from-kube-system.yaml b/shared/networkpolicies/allow-from-kube-system.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..476ceaee0c97e7b96b78196c3f9a8274bb59ca6c
--- /dev/null
+++ b/shared/networkpolicies/allow-from-kube-system.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-kube-system
+spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+  - from:
+    - ipBlock:
+        cidr: 192.168.100.0/24 # Kubernetes hosts
+    - ipBlock:
+        cidr: 10.96.0.1/32 # KubeAPI