diff --git a/templates/netpol-redis.yaml b/templates/netpol-redis.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..634ccf04aba60b785ae7c904c44bfdc549b8d728
--- /dev/null
+++ b/templates/netpol-redis.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.redis.enabled }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "kops-registry.name" . }}-redis
+  labels:
+{{- include "kops-registry.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: redis
+      app.kubernetes.io/name: redis
+  ingress:
+  - fromEndpoints:
+      - matchLabels:
+          redis-client: "true"
+      - matchLabels:
+          app.kubernetes.io/instance: redis
+          app.kubernetes.io/name: redis
+      - matchLabels:
+          app.kubernetes.io/component: core
+          app.kubernetes.io/name: harbor
+      - matchLabels:
+          reserved: host
+    toPorts:
+      - ports:
+          - port: "6379"
+            protocol: TCP
+      - ports:
+          - port: "26379"
+            protocol: TCP
+  - fromEndpoints:
+      - matchLabels:
+          reserved: all
+    toPorts:
+      - ports:
+          - port: "9121"
+            protocol: TCP
+  egress:
+  - toEndpoints:
+      - matchLabels:
+          app.kubernetes.io/instance: redis
+          app.kubernetes.io/name: redis
+    toPorts:
+      - ports:
+          - port: "6379"
+            protocol: TCP
+          - port: "26379"
+            protocol: TCP
+  - toEndpoints:
+      - matchLabels:
+          app.kubernetes.io/instance: redis
+          app.kubernetes.io/name: redis
+    toPorts:
+      - ports:
+          - port: "53"
+            protocol: UDP
+{{- end }}
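Review bot: The last egress rule (port 53/UDP) selects the Redis pods themselves through `app.kubernetes.io/instance: redis` and `app.kubernetes.io/name: redis`, so it does not permit DNS lookups; because the policy defines egress rules, all other egress is denied and name resolution from Redis and Sentinel would presumably fail. If cluster DNS is the intent, the selector should name the DNS pods, e.g. `k8s:io.kubernetes.pod.namespace: kube-system` and `k8s:k8s-app: kube-dns` (confirm against the labels used in this cluster), and 53/TCP is normally allowed alongside UDP. Separately, `reserved: host` and `reserved: all` under `fromEndpoints` appear to match a label with key `reserved` rather than Cilium's reserved identities; the documented form is `fromEntities: [host]`. For the 9121 metrics port, a narrower entity such as `cluster` or a selector for the scraper would keep the exporter from being open to every source.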
diff --git a/values.yaml b/values.yaml
index ae0ca2e2b4506f2b8e8d2f5eb56ec0a38455689b..3b15ef159101ed03165bbc71a2b0af30dc70b006 100644
--- a/values.yaml
+++ b/values.yaml
@@ -271,25 +271,7 @@ redis:
     enabled: false
     sentinel: false
   networkPolicy:
-    enabled: true
-    allowExternal: false
-    allowExternalEgress: false
-    extraIngress:
-      - ports:
-        - port: 6379
-          from:
-            - podSelector:
-              - matchLabels:
-                  app.kubernetes.io/component: core
-                  app.kubernetes.io/name: harbor
-        - port: 26379
-          from:
-            - podSelector:
-              - matchLabels:
-                  app.kubernetes.io/component: core
-                  app.kubernetes.io/name: harbor
-    metrics:
-      allowExternal: true
+    enabled: false # see ./templates/netpol-redis.yaml for cilium based policy.
   persistence:
     enabled: false
   master:
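Review bot: Setting `networkPolicy.enabled: false` unconditionally removes the chart's Kubernetes NetworkPolicy even where the CiliumNetworkPolicy is not enforced or does not select the pods, because templates/netpol-redis.yaml is gated only on `.Values.redis.enabled` and assumes the Redis pods carry `app.kubernetes.io/instance: redis`. In that case ports 6379 and 26379 would be reachable from any pod, with nothing to signal the gap. I would spell the dependency out in the comment, e.g. `enabled: false  # replaced by templates/netpol-redis.yaml (CiliumNetworkPolicy); requires Cilium enforcement`, and consider guarding the template with `.Capabilities.APIVersions.Has "cilium.io/v2"` so that a non-Cilium install is handled deliberately. The enclosing `redis:` mapping starts and ends outside this hunk.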