diff --git a/components/manifests/base/kustomization.yaml b/components/manifests/base/kustomization.yaml
index 226d5d126..9b5b6a9e8 100644
--- a/components/manifests/base/kustomization.yaml
+++ b/components/manifests/base/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - platform
 - ambient-control-plane-service.yml
 - ambient-control-plane-token-svc.yaml
+- runner-networkpolicy.yaml
 
 # Default images (can be overridden by overlays)
 images:
diff --git a/components/manifests/base/runner-networkpolicy.yaml b/components/manifests/base/runner-networkpolicy.yaml
new file mode 100644
index 000000000..5ba3395a1
--- /dev/null
+++ b/components/manifests/base/runner-networkpolicy.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-runner-namespaces
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          app: ambient-code-runner