diff --git a/templates/default-deny-network-policy.yaml b/templates/default-deny-network-policy.yaml
new file mode 100644
index 0000000..6793640
--- /dev/null
+++ b/templates/default-deny-network-policy.yaml
@@ -0,0 +1,12 @@
+{{- if eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-in-namespace-{{ .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
diff --git a/values.yaml b/values.yaml
index f90621f..123ed23 100644
--- a/values.yaml
+++ b/values.yaml
@@ -7,6 +7,15 @@ global:
 # -- The DNS entry for the cluster the chart is being rendered on with the apps. prefix
 localClusterDomain: apps.foo.cluster.com
 
+# -- Default-deny NetworkPolicy for the vault namespace
+# When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and
+# egress for pods without an explicit allow policy. Patterns that need zero-trust
+# network isolation should enable this and provide per-pod allow rules via
+# vault.server.networkPolicy.
+# @default -- false
+defaultDenyNetworkPolicy:
+ enabled: false
+
 # -- A number of settings passed down to the vault subchart
 # @default -- depends on the individual settings
 vault:
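Review bot: `podSelector: {}` with both policy types and no rules denies all traffic for every pod in the namespace, including egress to the cluster DNS service and the API server, so any component other than the Vault server (and the server itself, until `vault.server.networkPolicy` supplies matching allow rules) loses connectivity as soon as this is enabled. The values.yaml comment in the second hunk should state this explicitly, e.g. `# NOTE: blocks DNS and API-server egress too; every pod in the namespace needs its own allow policy.` It is also worth noting there that NetworkPolicy is only enforced when the cluster's CNI implements it; on other clusters the object is accepted but has no effect, which gives a false sense of isolation that a quick connectivity test after enabling would catch. A short comment above `podSelector: {}` in the template, `# empty selector = every pod in the namespace`, would make the scope obvious to anyone reading the rendered manifest.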