diff --git a/overrides/values-vault-network-policy.yaml b/overrides/values-vault-network-policy.yaml
new file mode 100644
index 00000000..ddd9aeba
--- /dev/null
+++ b/overrides/values-vault-network-policy.yaml
@@ -0,0 +1,72 @@
+defaultDenyNetworkPolicy:
+ enabled: true
+
+vault:
+ server:
+ networkPolicy:
+ enabled: true
+ ingress:
+ # OCP router — vault Route (reencrypt TLS, UI and API)
+ # Router pods use hostNetwork:true — requires OVN-K policy-group label
+ - ports:
+ - protocol: TCP
+ port: 8200
+ from:
+ - namespaceSelector:
+ matchLabels:
+ policy-group.network.openshift.io/ingress: ""
+ # qtodo namespace — spiffe-vault-client sidecar authenticates via SPIFFE JWT
+ - ports:
+ - protocol: TCP
+ port: 8200
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: qtodo
+ # Vault cluster replication port — HA readiness
+ - ports:
+ - protocol: TCP
+ port: 8201
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: vault
+ component: server
+ egress:
+ # DNS resolution via CoreDNS — OCP uses port 5353
+ - ports:
+ - protocol: UDP
+ port: 5353
+ - protocol: TCP
+ port: 5353
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ # SPIRE OIDC discovery provider — Vault JWT auth fetches JWKS
+ # Service port 443 -> pod port 8443, both included for OVN-K DNAT
+ - ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 8443
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: zero-trust-workload-identity-manager
+ # Vault cluster replication — outbound to peer Vault pods (HA readiness)
+ - ports:
+ - protocol: TCP
+ port: 8201
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: vault
+ component: server
+ # Kubernetes API server — TokenReview for ESO service account validation
+ # ClusterIP service is 172.x:443, DNAT to node IPs on 6443
+ - ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 6443
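Review bot: The last egress rule in the hunk (the `# Kubernetes API server` entry ending at `port: 6443`) carries `ports` but no `to:` selector, so it allows the Vault pod to reach any address on TCP 443 and 6443 — effectively unrestricted outbound HTTPS — rather than only the API server. The comment hints at why (the apiserver is reached via a ClusterIP that is DNAT'ed to node IPs, which pod/namespace selectors cannot match), but the rule should then be bounded with `ipBlock` entries for the service network and the node/machine network, or, if the breadth is deliberate, the comment should say so, e.g. `# no 'to' selector: apiserver is reached via node IPs, intentionally any-destination on 443/6443`. The qtodo ingress rule deserves the same look: it admits every pod in that namespace on 8200, not only the spiffe-vault-client sidecar the comment names, so adding a `podSelector` next to the `namespaceSelector` would narrow it.

```yaml
# … unchanged: ingress rules, DNS / SPIRE / replication egress rules …
# Kubernetes API server — TokenReview for ESO service account validation
# ClusterIP service is 172.x:443, DNAT to node IPs on 6443
- ports:
    - protocol: TCP
      port: 443
    - protocol: TCP
      port: 6443
  to:
    - ipBlock:
        cidr: <API_SERVICE_CIDR>      # placeholder: the cluster's service network CIDR
    - ipBlock:
        cidr: <MACHINE_NETWORK_CIDR>  # placeholder: node network hosting the apiserver
```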
diff --git a/values-hub.yaml b/values-hub.yaml
index dae08bf8..a356f03d 100644
--- a/values-hub.yaml
+++ b/values-hub.yaml
@@ -320,6 +320,8 @@ clusterGroup:
 project: hub
 chart: hashicorp-vault
 chartVersion: 0.1.*
+ extraValueFiles:
+ - /overrides/values-vault-network-policy.yaml
 annotations:
 argocd.argoproj.io/sync-wave: "25"
 # Custom Vault policies for least-privilege access