diff --git a/apps/forgejo/network-policy.yaml b/apps/forgejo/network-policy.yaml
index dbc79f0..a64962b 100644
--- a/apps/forgejo/network-policy.yaml
+++ b/apps/forgejo/network-policy.yaml
@@ -1,18 +1,4 @@
 # ----------------------------------------------------
-# Default deny (namespace baseline)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: default-deny
- namespace: forgejo
-spec:
- endpointSelector: {}
- ingress: []
- egress: []
-
----
-# ----------------------------------------------------
 # Ingress only from Gateway API
 # ----------------------------------------------------
 apiVersion: cilium.io/v2
@@ -32,33 +18,6 @@ spec:
 - ports:
 - port: "3000"
 protocol: TCP
-
----
-# ----------------------------------------------------
-# DNS (cluster DNS only)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-dns
- namespace: forgejo
-spec:
- endpointSelector:
- matchLabels:
- app: forgejo
- egress:
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: ANY
- rules:
- dns:
- - matchPattern: "*"
-
 # ---
 # # ----------------------------------------------------
 # # CI runner access (in-cluster service)
diff --git a/apps/navidrome/network-policy.yaml b/apps/navidrome/network-policy.yaml
index 12d359f..fe75eba 100644
--- a/apps/navidrome/network-policy.yaml
+++ b/apps/navidrome/network-policy.yaml
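Review bot: With `default-deny` and `allow-dns` removed, nothing left in the visible hunks of `apps/forgejo/network-policy.yaml` applies an egress rule to the `app: forgejo` pods, and under Cilium's default enforcement mode an endpoint that no egress rule selects is allowed all egress. The namespace-wide `endpointSelector: {}` baseline is gone as well, so any pod in `forgejo` that the remaining Gateway API ingress policy does not select is no longer covered by a policy from this file. If the baseline and the DNS rule now come from a cluster-wide policy that this diff does not show, record that at the top of the file, e.g. `# Default-deny and DNS egress: see <cluster-wide policy name>`; otherwise the two policies should stay. The first hunk of `apps/navidrome/network-policy.yaml` removes the same baseline and the same point applies there.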
@@ -1,18 +1,4 @@
 # ----------------------------------------------------
-# Default deny (namespace baseline)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: default-deny
- namespace: navidrome
-spec:
- endpointSelector: {}
- ingress: []
- egress: []
-
----
-# ----------------------------------------------------
 # Ingress only from Gateway API
 # ----------------------------------------------------
 apiVersion: cilium.io/v2
@@ -33,32 +19,6 @@ spec:
 - port: "4533"
 protocol: TCP
 
----
-# ----------------------------------------------------
-# DNS (required)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-dns
- namespace: navidrome
-spec:
- endpointSelector:
- matchLabels:
- app: navidrome
- egress:
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: ANY
- rules:
- dns:
- - matchPattern: "*"
-
 ---
 # ----------------------------------------------------
 # Spotify API access (album art, metadata)
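Review bot: The Spotify policy that stays in `apps/navidrome/network-policy.yaml` is left without a DNS rule beside it once `allow-dns` is removed in the second hunk. Its body is outside the hunk, but if it matches destinations with `toFQDNs`, Cilium needs a `rules: dns` entry on the port 53 egress rule to observe lookups and learn the IPs, and the removed policy was the only visible one doing that for `app: navidrome`. Assuming the Spotify policy is an egress policy for the same pods, it also keeps them in egress default-deny, so port 53 to kube-dns is blocked unless another policy allows it. Before merging, confirm that a replacement DNS policy with L7 DNS visibility selects these pods, and after rollout check `hubble observe --namespace navidrome --verdict DROPPED` for dropped DNS or Spotify flows.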