diff --git a/forgejo/network-policy.yaml b/forgejo/network-policy.yaml
new file mode 100644
index 0000000..b67cb45
--- /dev/null
+++ b/forgejo/network-policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress-to-forgejo
+  namespace: forgejo
+spec:
+  description: "Accept incoming traffic from the native mesh proxy"
+  endpointSelector:
+    matchLabels:
+      app: forgejo
+  ingress:
+    - fromEntities:
+        - ingress
+      toPorts:
+        - ports:
+            - port: "3000"
+              protocol: TCP