diff --git a/cluster/apps/media/kustomization.yaml b/cluster/apps/media/kustomization.yaml
index 6a6014c..9ce2937 100644
--- a/cluster/apps/media/kustomization.yaml
+++ b/cluster/apps/media/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
 resources:
 - ./namespace.yaml
 - ./sonarr
-- ./radarr
\ No newline at end of file
+- ./radarr
+- ./network_policy.yaml
\ No newline at end of file
diff --git a/cluster/apps/media/network_policy.yaml b/cluster/apps/media/network_policy.yaml
new file mode 100644
index 0000000..38fedf5
--- /dev/null
+++ b/cluster/apps/media/network_policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-most-allow-some
+  namespace: media
+spec:
+  # Apply to all pods in this namespace
+  podSelector: {} 
+  ingress:
+  - from:
+    # Allow all pods in this namespace
+    - podSelector: {}
+
+    # Allow all pods with this label
+    - podSelector:
+      matchLabels:
+        needsMedia: true
\ No newline at end of file