diff --git a/manifests/0000_10_config-operator_00_networkpolicy_config-operator.yaml b/manifests/0000_10_config-operator_00_networkpolicy_config-operator.yaml
new file mode 100644
index 000000000..c8387d40f
--- /dev/null
+++ b/manifests/0000_10_config-operator_00_networkpolicy_config-operator.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: config-operator-networkpolicy
+  namespace: openshift-config-operator
+spec:
+  podSelector:
+    matchLabels:
+      app: openshift-config-operator
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # allow metrics scraping from anywhere
+  - ports:
+    - protocol: TCP
+      port: 8443
+  egress:
+  # allow egress to DNS
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+      podSelector:
+        matchLabels:
+          dns.operator.openshift.io/daemonset-dns: default
+    ports:
+    - protocol: TCP
+      port: 5353
+    - protocol: UDP
+      port: 5353
+  # allow all egress traffic
+  # required for egress to kube-apiserver pods
+  - {}
diff --git a/manifests/0000_10_config-operator_00_networkpolicy_default-deny-all.yaml b/manifests/0000_10_config-operator_00_networkpolicy_default-deny-all.yaml
new file mode 100644
index 000000000..b25eabb6f
--- /dev/null
+++ b/manifests/0000_10_config-operator_00_networkpolicy_default-deny-all.yaml
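Review bot: The trailing `- {}` egress rule permits all egress, so the preceding DNS rule (TCP/UDP 5353 to openshift-dns) is redundant and the Egress side of this policy enforces nothing; in practice only the Ingress side of the operator pod is restricted. If the open rule is there because the kube-apiserver endpoint cannot be matched by a pod/namespace selector (presumably because it is host-networked — verify), the comment should say that explicitly and the rule should at least be narrowed to the API port, e.g. `- ports:` / `  - protocol: TCP` / `    port: 6443`, rather than all ports and all destinations. Separately, the 8443 ingress rule carries no `from:`, so every pod in the cluster (and, depending on the CNI, traffic from outside it) can reach the metrics port; scoping it with `from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: openshift-monitoring` would match the default-deny intent of the companion manifest, assuming the endpoint is only scraped by cluster monitoring.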
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: default-deny-all
+  namespace: openshift-config-operator
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/manifests/0000_10_config-operator_01_openshift-config-managed-ns_networkpolicy_default-deny-all.yaml b/manifests/0000_10_config-operator_01_openshift-config-managed-ns_networkpolicy_default-deny-all.yaml
new file mode 100644
index 000000000..91208d127
--- /dev/null
+++ b/manifests/0000_10_config-operator_01_openshift-config-managed-ns_networkpolicy_default-deny-all.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: default-deny-all
+  namespace: openshift-config-managed
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/manifests/0000_10_config-operator_01_openshift-config-ns_networkpolicy_default-deny-all.yaml b/manifests/0000_10_config-operator_01_openshift-config-ns_networkpolicy_default-deny-all.yaml
new file mode 100644
index 000000000..89c80c326
--- /dev/null
+++ b/manifests/0000_10_config-operator_01_openshift-config-ns_networkpolicy_default-deny-all.yaml
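Review bot: This default-deny selects every pod in openshift-config-operator with both Ingress and Egress listed, but the only allow policy in this change selects `app: openshift-config-operator`; any other pod in the namespace (a differently-labelled deployment, a debug or job pod) is cut off from DNS and the API with no error surfaced. The manifest should state that assumption so a future addition does not silently lose connectivity, e.g. `# every pod in this namespace is isolated unless another NetworkPolicy selects it; only the app=openshift-config-operator pod is currently allowed traffic`. Also worth confirming that the operator pod's label is exactly `app: openshift-config-operator` on the deployment, since a label mismatch here would leave the operator itself with no egress.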
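Review bot: openshift-config-managed gets a default-deny with no accompanying allow policy, so this manifest only makes sense if the namespace is expected to carry no pods; that expectation is not written down anywhere in the file. A one-line comment above `spec:` such as `# this namespace holds only config objects; any pod scheduled here is fully isolated (no DNS, no API egress) until an explicit allow policy is added` would let an operator diagnose the resulting connectivity failure quickly. I cannot confirm from the diff that the namespace is pod-free, so please verify before merging.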
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: default-deny-all
+  namespace: openshift-config
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
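Review bot: Listing `Egress` alongside `Ingress` with an empty `podSelector` turns this from a "nothing may reach pods in openshift-config" guard into full isolation, including DNS and kube-apiserver egress, for any pod that ever lands in this namespace; the manifest does not say that the namespace is meant to be pod-free. Since openshift-config is shared by many components, a short comment above `policyTypes:` noting `# openshift-config is expected to contain no pods; this policy is a backstop, and any workload added here needs its own allow rules` would make the intent auditable. If the intent is only to block inbound traffic, drop `- Egress` instead.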