diff --git a/argocd-helm-charts/fluent-bit/templates/netpol-fluentbit.yaml b/argocd-helm-charts/fluent-bit/templates/netpol-fluentbit.yaml
new file mode 100644
index 000000000..6648e24a2
--- /dev/null
+++ b/argocd-helm-charts/fluent-bit/templates/netpol-fluentbit.yaml
@@ -0,0 +1,36 @@
+{{ if .Values.networkpolicies }}
+apiVersion: crd.projectcalico.org/v1
+kind: NetworkPolicy
+metadata:
+ name: default.fluentbit
+ namespace: logging
+spec:
+ order: 100
+ selector:
+ app.kubernetes.io/name == 'fluent-bit'
+ types:
+ - Egress
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - 5555
+ # Connect to kube2iam, and allow filebeat to get k8s node metadata
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - 8181
+ - 443
+ selector: kubernetes.io/role in { 'node', 'master' }
+ namespaceSelector: global()
+ # Allow access to EC2 metadata endpoint
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - 443
+ nets:
+ - 169.254.169.254/32
+{{ end }}
diff --git a/argocd-helm-charts/fluent-bit/values.yaml b/argocd-helm-charts/fluent-bit/values.yaml
index d881b9bb3..74e89dae1 100644
--- a/argocd-helm-charts/fluent-bit/values.yaml
+++ b/argocd-helm-charts/fluent-bit/values.yaml
@@ -1,3 +1,4 @@
+networkpolicies: false
 fluent-bit:
 image:
 pullPolicy: IfNotPresent
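Review bot: In templates/netpol-fluentbit.yaml the first egress rule allows TCP 5555 to any destination, because its `destination` holds only `ports` with no `selector` or `nets`; if 5555 is the log forwarder, scoping the rule to the aggregator (a `selector`/`namespaceSelector` for in-cluster pods, or `nets` for an external endpoint) keeps the policy least-privilege instead of leaving that port open to arbitrary hosts. The last rule opens `169.254.169.254/32` on 443, while the EC2 instance metadata service is served over HTTP on port 80, so the rule probably does not do what its comment says and should be checked against how kube2iam redirects that traffic. The comment above the second rule names filebeat although the policy selects `fluent-bit`, and `namespace: logging` is hard-coded where `{{ .Release.Namespace }}` would follow the release. No DNS egress is allowed by this policy, which is fine only if another policy already covers it for these pods.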