diff --git a/contrib/networkpolicies/kserve.yaml b/contrib/networkpolicies/kserve.yaml
new file mode 100644
index 000000000..9ce467f47
--- /dev/null
+++ b/contrib/networkpolicies/kserve.yaml
@@ -0,0 +1,21 @@
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: kserve
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: control-plane
+        operator: In
+        values:
+          - kserve-controller-manager # mutating webhook
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 9443
+  policyTypes:
+    - Ingress
diff --git a/contrib/networkpolicies/kustomization.yaml b/contrib/networkpolicies/kustomization.yaml
index 48ba33a7d..4a566f06a 100644
--- a/contrib/networkpolicies/kustomization.yaml
+++ b/contrib/networkpolicies/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
   - kfserving-models-web-app.yaml
   - kfserving.yaml
   - kserve-models-web-app.yaml
+  - kserve.yaml
   - metadata-grpc-server.yaml
   - minio.yaml
   - ml-pipeline-ui.yaml