diff --git a/cmd/k8s-operator/deploy/chart/templates/dns-config.yaml b/cmd/k8s-operator/deploy/chart/templates/dns-config.yaml
deleted file mode 100644
index e74948062505a..0000000000000
--- a/cmd/k8s-operator/deploy/chart/templates/dns-config.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{ if .Values.dnsConfig.enabled }}
-apiVersion: tailscale.com/v1alpha1
-kind: DNSConfig
-metadata:
- name: dnsconfig
- namespace: {{ .Release.Namespace }}
-spec:
- domain: {{ .Values.dnsConfig.domain | quote }}
- nameserver:
- image:
- repo: {{ .Values.dnsConfig.image.repo | quote }}
- tag: {{ .Values.dnsConfig.image.tag | default .Chart.AppVersion }}
-{{ end }}
diff --git a/cmd/k8s-operator/deploy/chart/values.yaml b/cmd/k8s-operator/deploy/chart/values.yaml
index 4cfbdee2dab6a..e6f4cada44de7 100644
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@@ -90,15 +90,3 @@ apiServerProxyConfig:
mode: "false" # "true", "false", "noauth"
imagePullSecrets: []
-
-# dnsConfig allows to deploy the k8s-nameserver which allows to use magicDNS
-# names.
-dnsConfig:
- enabled: false
- image:
- repo: "tailscale/k8s-nameserver"
- ## tag can be used to overwrite the tag of the container image to be used.
- ## By default the appVersion will be used.
- tag: ""
- ## domain allows to customize the magicDNS domain.
- domain: "ts.net"
diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
index fd6093b00d8a3..aa4a32d6b1dda 100644
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
@@ -103,6 +103,13 @@ spec:
tag:
description: Tag defaults to unstable.
type: string
+ podLabels:
+ description: |-
+ PodLabels are the labels which will be attached to the nameserver
+ pod. They can be used to define network policies.
+ type: object
+ additionalProperties:
+ type: string
status:
description: |-
Status describes the status of the DNSConfig. This is set
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index 9777d328502ed..7d86072d07594 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -348,6 +348,13 @@ spec:
type: string
type: object
type: object
+ podLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ PodLabels are the labels which will be attached to the nameserver
+ pod. They can be used to define network policies.
+ type: object
required:
- nameserver
type: object
diff --git a/cmd/k8s-operator/nameserver.go b/cmd/k8s-operator/nameserver.go
index 02f5912a15e4e..5c8ea1e439424 100644
--- a/cmd/k8s-operator/nameserver.go
+++ b/cmd/k8s-operator/nameserver.go
@@ -163,11 +163,12 @@ func nameserverResourceLabels(name, namespace string) map[string]string {
}
func (a *NameserverReconciler) maybeProvision(ctx context.Context, tsDNSCfg *tsapi.DNSConfig, logger *zap.SugaredLogger) error {
- labels := nameserverResourceLabels(tsDNSCfg.Name, a.tsNamespace)
+ resourceLabels := nameserverResourceLabels(tsDNSCfg.Name, a.tsNamespace)
dCfg := &deployConfig{
ownerRefs: []metav1.OwnerReference{*metav1.NewControllerRef(tsDNSCfg, tsapi.SchemeGroupVersion.WithKind("DNSConfig"))},
namespace: a.tsNamespace,
- labels: labels,
+ labels: resourceLabels,
+ podLabels: tsDNSCfg.Spec.PodLabels,
imageRepo: defaultNameserverImageRepo,
imageTag: defaultNameserverImageTag,
}
@@ -208,6 +209,7 @@ type deployConfig struct {
imageRepo string
imageTag string
labels map[string]string
+ podLabels map[string]string
ownerRefs []metav1.OwnerReference
namespace string
domain string
@@ -237,6 +239,13 @@ var (
d.ObjectMeta.Namespace = cfg.namespace
d.ObjectMeta.Labels = cfg.labels
d.ObjectMeta.OwnerReferences = cfg.ownerRefs
+ if d.Spec.Template.Labels == nil {
+ d.Spec.Template.Labels = make(map[string]string)
+ }
+ for key, value := range cfg.podLabels {
+ d.Spec.Template.Labels[key] = value
+ }
+
updateF := func(oldD *appsv1.Deployment) {
oldD.Spec = d.Spec
}
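Review bot: The merge loop added just before `updateF` lets any key from the user-supplied `spec.podLabels` overwrite a label already present on `d.Spec.Template.Labels`; if the embedded deployment template carries the labels that its selector and the nameserver Service match on (not visible in this hunk), a DNSConfig with a colliding key would make the Deployment's selector stop matching its own pods, and because a Deployment selector is immutable the `oldD.Spec = d.Spec` update would be rejected or leave the nameserver unreachable. Operator-managed labels should win over user input: skip keys that are already set, e.g. `if _, exists := d.Spec.Template.Labels[key]; exists { continue }` before the assignment, or apply the user labels first and the operator's afterwards. Since this is a user-controlled CR shaping a cluster-wide DNS component, the precedence is worth enforcing in code rather than relying on documentation. The enclosing function starts above the hunk (inside the `var (` block) and ends below it.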
diff --git a/k8s-operator/api.md b/k8s-operator/api.md
index 913d5b9bf9fe4..80f1fd7a959aa 100644
--- a/k8s-operator/api.md
+++ b/k8s-operator/api.md
@@ -212,6 +212,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `nameserver` _[Nameserver](#nameserver)_ | Configuration for a nameserver that can resolve ts.net DNS names
associated with in-cluster proxies for Tailscale egress Services and
Tailscale Ingresses. The operator will always deploy this nameserver
when a DNSConfig is applied. | | |
| `domain` _string_ | Domain is the domain for which DNS entries will be resolved. If left
empty, the default of the k8s-nameserver will be used. | | |
+| `podLabels` _object (keys:string, values:string)_ | PodLabels are the labels which will be attached to the nameserver
pod. They can be used to define network policies. | | |
#### DNSConfigStatus
diff --git a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
index d58214511b7d7..03e4ef957080e 100644
--- a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
+++ b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
@@ -79,6 +79,10 @@ type DNSConfigSpec struct {
// empty, the default of the k8s-nameserver will be used.
// +optional
Domain string `json:"domain"`
+ // PodLabels are the labels which will be attached to the nameserver
+ // pod. They can be used to define network policies.
+ // +optional
+ PodLabels map[string]string `json:"podLabels,omitempty"`
}
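Review bot: The new doc comment on `PodLabels` does not say what happens when a user key collides with a label the operator already places on the nameserver pod template, so a reader of the API cannot tell whether their value or the operator's wins, and that is the case that matters for selector and network-policy correctness. Suggest stating the precedence the reconciler actually implements, e.g. `// PodLabels are merged into the labels of the nameserver pod template. They can be used to define network policies. Keys that collide with labels set by the operator itself are ignored.` (or the reverse wording if user values take precedence). The `DNSConfigSpec` struct starts above this hunk.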
type Nameserver struct {
diff --git a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
index ba4ff40e46dd5..b861cc013a819 100644
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -217,6 +217,13 @@ func (in *DNSConfigSpec) DeepCopyInto(out *DNSConfigSpec) {
*out = new(Nameserver)
(*in).DeepCopyInto(*out)
}
+ if in.PodLabels != nil {
+ in, out := &in.PodLabels, &out.PodLabels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSConfigSpec.