diff --git a/kiss/manager/src/current.rs b/kiss/manager/src/current.rs
index 55c28389..864d8c65 100644
--- a/kiss/manager/src/current.rs
+++ b/kiss/manager/src/current.rs
@@ -168,6 +168,7 @@ impl Handler {
             namespace: Some(Self::NAMESPACE.into()),
             labels: Some(
                 vec![
+                    ("kissService".into(), "true".into()),
                     ("serviceType".into(), Self::UPGRADE_SERVICE_TYPE.into()),
                     ("sourceVersion".into(), current.to_string()),
                     ("targetVersion".into(), latest.to_string()),
diff --git a/templates/kiss/namespace.yaml b/templates/kiss/namespace.yaml
index 50fa39d5..68059799 100644
--- a/templates/kiss/namespace.yaml
+++ b/templates/kiss/namespace.yaml
@@ -64,6 +64,24 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
+metadata:
+  name: allow-netai-cloud-upgrade-kiss
+  namespace: kiss
+spec:
+  podSelector:
+    matchLabels:
+      serviceType: netai-cloud-upgrade-kiss
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.32.0.0/12
+        - ipBlock:
+            cidr: 10.112.0.0/12
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
   name: allow-proxy
   namespace: kiss
@@ -84,6 +102,5 @@ spec:
             cidr: 0.0.0.0/0 # allow all outbound but no internal access
             except:
               - 10.0.0.0/8
-              - 127.0.0.0/8
               - 172.16.0.0/12
               - 192.168.0.0/16