diff --git a/.vscode/settings.json b/.vscode/settings.json
index ab9d76b..d1e70a7 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,8 @@
 {
     "cSpell.words": [
+        "networkpolicies",
+        "poddisruptionbudgets",
+        "serviceaccounts",
         "valkey"
     ]
 }
\ No newline at end of file
diff --git a/deploy/infra/cd-service-account-rbac.yaml b/deploy/infra/cd-service-account-rbac.yaml
deleted file mode 100644
index 7bd4ec8..0000000
--- a/deploy/infra/cd-service-account-rbac.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: git-limbosolutions-com
-  name: continuous-deploy
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
-  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-
-- apiGroups: ["apps"]
-  resources: ["deployments", "statefulsets"]
-  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-
-- apiGroups: ["batch"]
-  resources: ["cronjobs", "jobs"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
-- apiGroups: ["networking.k8s.io"]
-  resources: ["networkpolicies", "ingresses"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
-- apiGroups: ["policy"]
-  resources: ["poddisruptionbudgets"]
-  verbs: ["get", "list", "watch", "update", "patch"]
-
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: continuous-deploy
-  namespace: git-limbosolutions-com
-subjects:
-- kind: ServiceAccount
-  name: continuous-deploy
-  namespace: git-limbosolutions-com
-roleRef:
-  kind: Role
-  name: continuous-deploy
-  apiGroup: rbac.authorization.k8s.io
-
diff --git a/deploy/infra/cd-service-account-token.yaml b/deploy/infra/cd-service-account-token.yaml
deleted file mode 100644
index 727c6d8..0000000
--- a/deploy/infra/cd-service-account-token.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: continuous-deploy
-  annotations:
-    kubernetes.io/service-account.name: continuous-deploy
-type: kubernetes.io/service-account-token
\ No newline at end of file
diff --git a/deploy/infra/cd-service-account.yaml b/deploy/infra/cd-service-account.yaml
index c30eedf..d788d08 100644
--- a/deploy/infra/cd-service-account.yaml
+++ b/deploy/infra/cd-service-account.yaml
@@ -3,4 +3,60 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: continuous-deploy
-  namespace: git-limbosolutions-com
\ No newline at end of file
+  namespace: git-limbosolutions-com
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: continuous-deploy
+  annotations:
+    kubernetes.io/service-account.name: continuous-deploy
+type: kubernetes.io/service-account-token
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: git-limbosolutions-com
+  name: continuous-deploy
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
+  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets"]
+  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+
+- apiGroups: ["batch"]
+  resources: ["cronjobs", "jobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies", "ingresses"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+- apiGroups: ["policy"]
+  resources: ["poddisruptionbudgets"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: continuous-deploy
+  namespace: git-limbosolutions-com
+subjects:
+- kind: ServiceAccount
+  name: continuous-deploy
+  namespace: git-limbosolutions-com
+roleRef:
+  kind: Role
+  name: continuous-deploy
+  apiGroup: rbac.authorization.k8s.io
+
diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml
index ac112a2..09d1092 100644
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
@@ -3,6 +3,5 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - cd-service-account.yaml
-  - cd-service-account-token.yaml
-  - cd-service-account-rbac.yaml
+  - network-policy-egress.yaml
 
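Review bot: The Secret added in the middle of the hunk carries no `metadata.namespace`, while the ServiceAccount, Role and RoleBinding around it all pin `git-limbosolutions-com`; unless the kustomization sets a namespace (not visible in this diff), the Secret lands in whatever namespace the apply context uses, where the annotated `continuous-deploy` ServiceAccount does not exist and the token controller will never populate it. Add `  namespace: git-limbosolutions-com` under the Secret's `metadata:` so all four objects agree. Separately, a `kubernetes.io/service-account-token` Secret is a long-lived, non-expiring credential; if the deploy pipeline can use a short-lived token (TokenRequest / `kubectl create token`) instead, that removes a standing secret, and if it cannot, the rotation expectation for this token should be documented next to it. The Role also grants create/update/delete on `secrets` and `serviceaccounts` in the namespace, which lets the holder obtain tokens for any ServiceAccount there, so the rules list is worth trimming to the verbs the pipeline actually exercises. The ServiceAccount document begins before line 3 of the file, outside this hunk.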
diff --git a/deploy/infra/network-policy-egress.yaml b/deploy/infra/network-policy-egress.yaml
new file mode 100644
index 0000000..4490df1
--- /dev/null
+++ b/deploy/infra/network-policy-egress.yaml
@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: git-limbosolutions-com-egress
+  namespace: git-limbosolutions-com
+spec:
+  podSelector: {} # apply to all pods in the namespace
+  policyTypes:
+    - Egress
+  egress:
+    # Allow DNS to kube-system
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
+
+    # allow namespace communication
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: git-limbosolutions-com
+          podSelector: {}
+
+    # allow backup server
+    - to:
+        - ipBlock:
+            cidr: 192.168.0.251/32
+
+    # Allow all egress EXCEPT private networks
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # first allow everything
+            except: # remove local network (so it means blocking, cidr is allowing everything )
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+              - 169.254.0.0/16
+              - 127.0.0.0/8
+              - 224.0.0.0/4
+              - 240.0.0.0/4
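Review bot: The DNS rule at the top of the egress list permits only UDP 53 to kube-system; lookups whose responses exceed the UDP size limit are retried over TCP 53, and those will be dropped under this policy. Add a second entry under `ports:` next to the UDP one: `- protocol: TCP` / `  port: 53`. Because `podSelector: {}` covers every pod in the namespace and the last rule excludes 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, any pod here that must reach the Kubernetes API server (for example a deploy runner using the `continuous-deploy` ServiceAccount) will be blocked if the API endpoint resolves to an address in those ranges, so the service and node CIDRs should be checked against this list before rollout. The except list also omits 100.64.0.0/10, which some clusters use for pod or overlay addressing; include it if that applies to this cluster.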