diff --git a/CHANGELOG.md b/CHANGELOG.md index f10b5cf..33c7519 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [v3.1.1-5] - 2024-12-10 +### Added +- [#18] NetworkPolicy to allow only internal ingress traffic + - Dependent Dogus and Components must bring their own NetworkPolicy to access Loki +- [#18] Ingress Network Policy for MinIO so that Loki can access it + ## [v3.1.1-4] - 2024-11-13 ### Changed - [#16] Disable sidecar to load rules from ConfigMaps/Secrets. diff --git a/Makefile b/Makefile index 195c5be..8c20e73 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ ARTIFACT_ID=k8s-loki MAKEFILES_VERSION=9.3.2 -VERSION=3.1.1-4 +VERSION=3.1.1-5 .DEFAULT_GOAL:=help diff --git a/k8s/helm/templates/networkpolicies.yaml b/k8s/helm/templates/networkpolicies.yaml new file mode 100644 index 0000000..e717fc6 --- /dev/null +++ b/k8s/helm/templates/networkpolicies.yaml 
@@ -0,0 +1,57 @@ +{{- if .Values.networkPolicies.enabled }} +# This NetworkPolicy allows ingress to MinIO pods from Loki. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "k8s-loki-minio-ingress" + namespace: {{ $.Release.Namespace }} + labels: + app: ces + app.kubernetes.io/name: k8s-loki +spec: + podSelector: + matchLabels: + app: ces + app.kubernetes.io/name: k8s-minio + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: ces + app.kubernetes.io/name: k8s-loki + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ $.Release.Namespace }} + ports: + - protocol: TCP + port: 9000 +--- +# This NetworkPolicy only allows internal ingress between Loki pods and denies all other ingress. +# Dependent Dogus and Components must bring their own NetworkPolicy to access Loki. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "k8s-loki-internal-ingress" + namespace: {{ $.Release.Namespace }} + labels: + app: ces + app.kubernetes.io/name: k8s-loki +spec: + podSelector: + matchLabels: + app: ces + app.kubernetes.io/name: k8s-loki + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: ces + app.kubernetes.io/name: k8s-loki + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ $.Release.Namespace }} +{{- end}} \ No newline at end of file diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index 773cd42..eb136a1 100644 --- a/k8s/helm/values.yaml +++ b/k8s/helm/values.yaml @@ -1,4 +1,6 @@ lokiGatewaySecretName: "k8s-loki-gateway-secret" +networkPolicies: + enabled: true loki: imagePullSecrets:
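Review bot: Both policies only work if the label pairs in their selectors (`app: ces` plus `app.kubernetes.io/name: k8s-loki` on the Loki pods, `k8s-minio` on the MinIO pods) are exactly what the chart stamps onto the pods; a NetworkPolicy whose `podSelector` matches no pod is accepted by the API server and silently enforces nothing, so the default-deny this commit intends would never take effect and no error would surface. Nothing in this hunk shows where those pod labels are set (the Loki subchart's own pods normally carry `app.kubernetes.io/name: loki`), so please confirm after install with `kubectl get pods -n <ns> -l app.kubernetes.io/name=k8s-loki` and `kubectl describe netpol k8s-loki-internal-ingress`, and consider a chart test that does the same. The `namespaceSelector` on `kubernetes.io/metadata.name` is redundant for same-namespace peers — a `from` entry with only a `podSelector` already means "this namespace" — and it ties the policy to clusters that set that label (Kubernetes 1.21+); either drop it or add a comment stating why it is kept. Note also that `k8s-loki-minio-ingress` selects the MinIO pods, so as soon as it exists every other client of MinIO in the namespace is denied unless it ships its own policy, while the CHANGELOG states that requirement only for Loki; a comment like `# NOTE: selecting the MinIO pods makes them default-deny for every other client in this namespace` would make that side effect visible to operators. The file also ends without a trailing newline after `{{- end}}`.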
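Review bot: The new `networkPolicies.enabled: true` default carries no documentation of what it switches on or what it requires, and a NetworkPolicy object is only enforced by a CNI that implements the API — on a cluster without one the objects are created and have no effect, which gives a false sense of isolation. A short comment above the key would help operators, for example `# Creates NetworkPolicies that restrict ingress to Loki (and MinIO from Loki) to this release; requires a CNI that enforces NetworkPolicy, and dependent components must ship their own policy to reach Loki.` The surrounding values (`loki:` and below) are outside this hunk, so I cannot tell whether the chart already documents the pod labels these policies select on.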