diff --git a/README.md b/README.md index d35065b..2181f61 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@ FORKED FROM https://github.com/hotheadhacker/no-as-a-service - ## local modifications - answer on / instead of /no @@ -10,6 +9,8 @@ FORKED FROM https://github.com/hotheadhacker/no-as-a-service - add Dockerfile to build this sh*t - kustomization in [deploy](deploy) directory (use your own registry) +the deploy runs non root, no caps, read only file system, network policy and sh*t ftw + ## intro

diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 17ae0c9..926c4d8 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - deploy.yaml
 - service.yaml
 - ingress.yaml
+- netpol.yaml
 images:
 - name: noaas
 newName: /library/no-as-a-service
diff --git a/deploy/netpol.yaml b/deploy/netpol.yaml
new file mode 100644
index 0000000..7886a5e
--- /dev/null
+++ b/deploy/netpol.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: noaas
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app: noaas
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ ports:
+ - protocol: TCP
+ port: 3000
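Review bot: In deploy/netpol.yaml, `Egress` appears under `policyTypes` but the spec carries no `egress:` key, so all outbound traffic from the `app: noaas` pods, DNS lookups included, is dropped without the file saying that this is intended. A comment next to the type would record it, for example `# no egress rules below: outbound traffic is denied on purpose`. The single `from` peer selects on namespace only, which admits every pod running in `ingress-nginx` to port 3000; adding a `podSelector` to that same peer (the controller's pod labels are not visible here, e.g. `app.kubernetes.io/name: <controller-label>`) would narrow it to the ingress controller. The policy takes effect only if the cluster's network plugin enforces NetworkPolicy, which the README line added in this commit could state.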