diff --git a/components/manifests/overlays/mpp-openshift/ambient-cp-token-netpol.yaml b/components/manifests/overlays/mpp-openshift/ambient-cp-token-netpol.yaml
new file mode 100644
index 000000000..aa11c728d
--- /dev/null
+++ b/components/manifests/overlays/mpp-openshift/ambient-cp-token-netpol.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-runner-token-fetch
+ namespace: ambient-code--runtime-int
+ labels:
+ app: ambient-control-plane
+spec:
+ podSelector:
+ matchLabels:
+ app: ambient-control-plane
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ tenant.paas.redhat.com/tenant: ambient-code
+ ports:
+ - protocol: TCP
+ port: 8080
+ policyTypes:
+ - Ingress
diff --git a/components/manifests/overlays/mpp-openshift/kustomization.yaml b/components/manifests/overlays/mpp-openshift/kustomization.yaml
index 5f38a1c27..de7217cf3 100644
--- a/components/manifests/overlays/mpp-openshift/kustomization.yaml
+++ b/components/manifests/overlays/mpp-openshift/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - ambient-api-server.yaml
 - ambient-control-plane.yaml
 - ambient-control-plane-svc.yaml
+- ambient-cp-token-netpol.yaml
 - ambient-api-server-route.yaml
 - ambient-control-plane-sa.yaml
 - tenant-rbac/
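Review bot: The single `from` entry in `allow-runner-token-fetch` matches on `namespaceSelector` alone, so every pod in any namespace labelled `tenant.paas.redhat.com/tenant: ambient-code` can reach TCP 8080 on the control plane, not only the runners the policy name refers to. If runner pods carry a stable label, add a `podSelector` to the same list element as the `namespaceSelector` (a separate `- podSelector:` item would be ORed with it and widen the rule), for example `podSelector:` / `matchLabels:` / `<runner-label-key>: <runner-label-value>`, with the placeholder replaced by the real label. Because the policy lists `Ingress` under `policyTypes`, pods labelled `app: ambient-control-plane` will also drop any other ingress that no other policy allows; presumably that is intended, but it is worth confirming against other callers of the control plane. A NetworkPolicy filters only at L3/L4, so a comment above `ingress:` such as `# Network reachability only; the token endpoint must still authenticate the calling runner.` would keep that assumption visible.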