diff --git a/bindata/cloud-network-config-controller/self-hosted/networkpolicies.yaml b/bindata/cloud-network-config-controller/self-hosted/networkpolicies.yaml
new file mode 100644
index 0000000000..19ca5a143f
--- /dev/null
+++ b/bindata/cloud-network-config-controller/self-hosted/networkpolicies.yaml
@@ -0,0 +1,32 @@
+# The openshift-cloud-network-config-controller namespace is created
+# via the CNO manifests, but we can't create a default-deny policy
+# there and an allow policy here, because the two policies won't be
+# applied at the same time. So we create both of them here.
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-deny
+  namespace: openshift-cloud-network-config-controller
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress: []
+  egress: []
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: cloud-network-config-controller
+  namespace: openshift-cloud-network-config-controller
+spec:
+  podSelector:
+    matchLabels:
+      app: cloud-network-config-controller
+  policyTypes:
+  - Egress
+  egress:
+  # CNCC needs access to apiserver and cloud APIs, possibly via a proxy... for now we
+  # just allow all egress.
+  - {}
diff --git a/manifests/0000_70_cluster-network-operator_00_namespace.yaml b/manifests/0000_70_cluster-network-operator_00_namespace.yaml
index 6c07a7838b..78b7260074 100644
--- a/manifests/0000_70_cluster-network-operator_00_namespace.yaml
+++ b/manifests/0000_70_cluster-network-operator_00_namespace.yaml
@@ -21,6 +21,10 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: default-deny
   namespace: openshift-network-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/single-node-developer: "true"
 spec:
   podSelector: {}
   policyTypes:
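Review bot: The `- {}` egress rule in the `cloud-network-config-controller` policy cancels the default-deny for the controller pod entirely: it allows every destination and port, so a compromised CNCC pod has unrestricted outbound reach from the pod network (including, if it is reachable from pods on this platform, the cloud metadata endpoint the controller may rely on for credentials). The "for now" comment should become a tracked item rather than prose so it does not silently become permanent: `# TODO(security): narrow egress to the apiserver, the cluster proxy (when configured) and DNS` with the tracking reference appended. It is also worth a line in the comment stating that this policy deliberately lists only `Egress` in `policyTypes`, so the default-deny policy above still blocks all ingress to the controller — that is the one restriction the file actually enforces and a future edit adding `Ingress` here would need its own allow rules.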
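Review bot: The three `include.release.openshift.io/*` annotations make this `default-deny` policy ship in all three CVO profiles, but nothing in the hunk shows the corresponding allow policies for the `openshift-network-operator` namespace carrying the same profile set. If any of those companion policies (presumably defined elsewhere in this file or the manifests directory, outside this hunk) lacks one of these annotations, that profile would receive the deny-all without its allow rules and the operator pod would lose ingress/egress — the same ordering hazard the new `networkpolicies.yaml` comment describes for CNCC. Please confirm the annotation set matches across every NetworkPolicy document in this namespace, and consider a comment above `annotations:` such as `# keep in sync with the allow policies for this namespace` so the coupling is visible at the point of edit. The enclosing YAML document starts before this hunk.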