diff --git a/k8s/candide-vm.yaml b/k8s/candide-vm.yaml
index 78ee1f77..8a42075c 100644
--- a/k8s/candide-vm.yaml
+++ b/k8s/candide-vm.yaml
@@ -25,3 +25,14 @@ spec:
             limits:
               cpu: "0.5"
               memory: 200Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-egress
+spec:
+  podSelector:
+    matchLabels:
+      app: candide-vm
+  policyTypes:
+    - Egress