diff --git a/helm/minio/README.md b/helm/minio/README.md
index 8ee4de938..a1d5c99f8 100644
--- a/helm/minio/README.md
+++ b/helm/minio/README.md
@@ -112,6 +112,8 @@ the DefaultDeny namespace annotation. Note: this will enforce policy for *all* p
 kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
 ```
+When using `Cilium` as a CNI in your cluster, please edit the `flavor` field to `cilium`.
+
 With NetworkPolicy enabled, traffic will be limited to just port 9000. For more precise policy, set `networkPolicy.allowExternal=true`. This will
diff --git a/helm/minio/templates/ciliumnetworkpolicy.yaml b/helm/minio/templates/ciliumnetworkpolicy.yaml
new file mode 100644
index 000000000..01a14d35a
--- /dev/null
+++ b/helm/minio/templates/ciliumnetworkpolicy.yaml
@@ -0,0 +1,33 @@
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
+kind: CiliumNetworkPolicy
+apiVersion: cilium.io/v2
+metadata:
+ name: {{ template "minio.fullname" . }}
+ labels:
+ app: {{ template "minio.name" . }}
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app: {{ template "minio.name" . }}
+ release: {{ .Release.Name }}
+ ingress:
+ - toPorts:
+ - ports:
+ - port: {{ .Values.minioAPIPort }}
+ protocol: TCP
+ - port: {{ .Values.minioConsolePort }}
+ protocol: TCP
+ {{- if not .Values.networkPolicy.allowExternal }}
+ fromEndpoints:
+ - matchLabels:
+ {{ template "minio.name" . }}-client: "true"
+ {{- end }}
+ egress:
+ {{- range $entity := .Values.networkPolicy.egressEntities }}
+ - toEntities:
+ - {{ $entity }}
+ {{- end }}
+{{- end }}
diff --git a/helm/minio/templates/networkpolicy.yaml b/helm/minio/templates/networkpolicy.yaml
index 7ebc2aa73..b9c077171 100644
--- a/helm/minio/templates/networkpolicy.yaml
+++ b/helm/minio/templates/networkpolicy.yaml
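Review bot: `- port: {{ .Values.minioAPIPort }}` (and the console port line below it) renders the value as an unquoted scalar, so a numeric port becomes a YAML integer, whereas the CiliumNetworkPolicy CRD declares `port` as a string and the apiserver can be expected to reject the rendered object; write them as `- port: {{ .Values.minioAPIPort | quote }}` and `- port: {{ .Values.minioConsolePort | quote }}`. The `egress:` key is emitted whether or not `egressEntities` has entries, so an empty list yields `egress:` with a null value; wrapping the key and the range in `{{- if .Values.networkPolicy.egressEntities }}` … `{{- end }}` avoids that. Separately, as I understand Cilium's semantics, any egress rule on a selected endpoint puts it in default-deny for all other egress, so with only `kube-apiserver` allowed the MinIO pods would lose DNS and member-to-member traffic in a distributed deployment; this is inferred rather than visible here and is worth confirming before the default ships, and the consequence should be noted next to `egressEntities` in values.yaml.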
@@ -1,4 +1,4 @@
-{{- if .Values.networkPolicy.enabled }}
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
 kind: NetworkPolicy
 apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
 metadata:
diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml
index 88545f437..31bee3c46 100644
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@@ -498,7 +498,13 @@ oidc:
 networkPolicy:
 enabled: false
+ # Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
+ # or Cilium Network Policies (flavor: cilium)
+ flavor: kubernetes
 allowExternal: true
+ # only when using flavor: cilium
+ egressEntities:
+ - kube-apiserver
 ## PodDisruptionBudget settings
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
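Review bot: With the new guard `eq .Values.networkPolicy.flavor "kubernetes"` here and the matching `eq ... "cilium"` check in ciliumnetworkpolicy.yaml, a `flavor` value that matches neither (a typo such as `Cilium`, or an explicit empty value) renders no policy at all while `networkPolicy.enabled` is true, so the chart silently fails open. I'd reject unknown values at render time, e.g. before the existing condition: `{{- if and .Values.networkPolicy.enabled (not (has .Values.networkPolicy.flavor (list "kubernetes" "cilium"))) }}` / `{{- fail "networkPolicy.flavor must be \"kubernetes\" or \"cilium\"" }}` / `{{- end }}`. The rest of networkpolicy.yaml continues outside the hunk.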
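Review bot: The comment `# only when using flavor: cilium` above `egressEntities` says when the list is read but not what its items are; since each entry is emitted verbatim under `toEntities`, the comment should state that entries must be Cilium entity names (for example `kube-apiserver`, `cluster`, `world`) and, as I understand Cilium, that a non-empty list causes every other egress from the MinIO pods to be denied. Suggested replacement: `# Cilium entities (toEntities) the MinIO pods may reach; used only with flavor: cilium, and once non-empty all other egress is denied`.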