diff --git a/cluster/kube/cluster.jsonnet b/cluster/kube/cluster.jsonnet
index 49e1c5af..9a2abdb6 100644
--- a/cluster/kube/cluster.jsonnet
+++ b/cluster/kube/cluster.jsonnet
@@ -145,6 +145,8 @@ local Cluster(short, realm) = {
 policies.AllowNamespaceInsecure("matrix"),
 policies.AllowNamespaceInsecure("registry"),
 policies.AllowNamespaceInsecure("internet"),
+# TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
+policies.AllowNamespaceInsecure("implr-vpn"),
 ],
 // Allow all service accounts (thus all controllers) to create secure pods.
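Review bot: The added `policies.AllowNamespaceInsecure("implr-vpn")` grants the blanket "insecure" pod policy to the entire namespace, so — judging by the neighbouring `// Allow all service accounts ... to create secure pods` context line, which presents the secure policy as the default — every pod and every service account in `implr-vpn` presumably gets the full exemption, not just the one VPN pod that needs `CAP_NET_ADMIN` and `/dev/net/tun`. The TODO names the right fix (a restricted policy adding only that capability and the tun device), but until it lands the comment should make the blast radius explicit for whoever audits this list, e.g. `// TODO(implr): implr-vpn only needs CAP_NET_ADMIN + /dev/net/tun; replace this blanket insecure grant (full root / privileged for the whole namespace) with a restricted policy allowing just those.` If the `policies` library offers a per-service-account variant rather than a per-namespace one, scoping the grant to the VPN's service account would be the cheaper interim step, but that is not visible from this hunk. As a style point, the new comment uses `#` while the surrounding file uses `//` (see the context line below the hunk) — switch to `//` for consistency. The enclosing `local Cluster(short, realm)` object and the policy list it belongs to start outside the hunk.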