diff --git a/.gitignore b/.gitignore
index 16dd32e1..9cc1c60a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,12 @@
 config.toml
 *.swp
 .DS_Store
+
+# Secrets — never commit real credentials
+.env
+.env.*
+*.pem
+*.key
+**/secrets/
+kubeconfig
+kubeconfig.*
diff --git a/charts/openab/templates/deployment.yaml b/charts/openab/templates/deployment.yaml
index f1ab9b0b..9b684036 100644
--- a/charts/openab/templates/deployment.yaml
+++ b/charts/openab/templates/deployment.yaml
@@ -25,6 +25,9 @@ spec:
 labels:
 {{- include "openab.selectorLabels" $d | nindent 8 }}
 spec:
+ {{- if $.Values.serviceAccount.create }}
+ serviceAccountName: {{ include "openab.agentFullname" $d }}
+ {{- end }}
 {{- with $.Values.podSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/openab/templates/networkpolicy.yaml b/charts/openab/templates/networkpolicy.yaml
new file mode 100644
index 00000000..7bd66fee
--- /dev/null
+++ b/charts/openab/templates/networkpolicy.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.networkPolicy.enabled }}
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "openab.agentFullname" $d }}
+ labels:
+ {{- include "openab.labels" $d | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "openab.selectorLabels" $d | nindent 6 }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+ - ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openab/templates/serviceaccount.yaml b/charts/openab/templates/serviceaccount.yaml
new file mode 100644
index 00000000..f43d0c46
--- /dev/null
+++ b/charts/openab/templates/serviceaccount.yaml
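Review bot: The `.env.*` pattern in the new block also ignores files such as `.env.example` that projects usually do commit as a credential-free template; if this repo keeps one, add a negation right after it, `!.env.example`. The `kubeconfig` and `*.key` patterns are sound, but ignoring a path does not retroactively remove a file that was already tracked or committed earlier, so an audit of history is still needed if any of these were ever checked in.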
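Review bot: `serviceAccountName` is only emitted when `serviceAccount.create` is true, so with `create: false` each pod silently runs under the namespace's `default` ServiceAccount and the `automountServiceAccountToken: false` hardening from serviceaccount.yaml no longer applies, because that setting lives on the created account rather than on the pod. Set it on the pod spec as well, where it takes precedence regardless of which account is in use: add `automountServiceAccountToken: false` directly under `spec:` next to the new block. A `serviceAccount.name` value for pointing at an existing account would be the usual companion to `create`; the rest of the pod spec lies outside this hunk, so confirm no other line already sets the field.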
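Review bot: The two egress rules carry no `to:` selector, so port 443 and port 53 are permitted toward any destination — in-cluster services and the API endpoint as much as external hosts — which is broader than the per-port shape of the file suggests. DNS can be pinned to the cluster resolver with a namespace/pod selector (the `k8s-app: kube-dns` label is the common CoreDNS label but varies by distribution), and the 443 rule should gain a `to:` block, ideally driven from values, once the agents' upstream endpoints are known. Note also that a NetworkPolicy object is only enforced by a CNI that implements the API; a values.yaml comment saying so would spare operators a false sense of isolation.

```yaml
# … unchanged: metadata, podSelector, policyTypes, ingress …
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # CoreDNS label; adjust for the cluster's DNS deployment
      ports:
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
    - ports:   # TODO: add a `to:` selector (ipBlock/namespaceSelector) for the agents' HTTPS destinations
        - port: 443
          protocol: TCP
```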
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "openab.agentFullname" $d }}
+ labels:
+ {{- include "openab.labels" $d | nindent 4 }}
+automountServiceAccountToken: false
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openab/values.yaml b/charts/openab/values.yaml
index 1f7c2134..c91d8ac5 100644
--- a/charts/openab/values.yaml
+++ b/charts/openab/values.yaml
@@ -1,3 +1,9 @@
+networkPolicy:
+ enabled: true
+
+serviceAccount:
+ create: true
+
 image:
 repository: ghcr.io/openabdev/openab
 # tag defaults to .Chart.AppVersion
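Review bot: The template sets `automountServiceAccountToken: false` on every generated ServiceAccount without recording why, so a later maintainer who adds an agent that needs the API may flip the default here and weaken every other agent at once. A header comment above the first `{{- if }}` would capture the intent, e.g. `{{- /* One ServiceAccount per enabled agent. Token automount is disabled by default; a pod that genuinely needs API access should opt in through its own pod spec rather than by changing this template. */ -}}`. It would also be worth stating in that comment that no RBAC bindings accompany these accounts, if that is indeed the case elsewhere in the chart.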
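Review bot: The new `networkPolicy` and `serviceAccount` keys carry no explanatory comments, unlike the `image` block directly below them, so an operator reading values.yaml cannot tell that enabling the policy confines each agent to egress on TCP 443 and DNS on 53 with all ingress denied, nor that it only takes effect on a CNI that enforces NetworkPolicy. Add `# Per-agent NetworkPolicy: denies all ingress, allows egress only on TCP/443 and 53 (TCP+UDP); requires a policy-enforcing CNI` above `enabled: true`, and `# Per-agent ServiceAccount with token automount disabled; with create: false pods fall back to the namespace default account` above `create: true`. A `name:` sub-key under `serviceAccount` for reusing an existing account would also match the usual chart convention, though the deployment template would need to read it.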