diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml
index 709b5a19..8b26e75a 100644
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -112,6 +112,18 @@ spec:
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+ name: allow-to-dashboard
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: cozy-dashboard
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
 name: allow-to-ingress
 namespace: {{ include "tenant.name" . }}
diff --git a/packages/extra/ingress/README.md b/packages/extra/ingress/README.md
index f924a78a..0d00844c 100644
--- a/packages/extra/ingress/README.md
+++ b/packages/extra/ingress/README.md
@@ -10,3 +10,5 @@
 | `externalIPs` | List of externalIPs for service. | `[]` |
 | `whitelist` | List of client networks | `[]` |
 | `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
+| `dashboard` | Should ingress serve Cozystack service dashboard | `false` |
+
diff --git a/packages/extra/ingress/templates/dashboard.yaml b/packages/extra/ingress/templates/dashboard.yaml
new file mode 100644
index 00000000..940fdefe
--- /dev/null
+++ b/packages/extra/ingress/templates/dashboard.yaml
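Review bot: The `allow-to-dashboard` policy added in networkpolicy.yaml pairs `endpointSelector: {}` with an egress rule that has no `toPorts`, so every pod in every tenant namespace may reach every pod in `cozy-dashboard` on any port. It is also rendered for all tenants, whether or not their ingress release sets `dashboard`. If the only intended client is the tenant's ingress controller, which the new Ingress in this commit suggests but the hunk does not confirm, the selector should be narrowed to those pods and the destination limited to the dashboard pod's label and port. The labels and container port are not visible in this diff, so the excerpt below uses placeholders. The `allow-to-ingress` policy that follows continues outside the hunk.

```yaml
spec:
  endpointSelector:
    matchLabels:
      INGRESS_CONTROLLER_LABEL_KEY: INGRESS_CONTROLLER_LABEL_VALUE   # placeholder: take from the ingress chart
  egress:
  - toEndpoints:
    - matchLabels:
        io.kubernetes.pod.namespace: cozy-dashboard
        DASHBOARD_POD_LABEL_KEY: DASHBOARD_POD_LABEL_VALUE           # placeholder: take from the dashboard chart
    toPorts:
    - ports:
      - port: "DASHBOARD_CONTAINER_PORT"                             # placeholder: the pod port, not the Service port
        protocol: TCP
```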
@@ -0,0 +1,29 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- if .Values.dashboard }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ acme.cert-manager.io/http01-ingress-class: tenant-root
+ name: dashboard-{{ .Release.Namespace }}
+ namespace: cozy-dashboard
+spec:
+ ingressClassName: {{ .Release.Namespace }}
+ rules:
+ - host: dashboard.{{ $host }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: dashboard
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - dashboard.{{ $host }}
+ secretName: dashboard-{{ .Release.Namespace }}-tls
+{{- end }}
diff --git a/packages/extra/ingress/values.schema.json b/packages/extra/ingress/values.schema.json
index c956bac3..e669d70e 100644
--- a/packages/extra/ingress/values.schema.json
+++ b/packages/extra/ingress/values.schema.json
@@ -25,6 +25,11 @@
 "type": "boolean",
 "description": "Restoring original visitor IPs when Cloudflare proxied is enabled",
 "default": false
+ },
+ "dashboard": {
+ "type": "boolean",
+ "description": "Should ingress serve Cozystack service dashboard",
+ "default": false
 }
 }
 }
\ No newline at end of file
diff --git a/packages/extra/ingress/values.yaml b/packages/extra/ingress/values.yaml
index 669698f1..b05d6bb5 100644
--- a/packages/extra/ingress/values.yaml
+++ b/packages/extra/ingress/values.yaml
@@ -24,3 +24,6 @@ whitelist: []
 ## @param clouflareProxy Restoring original visitor IPs when Cloudflare proxied is enabled
 clouflareProxy: false
+
+## @param dashboard Should ingress serve Cozystack service dashboard
+dashboard: false
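Review bot: In templates/dashboard.yaml the two assignments at the top run before the `{{- if .Values.dashboard }}` guard, so `$myNS.metadata.annotations` is dereferenced even when the feature is off. `lookup` returns an empty map under `helm template` and dry-run, which makes that expression fail, and a namespace without the `namespace.cozystack.io/host` annotation renders the host as `dashboard.`. Moving both assignments inside the guard, reading the value with `{{- $host := dig "metadata" "annotations" "namespace.cozystack.io/host" "" $myNS }}`, and calling `fail` when it is empty would make the error explicit. Separately, `acme.cert-manager.io/http01-ingress-class` is hard-coded to `tenant-root` while `ingressClassName` follows `.Release.Namespace`, and the Ingress is written into `cozy-dashboard` from whichever namespace holds the release. If publishing the dashboard is meant only for the root tenant, the template should enforce that rather than rely on the `dashboard: false` default.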