diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argo-cd/Chart.yaml
index 6e920a41..1d0ca731 100644
--- a/charts/kubezero-argo-cd/Chart.yaml
+++ b/charts/kubezero-argo-cd/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argo-cd
-version: 0.3.2
+version: 0.3.3
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
new file mode 100644
index 00000000..c5e6a088
--- /dev/null
+++ b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
@@ -0,0 +1,23 @@
+{{- if index .Values "argo-cd" "istio" "enabled" }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: argocd-allow-only
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ rules:
+ {{- if index .Values "argo-cd" "istio" "ipBlocks" }}
+ - from:
+ - source:
+ ipBlocks:
+ {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
+ {{- . | toYaml | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ to:
+ - operation:
+ hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
+{{- end }}
diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argo-cd/values.yaml
index 39e382be..749a5f27 100644
--- a/charts/kubezero-argo-cd/values.yaml
+++ b/charts/kubezero-argo-cd/values.yaml
@@ -71,3 +71,4 @@ argo-cd:
 enabled: false
 # argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
 gateway: ingressgateway.istio-system.svc.cluster.local
+ ipBlocks: []
diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml
index bf72adb0..3a36ca4e 100644
--- a/deploy/templates/values.yaml
+++ b/deploy/templates/values.yaml
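Review bot: In templates/istio-authorization-policy.yaml the rule is only well formed when `ipBlocks` is set: with the default `[]` the `- from:` item is skipped and `to:` follows `rules:` without a list item, which probably fails validation (indentation is lost in this view, so confirm with `helm template`). Putting `to:` first and making `from:` the optional part, as below, renders a valid rule in both cases. No `action` is set, so this is an ALLOW policy on every pod labelled `app: istio-ingressgateway`: requests for other hosts on that gateway are denied unless another ALLOW policy matches them, and the selector is hard-coded while the gateway name is configurable, so it may not select the gateway ArgoCD is actually served from. `hosts` is filled from `server.config.url`, which will not match the Host header if that value carries a scheme. `ipBlocks` matches the direct peer address, so behind a load balancer that rewrites the source `remoteIpBlocks` may be the field that is needed.

```yaml
# … unchanged: metadata and selector …
  rules:
  - to:
    - operation:
        hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
    {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
    from:
    - source:
        ipBlocks:
        {{- toYaml . | nindent 8 }}
    {{- end }}
```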
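Review bot: `ipBlocks` in charts/kubezero-argo-cd/values.yaml is added without the `# key -- description` comment that the neighbouring `gateway` key carries, although its empty default decides whether any source restriction is applied. Suggest `# argo-cd.istio.ipBlocks -- Source CIDRs allowed to reach the ArgoCD host through the ingress gateway; empty means no source restriction` above it, adjusted to whatever the template does for the empty case. The enclosing `istio:` block starts outside the hunk.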
@@ -93,5 +93,5 @@ argo-cd: {{- if and ( not .Values.bootstrap ) .Values.istio.enabled }} istio: enabled: {{ index .Values "argo-cd" "istio" "enabled" }} - gateway: private-ingressgateway.istio-system.svc.cluster.local + gateway: {{ index .Values "argo-cd" "istio" "gateway" }} {{- end }} diff --git a/deploy/values.yaml b/deploy/values.yaml index 705c1419..dceb6f71 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -28,3 +28,4 @@ prometheus: argo-cd: server: {} + gateway: private-ingressgateway.istio-system.svc.cluster.local
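Review bot: In deploy/templates/values.yaml the new `gateway:` value is emitted unquoted and with no fallback, so an unset `argo-cd.istio.gateway` renders as a bare `gateway:` (null) where the private gateway was pinned before this change. `gateway: {{ index .Values "argo-cd" "istio" "gateway" | default "private-ingressgateway.istio-system.svc.cluster.local" | quote }}` keeps the previous exposure as the fallback and protects against values that YAML would retype. The enclosing `argo-cd:` block starts outside the hunk.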
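Review bot: The `gateway` default added to deploy/values.yaml directly follows `server: {}` and the hunk shows no `istio:` line, so it cannot be nested under `argo-cd.istio`, which is the path deploy/templates/values.yaml reads. As far as this hunk shows the default is never picked up, and ArgoCD is no longer pinned to the private gateway unless the user's values set it. Nesting it as `istio:` followed by `gateway: private-ingressgateway.istio-system.svc.cluster.local` under `argo-cd:` would make it effective; indentation is lost in this view, so check the result against the file.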