diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argo-cd/Chart.yaml
index cb87309..4d5129a 100644
--- a/charts/kubezero-argo-cd/Chart.yaml
+++ b/charts/kubezero-argo-cd/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argo-cd
-version: 0.3.5
+version: 0.3.6
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
index e0a21d4..e9522f1 100644
--- a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
+++ b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
@@ -1,25 +1,24 @@
 {{- if index .Values "argo-cd" "istio" "enabled" }}
+{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
- name: argocd-allow-only
+ name: argocd-deny-not-in-ipblocks
 namespace: istio-system
 spec:
 selector:
 matchLabels:
 app: istio-ingressgateway
+ action: DENY
 rules:
- {{- if index .Values "argo-cd" "istio" "ipBlocks" }}
 - from:
 - source:
- ipBlocks:
+ notIpBlocks:
 {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
 {{- . | toYaml | nindent 8 }}
 {{- end }}
 to:
 - operation:
 hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
- {{- else }}
- - {}
- {{- end }}
+{{- end }}
 {{- end }}
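Review bot: The DENY rule on the `hosts:` line only fires when the request host equals that string exactly, so any mismatch leaves the ArgoCD host unfiltered instead of blocked, which the old ALLOW form did not risk. Istio's guidance for host matches is to list the port-suffixed form as well, i.e. the same template value a second time with `:*` appended. The value is read from `server.config.url`; if it can ever hold a scheme or path the rule matches nothing, so a template comment such as `# server.config.url must be a bare hostname, it is matched literally against the request host` is worth adding, or the template could fail rendering when the value contains `://`. Separately, `notIpBlocks` compares the peer address the gateway sees, which is presumably the client address only if the load balancer in front preserves it; otherwise `notRemoteIpBlocks` is the field to check.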