diff --git a/chart/templates/twistlock/values.yaml b/chart/templates/twistlock/values.yaml
index 5b84d55610b04fcf6f8c6c02af0742e62617c8e6..efa83276dd2d5058712e637bc7f9ef6bce4561ab 100644
--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -23,6 +23,7 @@ networkPolicies:
     {{- $gateway := default "public" .Values.twistlock.ingress.gateway }}
     {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
     {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+  nodeCidr: {{ .Values.networkPolicies.nodeCidr }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
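Review bot: The added `nodeCidr: {{ .Values.networkPolicies.nodeCidr }}` line is unquoted, so with the chart default of `""` it renders as a bare `nodeCidr:`, which YAML parses as null rather than an empty string. Whether the Twistlock chart treats null the same as `""` when it applies its fallback ranges is not visible here, so I would keep the type stable with `nodeCidr: {{ .Values.networkPolicies.nodeCidr | quote }}`. Quoting also keeps a malformed override from being re-read as another YAML type before it reaches the NetworkPolicy template. The `networkPolicies:` mapping starts above this hunk.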
diff --git a/chart/values.yaml b/chart/values.yaml
index 0a59b616bffcab87453eb75782061673cdd4152e..2ece7227fb107a3e6c80adaac6016086f04e2466 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -101,6 +101,10 @@ networkPolicies:
   # Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints)
   # Used by package NetworkPolicies to allow Kube API access
   controlPlaneCidr: 0.0.0.0/0
+  # -- Node CIDR, defaults to allowing "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" networks.
+  # use `kubectl get nodes -owide` and review the `INTERNAL-IP` column to derive CIDR range.
+  # Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)
+  nodeCidr: ""
 
 # ----------------------------------------------------------------------------------------------------------------------
 # Istio
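Review bot: The new comment on `nodeCidr` does not say which traffic the value governs, whereas `controlPlaneCidr` just above states that it is used to allow Kube API access. The empty default is documented as allowing 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 100.64.0.0/10, so the comment should tell operators that leaving it unset is the broad setting and that narrowing it is the least-privilege choice. I would add a line such as `# Used by package NetworkPolicies for traffic to/from cluster nodes; set to your actual node range rather than relying on the broad private-network default.` The exact usage is inferred from the key name and should be confirmed against the package chart before the wording is final.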
@@ -443,7 +447,7 @@ twistlock:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
     path: "./chart"
-    tag: "0.0.8-bb.1"
+    tag: "0.0.9-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Twistlock Package
   flux: {}