diff --git a/Makefile b/Makefile index 4c43a4d..0fd77eb 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # Image URL to use all building/pushing image targets IMG ?= controller:latest # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION = 1.30.0 +ENVTEST_K8S_VERSION = 1.31.0 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) @@ -158,9 +158,9 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest GOLANGCI_LINT = $(LOCALBIN)/golangci-lint ## Tool Versions -KUSTOMIZE_VERSION ?= v5.4.2 -CONTROLLER_TOOLS_VERSION ?= v0.15.0 -ENVTEST_VERSION ?= release-0.18 +KUSTOMIZE_VERSION ?= v5.4.3 +CONTROLLER_TOOLS_VERSION ?= v0.16.1 +ENVTEST_VERSION ?= release-0.19 GOLANGCI_LINT_VERSION ?= v1.61.0 .PHONY: kustomize diff --git a/cmd/main.go b/cmd/main.go index 55b0faf..c7bcca9 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -103,7 +103,7 @@ func main() { // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. // More info: - // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/server // - https://book.kubebuilder.io/reference/metrics.html metricsServerOptions := metricsserver.Options{ BindAddress: metricsAddr, 
@@ -121,7 +121,7 @@ func main() {
 // FilterProvider is used to protect the metrics endpoint with authn/authz.
 // These configurations ensure that only authorized users and service accounts
 // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
- // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
+ // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization
 metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
 }
 
diff --git a/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_subscriptions.yaml b/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_subscriptions.yaml
index 20c09a9..c44a904 100644
--- a/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_subscriptions.yaml
+++ b/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_subscriptions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
 name: subscriptions.googlecloudpubsuboperator.quipper.github.io
 spec:
 group: googlecloudpubsuboperator.quipper.github.io
diff --git a/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_topics.yaml b/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_topics.yaml
index 564ea9f..6965e97 100644
--- a/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_topics.yaml
+++ b/config/crd/bases/googlecloudpubsuboperator.quipper.github.io_topics.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
 name: topics.googlecloudpubsuboperator.quipper.github.io
 spec:
 group: googlecloudpubsuboperator.quipper.github.io
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index ad65340..623946b 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -27,6 +27,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 0000000..65f38bf --- /dev/null +++ b/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: kubebuilder-updates + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml new file mode 100644 index 0000000..ec0fb5e --- /dev/null +++ b/config/network-policy/kustomization.yaml 
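Review bot: The ingress rule in allow-metrics-traffic.yaml admits any Pod in any namespace labeled `metrics: enabled` and is only enforced on clusters whose CNI implements NetworkPolicy, so it narrows exposure of port 8443 but does not replace the authn/authz filter that cmd/main.go installs with `filters.WithAuthenticationAndAuthorization`; a comment above `ingress:` such as `# Defense in depth only: callers must still pass the metrics server's authn/authz filter, and this policy has no effect where the CNI does not enforce NetworkPolicy.` would keep it from being read as the access control. `port: 8443` has to agree with the address the manager binds for metrics (`metricsAddr` in cmd/main.go, whose default is not in this diff); if they diverge, every scrape is silently dropped once the policy is enabled. The label `app.kubernetes.io/name: kubebuilder-updates` looks like the scaffold's project-name placeholder rather than this operator's name; the labels on the other manifests are not visible here, but this one should be consistent with them. Note that config/default/kustomization.yaml leaves `#- ../network-policy` commented out, so none of this is applied until that line is uncommented and the scraping namespace is labeled.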
@@ -0,0 +1,2 @@ +resources: +- allow-metrics-traffic.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index dfd611c..ccf72de 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -15,31 +15,6 @@ rules: - googlecloudpubsuboperator.quipper.github.io resources: - subscriptions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - googlecloudpubsuboperator.quipper.github.io - resources: - - subscriptions/finalizers - verbs: - - update -- apiGroups: - - googlecloudpubsuboperator.quipper.github.io - resources: - - subscriptions/status - verbs: - - get - - patch - - update -- apiGroups: - - googlecloudpubsuboperator.quipper.github.io - resources: - topics verbs: - create @@ -52,12 +27,14 @@ rules: - apiGroups: - googlecloudpubsuboperator.quipper.github.io resources: + - subscriptions/finalizers - topics/finalizers verbs: - update - apiGroups: - googlecloudpubsuboperator.quipper.github.io resources: + - subscriptions/status - topics/status verbs: - get diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go index d915152..4d8897a 100644 --- a/internal/controller/suite_test.go +++ b/internal/controller/suite_test.go @@ -73,7 +73,7 @@ var _ = BeforeSuite(func() { // Note that you must have the required binaries setup under the bin directory to perform // the tests directly. When we run make test it will be setup and used automatically. BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s", - fmt.Sprintf("1.30.0-%s-%s", runtime.GOOS, runtime.GOARCH)), + fmt.Sprintf("1.31.0-%s-%s", runtime.GOOS, runtime.GOARCH)), } ctx, cancel := context.WithCancel(context.TODO())