diff --git a/CHANGELOG.md b/CHANGELOG.md
index e17bca969c..8643d3dce7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,10 @@ IMPROVEMENTS:
 * Helm
   * API Gateway: Allow controller to read Kubernetes namespaces in order to determine if route is allowed for gateway. [[GH-1092](https://github.com/hashicorp/consul-k8s/pull/1092)]
 
+BUG FIXES:
+* Helm
+  * Fix PodSecurityPolicies for clients/mesh gateways when hostNetwork is used. [[GH-1090](https://github.com/hashicorp/consul-k8s/pull/1090)]
+
 ## 0.41.1 (February 24, 2022)
 
 BUG FIXES:
diff --git a/charts/consul/templates/client-podsecuritypolicy.yaml b/charts/consul/templates/client-podsecuritypolicy.yaml
index 15950f75fd..0121bdf586 100644
--- a/charts/consul/templates/client-podsecuritypolicy.yaml
+++ b/charts/consul/templates/client-podsecuritypolicy.yaml
@@ -49,10 +49,14 @@ spec:
   - min: 8502
     max: 8502
   {{- end }}
-  {{- if .Values.client.exposeGossipPorts }}
+  {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }}
   - min: 8301
     max: 8301
   {{- end }}
+  {{- if .Values.client.hostNetwork }}
+  - min: 8600
+    max: 8600
+  {{- end }}
   hostIPC: false
   hostPID: false
   runAsUser:
diff --git a/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
index 5257b79ed4..b5bbb2fa03 100644
--- a/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
+++ b/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
@@ -30,6 +30,14 @@ spec:
   {{- else }}
   hostNetwork: false
   {{- end }}
+  hostPorts:
+  {{- if .Values.meshGateway.hostPort }}
+  - min: {{ .Values.meshGateway.hostPort }}
+    max: {{ .Values.meshGateway.hostPort }}
+  {{- else if .Values.meshGateway.hostNetwork }}
+  - min: {{ .Values.meshGateway.containerPort }}
+    max: {{ .Values.meshGateway.containerPort }}
+  {{- end }}
   hostIPC: false
   hostPID: false
   runAsUser:
diff --git a/charts/consul/test/unit/client-podsecuritypolicy.bats b/charts/consul/test/unit/client-podsecuritypolicy.bats
index 701bd3a850..a37d4ec147 100644
--- a/charts/consul/test/unit/client-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/client-podsecuritypolicy.bats
@@ -140,7 +140,21 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+@test "client/PodSecurityPolicy: hostPorts when hostNetwork=true" {
+  # hostPorts must be allowed because when Kube sets all container ports as host ports when hostNetwork is true.
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/client-podsecuritypolicy.yaml  \
+      --set 'global.enablePodSecurityPolicies=true' \
+      --set 'client.hostNetwork=true' \
+      . | tee /dev/stderr |
+      yq -c '.spec.hostPorts' | tee /dev/stderr)
+  [ "${actual}" = '[{"min":8500,"max":8500},{"min":8502,"max":8502},{"min":8301,"max":8301},{"min":8600,"max":8600}]' ]
+}
+
+#--------------------------------------------------------------------
 # client.hostNetwork = false
+
 @test "client/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true and default hostNetwork=false" {
   cd `chart_dir`
   local actual=$(helm template \
diff --git a/charts/consul/test/unit/mesh-gateway-podsecuritypolicy.bats b/charts/consul/test/unit/mesh-gateway-podsecuritypolicy.bats
index 66e71d97bb..22565c9b02 100644
--- a/charts/consul/test/unit/mesh-gateway-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/mesh-gateway-podsecuritypolicy.bats
@@ -45,3 +45,29 @@ load _helpers
       yq '.spec.hostNetwork' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+@test "meshGateway/PodSecurityPolicy: hostPorts are allowed when setting hostPort" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/mesh-gateway-podsecuritypolicy.yaml  \
+      --set 'meshGateway.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      --set 'meshGateway.hostPort=9999' \
+      . | tee /dev/stderr |
+      yq -c '.spec.hostPorts' | tee /dev/stderr)
+  [ "${actual}" = '[{"min":9999,"max":9999}]' ]
+}
+
+@test "meshGateway/PodSecurityPolicy: hostPorts are allowed when hostNetwork=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/mesh-gateway-podsecuritypolicy.yaml  \
+      --set 'meshGateway.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      --set 'meshGateway.hostNetwork=true' \
+      . | tee /dev/stderr |
+      yq -c '.spec.hostPorts' | tee /dev/stderr)
+  [ "${actual}" = '[{"min":8443,"max":8443}]' ]
+}