diff --git a/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml b/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml
index 6f3af43e95793..fc9f225944af7 100644
--- a/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml
+++ b/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml
@@ -21,10 +21,10 @@ operator:
   bundles:
   - dockerfile_path: bundle.Dockerfile
   substitutions:
-  - pullspec: quay.io/openshift/origin-ingress-node-firewall:4.13
-    with: pipeline:ingress-node-firewall
-  - pullspec: quay.io/openshift/origin-ingress-node-firewall-daemon:4.13
+  - pullspec: quay.io/openshift/origin-ingress-node-firewall:latest
     with: pipeline:ingress-node-firewall
+  - pullspec: quay.io/openshift/origin-ingress-node-firewall-daemon:latest
+    with: pipeline:ingress-node-firewall-daemon
 promotion:
   to:
   - name: "5.0"
@@ -72,6 +72,23 @@ tests:
         IP_STACK=v4v6
         NETWORK_TYPE=OVNKubernetes
     workflow: baremetalds-ingress-node-firewall-e2e
+- always_run: false
+  as: e2e-aws-ovn-infw-extension
+  optional: true
+  steps:
+    cluster_profile: aws-5
+    env:
+      OO_CHANNEL: alpha
+      OO_INSTALL_NAMESPACE: openshift-ingress-node-firewall
+      OO_PACKAGE: ingress-node-firewall
+      OO_TARGET_NAMESPACES: '!all'
+    observers:
+      enable:
+      - observers-resource-watch
+    test:
+    - ref: optional-operators-subscribe
+    - ref: infw-extension
+    workflow: openshift-e2e-aws-ovn
 - as: verify-deps
   steps:
     env:
diff --git a/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml b/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml
index 379df95cbefb7..18123c72546b2 100644
--- a/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml
+++ b/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml
@@ -58,6 +58,92 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )ci-index,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build10
+    context: ci/prow/e2e-aws-ovn-infw-extension
+    decorate: true
+    decoration_config:
+      sparse_checkout_files:
+      - .ci-operator.yaml
+      - Dockerfile.daemon.openshift
+      - Dockerfile.openshift
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: aws-5
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-ingress-node-firewall-master-e2e-aws-ovn-infw-extension
+    optional: true
+    rerun_command: /test e2e-aws-ovn-infw-extension
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=e2e-aws-ovn-infw-extension
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-aws-ovn-infw-extension,?($|\s.*)
   - agent: kubernetes
     always_run: true
     branches:
diff --git a/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml b/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml
index 80702fd94a9ee..6e75a410b9a6f 100644
--- a/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml
+++ b/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml
@@ -5,6 +5,9 @@ workflow:
       - chain: baremetalds-ofcir-pre
     test:
       - ref: baremetalds-ingress-node-firewall-e2e-test
+      - ref: infw-extension
+    env:
+      INFW_TEST_SUITE: "openshift/ingress-node-firewall/all"
     post:
       - chain: baremetalds-ofcir-post
   documentation: |-
diff --git a/ci-operator/step-registry/infw-extension/OWNERS b/ci-operator/step-registry/infw-extension/OWNERS
new file mode 100644
index 0000000000000..0c9bdab16ae6f
--- /dev/null
+++ b/ci-operator/step-registry/infw-extension/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+  - anusaxen
+reviewers:
+  - anusaxen
diff --git a/ci-operator/step-registry/infw-extension/infw-extension-commands.sh b/ci-operator/step-registry/infw-extension/infw-extension-commands.sh
new file mode 100644
index 0000000000000..8db685bf2a130
--- /dev/null
+++ b/ci-operator/step-registry/infw-extension/infw-extension-commands.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+export PATH=/usr/libexec/origin:$PATH
+export HOME=/tmp/home
+mkdir -p "${HOME}"
+
+echo "Setting up ingress-node-firewall extension testing"
+echo "Extension image: ${EXTENSION_IMAGE}"
+
+# Create the TestExtensionAdmission CR
+echo "Creating TestExtensionAdmission CR..."
+openshift-tests extension-admission create infw-extensions \
+  --permit=test-extensions/*
+
+# Create namespace and ImageStream
+echo "Creating test-extensions namespace and ImageStream..."
+cat <<EOF | oc apply -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-extensions
+---
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: ingress-node-firewall-tests
+  namespace: test-extensions
+spec:
+  lookupPolicy:
+    local: false
+  tags:
+    - name: latest
+      annotations:
+        testextension.redhat.io/component: "ingress-node-firewall"
+        testextension.redhat.io/binary: "/usr/bin/ingress-node-firewall-tests.gz"
+      from:
+        kind: DockerImage
+        name: ${EXTENSION_IMAGE}
+      importPolicy:
+        scheduled: false
+      referencePolicy:
+        type: Source
+EOF
+
+# Verify setup
+echo "Verifying extension setup..."
+oc get testextensionadmission infw-extensions -o yaml
+oc get imagestreamtag ingress-node-firewall-tests:latest -n test-extensions -o jsonpath='{.metadata.annotations}' | python3 -m json.tool || true
+
+echo "Ingress Node Firewall extension setup complete!"
+
+# Run the extension tests
+SUITE="${INFW_TEST_SUITE:-openshift/ingress-node-firewall/aws}"
+echo "Running ingress-node-firewall extension tests (suite: ${SUITE})..."
+openshift-tests run "${SUITE}" \
+    --junit-dir="${ARTIFACT_DIR}/junit"
diff --git a/ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json b/ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json
new file mode 100644
index 0000000000000..57ecb5be991c9
--- /dev/null
+++ b/ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json
@@ -0,0 +1,5 @@
+{
+  "owners": [
+    "anusaxen"
+  ]
+}
diff --git a/ci-operator/step-registry/infw-extension/infw-extension-ref.yaml b/ci-operator/step-registry/infw-extension/infw-extension-ref.yaml
new file mode 100644
index 0000000000000..3a6fd9726569d
--- /dev/null
+++ b/ci-operator/step-registry/infw-extension/infw-extension-ref.yaml
@@ -0,0 +1,24 @@
+ref:
+  as: infw-extension
+  from: tests
+  commands: infw-extension-commands.sh
+  timeout: 3600s
+  dependencies:
+  - name: "pipeline:ingress-node-firewall"
+    env: EXTENSION_IMAGE
+  env:
+  - name: INFW_TEST_SUITE
+    default: "openshift/ingress-node-firewall/aws"
+    documentation: |-
+      The test suite to run. Defaults to the aws suite which excludes Baremetal-labeled tests.
+      Set to "openshift/ingress-node-firewall/all" for baremetal profiles.
+  resources:
+    requests:
+      cpu: "3"
+      memory: 600Mi
+    limits:
+      memory: 10Gi
+  documentation: |-
+    Sets up and runs the ingress-node-firewall out-of-payload extension tests.
+    Creates a TestExtensionAdmission CR and ImageStream with testextension.redhat.io
+    annotations pointing to the ingress-node-firewall image built by ci-operator.