diff --git a/.changelog/4333.txt b/.changelog/4333.txt
new file mode 100644
index 0000000000..bf9ff0167a
--- /dev/null
+++ b/.changelog/4333.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set.
+```
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 58af556837..840f953497 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -2727,6 +2727,7 @@ connectInject:
 # By default, we exclude kube-system since usually users won't
 # want those pods injected and local-path-storage and openebs so that
 # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs.
+ # We also exclude gmp-system and gke-managed-cim namespaces that are used by GKE for managing the cluster.
 # Note that this exclusion is only supported in Kubernetes v1.21.1+.
 #
 # Example:
@@ -2741,7 +2742,7 @@ connectInject:
 matchExpressions:
 - key: "kubernetes.io/metadata.name"
 operator: "NotIn"
- values: ["kube-system","local-path-storage","openebs"]
+ values: ["kube-system","local-path-storage","openebs","gmp-system","gke-managed-cim"]
 # List of k8s namespaces to allow Connect sidecar
 # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
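Review bot: The comment line added in the `values.yaml` hunk at 2727 names the two GKE namespaces but does not say that the exclusion is an exact-name match on `kubernetes.io/metadata.name` (the selector visible further down the diff). Any other provider-managed namespace therefore still receives injection, and pods in the excluded namespaces run without a sidecar, so presumably outside the mesh's mTLS and intention enforcement. I would extend the comment with `# The match is by exact namespace name; add other provider-managed namespaces here if your cluster has them.` If overriding this value replaces the default selector wholesale (likely for a Helm value, but not visible here), also add `# If you override this selector, re-list these namespaces.` The comment block begins above the hunk and its example continues below it.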