diff --git a/clusters/noble/apps/kyverno/values.yaml b/clusters/noble/apps/kyverno/values.yaml
index 45df72c..8020f5d 100644
--- a/clusters/noble/apps/kyverno/values.yaml
+++ b/clusters/noble/apps/kyverno/values.yaml
@@ -10,7 +10,12 @@
 #
 # Raise Kubernetes client QPS/burst so under API/etcd load Kyverno does not hit
 # "client rate limiter Wait" / flaky kyverno-health lease (defaults are very low).
+# Two replicas: webhook Service keeps endpoints during rolling restarts (avoids
+# apiserver "connection refused" to kyverno-svc:443 while a single pod cycles).
 admissionController:
+  replicas: 2
+  # Insulate Kyverno API traffic via APF (helps when etcd/apiserver are busy).
+  apiPriorityAndFairness: true
   container:
     extraArgs:
       clientRateLimitQPS: 30