diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index 4ce2ab0..1705975 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -59,6 +59,14 @@
 "dst": ["tag:nas"],
 "ip": ["*"],
 },
+
+ // --- Kubernetes workloads ---
+ // k8s workloads (e.g., Woodpecker CI) can push/pull from registry
+ {
+ "src": ["tag:k8s"],
+ "dst": ["tag:registry"],
+ "ip": ["tcp:443"],
+ },
 ],
 
 // ============== SSH Access ==============
@@ -103,6 +111,7 @@
 "tag:feed": ["autogroup:admin", "tag:blumeops"],
 "tag:registry": ["autogroup:admin", "tag:blumeops"],
 "tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
+ "tag:k8s": ["autogroup:admin", "tag:blumeops"],
 },
 
 // ============== ACL Tests ==============
@@ -123,5 +132,10 @@
 "src": "tag:homelab",
 "accept": ["tag:homelab:22", "tag:nas:445"],
 },
+ // K8s workloads can reach registry
+ {
+ "src": "tag:k8s",
+ "accept": ["tag:registry:443"],
+ },
 ],
 }
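Review bot: The comment above the new `tag:k8s` → `tag:registry` rule promises workload-level "push/pull" control that the rule cannot deliver: a tailnet tag attaches to a node, so as far as I can tell every pod egressing through a `tag:k8s` node (not only Woodpecker CI) inherits this reachability, and the ACL decides only whether port 443 is reachable — whether a client may push rather than pull is enforced by the registry's own authentication, which this policy does not touch. I'd state that above the rule: `// node-level grant: any workload on a tag:k8s node can reach the registry on 443; push vs. pull is enforced by registry auth, not by this ACL`. The `tcp:443` restriction is the right shape; keep it that narrow rather than drifting toward the `"ip": ["*"]` of the preceding `tag:nas` rule. The enclosing acls array starts and ends outside the hunk.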
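Review bot: Listing `tag:blumeops` as an owner of `tag:k8s` means, under Tailscale's tag-owned-by-tag semantics, that any device carrying `tag:blumeops` can apply `tag:k8s` to nodes and thereby extend the registry grant added in the same commit to them; that matches the sibling entries, but it is a privilege hand-off worth a line of documentation since `tag:k8s` is now an access-granting tag rather than a label. The new key also sits next to `tag:k8s-api`, which I presume denotes the API-server endpoint, and nothing distinguishes the two for the next reader. I'd add above the new entry: `// tag:k8s = cluster nodes / workload egress (distinct from tag:k8s-api); owners can extend the registry grant by tagging nodes`. The tagOwners object begins outside the hunk.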
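Review bot: The new test asserts only the positive case, so a later widening of the `tag:k8s` rule (another port, another destination, or `"ip": ["*"]` as in the `tag:nas` rule above) would pass CI unnoticed; Tailscale ACL tests accept a `"deny"` list for exactly this. Assuming no other rule in the file grants `tag:k8s` anything else, I'd pin the boundary alongside the accept: `"deny": ["tag:registry:22", "tag:nas:445"]`, which fails the policy test if the grant ever grows beyond 443 on the registry. The comment could also say what is being guarded: `// K8s workloads can reach the registry on 443 only`. The enclosing tests array begins outside the hunk.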