diff --git a/docs/k8s-migration.md b/docs/k8s-migration.md index bf0bdb8..c448a3d 100644 --- a/docs/k8s-migration.md +++ b/docs/k8s-migration.md @@ -84,23 +84,30 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics - `pulumi/policy.hujson` **Changes:** -Add new tags and ACL rules: -```hujson -// In tagOwners section -"tag:registry": ["autogroup:admin"], -"tag:k8s": ["autogroup:admin"], -// In acls section - add registry access +1. Add new tags to `tagOwners` section (around line 104, after `"tag:feed"`): +```hujson +"tag:registry": ["autogroup:admin", "tag:blumeops"], +"tag:k8s": ["autogroup:admin", "tag:blumeops"], +``` + +2. Add registry grant to `grants` section (around line 48, after the `tag:pg` grant): +```hujson { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["tag:registry:443"], + "src": ["autogroup:member"], + "dst": ["tag:registry"], + "ip": ["tcp:443"], }, ``` +3. Add test case to `tests` section (update Erich's accept list around line 111): +```hujson +"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"], +``` + **Testing:** ```bash -mise run tailnet-preview # Review changes +mise run tailnet-preview # Review changes - should show new tags and grants mise run tailnet-up # Apply changes ```
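Review bot: the new `tagOwners` entries add `tag:blumeops` as an owner of `tag:registry` and `tag:k8s`, so any node already tagged `tag:blumeops` can apply those tags to other nodes; the block being replaced allowed only `autogroup:admin`, so the doc should state why the wider ownership is needed or drop the extra owner. In step 2, the grant gives every `autogroup:member` `tcp:443` to `tag:registry`; if registry writes are meant to come only from specific users or automation, narrow `src` rather than relying on the registry's own auth. Step 3 only extends Erich's `accept` list; adding a matching `deny` case in the `tests` section (for a source that should not reach `tag:registry:443`) would let `mise run tailnet-preview` flag an over-broad grant instead of only confirming the intended path.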