diff --git a/proxy/squid.conf b/proxy/squid.conf
index 0cf94da..4deb96d 100644
--- a/proxy/squid.conf
+++ b/proxy/squid.conf
@@ -24,20 +24,17 @@ acl Safe_ports port 443
 acl Safe_ports port 6443 # Kubernetes API server
 acl CONNECT method CONNECT
 
-# Kubernetes API server — allow CONNECT tunnels to any cluster endpoint on :6443
-acl kubectl_api port 6443
-
 # ─── Egress allowlist ─────────────────────────────────────────────────────────
 # Add domains here as needed. Leading dot matches all subdomains.
 acl allowed_sites dstdomain api.anthropic.com
 acl allowed_sites dstdomain statsig.anthropic.com
 acl allowed_sites dstdomain platform.claude.com
-acl allowed_sites dstdomain localhost
-acl allowed_sites dstdomain .local
 # MCP servers
 acl allowed_sites dstdomain api.github.com
 acl allowed_sites dstdomain .gitlab.com
 acl allowed_sites dstdomain .atlassian.net
+# Kubernetes API server — add your cluster's hostname here when using --kube
+# acl allowed_sites dstdomain k8s.example.com
 
 # ─── Access rules ─────────────────────────────────────────────────────────────
 # Block requests to non-standard ports
@@ -49,9 +46,6 @@ http_access deny CONNECT !SSL_ports
 
 # Allow HTTPS tunnels only to allowlisted destinations
 http_access allow CONNECT allowed_sites
 
-# Allow kubectl to reach any Kubernetes API server on the standard port
-http_access allow CONNECT kubectl_api
-
 # Allow plain HTTP only to allowlisted destinations
 http_access allow allowed_sites
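Review bot: The commented hint added at the end of the allowlist tells users to put the cluster hostname into the shared `allowed_sites` ACL, which the access rules apply to every permitted CONNECT port and to plain HTTP, so the API server host becomes reachable on more than :6443. A dedicated pair keeps the scope tight, for example `acl kube_api dstdomain k8s.example.com` together with `http_access allow CONNECT kube_api kube_port` (names constructed; `kube_port` would be a port ACL for 6443 like the `kubectl_api` one this commit removes). The comment should also say that `dstdomain` matches hostnames, so a kubeconfig whose server URL is an IP address will not match unless reverse DNS resolves it, and that case needs a `dst` ACL instead. Whether 6443 is listed in `SSL_ports` is not visible in these hunks; if it is not, `http_access deny CONNECT !SSL_ports` will reject the tunnel even after the hostname is added, which is worth stating next to the hint.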