diff --git a/proxy/squid.conf b/proxy/squid.conf
index cac6ff8..55fba0d 100644
--- a/proxy/squid.conf
+++ b/proxy/squid.conf
@@ -18,10 +18,15 @@ coredump_dir /var/cache/squid
 # ─── ACL Definitions ──────────────────────────────────────────────────────────
 acl SSL_ports port 443
+acl SSL_ports port 6443 # Kubernetes API server
 acl Safe_ports port 80
 acl Safe_ports port 443
+acl Safe_ports port 6443 # Kubernetes API server
 acl CONNECT method CONNECT
+# Kubernetes API server — allow CONNECT tunnels to any cluster endpoint on :6443
+acl kubectl_api port 6443
+
 # ─── Egress allowlist ─────────────────────────────────────────────────────────
 # Add domains here as needed. Leading dot matches all subdomains.
 acl allowed_sites dstdomain api.anthropic.com
@@ -43,6 +48,9 @@ http_access deny CONNECT !SSL_ports
 # Allow HTTPS tunnels only to allowlisted destinations
 http_access allow CONNECT allowed_sites
+# Allow kubectl to reach any Kubernetes API server on the standard port
+http_access allow CONNECT kubectl_api
+
 # Allow plain HTTP only to allowlisted destinations
 http_access allow allowed_sites
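Review bot: `acl kubectl_api port 6443` matches on destination port alone, so the `http_access allow CONNECT kubectl_api` rule added in the second hunk permits a tunnel to any host listening on 6443 and takes that port out from under the `allowed_sites` egress allowlist. Pair the port ACL with a destination ACL for the clusters actually in use, e.g. `acl k8s_api_hosts dstdomain <CLUSTER_API_HOSTNAME>` (or a `dst` ACL if the API servers are addressed by IP), and require both in the rule: `http_access allow CONNECT kubectl_api k8s_api_hosts`. The comment should then name which clusters are permitted rather than "any cluster endpoint".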
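Review bot: Nothing in `http_access allow CONNECT kubectl_api` identifies kubectl or the machines that run it, so the tunnel is open to every client and process that can use this proxy, unless rules outside this hunk already restrict clients. If only some hosts need cluster access, add a source condition such as `acl k8s_clients src <ADMIN_SUBNET>` and write the rule as `http_access allow CONNECT kubectl_api k8s_clients`. The comment above the rule should describe what is matched (port and client range) rather than the tool.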