diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index 6f51790..e14c556 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -15,6 +15,11 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: gsc-shell-api
+        # KEYCLOAK_DISCOVERY_URL points at the in-cluster service, but the
+        # discovery doc returns jwks_uri = https://auth.gosec.cloud/...
+        # (the canonical issuer claim). JWKS fetch needs public egress.
+        # allow-web-proxy GlobalNetworkPolicy gates on this label.
+        egress-internet: "true"
     spec:
       containers:
         - name: api
@@ -26,6 +31,15 @@ spec:
           env:
             - name: PORT
               value: "8080"
+            # Route public-internet calls (notably JWKS at auth.gosec.cloud)
+            # through the in-cluster Squid proxy. Go's http.ProxyFromEnvironment
+            # picks these up automatically — no code change needed.
+            - name: HTTP_PROXY
+              value: "http://web-proxy.web-proxy.svc.cluster.local:3128"
+            - name: HTTPS_PROXY
+              value: "http://web-proxy.web-proxy.svc.cluster.local:3128"
+            - name: NO_PROXY
+              value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal"
             - name: KEYCLOAK_ISSUER
               value: "https://auth.gosec.cloud/realms/gosecCloud"
               # Discovery hits Keycloak via in-cluster service (pods can't reach
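Review bot: The `egress-internet: "true"` label is the single control that opens this pod to the outside, and the comment above it does not say what the policy it unlocks actually permits; a reader will reasonably assume it grants direct internet egress rather than only reachability of the proxy configured further down. I'd extend the last comment line to `# allow-web-proxy GlobalNetworkPolicy gates on this label — it should permit only the web-proxy service, not direct egress; confirm before reusing the label elsewhere.` The label selector match is inferred from the comment, since the policy itself is not in this diff. The template's `spec:` block continues outside the hunk.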
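Review bot: The NO_PROXY list covers suffixes (`.cluster.local`, `.svc`, `.gosec.internal`) but not cluster IP ranges, so any in-cluster call made by IP — the API server via KUBERNETES_SERVICE_HOST, or a service addressed by ClusterIP — would be sent to the Squid proxy instead of directly, which likely fails or at least leaks internal traffic through a box meant for public egress; Go's proxy matching accepts CIDR entries, so the value should also carry the service and pod CIDRs, e.g. `value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal,<SERVICE_CIDR>,<POD_CIDR>"` with the placeholders filled from the cluster. The same applies to the host form used in KEYCLOAK_DISCOVERY_URL: a bare service name like `keycloak` or `keycloak.<namespace>` matches none of these suffixes and would also be proxied, so the URL should use the `.svc` or `.svc.cluster.local` form or the bypass list should name it explicitly. A short comment documenting that the proxy is reached over plain HTTP while the JWKS fetch itself is a CONNECT tunnel with TLS verified by the app — so the proxy cannot alter the key set — would help the next reader judge the trust placed in web-proxy.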