diff --git a/k8s/awoooi-prod/04-configmap.yaml b/k8s/awoooi-prod/04-configmap.yaml
index 3d08cc03..8c1a8ab1 100644
--- a/k8s/awoooi-prod/04-configmap.yaml
+++ b/k8s/awoooi-prod/04-configmap.yaml
@@ -91,3 +91,9 @@ data:
 SENTRY_PROJECT_API: "awoooi-api"
 SENTRY_PROJECT_WEB: "awoooi-web"
 # Note: SENTRY_DSN 在 Secrets 中配置 (含認證 token)
+
+ # 2026-04-06 Claude Code: Sprint 3 — ansible:// 白名單 (Security Fix A2)
+ ANSIBLE_PLAYBOOK_WHITELIST: "restart_docker_service.yml,vacuum_postgres.yml,clear_redis_cache.yml"
+ ANSIBLE_CONTROL_NODE_HOST: "192.168.0.188"
+ ANSIBLE_CONTROL_NODE_USER: "ollama"
+ ANSIBLE_PLAYBOOKS_PATH: "~/openclaw-v5/ansible/playbooks"
diff --git a/k8s/awoooi-prod/04-repair-known-hosts-template.yaml b/k8s/awoooi-prod/04-repair-known-hosts-template.yaml
new file mode 100644
index 00000000..ea76d042
--- /dev/null
+++ b/k8s/awoooi-prod/04-repair-known-hosts-template.yaml
@@ -0,0 +1,28 @@
+# k8s/awoooi-prod/04-repair-known-hosts-template.yaml
+# known_hosts Secret Template — 不含實際主機指紋 (需手動建立)
+# 2026-04-06 Claude Code: Sprint 3 Security Fix A1
+#
+# 建立方式:
+# ssh-keyscan -H 192.168.0.110 > /tmp/known_hosts
+# ssh-keyscan -H 192.168.0.188 >> /tmp/known_hosts
+# kubectl create secret generic awoooi-repair-known-hosts \
+# -n awoooi-prod \
+# --from-file=known_hosts=/tmp/known_hosts
+#
+# 驗證:
+# kubectl get secret awoooi-repair-known-hosts -n awoooi-prod
+#
+# 安全說明:
+# - known_hosts 存 K8s Secret,掛載至 /etc/repair-ssh/known_hosts
+# - SSH 命令使用 -o UserKnownHostsFile=/etc/repair-ssh/known_hosts
+# - 移除 -o StrictHostKeyChecking=no (安全漏洞)
+apiVersion: v1
+kind: Secret
+metadata:
+ name: awoooi-repair-known-hosts
+ namespace: awoooi-prod
+ annotations:
+ awoooi.io/secret-type: "ssh-known-hosts"
+ awoooi.io/created: "2026-04-06"
+type: Opaque
+# data: 不在版控中 — 使用上方 ssh-keyscan 指令建立
diff --git a/k8s/awoooi-prod/06-deployment-api.yaml b/k8s/awoooi-prod/06-deployment-api.yaml
index 8da3a315..581fd52b 100644
--- a/k8s/awoooi-prod/06-deployment-api.yaml
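Review bot: The whitelist entries in `ANSIBLE_PLAYBOOK_WHITELIST` are bare file names, but nothing here records how the consumer matches them, and a comma-separated string is easy to mis-parse (stray whitespace, case). The code that reads it (outside this diff, so I cannot confirm it) should split on `,`, trim, compare the requested name exactly, and reject any value containing a path separator or `..` before joining it with `ANSIBLE_PLAYBOOKS_PATH`. That path uses `~`, which is only expanded by the control node's login shell; if the API process joins the path locally before sending it over ssh it will not resolve, so a comment such as `# ~ 由控制節點的 shell 展開，API 程序不得自行展開` would save the next reader a debugging session. Note also that env vars populated from a ConfigMap are only re-read on pod restart, so editing the whitelist does not take effect on running pods.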
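Review bot: The `ssh-keyscan` procedure in the header comment pins whatever key answers at 192.168.0.110 and 192.168.0.188 at scan time, so the pin is only as trustworthy as the network the scan ran on; the procedure should include an out-of-band check, e.g. a line after the keyscan commands `#   ssh-keygen -lf /tmp/known_hosts   # 與主機上 ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub 的指紋比對`, before the Secret is created. Separately, this file is a complete `kind: Secret` manifest carrying the same `04-` prefix as the manifests that are applied; if the directory is ever applied with a glob it would create (or with `kubectl replace`, overwrite) `awoooi-repair-known-hosts` with no `known_hosts` key, and the deployment's subPath mount of that key would then fail to start — a `.template` suffix or an explicit `# 勿直接 kubectl apply 此檔` line would close that gap. Finally, the comment says `StrictHostKeyChecking=no` was removed; the ssh invocation (outside this diff) should set `-o StrictHostKeyChecking=yes` explicitly rather than rely on the default, so an unknown or changed key fails closed regardless of whether a tty is attached.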
+++ b/k8s/awoooi-prod/06-deployment-api.yaml
@@ -55,6 +55,11 @@ spec:
 - name: repair-ssh-key
 mountPath: /etc/repair-ssh
 readOnly: true
+ # 2026-04-06 Claude Code: Sprint 3 Security Fix A1 — known_hosts
+ - name: repair-known-hosts
+ mountPath: /etc/repair-ssh/known_hosts
+ subPath: known_hosts
+ readOnly: true
 resources:
 requests:
 cpu: "200m"
@@ -103,6 +108,10 @@ spec: secret: secretName: awoooi-repair-ssh-key defaultMode: 0400 # 八進位 0400 = 十進位 256 = r-------- (owner read-only) + # 2026-04-06 Claude Code: Sprint 3 Security Fix A1 + - name: repair-known-hosts + secret: + secretName: awoooi-repair-known-hosts --- apiVersion: v1
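Review bot: Mounting the known_hosts Secret with `subPath` means the container never sees later changes to `awoooi-repair-known-hosts` — Kubernetes does not propagate Secret updates into subPath mounts — so a host key rotation on the control node requires a pod restart before the new pin is in effect, and until then ssh fails closed against the rotated key. If that trade-off is intended, say so next to the mount: `# subPath 掛載不會收到 Secret 更新；輪換 host key 後需重啟 Pod`. The alternative is a directory mount at a separate path (for example `/etc/repair-known-hosts`) with `UserKnownHostsFile` pointing at the file inside it, which picks up rotations without a restart. `readOnly: true` is right; the enclosing container spec and its `volumeMounts` list start and end outside this hunk.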