diff --git a/k8s/awoooi-prod/02-network-policy.yaml b/k8s/awoooi-prod/02-network-policy.yaml
index a9924f3c..91fab952 100644
--- a/k8s/awoooi-prod/02-network-policy.yaml
+++ b/k8s/awoooi-prod/02-network-policy.yaml
@@ -179,13 +179,17 @@ spec:
 port: 443
 - to:
 - ipBlock:
- cidr: 192.168.0.120/32 # K3s Master 實際 API Server 端點
+ cidr: 192.168.0.120/32 # K3s Master 實際 API Server 端點 + ArgoCD NodePort
 ports:
 - protocol: TCP
 port: 6443
+ # ArgoCD MCP NodePort (2026-04-11): ClusterIP DNAT 跨 namespace 不穩定,改用 NodePort
+ - protocol: TCP
+ port: 30443
 # 允許訪問 ArgoCD MCP(MCP Phase 3,2026-04-11)
- # ArgoCD Server 在 argocd namespace,Pod 需要訪問其 HTTP/HTTPS API
+ # ArgoCD Server Pod 在 argocd namespace (10.42.0.252),但 DNS 解析到 ClusterIP (10.43.16.201)
+ # 必須同時允許 namespace+pod selector(Pod IP)和 ClusterIP
 - to:
 - namespaceSelector:
 matchLabels:
@@ -193,11 +197,11 @@ spec:
 podSelector:
 matchLabels:
 app.kubernetes.io/name: argocd-server
+ - ipBlock:
+ cidr: 10.43.16.201/32 # argocd-server ClusterIP
 ports:
 - protocol: TCP
- port: 80
- - protocol: TCP
- port: 443
+ port: 8080
 # 允許訪問 192.168.0.121 K3s Worker (mon1)
 # 2026-04-09 新增: NodePort 32334(API)/32335(Web) 在 121 上,host probe 需要
diff --git a/k8s/awoooi-prod/04-configmap.yaml b/k8s/awoooi-prod/04-configmap.yaml
index 22220310..dd8962e8 100644
--- a/k8s/awoooi-prod/04-configmap.yaml
+++ b/k8s/awoooi-prod/04-configmap.yaml
@@ -110,7 +110,7 @@ data:
 # MCP Phase 3 (2026-04-11 Claude Sonnet 4.6): ArgoCD + Sentry MCP 啟用
 # ARGOCD_API_TOKEN 在 Secrets 中配置
 ARGOCD_MCP_ENABLED: "true"
- ARGOCD_URL: "https://192.168.0.125:30443"
+ ARGOCD_URL: "https://192.168.0.120:30443"
 SENTRY_MCP_ENABLED: "true"
 # Prometheus server 在 110:9090 (非 188)
 PROMETHEUS_URL: "http://192.168.0.110:9090"
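Review bot: The new `port: 30443` entry shares the `ports:` list with 6443 under the `192.168.0.120/32` ipBlock, so this allow is keyed only on a node IP and a NodePort number with no namespace or pod selector; nothing in the policy ties 30443 to argocd-server, and whatever is later published on that NodePort of the master node is reachable through the same rule. The identical host:port is hard-coded as `ARGOCD_URL` in `k8s/awoooi-prod/04-configmap.yaml`, so the two files must be changed together and neither says so. I would record that next to the port: `port: 30443  # must match the argocd-server NodePort Service and ARGOCD_URL in 04-configmap.yaml`. The argocd egress rule introduced by the last `- to:` of this hunk continues into the next hunk.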
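Review bot: The single `ports:` list with `port: 8080` now applies to both peers of this rule, the namespace/pod selector and the new `10.43.16.201/32` ipBlock, because a NetworkPolicy rule's `ports` are shared by every `to` entry in it. If the argocd-server Service still maps 80/443 to container port 8080, as the removed `port: 80` / `port: 443` lines suggest (to be confirmed against the Service), a connection a pod dials to the ClusterIP on 443 matches neither peer when the plugin evaluates policy before DNAT, and after DNAT it is already covered by the selector peer, so the ipBlock entry is either dead or insufficient depending on the CNI. A hard-coded ClusterIP is also reassigned whenever the Service is recreated, which would silently break this rule. I would either drop the ipBlock and rely on the selector peer, or give the ClusterIP its own rule with the Service ports as sketched below; the rule's `- to:` and namespace label lines are in the previous hunk.
```yaml
    # … unchanged: namespaceSelector + podSelector peer for argocd-server …
    ports:
    - protocol: TCP
      port: 8080
  # ClusterIP path as its own rule: Service ports (what the pod dials), not the container port
  - to:
    - ipBlock:
        cidr: 10.43.16.201/32 # argocd-server ClusterIP
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
```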
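Review bot: `ARGOCD_URL` now names the master node IP and NodePort 30443 instead of the in-cluster Service, which is exactly the endpoint the egress ipBlock in `k8s/awoooi-prod/02-network-policy.yaml` opens, yet neither file records the coupling, and this one-line change shows the IP has already drifted once (`.125` to `.120`). I would add above the key: `# must match the 192.168.0.120/32 port 30443 egress rule in 02-network-policy.yaml`. Since the URL is `https://` to a bare IP, it is also worth stating in the same comment how the client validates the server certificate (IP SAN or a pinned CA) rather than leaving verification unconfigured; the page does not show that setting, so this is something to confirm.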