diff --git a/stacks/fire-planner/main.tf b/stacks/fire-planner/main.tf
index fa056e9f..cdc895a0 100644
--- a/stacks/fire-planner/main.tf
+++ b/stacks/fire-planner/main.tf
@@ -33,6 +33,8 @@ resource "kubernetes_namespace" "fire_planner" {
 # for headless verification (NetworkPolicy in chrome-service ns admits
 # any namespace carrying this label).
 "chrome-service.viktorbarzin.me/client" = "true"
+ # Opt into Keel auto-update (inject-keel-annotations ClusterPolicy).
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -311,7 +313,12 @@ resource "kubernetes_deployment" "fire_planner" {
 }
 lifecycle {
- ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 depends_on = [
diff --git a/stacks/job-hunter/main.tf b/stacks/job-hunter/main.tf
index 46f208ff..679a4d16 100644
--- a/stacks/job-hunter/main.tf
+++ b/stacks/job-hunter/main.tf
@@ -21,6 +21,8 @@ resource "kubernetes_namespace" "job_hunter" {
 labels = {
 tier = local.tiers.aux
 "istio-injection" = "disabled"
+ # Opt into Keel auto-update (inject-keel-annotations ClusterPolicy).
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -264,7 +266,12 @@ resource "kubernetes_deployment" "job_hunter" {
 }
 lifecycle {
- ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 depends_on = [
diff --git a/stacks/payslip-ingest/main.tf b/stacks/payslip-ingest/main.tf
index 5782092f..dc3c5af2 100644
--- a/stacks/payslip-ingest/main.tf
+++ b/stacks/payslip-ingest/main.tf
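Review bot: The `"keel.sh/enrolled" = "true"` label added in the first fire-planner hunk (and identically in the namespace hunks for job-hunter, payslip-ingest and recruiter-responder) hands image rollout to Keel, but the new side gives no indication of which update policy or image source that implies. The `keel.sh/policy`, `keel.sh/trigger` and `keel.sh/pollSchedule` values come from the inject-keel-annotations ClusterPolicy, which is not part of this diff, so it cannot be checked here whether a re-pushed mutable tag would be deployed without review. I would widen the comment to `# Opt into Keel auto-update (inject-keel-annotations ClusterPolicy sets policy/trigger/pollSchedule); new images roll out without a Terraform change.` and confirm that enrolled namespaces are covered by digest pinning or image-signature verification at admission. The namespace resource block starts and ends outside the hunk.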
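Review bot: The widened `ignore_changes` list in the second fire-planner hunk (same change in the deployment hunks for job-hunter, payslip-ingest and recruiter-responder) stops Terraform from reporting drift on the three `keel.sh/*` annotations, so an edit to the update policy by anyone able to patch the Deployment will no longer show up in a plan; those annotations decide what gets deployed, so their ownership and audit trail should be stated next to the list. The list does not include the container image, so if the injected policy bumps the tag rather than re-pulling the same one, the next apply would presumably revert Keel's update; whether the image is pinned in Terraform is not visible in the hunk. The `# KYVERNO_LIFECYCLE_V2` marker also sits only on the `pollSchedule` entry, leaving `policy` and `trigger` unmarked; a comment line above the three entries, e.g. `# KYVERNO_LIFECYCLE_V2: keel.sh/* annotations are injected by inject-keel-annotations`, would cover all of them. The deployment resource block starts outside the hunk.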
@@ -23,6 +23,8 @@ resource "kubernetes_namespace" "payslip_ingest" {
 labels = {
 tier = local.tiers.aux
 "istio-injection" = "disabled"
+ # Opt into Keel auto-update (inject-keel-annotations ClusterPolicy).
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -296,7 +298,12 @@ resource "kubernetes_deployment" "payslip_ingest" {
 }
 lifecycle {
- ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 depends_on = [
diff --git a/stacks/recruiter-responder/main.tf b/stacks/recruiter-responder/main.tf
index f7aafd51..482ae15f 100644
--- a/stacks/recruiter-responder/main.tf
+++ b/stacks/recruiter-responder/main.tf
@@ -25,6 +25,8 @@ resource "kubernetes_namespace" "recruiter_responder" {
 labels = {
 tier = local.tiers.aux
 "istio-injection" = "disabled"
+ # Opt into Keel auto-update (inject-keel-annotations ClusterPolicy).
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -286,7 +288,12 @@ resource "kubernetes_deployment" "recruiter_responder" {
 }
 lifecycle {
- ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 depends_on = [