diff --git a/build/config/kernel-container.fragment b/build/config/kernel-container.fragment
index 9a03999..a8bfde0 100644
--- a/build/config/kernel-container.fragment
+++ b/build/config/kernel-container.fragment
@@ -62,9 +62,9 @@ CONFIG_NF_TABLES_IPV6=y
 CONFIG_NF_TABLES_INET=y
 CONFIG_NF_TABLES_NETDEV=y
-# nftables expression modules used by KubeSolo's masquerade ruleset and
-# kube-proxy's nft-compat path. Listed in modules.list / modules-arm64.list
-# so init loads them at boot.
+# nftables expression modules used by KubeSolo's masquerade ruleset, the
+# kube-proxy nft backend (Kubernetes 1.34+), and the xtables compat path.
+# Listed in modules.list / modules-arm64.list so init loads them at boot.
 CONFIG_NFT_NAT=m
 CONFIG_NFT_MASQ=m
 CONFIG_NFT_CT=m
@@ -75,6 +75,18 @@ CONFIG_NFT_COMPAT=m
 CONFIG_NFT_FIB=m
 CONFIG_NFT_FIB_IPV4=m
 CONFIG_NFT_FIB_IPV6=m
+# numgen drives kube-proxy's random / round-robin endpoint LB:
+# `numgen random mod N vmap { ... }` in service rules.
+# Without it kube-proxy's nft sync fails with ENOENT on every service.
+CONFIG_NFT_NUMGEN=m
+# hash drives consistent-hash LB (sessionAffinity=ClientIP, etc.).
+CONFIG_NFT_HASH=m
+# objref / limit / log are used by various policy expressions kube-proxy and
+# CNI plugins emit. Including them pre-empts a future "could not process
+# rule" debug loop.
+CONFIG_NFT_OBJREF=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_LOG=m
 # IPv4 NAT bits NFT_MASQ depends on. Auto-selected on most kernels but we
 # pin them explicitly so olddefconfig doesn't strip them when the fragment
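Review bot: The five new expressions are built `=m` and the header comment relies on modules.list / modules-arm64.list to load them at boot, but this diff does not touch those lists, so unless they are updated in the same change the modules only load if something in the image can still run modprobe when kube-proxy first references them — which is exactly the ENOENT the numgen comment warns about. Either add the entries to both lists in this commit or build them `=y` (e.g. `CONFIG_NFT_NUMGEN=y`), which makes the boot-time guarantee unconditional and removes the runtime modprobe dependency. Separately, `CONFIG_NFT_LOG=m` only provides the `log` expression; on recent kernels the logger backend is `CONFIG_NF_LOG_SYSLOG` (older kernels: NF_LOG_IPV4/IPV6) and without it a `log` statement fails at rule load, so pin it here the same way the fragment already pins the NF_NAT bits for NFT_MASQ. It is also worth confirming that `CONFIG_NFT_REJECT` / `CONFIG_NFT_REJECT_INET` are set elsewhere in the fragment (not visible in this hunk), since the kube-proxy nftables backend emits `reject` rules for services with no ready endpoints and those would hit the same failure.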