diff --git a/build/config/modules-arm64.list b/build/config/modules-arm64.list
index cc280e2..92ae51f 100644
--- a/build/config/modules-arm64.list
+++ b/build/config/modules-arm64.list
@@ -56,6 +56,15 @@ nft_fib
 nft_fib_ipv4
 nft_fib_ipv6
 
+# nft expressions used by the Kubernetes 1.34+ nftables kube-proxy backend.
+# Loading these at boot (stage 30) is mandatory because stage 85 sets
+# kernel.modules_disabled=1, which would otherwise block kube-proxy from
+# auto-loading them on first rule install.
+nft_numgen     # numgen random/inc mod N vmap — Service endpoint LB
+nft_hash       # hash — consistent-hash LB for sessionAffinity=ClientIP
+nft_limit      # rate-limit expression
+nft_log        # log expression
+
 # Reject targets (used by kube-proxy iptables-restore rules)
 nf_reject_ipv4
 nf_reject_ipv6
diff --git a/build/config/modules.list b/build/config/modules.list
index 86a4608..983728b 100644
--- a/build/config/modules.list
+++ b/build/config/modules.list
@@ -54,6 +54,13 @@ nft_fib
 nft_fib_ipv4
 nft_fib_ipv6
 
+# nft expressions used by the Kubernetes 1.34+ nftables kube-proxy backend.
+# Must be loaded at stage 30 because stage 85 sets modules_disabled=1.
+nft_numgen     # numgen random/inc mod N vmap — Service endpoint LB
+nft_hash       # hash — consistent-hash LB for sessionAffinity=ClientIP
+nft_limit      # rate-limit expression
+nft_log        # log expression
+
 # Reject targets (used by kube-proxy iptables-restore rules)
 nf_reject_ipv4
 nf_reject_ipv6