diff --git a/build/config/kernel-container.fragment b/build/config/kernel-container.fragment
index 62830a1..9a03999 100644
--- a/build/config/kernel-container.fragment
+++ b/build/config/kernel-container.fragment
@@ -53,6 +53,34 @@ CONFIG_NF_TABLES=m
 CONFIG_VETH=m
 CONFIG_VXLAN=m
+# nftables address-family handlers. These are BOOL Kconfigs (not tristate)
+# so they have to be built into the kernel — there's no module to modprobe
+# at runtime. Without them, `nft add table ip ...` returns EOPNOTSUPP and
+# KubeSolo v1.1.4+'s pod-masquerade setup fails at boot.
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+
+# nftables expression modules used by KubeSolo's masquerade ruleset and
+# kube-proxy's nft-compat path. Listed in modules.list / modules-arm64.list
+# so init loads them at boot.
+CONFIG_NFT_NAT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_FIB=m
+CONFIG_NFT_FIB_IPV4=m
+CONFIG_NFT_FIB_IPV6=m
+
+# IPv4 NAT bits NFT_MASQ depends on. Auto-selected on most kernels but we
+# pin them explicitly so olddefconfig doesn't strip them when the fragment
+# is applied on top of a minimal defconfig.
+CONFIG_NF_NAT_MASQUERADE=y
+
 # Security: AppArmor + Audit
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y