diff --git a/k8s/core/authentik/kustomization.yaml b/k8s/core/authentik/kustomization.yaml
index 1671ef9..2260306 100644
--- a/k8s/core/authentik/kustomization.yaml
+++ b/k8s/core/authentik/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - app.yaml
 - external-secrets.yaml
 - https-middleware.yaml
+ - outpost-selector-fix.yaml
 # - worker-restart.yaml
 helmCharts:
diff --git a/k8s/core/authentik/outpost-selector-fix.yaml b/k8s/core/authentik/outpost-selector-fix.yaml
new file mode 100644
index 0000000..e4d0deb
--- /dev/null
+++ b/k8s/core/authentik/outpost-selector-fix.yaml
@@ -0,0 +1,81 @@
+## Workaround for authentik bug: embedded outpost controller creates
+## a Service with selectors that don't match the pod labels it sets.
+## Remove this after upgrading to a version with the fix.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: outpost-selector-fix
+ namespace: authentik
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: outpost-selector-fix
+ namespace: authentik
+rules:
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "patch"]
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: outpost-selector-fix
+ namespace: authentik
+subjects:
+ - kind: ServiceAccount
+ name: outpost-selector-fix
+ namespace: authentik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: outpost-selector-fix
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: outpost-selector-fix
+ namespace: authentik
+spec:
+ schedule: "*/5 * * * *"
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 3
+ concurrencyPolicy: Replace
+ jobTemplate:
+ spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ spec:
+ serviceAccountName: outpost-selector-fix
+ restartPolicy: OnFailure
+ containers:
+ - name: fix
+ image: bitnami/kubectl:latest
+ command:
+ - /bin/sh
+ - -c
+ - |
+ SVC="ak-outpost-authentik-embedded-outpost"
+ # check if endpoints are populated
+ ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+ if [ -n "$ADDRS" ]; then
+ echo "Endpoints OK ($ADDRS), nothing to fix"
+ exit 0
+ fi
+ echo "No endpoints for $SVC, patching selector..."
+ kubectl patch svc "$SVC" -n authentik --type=json -p '[
+ {"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
+ {"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
+ ]'
+ echo "Patched. Verifying..."
+ sleep 2
+ ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+ if [ -n "$ADDRS" ]; then
+ echo "Fix confirmed, endpoints: $ADDRS"
+ else
+ echo "WARNING: still no endpoints after patch"
+ exit 1
+ fi
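Review bot: The `fix` container runs `image: bitnami/kubectl:latest` under a ServiceAccount whose Role grants `patch` on every Service in the authentik namespace, so a mutable tag decides what code gets that write access every five minutes; pin the image to a version or digest, e.g. `image: bitnami/kubectl:<pinned-version>@sha256:<digest>`, and narrow the services rule with `resourceNames: ["ak-outpost-authentik-embedded-outpost"]` (valid for `get`/`patch`, the only verbs used). The script has no `set -e`, so a failed `kubectl patch` — for instance the `remove` op on a selector key an earlier run already removed, while the pods happen to be down — still logs `Patched. Verifying...` before the endpoint re-check exits 1; `set -eu` at the top of the script, or `|| exit 1` on the patch line, keeps the log truthful. The `2>/dev/null` on both `kubectl get endpoints` calls turns a missing Service or an RBAC denial into "no endpoints", which then triggers a patch attempt, so consider letting stderr through to the Job log. The container also declares no `resources` or `securityContext`, which a namespace admission policy may reject.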