diff --git a/tenants/demo/00-namespace-quota-netpol.yaml b/tenants/demo/00-namespace-quota-netpol.yaml
index 1ba8194..eb31abe 100644
--- a/tenants/demo/00-namespace-quota-netpol.yaml
+++ b/tenants/demo/00-namespace-quota-netpol.yaml
@@ -52,4 +52,12 @@ spec:
 matchLabels:
 kubernetes.io/metadata.name: kube-system
 egress:
- - {}
+ - to: # intra-namespace (postgres, keycloak)
+ - podSelector: {}
+ - to: # DNS (CoreDNS em kube-system)
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - { protocol: UDP, port: 53 }
+ - { protocol: TCP, port: 53 }
diff --git a/tenants/piloto/00-namespace-quota-netpol.yaml b/tenants/piloto/00-namespace-quota-netpol.yaml
index f23431f..ad90c1c 100644
--- a/tenants/piloto/00-namespace-quota-netpol.yaml
+++ b/tenants/piloto/00-namespace-quota-netpol.yaml
@@ -56,4 +56,12 @@ spec:
 matchLabels:
 kubernetes.io/metadata.name: kube-system # Traefik (ingress)
 egress:
- - {} # egress liberado (DNS, Postgres, internet)
+ - to: # intra-namespace (postgres, keycloak)
+ - podSelector: {}
+ - to: # DNS (CoreDNS em kube-system)
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - { protocol: UDP, port: 53 }
+ - { protocol: TCP, port: 53 }
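Review bot: The DNS egress rule in the demo hunk selects the whole `kube-system` namespace, so port 53 is allowed to every pod there, although the comment says the target is CoreDNS only. Narrow it by adding a pod selector to the same `to` entry as the `namespaceSelector` (same list item, no extra dash, so the two are ANDed): `podSelector:` / `matchLabels:` / `k8s-app: kube-dns`. Confirm that label against the CoreDNS pods in this cluster before relying on it. The piloto hunk carries the identical rule and needs the same change. The rest of the NetworkPolicy, including `policyTypes`, lies outside both hunks, so it is worth checking that `Egress` is listed there.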
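Review bot: The piloto hunk drops the comment that recorded internet egress as an intended use (`# egress liberado (DNS, Postgres, internet)`), and nothing in the new rules says that external traffic is now denied on purpose. Any workload in the namespace that reaches outside it (external identity providers or SMTP for Keycloak, the Kubernetes API, image or package mirrors; none of these is visible here) will fail with timeouts rather than a clear error. Add a comment above `egress:` such as `# default-deny for external egress; add an explicit ipBlock rule per destination if needed`. Traffic to Postgres is covered only if it runs inside the tenant namespace, as the new inline comment implies.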