diff --git a/k8s/bases/infrastructure/cluster-policies/kustomization.yaml b/k8s/bases/infrastructure/cluster-policies/kustomization.yaml
index 488ec818d..d69e420f9 100644
--- a/k8s/bases/infrastructure/cluster-policies/kustomization.yaml
+++ b/k8s/bases/infrastructure/cluster-policies/kustomization.yaml
@@ -95,7 +95,7 @@ patches:
 - op: replace
 path: /spec/rules/0/mutate/patchStrategicMerge/spec/template/spec/+(affinity)/+(podAntiAffinity)/+(preferredDuringSchedulingIgnoredDuringExecution)/0/podAffinityTerm/labelSelector/matchExpressions/0/values/0
 value: "{{request.object.spec.template.metadata.labels.\"app.kubernetes.io/name\"}}"
- # --- Topology spread: remove label gate, add StatefulSet, hostname key, ScheduleAnyway, exclude kube-system ---
+ # --- Topology spread: remove label gate, add StatefulSet, hostname key, DoNotSchedule, exclude kube-system ---
 - target:
 kind: ClusterPolicy
 name: spread-pods
@@ -125,7 +125,16 @@ patches:
 value: "kubernetes.io/hostname"
 - op: replace
 path: /spec/rules/0/mutate/patchStrategicMerge/spec/template/spec/+(topologySpreadConstraints)/0/whenUnsatisfiable
- value: "ScheduleAnyway"
+ value: "DoNotSchedule"
+ # Scope skew per ReplicaSet revision so rolling updates don't deadlock under
+ # DoNotSchedule (surge pods of the new revision would otherwise count against
+ # the old revision's skew). Requires k8s >=1.27 (GA in 1.34). For StatefulSets
+ # the pod-template-hash key is absent, so k8s ignores it and falls back to the
+ # labelSelector — fine, since StatefulSet updates roll one pod at a time.
+ - op: add
+ path: /spec/rules/0/mutate/patchStrategicMerge/spec/template/spec/+(topologySpreadConstraints)/0/matchLabelKeys
+ value:
+ - pod-template-hash
 - op: replace
 path: /spec/rules/0/mutate/patchStrategicMerge/spec/template/spec/+(topologySpreadConstraints)/0/labelSelector
 value:
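Review bot: The `matchLabelKeys` entry added at `.../+(topologySpreadConstraints)/0/matchLabelKeys` is the only thing that keeps the new `value: "DoNotSchedule"` a few lines above it from stalling Deployment rollouts, yet an API server that does not serve that field (feature gate off, or older than the version the comment cites) will, as far as I know, drop or prune it silently rather than reject the mutated template, so the strict constraint would land cluster-wide without its safety valve. Since this ClusterPolicy excludes only kube-system, I would confirm the field on the target cluster before merging and record that in the comment, e.g. `# Verify on the target cluster: kubectl explain pod.spec.topologySpreadConstraints.matchLabelKeys` and `# If the field is absent, keep whenUnsatisfiable: ScheduleAnyway`. I also believe the API rejects a key that appears in both `matchLabelKeys` and `labelSelector`; the `op: replace` on `.../0/labelSelector` at the end of the hunk supplies that selector, but its `value:` falls outside the hunk, so I cannot confirm `pod-template-hash` is absent from it. The enclosing `- target:` entry for the spread-pods ClusterPolicy begins outside this hunk.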