diff --git a/apps/monitoring/noc-monitoring.yaml b/apps/monitoring/noc-monitoring.yaml
index 972d2cf..0d578d4 100644
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -3833,6 +3833,33 @@ spec:
 ports:
 - port: 80
 protocol: TCP
+ # FlowerCore.RemoteDesktop /metrics scrape via the fc-desktop
+ # ClusterIP Service (remotedesktop-web:8080). Also covers the
+ # Traefik VIP hairpin path since after kube-proxy DNAT, the egress
+ # destination is the backend pod IP on the service port (see
+ # feedback_netpol_dnat_backend_port).
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-desktop
+ ports:
+ - port: 8080
+ protocol: TCP
+ # Traefik backend ports — needed for in-cluster egress to public
+ # iamworkin.lan hostnames that CoreDNS wildcard resolves to the
+ # LoadBalancer VIP. Post-DNAT destination is a Traefik pod on 8080/8443.
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ ports:
+ - port: 8080
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
 # IRC (irc-notify → UnrealIRCd in irc namespace via K8s DNS)
 - to:
 - namespaceSelector:
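Review bot: The new fc-desktop egress rule selects the whole namespace, so the selected pods can reach every pod in fc-desktop on TCP 8080, although the comment describes a single scrape target (remotedesktop-web). Adding a `podSelector` to the same `to` entry, as the Traefik rule below it does, would limit the grant to that workload, e.g. `podSelector: {matchLabels: {<label-key>: <remotedesktop-label>}}` (placeholder labels, since the Service selector is not shown here). The Traefik rule is also wider than its comment suggests: once 8080/8443 on the Traefik pods is allowed, every hostname Traefik routes becomes reachable from these pods, because NetworkPolicy cannot filter on the Host header. The comment should state that scope, or the targets should be reached through per-namespace ClusterIP rules instead. The phrase "on the service port" is worth tightening too, since post-DNAT matching presumably uses the pod's targetPort, which equals 8080 only if the Service maps it that way. The policy's own podSelector and the start of the egress list lie outside the hunk, so which pods receive these grants cannot be confirmed from here.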