diff --git a/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml b/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml
index c3f5a820..093ffcd5 100644
--- a/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml
+++ b/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml
@@ -64,7 +64,7 @@ spec:
 protocol: UDP
 - port: 53
 protocol: TCP
- # Redis (Sentinel — external/cross-namespace IPs)
+ # Redis (master + Sentinel — cross-namespace IPs)
 {{- range .Values.networkPolicy.redisCIDRs }}
 - to:
 - ipBlock:
@@ -72,6 +72,8 @@ spec:
 ports:
 - port: {{ $.Values.networkPolicy.redisPort | default 6379 }}
 protocol: TCP
+ - port: {{ $.Values.networkPolicy.redisSentinelPort | default 26379 }}
+ protocol: TCP
 {{- end }}
 # External HTTPS (EveryRow API, Supabase, Google Sheets)
 - to:
diff --git a/everyrow-mcp/deploy/chart/values.yaml b/everyrow-mcp/deploy/chart/values.yaml
index 195329eb..56c6b711 100644
--- a/everyrow-mcp/deploy/chart/values.yaml
+++ b/everyrow-mcp/deploy/chart/values.yaml
@@ -52,6 +52,7 @@ networkPolicy:
 enabled: true
 gatewayNamespace: gke-managed-system
 redisPort: 6379
+ redisSentinelPort: 26379
 redisCIDRs:
 - 10.0.0.0/8 # TODO: narrow to actual Redis Sentinel IPs
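Review bot: The added `redisSentinelPort` rule in the second networkpolicy.yaml hunk sits inside the `range` over `.Values.networkPolicy.redisCIDRs`, so port 26379 is opened to every listed CIDR, and the chart default shown in the values.yaml hunk is still `10.0.0.0/8`. With that default the pod gains egress on a second port across the whole private range, which widens what a compromised workload can reach beyond the Redis master and Sentinel hosts. I would resolve the existing TODO by narrowing `redisCIDRs` to the actual Redis and Sentinel addresses, or at least document the coupling next to the new key, e.g. `# redisSentinelPort: egress is allowed to every redisCIDRs entry — keep that list tight`. The egress rule list this hunk edits begins and ends outside the hunk, so any broader rule elsewhere in the template is not visible here.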