diff --git a/sso-mfa/k8s/privacyidea/deployment.yaml b/sso-mfa/k8s/privacyidea/deployment.yaml
index a1505d4..7c110fd 100644
--- a/sso-mfa/k8s/privacyidea/deployment.yaml
+++ b/sso-mfa/k8s/privacyidea/deployment.yaml
@@ -70,6 +70,11 @@ spec:
           env:
             - name: PRIVACYIDEA_CONFIGFILE
               value: /etc/privacyidea/pi.cfg
+            # gpappsoft entrypoint passes these to gunicorn as the bind address/port.
+            - name: PI_ADDRESS
+              value: "0.0.0.0"
+            - name: PI_PORT
+              value: "8080"
           # Sensitive values from Secret (PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI)
           envFrom:
             - secretRef:
@@ -104,8 +109,9 @@ spec:
             periodSeconds: 15
             failureThreshold: 3
           readinessProbe:
-            httpGet:
-              path: /token/
+            # /token/ returns 401 for unauthenticated GET; use tcpSocket instead.
+            # Switch to httpGet /healthz or similar once confirmed in the image.
+            tcpSocket:
               port: 8080
             initialDelaySeconds: 0
             periodSeconds: 10