diff --git a/deploy/helm/coderag/Chart.yaml b/deploy/helm/coderag/Chart.yaml
index 428dacc..4205e90 100644
--- a/deploy/helm/coderag/Chart.yaml
+++ b/deploy/helm/coderag/Chart.yaml
@@ -7,7 +7,7 @@ description: >-
 type: application
 # Chart version — bump on every chart change (independent of the app version).
-version: 0.1.0
+version: 0.1.1
 # Version of CodeRAG this chart deploys by default. No versioned container images
 # are published yet, so the default image tag is the rolling `:beta` channel; pin
diff --git a/deploy/helm/coderag/templates/_helpers.tpl b/deploy/helm/coderag/templates/_helpers.tpl
index 209e8ba..4774aab 100644
--- a/deploy/helm/coderag/templates/_helpers.tpl
+++ b/deploy/helm/coderag/templates/_helpers.tpl
@@ -154,6 +154,8 @@ mode = "clone" (init container) | "sync" (sidecar loop).
 imagePullPolicy: {{ $ctx.Values.image.pullPolicy }}
 securityContext:
 {{- toYaml $ctx.Values.securityContext | nindent 4 }}
+ resources:
+ {{- toYaml $ws.git.resources | nindent 4 }}
 env:
 - name: HOME
 value: /tmp
@@ -203,6 +205,25 @@ mode = "clone" (init container) | "sync" (sidecar loop).
 git -C "$DEST" pull --ff-only -- || echo "[git-sync] pull failed (continuing)"
 done
 {{- end }}
+ {{- if eq .mode "sync" }}
+ # Lightweight liveness/readiness for the long-running sync sidecar: it is healthy
+ # once the workspace has been cloned (the clone init container guarantees this
+ # before the sidecar starts). These also satisfy admission policies that require a
+ # probe on every container (e.g. Kyverno require-probes). The short-lived "clone"
+ # init container takes no probes.
+ livenessProbe:
+ exec:
+ command: ["/bin/sh", "-c", "test -d \"$DEST/.git\""]
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 5
+ readinessProbe:
+ exec:
+ command: ["/bin/sh", "-c", "test -d \"$DEST/.git\""]
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ timeoutSeconds: 5
+ {{- end }}
 volumeMounts:
 - name: workspace
 mountPath: {{ $ws.mountPath }}
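Review bot: Both probe commands in the second `_helpers.tpl` hunk expand `$DEST` in a fresh shell, and an exec probe sees only the container's declared environment, not variables assigned inside the sync script. The `env:` entries visible in this diff show only `HOME` (the list may continue outside the hunk), so if `DEST` is set in the script body, the check becomes `test -d "/.git"`, fails every time, and the kubelet restarts the sidecar in a loop while the pod stays unready. Rendering the path at template time avoids the dependency, e.g. `command: ["/bin/sh", "-c", "test -d \"{{ $ws.mountPath }}/.git\""]` if `DEST` is the mount path, or declare `DEST` in `env:`. Separately, the pull loop logs failures and continues, so an existing `.git` directory satisfies the admission policy without detecting a stale workspace; the comment above the probes should state that limit.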
diff --git a/deploy/helm/coderag/values.yaml b/deploy/helm/coderag/values.yaml
index 0c65a96..bd68e18 100644
--- a/deploy/helm/coderag/values.yaml
+++ b/deploy/helm/coderag/values.yaml
@@ -50,6 +50,16 @@ workspace:
 # Digest-pinned for supply-chain integrity (re-resolve with
 # `docker buildx imagetools inspect alpine/git:2.45.2`).
 image: alpine/git:2.45.2@sha256:16ad8e788e1d3b0c30f18da8dde5c0ace3b187445a62d8af893b003ca1e70592
+ # -- Resource requests/limits for the git clone init container and the sync
+ # sidecar. Set by default so the sidecar satisfies clusters that mandate
+ # resources on every container (e.g. Kyverno require-resources / LimitRange).
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 64Mi
 # -- Optional: keep the workspace fresh with a sidecar that `git pull`s on an interval.
 sync:
 enabled: false
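Review bot: The 64Mi memory limit also caps the clone init container, because the helper renders `$ws.git.resources` for both modes, and cloning a larger repository could plausibly exceed it and be OOM-killed before the pod ever starts. The comment should say so, for example `# Limits also cap the initial clone; raise memory for large repositories.` If the two containers need different sizing, a separate key for the sync sidecar would keep the tight limit where it is safe. Releases upgraded with `--reuse-values` may not pick up this new default, in which case the rendered `resources:` block would be empty and the admission policy still unmet; a line in the upgrade notes would cover that.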