diff --git a/pkg/component/worker/nllb/envoy.go b/pkg/component/worker/nllb/envoy.go
index 8e3d3d382bc2..b70d258f9466 100644
--- a/pkg/component/worker/nllb/envoy.go
+++ b/pkg/component/worker/nllb/envoy.go
@@ -264,6 +264,19 @@ func makePodManifest(params *envoyParams, podParams *envoyPodParams) corev1.Pod
 },
 Spec: corev1.PodSpec{
 HostNetwork: true,
+ // The Envoy Pod is the worker's load-balanced path to the control
+ // plane, so it must outlive ordinary workloads during graceful node
+ // shutdown and be protected from node-pressure eviction.
+ //
+ // PriorityClassName satisfies the kube-apiserver Priority admission
+ // controller, which validates the mirror Pod the kubelet registers
+ // for this static Pod. The numeric Priority is also set so the local
+ // kubelet (which does not resolve PriorityClassName for static Pods)
+ // uses it for shutdown/eviction ordering. The two must agree:
+ // admission computes the integer from the class name and rejects the
+ // mirror Pod if an explicit, mismatched Priority is provided.
+ PriorityClassName: "system-node-critical",
+ Priority: ptr.To(int32(2000001000)),
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.To(true),
 },
diff --git a/pkg/component/worker/nllb/traefik.go b/pkg/component/worker/nllb/traefik.go
index 35d913287a2d..bfc0c751a276 100644
--- a/pkg/component/worker/nllb/traefik.go
+++ b/pkg/component/worker/nllb/traefik.go
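Review bot: The class name "system-node-critical" and the integer 2000001000 are written out by hand in this hunk and again, verbatim, in the makeTraefikPodManifest hunk of traefik.go, even though the comment itself stresses that the two values must agree and that admission rejects the mirror Pod on a mismatch; a typo in either copy would presumably only surface at runtime as a rejected mirror Pod rather than at compile time. Declare the pair once at package level in nllb, e.g. `const systemNodeCriticalClass = "system-node-critical"` and `const systemNodeCriticalPriority int32 = 2000001000`, move the eleven-line explanatory comment onto that declaration, and have both Pod specs use `PriorityClassName: systemNodeCriticalClass,` / `Priority: ptr.To(systemNodeCriticalPriority),`. If the package already has manifest tests, an assertion that both Pod specs carry the same class name and priority would pin the agreement the comment relies on. makePodManifest and makeTraefikPodManifest both begin and end outside their hunks.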
@@ -236,6 +236,19 @@ func makeTraefikPodManifest(podParams *traefikPodParams, installConfig *traefikI
 },
 Spec: corev1.PodSpec{
 HostNetwork: true,
+ // The Traefik Pod is the worker's load-balanced path to the control
+ // plane, so it must outlive ordinary workloads during graceful node
+ // shutdown and be protected from node-pressure eviction.
+ //
+ // PriorityClassName satisfies the kube-apiserver Priority admission
+ // controller, which validates the mirror Pod the kubelet registers
+ // for this static Pod. The numeric Priority is also set so the local
+ // kubelet (which does not resolve PriorityClassName for static Pods)
+ // uses it for shutdown/eviction ordering. The two must agree:
+ // admission computes the integer from the class name and rejects the
+ // mirror Pod if an explicit, mismatched Priority is provided.
+ PriorityClassName: "system-node-critical",
+ Priority: ptr.To(int32(2000001000)),
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.To(true),
 // https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/