diff --git a/k8s/overlays/on-premise/kustomization.yaml b/k8s/overlays/on-premise/kustomization.yaml
index f0e5a46..b526219 100644
--- a/k8s/overlays/on-premise/kustomization.yaml
+++ b/k8s/overlays/on-premise/kustomization.yaml
@@ -19,10 +19,15 @@ resources:
   - ../../base
   - ingress.yaml
 
-# NOTE: mysql-pv.yaml and mysql-pvc-patch.yaml are only needed on clusters
-# without a default StorageClass. This cluster uses 'local-path' (dynamic
-# provisioner), so the base PVC works as-is and must NOT be patched after
-# it is already bound.
+patches:
+  # This patch explicitly sets storageClassName: local-path to match the live
+  # PVC in the cluster. Without it, the base PVC (no storageClassName = nil)
+  # diffs against the existing "local-path" value and kubectl apply tries to
+  # mutate a bound PVC, which Kubernetes forbids.
+  - path: mysql-pvc-patch.yaml
+    target:
+      kind: PersistentVolumeClaim
+      name: mysql-data-pvc
 
 images:
   - name: scrum-frontend
diff --git a/k8s/overlays/on-premise/mysql-pvc-patch.yaml b/k8s/overlays/on-premise/mysql-pvc-patch.yaml
index 592d580..498a650 100644
--- a/k8s/overlays/on-premise/mysql-pvc-patch.yaml
+++ b/k8s/overlays/on-premise/mysql-pvc-patch.yaml
@@ -3,8 +3,10 @@ kind: PersistentVolumeClaim
 metadata:
   name: mysql-data-pvc
 spec:
-  storageClassName: manual
-  volumeName: mysql-pv
+  # Must explicitly match the storageClassName already on the live PVC.
+  # Without this, kubectl apply diffs nil (base has no field) vs "local-path"
+  # (cluster) and tries to mutate a bound PVC — which Kubernetes forbids.
+  storageClassName: local-path
   accessModes:
     - ReadWriteOnce
   resources: