diff --git a/Jenkinsfile b/Jenkinsfile
index 52e3bb8..0dcf68f 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -114,8 +114,22 @@ pipeline {
             steps {
                 withKubeConfig([credentialsId: "${K8S_CRED_ID}"]) {
                     sh """
-                        # MetalLB is already installed on this cluster (metallb-speaker-*
-                        # and metallb-controller-* pods). Just apply the IP pool config.
+                        # MetalLB is already installed on this cluster.
+                        # Wait for the controller to be ready — the webhook runs inside it.
+                        kubectl rollout status deployment/controller -n metallb-system --timeout=120s
+
+                        # If the webhook service has no ready endpoints (e.g. stale ClusterIP
+                        # from a previously applied metallb-native.yaml whose pods were removed),
+                        # delete the broken ValidatingWebhookConfiguration so the apply can
+                        # proceed without being blocked by an unreachable webhook.
+                        READY_ADDRS=\$(kubectl get endpoints metallb-webhook-service \\
+                            -n metallb-system \\
+                            -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null || echo "")
+                        if [ -z "\$READY_ADDRS" ]; then
+                            echo "WARNING: metallb-webhook-service has no ready endpoints — removing stale webhook config."
+                            kubectl delete validatingwebhookconfiguration metallb-webhook-configuration 2>/dev/null || true
+                        fi
+
                         kubectl apply -f k8s/overlays/on-premise/metallb/
 
                         echo "MetalLB pod state:"