diff --git a/client/templates/mysql-deployment.yaml b/client/templates/mysql-deployment.yaml
index a7a660e..f0ec3a2 100644
--- a/client/templates/mysql-deployment.yaml
+++ b/client/templates/mysql-deployment.yaml
@@ -104,23 +104,30 @@ spec:
         # routinely needs >1s to even spawn, which kubelet reports as a probe
         # failure and kills the container. 5s is generous enough to survive
         # transient CPU pressure but still catch a real hang within ~25s.
+        #
+        # Probe over TCP (-h 127.0.0.1), NOT the unix socket (-h localhost):
+        # the mysql-client image writes its socket to /var/lib/mysql/mysql.sock,
+        # not the client default /var/run/mysqld/mysqld.sock, so a socket-based
+        # `mysqladmin ping` can't reach a perfectly healthy mysqld — the startup
+        # probe then exhausts and the kubelet kill-loops the DB. TCP is immune to
+        # where the image places the socket. Do not change back to `localhost`.
         startupProbe:
           exec:
-            command: ["mysqladmin", "ping", "-h", "localhost"]
+            command: ["mysqladmin", "ping", "-h", "127.0.0.1"]
           initialDelaySeconds: 10
           periodSeconds: 5
           timeoutSeconds: 5
           failureThreshold: 24
         livenessProbe:
           exec:
-            command: ["mysqladmin", "ping", "-h", "localhost"]
+            command: ["mysqladmin", "ping", "-h", "127.0.0.1"]
           initialDelaySeconds: 0
           periodSeconds: 10
           timeoutSeconds: 5
           failureThreshold: 5
         readinessProbe:
           exec:
-            command: ["mysqladmin", "ping", "-h", "localhost"]
+            command: ["mysqladmin", "ping", "-h", "127.0.0.1"]
           initialDelaySeconds: 0
           periodSeconds: 5
           timeoutSeconds: 3
diff --git a/client/tests/mysql_test.yaml b/client/tests/mysql_test.yaml
index ad6398d..eb5e29a 100644
--- a/client/tests/mysql_test.yaml
+++ b/client/tests/mysql_test.yaml
@@ -140,3 +140,41 @@ tests:
       - equal:
           path: spec.selector.app
           value: mysql-client
+
+  # --- Regression guards (backend#767): the kill-loop was a healthy mysqld
+  # killed by a probe pointed at the wrong socket. Lock the probe to TCP so a
+  # future edit (or an image socket-path change) can't reintroduce it. ---
+  - it: all three probes must use TCP (127.0.0.1), never the unix socket (-h localhost)
+    template: templates/mysql-deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].startupProbe.exec.command
+          content: "127.0.0.1"
+      - contains:
+          path: spec.template.spec.containers[0].livenessProbe.exec.command
+          content: "127.0.0.1"
+      - contains:
+          path: spec.template.spec.containers[0].readinessProbe.exec.command
+          content: "127.0.0.1"
+      - notContains:
+          path: spec.template.spec.containers[0].startupProbe.exec.command
+          content: "localhost"
+      - notContains:
+          path: spec.template.spec.containers[0].livenessProbe.exec.command
+          content: "localhost"
+      - notContains:
+          path: spec.template.spec.containers[0].readinessProbe.exec.command
+          content: "localhost"
+  - it: mysqld keeps its writable scratch mounts under readOnlyRootFilesystem (socket/pid dir + tmp)
+    template: templates/mysql-deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: mysql-run
+            mountPath: /var/run/mysqld
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: mysql-tmp
+            mountPath: /tmp