diff --git a/apps/base/forte-drop/forte-drop-pdb.yaml b/apps/base/forte-drop/forte-drop-pdb.yaml
new file mode 100644
index 0000000..85c07e3
--- /dev/null
+++ b/apps/base/forte-drop/forte-drop-pdb.yaml
@@ -0,0 +1,24 @@
+# Keep at least 1 web pod up during voluntary disruptions (node drain, upgrade).
+# Pairs with replicaCount: 2 so a drain can evict one pod while the other serves.
+#
+# Selector verified against live forteapp-chart deployments (mcp10x, argocd-mcp):
+# the chart's pod selector is {app.kubernetes.io/instance, app.kubernetes.io/name,
+# component: app} where instance/name == the ArgoCD Application (Helm release) name.
+# Using all three labels also disambiguates the web pods from the forte-drop-mcp
+# deployment that shares the forte-drop namespace (its instance/name == forte-drop-mcp).
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: forte-drop-web
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: forte-drop
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: forte-drop
+      app.kubernetes.io/name: forte-drop
+      component: app
diff --git a/apps/base/forte-drop/kustomization.yaml b/apps/base/forte-drop/kustomization.yaml
index feda2e9..99bffbb 100644
--- a/apps/base/forte-drop/kustomization.yaml
+++ b/apps/base/forte-drop/kustomization.yaml
@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
 - forte-drop.yaml
 - keycloak-client-forte-drop.yaml
+- forte-drop-pdb.yaml
 # - forte-drop-secrets-sealed.yaml          # added in follow-up commit
 # - auth-oidc-sealed.yaml                   # added in follow-up commit (after Keycloak registrar creates client_secret)