diff --git a/cmd/k8s-operator/deploy/chart/templates/operator.yaml b/cmd/k8s-operator/deploy/chart/templates/operator.yaml
index c147e92d3..ccffa8dad 100644
--- a/cmd/k8s-operator/deploy/chart/templates/operator.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator.yaml
@@ -1,4 +1,2 @@
- - name: OPERATOR_DEFAULT_LOAD_BALANCER
- value: {{ .Values.defaultLoadBalancer | quote }}
- - name: PROXY_EPHEMERAL_KEYS
- value: {{ .Values.ephemeralKeys | quote }}
\ No newline at end of file
+- name: PROXY_EPHEMERAL_KEYS
+ value: {{ .Values.operatorConfig.ephemeralKeys | quote }}
\ No newline at end of file
diff --git a/cmd/k8s-operator/deploy/chart/values.yaml b/cmd/k8s-operator/deploy/chart/values.yaml
index e950410ae..11eb49c88 100644
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@@ -71,6 +71,12 @@ operatorConfig:
 # value: "value1"
 # - name: EXTRA_VAR2
 # value: "value2"
+
+ # If true, use ephemeral device authentication keys for all proxies by default.
+ # Ephemeral devices are automatically deleted from your tailnet when they
+ # disconnect, helping keep your tailnet clean.
+ # This can be overridden per proxy by setting spec.ephemeral in the ProxyClass.
+ ephemeralKeys: false
 # In the case that you already have a tailscale ingressclass in your cluster (or vcluster), you can disable the creation here
 ingressClass:
@@ -111,12 +117,3 @@ apiServerProxyConfig:
 mode: "false" # "true", "false", "noauth"
 imagePullSecrets: []
-
-# If true, the operator will consider LoadBalancer Services with no
-# loadBalancerClass field set as Tailscale Services.
-defaultLoadBalancer: false
-
-# If true, use ephemeral device authentication keys for all proxies.
-# Ephemeral devices are automatically deleted from your tailnet when they
-# disconnect, helping keep your tailnet clean.
-ephemeralKeys: false
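Review bot: Moving the chart value from top-level `ephemeralKeys` to `operatorConfig.ephemeralKeys` silently downgrades existing installs: a values file that still sets top-level `ephemeralKeys: true` now renders `PROXY_EPHEMERAL_KEYS` as "false", so proxies start registering as persistent devices whose node entries and keys linger in the tailnet after their pods are gone, and the second values.yaml hunk deletes the old key with no migration note. The template should refuse the stale key instead of ignoring it, e.g. `{{- if hasKey .Values "ephemeralKeys" }}{{ fail "ephemeralKeys has moved to operatorConfig.ephemeralKeys" }}{{- end }}` placed before the env entry, and the rename belongs in the chart's upgrade notes. The `OPERATOR_DEFAULT_LOAD_BALANCER` env var and the `defaultLoadBalancer` value are dropped in the same hunks, which looks unrelated to the ephemeral feature; if the operator binary still reads that variable, users who set `defaultLoadBalancer: true` lose the behaviour with no error.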
diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
index f89e38453..c689ed796 100644
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
@@ -58,6 +58,13 @@ spec:
 https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 type: object
 properties:
+ ephemeral:
+ description: |-
+ Set Ephemeral to true to make the proxy authenticate as an ephemeral device.
+ Ephemeral devices are automatically deleted from your tailnet when they
+ disconnect, helping keep your tailnet clean.
+ Defaults to false.
+ type: boolean
 metrics:
 description: |-
 Configuration for proxy metrics. Metrics are currently not supported
diff --git a/cmd/k8s-operator/sts.go b/cmd/k8s-operator/sts.go
index ed4f07564..b71b11b33 100644
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -377,7 +377,12 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 if len(tags) == 0 {
 tags = a.defaultTags
 }
- authKey, err = newAuthKey(ctx, a.tsClient, tags, a.proxyUseEphemeralKeys)
+ // Determine if we should use ephemeral keys based on ProxyClass first, falling back to operator config
+ ephemeral := a.proxyUseEphemeralKeys
+ if stsC.ProxyClass != nil {
+ ephemeral = stsC.ProxyClass.Spec.Ephemeral
+ }
+ authKey, err = newAuthKey(ctx, a.tsClient, tags, ephemeral)
 if err != nil {
 return "", "", nil, err
 }
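Review bot: The override `ephemeral = stsC.ProxyClass.Spec.Ephemeral` runs for every attached ProxyClass, and because `Ephemeral` is declared as a plain `bool` with `omitempty` in the types_proxyclass.go hunk an unset field is indistinguishable from an explicit `false`, so attaching a ProxyClass that never mentions ephemeral silently turns off the operator-wide `proxyUseEphemeralKeys` default and the proxy registers as a persistent device. That contradicts the new values.yaml comment, which says the ProxyClass only overrides the default when `spec.ephemeral` is set. Declare the field as a `*bool` (keeping the `json:"ephemeral,omitempty"` tag, and updating the CRD hunk accordingly) and override only when it is present: `if stsC.ProxyClass != nil && stsC.ProxyClass.Spec.Ephemeral != nil { ephemeral = *stsC.ProxyClass.Spec.Ephemeral }`. Since this path presumably only mints a key when no secret exists yet, a later edit to the ProxyClass would not re-key an existing proxy; that limitation deserves a sentence in the field's doc comment. createOrGetSecret starts and ends outside the hunk.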
@@ -962,8 +967,17 @@ func tailscaledConfig(stsC *tailscaleSTSConfig, newAuthkey string, oldSecret *co
 conf.AppConnector.Advertise = true
 }
 }
- if shouldAcceptRoutes(stsC.ProxyClass) {
- conf.AcceptRoutes = "true"
+
+ // Apply ProxyClass settings if available
+ if stsC.ProxyClass != nil {
+ // Set AcceptRoutes if specified in ProxyClass
+ if shouldAcceptRoutes(stsC.ProxyClass) {
+ conf.AcceptRoutes = "true"
+ }
+
+ // For ephemeral devices, we set this in the auth key when created
+ // The ephemeral setting is handled at auth key creation time in the newAuthKey function
+ // We don't need to set it directly in the config
 }
 if newAuthkey != "" {
diff --git a/k8s-operator/apis/v1alpha1/types_proxyclass.go b/k8s-operator/apis/v1alpha1/types_proxyclass.go
index 3fde0b37a..c08fe51ac 100644
--- a/k8s-operator/apis/v1alpha1/types_proxyclass.go
+++ b/k8s-operator/apis/v1alpha1/types_proxyclass.go
@@ -81,6 +81,12 @@ type ProxyClassSpec struct {
 // renewed.
 // +optional
 UseLetsEncryptStagingEnvironment bool `json:"useLetsEncryptStagingEnvironment,omitempty"`
+ // Set Ephemeral to true to make the proxy authenticate as an ephemeral device.
+ // Ephemeral devices are automatically deleted from your tailnet when they
+ // disconnect, helping keep your tailnet clean.
+ // Defaults to false.
+ // +optional
+ Ephemeral bool `json:"ephemeral,omitempty"`
 }
 type TailscaleConfig struct {
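Review bot: The three-line comment closing the new `if stsC.ProxyClass != nil` block describes something this function deliberately does not do, and the outer nil guard is presumably redundant, since the removed line called `shouldAcceptRoutes(stsC.ProxyClass)` without one and must already tolerate a nil ProxyClass. Keep the original two lines `if shouldAcceptRoutes(stsC.ProxyClass) { conf.AcceptRoutes = "true" }` and, if a pointer to the ephemeral handling is wanted, a single line `// Ephemeral is applied when the auth key is minted in newAuthKey, not in the tailscaled config.` tailscaledConfig starts and ends outside the hunk.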