diff --git a/apps/kubevirt-vms/ci1.yaml b/apps/kubevirt-vms/ci1.yaml
index 5708ab5..87c381c 100644
--- a/apps/kubevirt-vms/ci1.yaml
+++ b/apps/kubevirt-vms/ci1.yaml
@@ -77,9 +77,23 @@ spec:
 interfaces:
 # Pod-network fallback for CI runner outbound traffic. Switch to
 # prod-vlan57 once the bridge/NAD lane is ready for L2 access.
+ #
+ # Ports exposed for runner bootstrap (Phase 2 access): WinRM HTTP
+ # (5985) for PowerShell remoting from kubectl port-forward, RDP
+ # (3389) for full desktop via virtctl/Guacamole, SSH (22) for
+ # OpenSSH-Server-based future automation. Outbound CI runner
+ # traffic does not need any of these — they exist so the operator
+ # can install + register the GitHub Actions runner inside the VM.
 - name: default
 masquerade: {}
 model: virtio
+ ports:
+ - name: winrm-http
+ port: 5985
+ - name: rdp
+ port: 3389
+ - name: ssh
+ port: 22
 machine:
 type: q35
 networks:
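Review bot: The `ports` list added under the `default` masquerade interface is described as bootstrap-only, but nothing in the hunk says when the entries are removed or who may reach them. On the pod network, WinRM over plain HTTP (5985), RDP (3389) and SSH (22) are reachable from any workload that can route to the VM's pod IP unless a NetworkPolicy restricts ingress, and none is visible here. I would record the exit condition and the guard in the comment, e.g. `# TODO: remove winrm-http and rdp once the runner is registered; ingress restricted by NetworkPolicy <policy-name>`, and prefer WinRM over HTTPS (5986) if the guest permits Basic or unencrypted WinRM. As far as I know, a `ports` list on a masquerade interface also limits forwarding to the listed ports, so the comment could say that this list is the inbound allowlist. The interface list and the VM spec start outside the hunk, so an existing policy may already cover this.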