diff --git a/apps/fc-signalcontrol/fc-signalcontrol.yaml b/apps/fc-signalcontrol/fc-signalcontrol.yaml
index 7f8a97f..3e59c2f 100644
--- a/apps/fc-signalcontrol/fc-signalcontrol.yaml
+++ b/apps/fc-signalcontrol/fc-signalcontrol.yaml
@@ -13,7 +13,8 @@ metadata:
   name: signalcontrol-data
   namespace: fc-signalcontrol
   labels:
-    app: signalcontrol-web
+    app.kubernetes.io/name: signalcontrol-web
+    app.kubernetes.io/part-of: flowercore
 spec:
   accessModes:
     - ReadWriteOnce
@@ -28,34 +29,45 @@ metadata:
   name: signalcontrol-web
   namespace: fc-signalcontrol
   labels:
-    app: signalcontrol-web
+    app.kubernetes.io/name: signalcontrol-web
+    app.kubernetes.io/part-of: flowercore
 spec:
   replicas: 1
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app: signalcontrol-web
+      app.kubernetes.io/name: signalcontrol-web
   template:
     metadata:
       labels:
-        app: signalcontrol-web
+        app.kubernetes.io/name: signalcontrol-web
+        app.kubernetes.io/part-of: flowercore
     spec:
       containers:
         - name: signalcontrol-web
-          image: localhost/fc-signalcontrol-web:v202604132015
+          image: localhost/fc-signalcontrol-web:latest
           imagePullPolicy: Never
           ports:
-            - containerPort: 8080
+            - containerPort: 5000
               name: http
           env:
             - name: ASPNETCORE_ENVIRONMENT
               value: Production
             - name: ASPNETCORE_URLS
-              value: "http://+:8080"
+              value: "http://+:5000"
+            - name: ConnectionStrings__Default
+              value: Data Source=/data/signalcontrol.db
+            - name: Logging__LogLevel__Default
+              value: Information
+            - name: Auth__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: signalcontrol-auth
+                  key: Auth__ApiKey
           volumeMounts:
             - name: data
-              mountPath: /app/data
+              mountPath: /data
           resources:
             requests:
               memory: "128Mi"
@@ -63,19 +75,24 @@ spec:
             limits:
               memory: "512Mi"
               cpu: "500m"
-          # Note: app's ApiKeyAuthenticationMiddleware blocks /health → 404. Until
-          # /health is moved before that middleware (or marked anonymous), use
-          # tcpSocket probes that just check the listener is accepting.
           livenessProbe:
-            tcpSocket:
-              port: 8080
+            httpGet:
+              path: /health
+              port: http
             initialDelaySeconds: 30
             periodSeconds: 30
+            timeoutSeconds: 5
           readinessProbe:
-            tcpSocket:
-              port: 8080
+            httpGet:
+              path: /health
+              port: http
             initialDelaySeconds: 10
             periodSeconds: 10
+            failureThreshold: 6
+            timeoutSeconds: 5
+      securityContext:
+        fsGroup: 4200
+        fsGroupChangePolicy: OnRootMismatch
       volumes:
         - name: data
           persistentVolumeClaim:
@@ -86,12 +103,15 @@ kind: Service
 metadata:
   name: signalcontrol-web
   namespace: fc-signalcontrol
+  labels:
+    app.kubernetes.io/name: signalcontrol-web
+    app.kubernetes.io/part-of: flowercore
 spec:
   selector:
-    app: signalcontrol-web
+    app.kubernetes.io/name: signalcontrol-web
   ports:
     - port: 80
-      targetPort: 8080
+      targetPort: http
       name: http
 ---
 apiVersion: cert-manager.io/v1