Revert "ci1: expose WinRM/RDP/SSH ports on masquerade interface for Phase 2 bootstrap"

The port additions caused the new VMI to stick at phase=Scheduled with
reason=GuestNotRunning. The guest-console-log sidecar exited 1 and
qemu never started. Reverting to the working 9-day-stable shape until
the port-add path is verified in a non-production VM.

Phase 2 (Windows runner install + registration) needs an operator-
interactive virtctl-vnc session against the rebuilt VM, OR a separate
investigation of why this port-add tipped over the VM.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/kubevirt-vms/ci1.yaml

@@ -77,23 +77,9 @@ spec:
           interfaces:
             # Pod-network fallback for CI runner outbound traffic. Switch to
             # prod-vlan57 once the bridge/NAD lane is ready for L2 access.
-            #
-            # Ports exposed for runner bootstrap (Phase 2 access): WinRM HTTP
-            # (5985) for PowerShell remoting from kubectl port-forward, RDP
-            # (3389) for full desktop via virtctl/Guacamole, SSH (22) for
-            # OpenSSH-Server-based future automation. Outbound CI runner
-            # traffic does not need any of these — they exist so the operator
-            # can install + register the GitHub Actions runner inside the VM.
             - name: default
               masquerade: {}
               model: virtio
-              ports:
-                - name: winrm-http
-                  port: 5985
-                - name: rdp
-                  port: 3389
-                - name: ssh
-                  port: 22
         machine:
           type: q35
       networks: