Tighten RemoteDesktop network policies

README.md

@@ -103,6 +103,7 @@ curl -sk -X DELETE https://dns.iamworkin.lan/api/v1/servers/<serverId>/zones/iam
 - **Public read-only hosts**: if a public host fronts a service that also exposes admin writes internally, add a Traefik route match like `Host(...) && (Method(GET) || Method(HEAD))` on the public edge instead of trusting the app to reject unsafe methods.
 - **Public read-write allowlist hosts**: if a public host accepts a tightly bounded write surface (e.g. bootstrap-JWT POST), pin the allowlist as `(Method(GET) || Method(HEAD) || Method(POST) || Method(OPTIONS))`. PUT/PATCH/DELETE must still 404 at the route. Track A's `updatecenter.iamworkin.lan` / `updates.iamworkin.lan` are the canonical example. The lint test enforces this invariant.
 - **Traefik VIP netpols**: when a `NetworkPolicy` allows `10.0.56.200`, also allow the post-DNAT backend ports (`8443` for TLS plus `8080` or `8000` for HTTP) or Calico will drop the rewritten flow.
+- **RemoteDesktop isolation**: `apps/fc-desktop/network-policies.yaml` intentionally keeps desktop pod egress to named CoreDNS, `intranet-web:5300/TCP`, and noc1 step-ca `10.0.56.10:9000/9443` only. Guacamole display egress is owned separately by `apps/guacamole/guacamole.yaml` through `guacd-desktop-egress` on `5901/TCP`.
 - **Auth-safe probes**: services behind API-key or global auth middleware should prefer `tcpSocket` probes unless `/health` is explicitly exempted before the middleware runs.
 - **ArgoCD must use internal Gitea URL**: `http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git`, not the external HTTPS URL (step-ca cert isn't trusted by ArgoCD). The `ApplicationSet` and any hand-created `Application` must both use the internal URL.
 

apps/fc-desktop/network-policies.yaml

@@ -20,9 +20,12 @@
 # 1) desktop-isolation — Browser Lab session pods.
 #
 # Locks down pods labeled `app.kubernetes.io/name=remote-desktop` (every
-# session pod regardless of template). Allows guacd ingress for the VNC/RDP
+# session pod regardless of template). Allows guacd ingress for the display
-# display lane and remotedesktop-web's pre-handoff probing. Egress: NFS to
+# lane and remotedesktop-web's pre-handoff probing. Egress is deliberately
-# Synology, DNS, Traefik (cluster + LB VIP), Intranet (Browser Lab home).
+# narrow: named CoreDNS, direct Intranet web, and noc1 step-ca only. There is
+# no broad Traefik/VIP or internet egress from desktop sessions. If a future
+# Browser Lab path needs a public-style host, prefer an explicit Service rule
+# or include the post-DNAT backend port per the Traefik VIP lint.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -65,51 +68,22 @@ spec:
         - port: 5901
           protocol: TCP
   egress:
-    # NFS to Synology
+    # CoreDNS only. The old to: [] DNS rule accidentally allowed any DNS
+    # listener in any namespace or routed network.
     - to:
-        - ipBlock:
-            cidr: 10.0.58.3/32
-      ports:
-        - port: 2049
-          protocol: TCP
-        - port: 2049
-          protocol: UDP
-        - port: 111
-          protocol: TCP
-        - port: 111
-          protocol: UDP
-    - to:
-        - ipBlock:
-            cidr: 10.0.58.3/32
-      ports:
-        - port: 445
-          protocol: TCP
-    - to: []
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
-    - to:
-        - ipBlock:
-            cidr: 10.0.56.200/32
-        - ipBlock:
-            cidr: 10.43.33.87/32
         - namespaceSelector:
             matchLabels:
-              kubernetes.io/metadata.name: traefik-system
+              kubernetes.io/metadata.name: kube-system
           podSelector:
             matchLabels:
-              app.kubernetes.io/name: traefik
+              k8s-app: kube-dns
       ports:
-        - port: 80
+        - port: 53
-          protocol: TCP
+          protocol: UDP
-        - port: 443
+        - port: 53
-          protocol: TCP
-        - port: 8000
-          protocol: TCP
-        - port: 8443
           protocol: TCP
+    # Browser Lab home / internal docs target. Use the real service port
+    # directly rather than public Traefik host aliases.
     - to:
         - namespaceSelector:
             matchLabels:
@@ -120,6 +94,17 @@ spec:
       ports:
         - port: 5300
           protocol: TCP
+    # noc1 step-ca ACME endpoint. The lane brief called out 9000/TCP; the live
+    # ACME directory currently answers on 9443/TCP, so both stay pinned to the
+    # same host rather than reopening Traefik or internet egress.
+    - to:
+        - ipBlock:
+            cidr: 10.0.56.10/32
+      ports:
+        - port: 9000
+          protocol: TCP
+        - port: 9443
+          protocol: TCP
 ---
 # 2) fc-desktop-default-deny — namespace-wide catch-all.
 #
@@ -330,3 +315,11 @@ spec:
           protocol: UDP
         - port: 53
           protocol: TCP
+    - to:
+        - ipBlock:
+            cidr: 10.0.56.10/32
+      ports:
+        - port: 9000
+          protocol: TCP
+        - port: 9443
+          protocol: TCP

apps/github-runner/.gitattributes

@@ -1,2 +0,0 @@
-*.sh text eol=lf
-Dockerfile text eol=lf

apps/github-runner/Dockerfile

@@ -1,44 +0,0 @@
-FROM myoung34/github-runner:latest
-
-ARG RUBY_VERSION=3.3.11
-ARG RUBY_MINOR=3.3
-ARG RUBY_BUILD_VERSION=v20260326
-ARG RUNNER_UID=1001
-ARG RUNNER_GID=1001
-
-ENV RUNNER_TOOL_CACHE=/home/runner/_tool
-ENV RUNNER_RUBY_TOOLCACHE=/opt/runner-toolcache
-ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ruby/${RUBY_MINOR}/x64/bin:${PATH}"
-
-USER root
-
-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-        autoconf \
-        bison \
-        build-essential \
-        ca-certificates \
-        curl \
-        libdb-dev \
-        libffi-dev \
-        libgdbm-dev \
-        libgmp-dev \
-        libncurses-dev \
-        libreadline-dev \
-        libssl-dev \
-        libyaml-dev \
-        patch \
-        pkg-config \
-        uuid-dev \
-        zlib1g-dev \
-    && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \
-    && mkdir -p /tmp/ruby-build \
-    && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \
-    && /tmp/ruby-build/install.sh \
-    && rm -rf /tmp/ruby-build /tmp/ruby-build.tar.gz /var/lib/apt/lists/*
-
-COPY install-ruby-toolcache.sh /usr/local/bin/install-ruby-toolcache.sh
-
-RUN chmod +x /usr/local/bin/install-ruby-toolcache.sh \
-    && RUBY_VERSION="${RUBY_VERSION}" RUBY_MINOR="${RUBY_MINOR}" TOOLCACHE_ROOT="${RUNNER_RUBY_TOOLCACHE}" RUNNER_UID="${RUNNER_UID}" RUNNER_GID="${RUNNER_GID}" /usr/local/bin/install-ruby-toolcache.sh \
-    && ruby -v

apps/github-runner/README.md

@@ -7,17 +7,12 @@ Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.
 
 All repo-scoped Linux runners use:
 
-- `localhost/fc-github-runner:v20260520-ruby3.3.11`, derived from
-  `myoung34/github-runner:latest`
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
   Actions tool cache
-- Ruby 3.3.11 seeded into `/home/runner/_tool/Ruby/3.3/x64` from the baked
-  `/opt/runner-toolcache` copy so `ruby/setup-ruby@v1` can discover it on
-  self-hosted `ubuntu-20.04-x64` runners
 
 `github-runner` for `FlowerCore.Common` is single-replica because it retains the
 original Longhorn ReadWriteOnce NuGet PVC. Every other repo-scoped runner uses
@@ -33,34 +28,6 @@ Sprint 32 final long-tail wave adds 16 two-replica Deployments:
 `FlowerCore.Provisioning`, `FlowerCore.Redis`, `FlowerCore.MessageBoard`, and
 `FlowerCore.MenuBoard`.
 
-## Image Build
-
-Ruby is baked with a pinned `ruby-build` release and Ruby patch version. The pod
-still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init
-container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into
-`/home/runner/_tool/Ruby` before the runner container starts.
-
-```bash
-cd apps/github-runner
-podman build -t localhost/fc-github-runner:v20260520-ruby3.3.11 .
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 ruby -v
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 \
-  test -f /opt/runner-toolcache/Ruby/3.3/x64.complete
-podman save localhost/fc-github-runner:v20260520-ruby3.3.11 \
-  -o fc-github-runner-v20260520-ruby3.3.11.tar
-```
-
-Import the saved image on every schedulable RKE2 node before ArgoCD rolls the
-Deployments:
-
-```bash
-for node in rke2-server rke2-agent1 rke2-agent2; do
-  scp fc-github-runner-v20260520-ruby3.3.11.tar "$node:/tmp/"
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260520-ruby3.3.11 || true'
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260520-ruby3.3.11.tar'
-done
-```
-
 ## Post-Merge Proof
 
 After the PR is merged and ArgoCD syncs, verify the runner fleet:
@@ -69,14 +36,6 @@ After the PR is merged and ArgoCD syncs, verify the runner fleet:
 kubectl -n github-runner get deploy,pods,pvc
 ```
 
-Verify the Ruby toolcache in a fresh pod:
-
-```bash
-kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- ruby -v
-kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- sh -c \
-  'echo "$RUNNER_TOOL_CACHE" && test -f "$RUNNER_TOOL_CACHE/Ruby/3.3/x64.complete"'
-```
-
 Verify GitHub registration for the repo-scoped runners:
 
 ```bash
@@ -110,10 +69,6 @@ from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
 - `actions/setup-dotnet` permission error at `/usr/share/dotnet`: check that
   `DOTNET_INSTALL_DIR=/home/runner/.dotnet` and related cache env vars are
   present on the runner pod.
-- `ruby/setup-ruby@v1` says self-hosted runners must install Ruby in
-  `$RUNNER_TOOL_CACHE`: check that the init container copied
-  `/opt/runner-toolcache/Ruby` into `/home/runner/_tool/Ruby` and that
-  `/home/runner/_tool/Ruby/3.3/x64.complete` exists.
 - `404` during runner registration: the fine-grained PAT is valid but missing
   repository access for that repo. Add the repo to the PAT access list; the PAT
   value does not change.

apps/github-runner/github-runner.yaml

@@ -22,16 +22,11 @@
 #   NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at
 #   writable mounted paths under /home/runner so actions/setup-dotnet does not
 #   attempt to install into /usr/share/dotnet.
-#   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11
-#   under /opt/runner-toolcache; setup-runner-home copies it into
-#   /home/runner/_tool because the runner-home emptyDir masks image content
-#   under /home/runner at runtime.
 #
 # Credentials:
 #   OnePasswordItem "GitHub PAT (Runner Registration)" syncs Secret
-#   github-runner-token with field "credential". The custom image inherits
+#   github-runner-token with field "credential". myoung34/github-runner uses
-#   myoung34/github-runner behavior and uses ACCESS_TOKEN to mint short-lived
+#   ACCESS_TOKEN to mint short-lived registration tokens on pod start.
-#   registration tokens on pod start.
 #
 # Security model:
 #   - No ClusterRole / ClusterRoleBinding. The ServiceAccount has no K8s API
@@ -157,19 +152,15 @@ spec:
       # honors the deeper mount.
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -178,8 +169,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             # GitHub org/repo targeting.
             # Set REPO_URL for a repo-scoped runner (cheaper, simpler).
@@ -334,19 +325,15 @@ spec:
       # rather than re-applied per repo as flipped lanes land.
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -355,8 +342,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Shared.Pos"
@@ -472,19 +459,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -493,8 +476,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Puppet"
@@ -604,19 +587,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -625,8 +604,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Signage"
@@ -736,19 +715,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -757,8 +732,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.DMS"
@@ -868,19 +843,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -889,8 +860,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Telephony"
@@ -1000,19 +971,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1021,8 +988,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Print.Web"
@@ -1132,19 +1099,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1153,8 +1116,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Chat"
@@ -1264,19 +1227,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1285,8 +1244,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.MySQL"
@@ -1396,19 +1355,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1417,8 +1372,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Kiosk.Linux"
@@ -1530,19 +1485,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1551,8 +1502,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Marquee"
@@ -1664,19 +1615,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1685,8 +1632,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.TtsReader"
@@ -1798,19 +1745,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1819,8 +1762,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Knowledge"
@@ -1931,19 +1874,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -1952,8 +1891,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.LlmBridge"
@@ -2064,19 +2003,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -2085,8 +2020,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Media"
@@ -2197,19 +2132,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -2218,8 +2149,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Presentations"
@@ -2330,19 +2261,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -2351,8 +2278,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.RemoteDesktop"
@@ -2463,19 +2390,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -2484,8 +2407,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.DNS"
@@ -2596,19 +2519,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -2617,8 +2536,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Distribution"
@@ -2729,19 +2648,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -2750,8 +2665,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Scoreboard"
@@ -2862,19 +2777,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -2883,8 +2794,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.SegmentDisplay"
@@ -2995,19 +2906,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -3016,8 +2923,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Signage.Contracts"
@@ -3128,19 +3035,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -3149,8 +3052,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.SignalControl"
@@ -3261,19 +3164,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -3282,8 +3181,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Intranet.Web"
@@ -3394,19 +3293,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -3415,8 +3310,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Provisioning"
@@ -3527,19 +3422,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -3548,8 +3439,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.Redis"
@@ -3660,19 +3551,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -3681,8 +3568,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.MessageBoard"
@@ -3793,19 +3680,15 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
-          imagePullPolicy: Never
           command:
             - sh
             - -c
             - |
               set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
           securityContext:
             runAsUser: 0
             runAsNonRoot: false
@@ -3814,8 +3697,8 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
           env:
             - name: REPO_URL
               value: "https://github.com/astoltz/FlowerCore.MenuBoard"

apps/github-runner/install-ruby-toolcache.sh

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-RUBY_VERSION="${RUBY_VERSION:-3.3.11}"
-RUBY_MINOR="${RUBY_MINOR:-3.3}"
-TOOLCACHE_ROOT="${TOOLCACHE_ROOT:-/opt/runner-toolcache}"
-RUNNER_UID="${RUNNER_UID:-1001}"
-RUNNER_GID="${RUNNER_GID:-1001}"
-RUBY_PREFIX="${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64"
-
-mkdir -p "${TOOLCACHE_ROOT}/Ruby"
-RUBY_CONFIGURE_OPTS="${RUBY_CONFIGURE_OPTS:---disable-install-doc --disable-yjit}" ruby-build "${RUBY_VERSION}" "${RUBY_PREFIX}"
-
-touch "${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64.complete"
-ln -sfn "${RUBY_VERSION}" "${TOOLCACHE_ROOT}/Ruby/${RUBY_MINOR}"
-
-"${RUBY_PREFIX}/bin/ruby" -v
-chown -R "${RUNNER_UID}:${RUNNER_GID}" "${TOOLCACHE_ROOT}"
-chmod -R a+rX "${TOOLCACHE_ROOT}"

apps/guacamole/guacamole.yaml

@@ -254,6 +254,68 @@ spec:
       targetPort: 4822
       name: guacd
 ---
+# Guacd display egress isolation.
+#
+# Guacamole web talks to guacd on TCP/4822. Guacd then opens the desktop
+# display connection to the per-session pod. Keep that second hop at raw VNC
+# 5901/TCP for the current RemoteDesktop Browser Lab/openSUSE images. Do not
+# grant guacd broad fc-desktop namespace egress; desktop-to-desktop lateral
+# paths remain blocked by apps/fc-desktop/network-policies.yaml.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: guacd-desktop-egress
+  namespace: guacamole
+  labels:
+    app.kubernetes.io/part-of: remotedesktop
+    app.kubernetes.io/component: display-isolation
+spec:
+  podSelector:
+    matchLabels:
+      app: guacd
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: guacamole
+      ports:
+        - port: 4822
+          protocol: TCP
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # kubectl-proxy sidecar reaches the Kubernetes API; keep it explicit
+    # because this NetworkPolicy selects the whole guacd pod.
+    - to: []
+      ports:
+        - port: 443
+          protocol: TCP
+        - port: 6443
+          protocol: TCP
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: fc-desktop
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: remote-desktop
+      ports:
+        - port: 5901
+          protocol: TCP
+---
 # Guacamole Web Application
 apiVersion: apps/v1
 kind: Deployment

tests/bluejay-infra-lint/RemoteDesktopNetworkPolicyTests.cs

@@ -0,0 +1,93 @@
+using FluentAssertions;
+using Xunit;
+
+namespace BluejayInfraLint.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class RemoteDesktopNetworkPolicyTests
+{
+    private static readonly ManifestInventory Inventory = ManifestInventory.Load();
+
+    [Fact]
+    public void LiveDesktopIsolation_AllowsOnlyCoreDnsIntranetAndStepCaEgress()
+    {
+        var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
+        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
+
+        ports.Should().BeEquivalentTo("53", "5300", "9000", "9443");
+        policy.AllScalars().Should().Contain(new[]
+        {
+            "kube-system",
+            "kube-dns",
+            "intranet",
+            "intranet-web",
+            "10.0.56.10/32"
+        });
+    }
+
+    [Fact]
+    public void LiveDesktopIsolation_RemovesInternetNfsAndTraefikEgress()
+    {
+        var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
+        var scalars = policy.AllScalars().ToList();
+        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
+
+        scalars.Should().NotContain(new[] { "10.0.58.3/32", "10.0.56.200/32", "10.43.33.87/32", "traefik-system" });
+        ports.Should().NotContain(new[] { "80", "443", "445", "111", "2049", "8000", "8080", "8443" });
+        policy.MappingSequence("spec", "egress")
+            .Should()
+            .NotContain(rule => EgressRuleHasEmptyTo(rule), "desktop sessions must not use to: [] internet-style egress");
+    }
+
+    [Fact]
+    public void LiveGuacdIsolation_AllowsRawVncToDesktopPodsOnly()
+    {
+        var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");
+        var scalars = policy.AllScalars().ToList();
+        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
+
+        ports.Should().Contain("5901");
+        scalars.Should().Contain(new[] { "fc-desktop", "remote-desktop" });
+        ports.Should().NotContain(new[] { "3000", "3001", "3389", "80", "8080", "8443" });
+    }
+
+    [Fact]
+    public void LiveGuacdIsolation_KeepsGuacamoleWebIngressOnGuacdPort()
+    {
+        var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");
+
+        policy.Scalar("spec", "podSelector", "matchLabels", "app").Should().Be("guacd");
+        policy.AllScalars().Should().Contain(new[] { "guacamole", "4822" });
+    }
+
+    [Fact]
+    public void HelperSmoke_FindsExpectedRemoteDesktopPolicies()
+    {
+        NetworkPolicy("fc-desktop", "desktop-isolation").Name.Should().Be("desktop-isolation");
+        NetworkPolicy("guacamole", "guacd-desktop-egress").Name.Should().Be("guacd-desktop-egress");
+    }
+
+    [Fact]
+    public void HelperSmoke_EgressPortExtractionKeepsDistinctPorts()
+    {
+        var ports = NetworkPolicy("fc-desktop", "desktop-isolation")
+            .EgressPorts()
+            .ToHashSet(StringComparer.Ordinal);
+
+        ports.Should().HaveCount(4);
+        ports.Should().Contain(new[] { "53", "5300", "9000", "9443" });
+    }
+
+    private static ManifestDocument NetworkPolicy(string ns, string name)
+        => Inventory.Documents.Single(document =>
+            document.Kind == "NetworkPolicy"
+            && string.Equals(document.Namespace, ns, StringComparison.Ordinal)
+            && string.Equals(document.Name, name, StringComparison.Ordinal));
+
+    private static bool EgressRuleHasEmptyTo(YamlDotNet.RepresentationModel.YamlMappingNode rule)
+        => rule.Children.Any(entry =>
+            entry.Key is YamlDotNet.RepresentationModel.YamlScalarNode key
+            && string.Equals(key.Value, "to", StringComparison.Ordinal)
+            && entry.Value is YamlDotNet.RepresentationModel.YamlSequenceNode sequence
+            && sequence.Children.Count == 0);
+}