diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 5575c1b..b43fd6c 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -17,8 +17,6 @@ env:
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
-  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
-  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 
 jobs:
   terraform:
diff --git a/.gitea/workflows/destroy.yml b/.gitea/workflows/destroy.yml
index d72febe..a2f9ba5 100644
--- a/.gitea/workflows/destroy.yml
+++ b/.gitea/workflows/destroy.yml
@@ -16,8 +16,6 @@ env:
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
-  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
-  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 
 jobs:
   destroy:
diff --git a/README.md b/README.md
index 0529bb5..c120619 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
 | `S3_BUCKET` | S3 bucket name (e.g., `k8s-terraform-state`) |
 | `TAILSCALE_AUTH_KEY` | Tailscale auth key for node bootstrap |
 | `TAILSCALE_TAILNET` | Tailnet domain (e.g., `yourtailnet.ts.net`) |
-| `RUNNER_ALLOWED_CIDRS` | CIDR list (HCL format) allowed to SSH/API from CI runner, e.g. `["0.0.0.0/0"]` or your runner egress CIDR |
+| `RUNNER_ALLOWED_CIDRS` | Optional CIDR list for CI runner access if you choose to pass it via tfvars/secrets |
 | `SSH_PUBLIC_KEY` | SSH public key content |
 | `SSH_PRIVATE_KEY` | SSH private key content |
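Review bot: With `TF_VAR_allowed_ssh_ips` and `TF_VAR_allowed_api_ips` dropped from the `env:` block, Terraform now takes whatever defaults the two variable declarations carry, and those declarations are not in this diff; if they default to something permissive (the old README example was `["0.0.0.0/0"]`), removing the override silently widens SSH and API exposure rather than tightening it. The README hunk in the same commit still lists `RUNNER_ALLOWED_CIDRS` as a secret to set "if you choose to pass it via tfvars/secrets", but after this hunk neither workflow reads that secret, so setting it has no effect and the table entry is misleading. Either keep the two mappings, or state in the workflow where the allow-list is now expected, e.g. a comment above `jobs:` such as `# allowed_ssh_ips / allowed_api_ips are intentionally not set here; restrict them via terraform.tfvars or the variable defaults`, and update the README row to say the secret is no longer consumed by CI. The enclosing `env:` block begins before this hunk.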