diff --git a/AGENTS.md b/AGENTS.md index f1d06e8..85ffd5c 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -10,16 +10,18 @@ This repository builds and publishes a Docker image for [OpenCode](https://openc . ├── Dockerfile # Image definition ├── Jenkinsfile # CI/CD pipeline (nightly build + Docker Hub push) +├── opencode-attach # Helper script for attaching to a running server └── README.md # Usage documentation ``` ## Dockerfile conventions -- **Base image**: `node:24-alpine` — use the latest Node.js LTS Alpine image. -- **Install**: `npm i -g opencode-ai` — installs OpenCode globally. +- **Base image**: `node:24` — Debian-based Node.js image (not Alpine, needed for apt packages). +- **Install**: `npm i -g opencode-ai n2-soul@` — installs OpenCode and Soul globally. - **Version check**: `RUN opencode --version` after install to validate the build and record the installed version in build logs. -- **Dedicated user**: a non-root `opencode` user and group are created with `addgroup`/`adduser`. All runtime steps run as this user. -- **Entrypoint**: `["opencode", "serve"]` — the container always starts the HTTP server. +- **Dedicated user**: a non-root `opencode` user and group are created with `groupadd`/`useradd` (UID/GID 1000). All runtime steps run as this user. +- **Cluster tooling**: `kubectl` is copied from the official `registry.k8s.io/kubectl` image (multi-stage COPY). +- **Entrypoint**: `["opencode"]` — arguments are passed at runtime (e.g. `serve`). ## Jenkinsfile conventions diff --git a/Dockerfile b/Dockerfile index 5316a53..16948cc 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,48 +1,24 @@ FROM node:24 RUN apt-get update && apt-get upgrade -y && \ - apt-get install -y --no-install-recommends \ - podman \ - uidmap \ - slirp4netns \ - fuse-overlayfs \ - dbus-user-session \ - containernetworking-plugins \ - netavark \ - aardvark-dns \ - iptables \ - ca-certificates && \ + apt-get install -y --no-install-recommends ca-certificates && \ rm -rf /var/lib/apt/lists/* RUN set -eux; \ userdel -r node; \ groupadd -g 1000 opencode; \ useradd -m -u 1000 -g 1000 -s /usr/bin/bash opencode; \ - awk -F: '!seen[$1":"$2":"$3]++' /etc/subuid > /etc/subuid.tmp; \ - mv /etc/subuid.tmp /etc/subuid; \ - awk -F: '!seen[$1":"$2":"$3]++' /etc/subgid > /etc/subgid.tmp; \ - mv /etc/subgid.tmp /etc/subgid; \ - mkdir -p /home/opencode/.config/containers /home/opencode/.local/share/containers; \ - printf '%s\n' '[storage]' 'driver = "vfs"' > /home/opencode/.config/containers/storage.conf; \ - printf '%s\n' '[engine]' 'cgroup_manager = "cgroupfs"' 'events_logger = "file"' > /home/opencode/.config/containers/containers.conf; \ - chown -R 1000:1000 /home/opencode/.config /home/opencode/.local; \ npm update -g && \ - npm install -g opencode-ai n2-soul@9.0.8 && \ + npm install -g opencode-ai n2-soul@9.0.9 && \ chown -R 1000:1000 /usr/local/lib/node_modules/n2-soul/ && \ npm cache clean --force COPY --chmod=755 opencode-attach /usr/local/bin/opencode-attach COPY --from=registry.k8s.io/kubectl:v1.35.3 /bin/kubectl /usr/local/bin/kubectl -ENV XDG_RUNTIME_DIR=/tmp/run-user/1000 -ENV _CONTAINERS_USERNS_CONFIGURED="" - -RUN mkdir -p /tmp/run-user/1000 && chown -R 1000:1000 /tmp/run-user - USER opencode WORKDIR /home/opencode RUN opencode --version -RUN podman --version ENTRYPOINT ["opencode"] diff --git a/README.md b/README.md index 7213520..a226277 100644 --- a/README.md +++ b/README.md 
@@ -66,25 +66,6 @@ export OPENCODE_API_URL=http://127.0.0.1:4096 opencode-attach ``` -## Podman rootless (ready-to-use) - -The image now includes Podman configured for rootless usage with the `opencode` user (`/etc/subuid`, `/etc/subgid`, `fuse-overlayfs`, `slirp4netns`). - -When running this image, add runtime options required by Podman-in-container: - -```bash -docker run -it -p 4096:4096 \ - --security-opt seccomp=unconfined \ - --device /dev/fuse \ - jcabillot/opencode -``` - -Quick check inside the container: - -```bash -podman info -``` - ## API Once running, the server exposes an OpenAPI 3.1 spec at: @@ -110,6 +91,6 @@ See the [OpenCode server docs](https://opencode.ai/docs/server/) for the full AP - **Base image**: `node:24` (Debian) - **Install**: `opencode-ai` via npm global install - **User**: dedicated non-root `opencode` user -- **Container tooling**: Podman rootless (`podman`, `uidmap`, `slirp4netns`, `fuse-overlayfs`) +- **Cluster tooling**: `kubectl` (copied from official registry image) - **Entrypoint**: `opencode serve` - **Default port**: `4096`
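Review bot: In the AGENTS.md hunk, the new Install line documents `npm i -g opencode-ai n2-soul@` with a trailing `@` and no version, while the Dockerfile in this same patch installs `n2-soul@9.0.9`. Either write the pinned version here or drop the `@` and state that the version is pinned in the Dockerfile, so the two files cannot drift apart. The Base image line also justifies Debian as "needed for apt packages", yet after this patch the only apt package installed is `ca-certificates`; the rationale should name what actually requires Debian or be reworded.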
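Review bot: In the Dockerfile hunk, the changed line `npm install -g opencode-ai n2-soul@9.0.9` pins only `n2-soul`; `opencode-ai` floats to whatever is latest at build time, and the preceding `npm update -g` makes the result depend further on the build date. For a nightly published image, pin `opencode-ai` to an explicit version as well, and consider referencing `node:24` and `registry.k8s.io/kubectl:v1.35.3` by digest so the build inputs are fixed. Separately, the context line `chown -R 1000:1000 /usr/local/lib/node_modules/n2-soul/` leaves a globally installed package writable by UID 1000, the same user set by `USER opencode`, so the runtime user can modify code it later executes. If the package only needs a writable data directory, chown that directory alone or add a comment explaining why the whole tree must be writable.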
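Review bot: In the first README.md hunk, the removed Podman section is the only place that told users to start the container with `--security-opt seccomp=unconfined` and `--device /dev/fuse`, and nothing replaces it. Anyone who copied that command will keep running the image with seccomp disabled and the FUSE device exposed although the image no longer uses either. Add a short upgrade note saying both options should be dropped from existing run commands.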
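Review bot: In the second README.md hunk, the summary still lists `- **Entrypoint**: `opencode serve`` as unchanged context, which contradicts the Dockerfile's `ENTRYPOINT ["opencode"]` and the AGENTS.md line stating that arguments such as `serve` are passed at runtime. Update it to say the entrypoint is `opencode` and that `serve` must be supplied as an argument. The Install line in the same list also names only `opencode-ai` while the Dockerfile installs `n2-soul` too; list both so the README reflects what ships in the image.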