diff --git a/kube/20-deployment.yaml b/kube/20-deployment.yaml
new file mode 100644
--- /dev/null
+++ b/kube/20-deployment.yaml
@@ -0,0 +1,123 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  namespace: pomerium
+  name: autocert-data
+spec:
+  storageClassName: ""
+  volumeName: "autocert-data"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: pomerium
+  name: pomerium-metrics
+  namespace: pomerium
+spec:
+  ports:
+    - { name: metrics, port: 9090, protocol: TCP, targetPort: metrics }
+  selector: { app.kubernetes.io/name: pomerium }
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: pomerium
+  name: pomerium-proxy
+  namespace: pomerium
+spec:
+  ports:
+    - { name: https, port: 443, protocol: TCP, targetPort: https }
+    - { name: http, port: 80, protocol: TCP, targetPort: http }
+  selector: { app.kubernetes.io/name: pomerium }
+  type: LoadBalancer
+  externalIPs:
+  # prime forwards to this
+    - 10.5.0.1
+  # local dns picks this
+    - 10.2.0.1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels: { app.kubernetes.io/name: pomerium }
+  name: pomerium
+  namespace: pomerium
+spec:
+  replicas: 1
+  selector:
+    matchLabels: { app.kubernetes.io/name: pomerium }
+  template:
+    metadata:
+      labels: { app.kubernetes.io/name: pomerium }
+    spec:
+      containers:
+        - args:
+            - all-in-one
+            - --pomerium-config=global
+            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
+            - --metrics-bind-address=$(POD_IP):9090
+          env:
+            - { name: TMPDIR, value: /tmp }
+            - { name: XDG_CACHE_HOME, value: /tmp }
+            - name: POMERIUM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          image: pomerium/ingress-controller:sha-5294279
+          imagePullPolicy: IfNotPresent
+          name: pomerium
+          ports:
+            - { containerPort: 8443, name: https, protocol: TCP }
+            - { containerPort: 8080, name: http, protocol: TCP }
+            - { containerPort: 9090, name: metrics, protocol: TCP }
+          resources:
+            limits: { cpu: 5000m, memory: 1Gi }
+            requests: { cpu: 300m, memory: 200Mi }
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1000
+            runAsNonRoot: true
+            runAsUser: 1000
+          volumeMounts:
+            - { mountPath: /tmp, name: tmp }
+            - { mountPath: /data/autocert, name: autocert }
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: pomerium-controller
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - { name: tmp, emptyDir: {} }
+        - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "kubernetes.io/hostname"
+                    operator: In
+                    values: ["bang"]
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/name: pomerium
+  name: pomerium
+spec:
+  controller: pomerium.io/ingress-controller