diff --git a/manifests/cluster-role-binding.yaml b/manifests/cluster-role-binding.yaml
new file mode 100644
index 0000000..b921484
--- /dev/null
+++ b/manifests/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: lldap-controller
+subjects:
+ - kind: ServiceAccount
+ name: lldap-controller
+roleRef:
+ kind: ClusterRole
+ name: lldap-controller
+ apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/cluster-role.yaml b/manifests/cluster-role.yaml
new file mode 100644
index 0000000..3a821c7
--- /dev/null
+++ b/manifests/cluster-role.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: lldap-controller
+rules:
+ - apiGroups: ["lldap.huizinga.dev"]
+ resources:
+ ["serviceusers", "serviceusers/status", "serviceusers/finalizers"]
+ verbs: ["get", "list", "watch", "patch", "update"]
+ - apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
new file mode 100644
index 0000000..3a9e21c
--- /dev/null
+++ b/manifests/deployment.yaml
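Review bot: In manifests/cluster-role-binding.yaml the ServiceAccount subject carries no `namespace`, which a ClusterRoleBinding subject of that kind needs in order to resolve to one account. The manifest appears to rely on the `namespace: lldap` field in kustomization.yaml to fill it in; whether kustomize rewrites subjects other than `default` depends on its version and settings, so the rendered output should be checked. Stating `namespace: lldap` under the subject makes the grant explicit and keeps the file valid when applied without kustomize. Because the binding is cluster-wide, the controller's service account can read and update `serviceusers` in every namespace; if only one namespace is intended, a Role and RoleBinding would narrow that.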
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: lldap-controller
+ labels:
+ app: lldap-controller
+ app.kubernetes.io/name: lldap-controller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: lldap-controller
+ template:
+ metadata:
+ labels:
+ app: lldap-controller
+ annotations:
+ kubectl.kubernetes.io/default-container: lldap-controller
+ spec:
+ serviceAccountName: lldap-controller
+ securityContext: {}
+ containers:
+ - name: lldap-controller
+ image: git.huizinga.dev/dreaded_x/lldap-controller:sha-${SHA_SHORT}
+ imagePullPolicy: IfNotPresent
+ securityContext: {}
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ env:
+ - name: RUST_LOG
+ value: info,lldap_controller=debug
+ - name: LLDAP_URL
+ value: "http://lldap:17170"
+ - name: LLDAP_ADMIN_USERNAME
+ value: admin
+ - name: LLDAP_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: lldap-credentials
+ key: lldap-ldap-user-pass
diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml
new file mode 100644
index 0000000..c40ff6d
--- /dev/null
+++ b/manifests/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: lldap
+resources:
+ - ./service-account.yaml
+ - ./cluster-role.yaml
+ - ./cluster-role-binding.yaml
+ - ./deployment.yaml
diff --git a/manifests/service-account.yaml b/manifests/service-account.yaml
new file mode 100644
index 0000000..45cca68
--- /dev/null
+++ b/manifests/service-account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: lldap-controller
+ labels:
+ app: lldap-controller
+ app.kubernetes.io/name: lldap-controller
+automountServiceAccountToken: true
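Review bot: In manifests/deployment.yaml both `securityContext: {}` entries are empty, so the pod runs with the runtime's defaults even though it holds the LLDAP admin password and a mounted service-account token bound to a ClusterRole. Setting non-root, no privilege escalation, dropped capabilities, a read-only root filesystem and the RuntimeDefault seccomp profile would limit what a compromise of the controller can do; confirm first that the image runs as a non-root UID and does not write to its root filesystem. Separately, `LLDAP_URL` is `http://`, so the admin credential presumably crosses the pod network unencrypted, which is worth a comment or a NetworkPolicy if TLS is not available.

```yaml
# … unchanged: metadata, selector, pod labels and annotations …
    spec:
      serviceAccountName: lldap-controller
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: lldap-controller
          # … unchanged: image, imagePullPolicy …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: resources, env …
```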