diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml
new file mode 100644
index 0000000..8373ad2
--- /dev/null
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -0,0 +1,76 @@ +name: Deploy to K8s +on: + workflow_dispatch: + push: + branches: [main] + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install kubectl + run: | + curl -sfLO "https://dl.k8s.io/release/$(curl -sfL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + install kubectl /usr/local/bin/ + + - name: Get Kanidm token from Vault + id: vault + run: | + # Authenticate to Vault (AppRole — no CLI needed) + VAULT_TOKEN=$(curl -sf --request POST \ + --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \ + https://vault.hrajfrisbee.cz/v1/auth/approle/login | jq -r '.auth.client_token') + + # Read the kanidm API token + API_TOKEN=$(curl -sf \ + -H "X-Vault-Token: ${VAULT_TOKEN}" \ + https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token') + + echo "::add-mask::${API_TOKEN}" + echo "api_token=${API_TOKEN}" >> "$GITHUB_OUTPUT" + + - name: Exchange for K8s OIDC token via Kanidm + id: k8s + run: | + RESPONSE=$(curl -sf -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \ + -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ + -d "client_id=k8s" \ + -d "subject_token=${{ steps.vault.outputs.api_token }}" \ + -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ + -d "audience=k8s" \ + -d "scope=openid groups") + + ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token') + [ "$ID_TOKEN" != "null" ] && [ -n "$ID_TOKEN" ] || { echo "::error::Kanidm token exchange failed"; echo "$RESPONSE" | jq . >&2; exit 1; } + + echo "::add-mask::${ID_TOKEN}" + echo "id_token=${ID_TOKEN}" >> "$GITHUB_OUTPUT" + + # Sanity check + echo "$ID_TOKEN" | cut -d. 
-f2 | base64 -d 2>/dev/null | jq '{sub, groups, exp}' + + - name: Configure kubectl & deploy + run: | + echo "${{ secrets.K8S_CA_CERT }}" > /tmp/ca.crt + + kubectl config set-cluster mycluster \ + --server=https://192.168.0.31:6443 \ + --certificate-authority=/tmp/ca.crt \ + --insecure-skip-tls-verify=true + + kubectl config set-credentials gitea-ci \ + --token="${{ steps.k8s.outputs.id_token }}" + + kubectl config set-context gitea-ci \ + --cluster=mycluster --user=gitea-ci + + kubectl config use-context gitea-ci + + kubectl auth whoami + kubectl get ns + + # your deploy here + # kubectl apply -f k8s/ \ No newline at end of file
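Review bot: In the "Configure kubectl & deploy" step, `--insecure-skip-tls-verify=true` is passed together with `--certificate-authority=/tmp/ca.crt`, which disables API-server verification and makes the CA file pointless — the Kanidm id_token would be sent to whatever answers at 192.168.0.31:6443 — and I believe kubectl rejects this combination outright ("cannot specify a certificate authority and insecure mode at the same time"), so the step would fail before deploying anyway. Drop the flag and keep only `--certificate-authority=/tmp/ca.crt`. In the "Get Kanidm token from Vault" step the two `curl -sf` calls have no failure check, so a failed AppRole login leaves `VAULT_TOKEN` empty and the run continues with an empty `api_token`; starting each `run:` block with `set -euo pipefail` and adding `echo "::add-mask::${VAULT_TOKEN}"` would match the explicit check the Kanidm step already does. The kubectl binary is also installed without verifying it against the published `kubectl.sha256`, so a `sha256sum --check` before `install` is worth adding.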