diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index 4fc9247..a6032bc 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -1,4 +1,4 @@
-name: Build and Push Container Image
+name: CI/CD Pipeline
 on:
 push:
@@ -52,3 +52,30 @@ jobs:
 run: |
 VERSION=${GITEA_REF#refs/tags/}
 docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build
+ if: gitea.event_name != 'pull_request'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup kubeconfig
+ run: |
+ mkdir -p ~/.kube
+ echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > ~/.kube/config
+ chmod 600 ~/.kube/config
+
+ - name: Apply manifests
+ run: |
+ kubectl apply -f k8s/configmap.yaml -f k8s/service.yaml -f k8s/deployment.yaml
+
+ - name: Update image
+ run: |
+ kubectl set image deployment/cfb-manager \
+ cfb-manager=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ gitea.sha }}
+
+ - name: Wait for rollout
+ run: |
+ kubectl rollout status deployment/cfb-manager --timeout=120s
diff --git a/k8s/configmap.yaml b/k8s/configmap.yaml
new file mode 100644
index 0000000..7ca4ef2
--- /dev/null
+++ b/k8s/configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cfb-manager-config
+ namespace: default
+data:
+ CFB_BOUNCER_HOST: "10.253.100.131"
+ CFB_BOUNCER_PORT: "22"
+ CFB_BOUNCER_USER: "root"
+ CFB_CROWDSEC_HOST: "10.253.100.240"
+ CFB_CROWDSEC_PORT: "22"
+ CFB_CROWDSEC_USER: "root"
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
new file mode 100644
index 0000000..cf4664c
--- /dev/null
+++ b/k8s/deployment.yaml
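Review bot: The `Setup kubeconfig` step expands `${{ secrets.KUBE_CONFIG }}` straight into the shell script text, tightens the file mode only after the credential has already been written, and nothing in the job removes `~/.kube/config` afterwards. Passing the secret through `env:`, setting `umask 077` before the write, and deleting the file in an `if: always()` step keeps the credential out of the rendered script and off a runner that may be reused. The kubeconfig should also belong to a service account limited to the objects this job touches; its scope cannot be seen from this page. The `build` job named in `needs: build` lies outside the hunk, so whether an image tagged `${{ gitea.sha }}` is actually pushed before `kubectl set image` runs is not confirmed here.

```yaml
      - name: Setup kubeconfig
        env:
          KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
        run: |
          umask 077
          mkdir -p ~/.kube
          printf '%s' "$KUBE_CONFIG" | base64 -d > ~/.kube/config

      # … unchanged: Apply manifests, Update image, Wait for rollout …

      - name: Remove kubeconfig
        if: always()
        run: rm -f ~/.kube/config
```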
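Review bot: `CFB_BOUNCER_USER: "root"` and `CFB_CROWDSEC_USER: "root"` have the manager log in as root on both hosts (presumably over SSH, given port 22 and the key mounted by the Deployment), so anyone who can drive this service or read its key gets full control of the bouncer and the CrowdSec machine. A dedicated account on each host, limited to the commands the manager needs through a sudoers entry or a forced command in `authorized_keys`, would bound that, e.g. `CFB_BOUNCER_USER: "<service-account>"` (placeholder). `namespace: default` also places these objects next to unrelated workloads; a dedicated namespace makes RBAC and network policy easier to scope.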
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cfb-manager
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cfb-manager
+ template:
+ metadata:
+ labels:
+ app: cfb-manager
+ spec:
+ imagePullSecrets:
+ - name: gitea-registry
+ containers:
+ - name: cfb-manager
+ image: gitea.anvil.it.com/kaffa/cf-bouncer-manager:latest
+ command: ["uv", "run", "uvicorn", "api_server:app", "--host", "0.0.0.0", "--port", "8000"]
+ ports:
+ - containerPort: 8000
+ envFrom:
+ - configMapRef:
+ name: cfb-manager-config
+ volumeMounts:
+ - name: ssh-key
+ mountPath: /root/.ssh
+ readOnly: true
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ readinessProbe:
+ tcpSocket:
+ port: 8000
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ livenessProbe:
+ tcpSocket:
+ port: 8000
+ initialDelaySeconds: 60
+ periodSeconds: 30
+ volumes:
+ - name: ssh-key
+ secret:
+ secretName: cfb-ssh-key
+ defaultMode: 0600
+ items:
+ - key: id_rsa
+ path: id_rsa
diff --git a/k8s/service.yaml b/k8s/service.yaml
new file mode 100644
index 0000000..3a64eae
--- /dev/null
+++ b/k8s/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cfb-manager
+ namespace: default
+spec:
+ type: ClusterIP
+ selector:
+ app: cfb-manager
+ ports:
+ - port: 8000
+ targetPort: 8000
+ protocol: TCP
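Review bot: The `cfb-manager` container has no `securityContext`, although it apparently runs as root (the key is mounted at `/root/.ssh`), listens on `0.0.0.0:8000` and holds an SSH private key for two hosts. Dropping capabilities and blocking privilege escalation, plus `automountServiceAccountToken: false` if the app never calls the Kubernetes API, limits what a compromise of the API process can reach; this should be tested against `uv run` before merging. `image: …:latest` is a mutable tag, and because the CI job re-applies this manifest before `kubectl set image`, every deploy first rolls to whatever `latest` currently is. The secret volume projects only `id_rsa`, read-only, so there is no `known_hosts`; confirm that the SSH client verifies host keys rather than running with the check disabled.

```yaml
    spec:
      automountServiceAccountToken: false
      # … unchanged: imagePullSecrets …
      containers:
        - name: cfb-manager
          # … unchanged: image, command, ports, envFrom, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```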
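Review bot: No NetworkPolicy accompanies this Service, so port 8000 is reachable from every pod in the cluster unless a policy outside this commit restricts it. Whether `api_server:app` authenticates its callers is not visible on this page. Because the backing pod holds an SSH key for two hosts, I would add a NetworkPolicy in the same change that admits only the intended client pods to `app: cfb-manager` on 8000, with a comment naming those clients.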