diff --git a/kms/cr.yaml b/kms/cr.yaml
new file mode 100644
index 0000000..36111df
--- /dev/null
+++ b/kms/cr.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kms-teddysun-role
+rules:
+ - apiGroups: [""]
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups: [""]
+ resources:
+ - pods
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
\ No newline at end of file
diff --git a/kms/crb.yaml b/kms/crb.yaml
new file mode 100644
index 0000000..35ec459
--- /dev/null
+++ b/kms/crb.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kms-teddysun-binding
+subjects:
+ - kind: ServiceAccount
+ name: kms-service-account
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: kms-teddysun-role
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/kms/deploy.yaml b/kms/deploy.yaml
new file mode 100644
index 0000000..4a44e62
--- /dev/null
+++ b/kms/deploy.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kms-deployment
+ namespace: default
+ labels:
+ app: kms
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kms
+ template:
+ metadata:
+ labels:
+ app: kms
+ spec:
+ containers:
+ - name: kms
+ image: teddysun/kms
+ ports:
+ - containerPort: 1688
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "128Mi"
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
diff --git a/kms/gateway.yaml b/kms/gateway.yaml
new file mode 100644
index 0000000..15cc5e9
--- /dev/null
+++ b/kms/gateway.yaml
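Review bot: The first rule in kms/cr.yaml grants `get`, `list` and `watch` on `secrets` in a ClusterRole, and kms/crb.yaml binds it with a ClusterRoleBinding, so `kms-service-account` (kms/svcacc.yaml) can read every Secret in every namespace; the `roles`/`rolebindings` rule is over-broad in the same way. Nothing in this diff shows the KMS container calling the Kubernetes API, and kms/deploy.yaml sets no `serviceAccountName`, so the pod would not even run under this account. The grant therefore looks unused, yet any holder of a token for that account inherits cluster-wide secret reads. I would drop cr.yaml and crb.yaml unless a consumer exists; if one does, replace them with a namespaced `Role` restricted by `resourceNames` and without `list`/`watch` on secrets.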
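Review bot: `image: teddysun/kms` in kms/deploy.yaml carries no tag or digest, so each pull resolves to whatever the registry currently serves as `latest`; pin the third-party image by digest, e.g. `image: teddysun/kms@sha256:<digest-placeholder>`. The pod spec also lacks `automountServiceAccountToken: false`, so an API token is mounted into a workload that shows no need for one. Indentation is lost on this page, so I cannot tell whether `securityContext` sits at pod or container level; either way the container should also set `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`.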
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: kms-gateway
+ namespace: default
+spec:
+ gatewayClassName: cilium
+ listeners:
+ - name: kms
+ protocol: TCP
+ port: 1688
+ allowedRoutes:
+ namespaces:
+ from: All
\ No newline at end of file
diff --git a/kms/kustomization.yaml b/kms/kustomization.yaml
new file mode 100644
index 0000000..cda5a10
--- /dev/null
+++ b/kms/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - cm.yaml
+ - cr.yaml
+ - crb.yaml
+ - deploy.yaml
+ - gateway.yaml
+ - route.yaml
+ #- secret.yaml
+ - svc.yaml
+ - svcacc.yaml
\ No newline at end of file
diff --git a/kms/route.yaml b/kms/route.yaml
new file mode 100644
index 0000000..7989cfa
--- /dev/null
+++ b/kms/route.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: TCPRoute
+metadata:
+ name: kms-route
+ namespace: default
+spec:
+ parentRefs:
+ - name: kms-gateway
+ rules:
+ - backendRefs:
+ - name: kms-service
+ port: 1688
+ weight: 1
\ No newline at end of file
diff --git a/kms/svc.yaml b/kms/svc.yaml
new file mode 100644
index 0000000..9593dda
--- /dev/null
+++ b/kms/svc.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kms-service
+spec:
+ selector:
+ app: kms
+ type: ClusterIP
+ ports:
+ - port: 1688
+ targetPort: 1688
+ protocol: TCP
+
diff --git a/kms/svcacc.yaml b/kms/svcacc.yaml
new file mode 100644
index 0000000..64febf9
--- /dev/null
+++ b/kms/svcacc.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kms-service-account
+ namespace: default
\ No newline at end of file
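Review bot: `allowedRoutes.namespaces.from: All` on the `kms` listener in kms/gateway.yaml lets a route from any namespace attach to port 1688, while the only route in this diff, `kms-route`, lives in `default` alongside the Gateway. `from: Same` keeps attachment within the Gateway's own namespace; `from: Selector` with a namespace label covers the case where another namespace genuinely needs it. The listener is plain TCP with no TLS or client authentication visible here, so the commit should state where the Gateway address is reachable from, or restrict that with a network policy.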
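Review bot: kms/route.yaml declares `kind: TCPRoute` under `apiVersion: gateway.networking.k8s.io/v1`, but as far as I know TCPRoute is served only as `gateway.networking.k8s.io/v1alpha2` from the experimental-channel CRDs. If that holds for this cluster the manifest is rejected on apply and the Gateway listener ends up with no attached route. Confirm the served version with `kubectl api-resources` and check that the installed Cilium release accepts TCPRoute on a `protocol: TCP` listener.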
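Review bot: `kms-service` in kms/svc.yaml has no `metadata.namespace`, whereas the Deployment, Gateway, TCPRoute and ServiceAccount all pin `namespace: default`, and kms/kustomization.yaml sets none either. Applied with a different current namespace, the Service lands apart from the pods it selects and from the `backendRefs` entry in `kms-route`, which is looked up in the route's own namespace. Add `namespace: default` under `metadata`, or set `namespace: default` once in the kustomization so every resource agrees.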