diff --git a/manifests/bases/kustomize-controller/kustomization.yaml b/manifests/bases/kustomize-controller/kustomization.yaml
new file mode 100644
index 00000000..9492b8d0
--- /dev/null
+++ b/manifests/bases/kustomize-controller/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- github.com/fluxcd/kustomize-controller/config//crd?ref=v0.0.1-alpha.4
+- github.com/fluxcd/kustomize-controller/config//manager?ref=v0.0.1-alpha.4
diff --git a/manifests/bases/source-controller/kustomization.yaml b/manifests/bases/source-controller/kustomization.yaml
new file mode 100644
index 00000000..39ede655
--- /dev/null
+++ b/manifests/bases/source-controller/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- github.com/fluxcd/source-controller/config//crd?ref=v0.0.1-alpha.2
+- github.com/fluxcd/source-controller/config//manager?ref=v0.0.1-alpha.2
diff --git a/manifests/install/kustomization.yaml b/manifests/install/kustomization.yaml
new file mode 100644
index 00000000..f5e991b0
--- /dev/null
+++ b/manifests/install/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitops-system
+resources:
+ - namespace.yaml
+ - ../bases/source-controller
+ - ../bases/kustomize-controller
+ - ../rbac
+ - ../policies
+transformers:
+ - labels.yaml
diff --git a/manifests/install/labels.yaml b/manifests/install/labels.yaml
new file mode 100644
index 00000000..aecb8e3a
--- /dev/null
+++ b/manifests/install/labels.yaml
@@ -0,0 +1,9 @@
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+ name: labels
+labels:
+ app.kubernetes.io/instance: gitops-system
+fieldSpecs:
+ - path: metadata/labels
+ create: true
diff --git a/manifests/install/namespace.yaml b/manifests/install/namespace.yaml
new file mode 100644
index 00000000..ab45ab3c
--- /dev/null
+++ b/manifests/install/namespace.yaml
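Review bot: In manifests/bases/kustomize-controller/kustomization.yaml both remote resources are pinned only by tag (`?ref=v0.0.1-alpha.4`), and a git tag can be moved upstream after review, so the manifests that get built and applied could change without any change in this repository. The two `?ref=v0.0.1-alpha.2` entries in manifests/bases/source-controller/kustomization.yaml have the same exposure. Because these bases are installed next to the wildcard RBAC added in manifests/rbac, pinning to an immutable revision is worth the extra characters: `- github.com/fluxcd/kustomize-controller/config//crd?ref=<full-commit-sha>  # v0.0.1-alpha.4` (placeholder SHA, tag kept as a comment for readability).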
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitops-system
diff --git a/manifests/policies/deny-ingress.yaml b/manifests/policies/deny-ingress.yaml
new file mode 100644
index 00000000..d9d0d0a3
--- /dev/null
+++ b/manifests/policies/deny-ingress.yaml
@@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-ingress
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
diff --git a/manifests/policies/kustomization.yaml b/manifests/policies/kustomization.yaml
new file mode 100644
index 00000000..f535811d
--- /dev/null
+++ b/manifests/policies/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deny-ingress.yaml
diff --git a/manifests/rbac/cluster_role.yaml b/manifests/rbac/cluster_role.yaml
new file mode 100644
index 00000000..9ce30d91
--- /dev/null
+++ b/manifests/rbac/cluster_role.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-reconciler
+rules:
+ - apiGroups: ['*']
+ resources: ['*']
+ verbs: ['*']
+ - nonResourceURLs: ['*']
+ verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-reconciler
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reconciler
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: system
diff --git a/manifests/rbac/kustomization.yaml b/manifests/rbac/kustomization.yaml
new file mode 100644
index 00000000..ea165a8f
--- /dev/null
+++ b/manifests/rbac/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cluster_role.yaml
+ - role.yaml
diff --git a/manifests/rbac/role.yaml b/manifests/rbac/role.yaml
new file mode 100644
index 00000000..4e79d185
--- /dev/null
+++ b/manifests/rbac/role.yaml
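Review bot: In manifests/policies/deny-ingress.yaml, `podSelector: {}` with no `ingress` rules blocks inbound traffic to every pod in the namespace, including traffic from pods in that same namespace. If the two controllers have to reach each other over the pod network (not visible in this diff), that needs an explicit rule such as `ingress: [{from: [{podSelector: {}}]}]`; if full isolation is intended, a comment like `# default-deny: no pod in this namespace accepts inbound connections` would record it. Egress stays unrestricted because only `Ingress` is listed under `policyTypes`, and the policy has an effect only on clusters whose network plugin enforces NetworkPolicy.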
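Review bot: In manifests/rbac/cluster_role.yaml the `cluster-reconciler` ClusterRole allows every verb on every resource and every non-resource URL, and the ClusterRoleBinding hands it to the `default` ServiceAccount, so any pod in that namespace that does not set its own `serviceAccountName` runs with cluster-admin-equivalent rights. Bind the role to a ServiceAccount created for the reconciler instead, e.g. `name: <reconciler-service-account>` (placeholder) under `subjects`, so that `default` carries no privileges; the RoleBinding in manifests/rbac/role.yaml names the same `default` subject and needs the same change. If wildcard access is a deliberate requirement, a comment above `rules:` stating why would help later reviewers and auditors. The subject namespace `system` is presumably rewritten to `gitops-system` by the `namespace:` field in manifests/install/kustomization.yaml; built without that overlay, the binding would point at a namespace literally named `system`.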
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: crd-controller
+rules:
+- apiGroups: ['source.fluxcd.io']
+ resources: ['*']
+ verbs: ['*']
+- apiGroups: ['kustomize.fluxcd.io']
+ resources: ['*']
+ verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: crd-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: crd-controller
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: system
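Review bot: The `crd-controller` Role is bound to the same `default` ServiceAccount that manifests/rbac/cluster_role.yaml binds to the wildcard `cluster-reconciler` ClusterRole, so as written it grants nothing that subject does not already hold and its narrower scope has no effect. The split becomes a real least-privilege boundary only if the two bindings name different ServiceAccounts, with the wildcard role reserved for the component that actually applies cluster objects. A comment above `rules:` such as `# namespaced access to the source.fluxcd.io and kustomize.fluxcd.io custom resources` would make the intended scope explicit.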