diff --git a/manifests/bases/kustomize-controller/kustomization.yaml b/manifests/bases/kustomize-controller/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9492b8d0cdf3357c00231685e910c17f1983de7d
--- /dev/null
+++ b/manifests/bases/kustomize-controller/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- github.com/fluxcd/kustomize-controller/config//crd?ref=v0.0.1-alpha.4
+- github.com/fluxcd/kustomize-controller/config//manager?ref=v0.0.1-alpha.4
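Review bot: Both remote bases are pinned to a git tag (`?ref=v0.0.1-alpha.4`), and a tag can be moved upstream after review, so a later `kustomize build` could pull CRDs and a manager Deployment that differ from what was reviewed. Pinning to the full commit SHA makes the fetched content immutable, e.g. `- github.com/fluxcd/kustomize-controller/config//crd?ref=<full-commit-sha>  # v0.0.1-alpha.4`. This matters more than usual because the workloads from these bases presumably run under the wildcard ClusterRole added in manifests/rbac/cluster_role.yaml. The same applies to the `v0.0.1-alpha.2` refs in manifests/bases/source-controller/kustomization.yaml.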
diff --git a/manifests/bases/source-controller/kustomization.yaml b/manifests/bases/source-controller/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..39ede655f8d7ebdb6aebdb824e5da54395f84f2e
--- /dev/null
+++ b/manifests/bases/source-controller/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- github.com/fluxcd/source-controller/config//crd?ref=v0.0.1-alpha.2
+- github.com/fluxcd/source-controller/config//manager?ref=v0.0.1-alpha.2
diff --git a/manifests/install/kustomization.yaml b/manifests/install/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f5e991b056abc3ef40246c0ce338c8b3229f1d82
--- /dev/null
+++ b/manifests/install/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitops-system
+resources:
+  - namespace.yaml
+  - ../bases/source-controller
+  - ../bases/kustomize-controller
+  - ../rbac
+  - ../policies
+transformers:
+  - labels.yaml
diff --git a/manifests/install/labels.yaml b/manifests/install/labels.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..aecb8e3a9f3704d0032723e54dd362e0ca11b180
--- /dev/null
+++ b/manifests/install/labels.yaml
@@ -0,0 +1,9 @@
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+  name: labels
+labels:
+  app.kubernetes.io/instance: gitops-system
+fieldSpecs:
+  - path: metadata/labels
+    create: true
diff --git a/manifests/install/namespace.yaml b/manifests/install/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ab45ab3c9182b47b52a1e403694995133b2ba5be
--- /dev/null
+++ b/manifests/install/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitops-system
diff --git a/manifests/policies/deny-ingress.yaml b/manifests/policies/deny-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d9d0d0a35d04dff636c1b37f2a724dcd6848b987
--- /dev/null
+++ b/manifests/policies/deny-ingress.yaml
@@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-ingress
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
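Review bot: With `podSelector: {}` and no `ingress` rules, this policy drops all inbound traffic to every pod in the namespace, including traffic between the two controllers. If kustomize-controller fetches artifacts from source-controller over the pod network (not visible in this diff, so to be confirmed), reconciliation would fail on any CNI that enforces NetworkPolicy. Allowing same-namespace traffic with `ingress: [{from: [{podSelector: {}}]}]` would keep the default-deny for everything outside the namespace. Egress is not listed in `policyTypes`, so outbound traffic stays unrestricted; a comment saying whether that is intentional would help.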
diff --git a/manifests/policies/kustomization.yaml b/manifests/policies/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f535811deb4b0bbe5d48e5da9a3f79c6d089b2c0
--- /dev/null
+++ b/manifests/policies/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deny-ingress.yaml
diff --git a/manifests/rbac/cluster_role.yaml b/manifests/rbac/cluster_role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9ce30d9129c5d0de8d1ad1e0ffd2cc2a6950ee5a
--- /dev/null
+++ b/manifests/rbac/cluster_role.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cluster-reconciler
+rules:
+  - apiGroups: ['*']
+    resources: ['*']
+    verbs: ['*']
+  - nonResourceURLs: ['*']
+    verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-reconciler
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: system
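Review bot: The binding grants `cluster-reconciler` (every verb on every resource and non-resource URL) to the namespace's `default` ServiceAccount, so any pod scheduled there without an explicit `serviceAccountName` inherits cluster-admin-equivalent rights. A dedicated account as the subject, used only by the controller that applies manifests (illustrative: `name: kustomize-controller`), limits that to one workload; the Deployments come from the remote bases and are not visible here, so the account name is to be confirmed. `namespace: system` presumably relies on kustomize's namespace transformer rewriting subjects named `default`, so check the rendered output after any rename. The RoleBinding in manifests/rbac/role.yaml uses the same `default` subject. If the wildcard rule stays, binding to the built-in `cluster-admin` ClusterRole and adding a comment on why full access is required would make the intent explicit.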
diff --git a/manifests/rbac/kustomization.yaml b/manifests/rbac/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ea165a8f556f1d2316c9691d1dcc4e20d36e51af
--- /dev/null
+++ b/manifests/rbac/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster_role.yaml
+  - role.yaml
diff --git a/manifests/rbac/role.yaml b/manifests/rbac/role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4e79d1854ca4bef30383a659c1822a6489665b9f
--- /dev/null
+++ b/manifests/rbac/role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: crd-controller
+rules:
+- apiGroups: ['source.fluxcd.io']
+  resources: ['*']
+  verbs: ['*']
+- apiGroups: ['kustomize.fluxcd.io']
+  resources: ['*']
+  verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: crd-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: crd-controller
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: system
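Review bot: The `crd-controller` Role is bound to the same `default` ServiceAccount that manifests/rbac/cluster_role.yaml already binds to a ClusterRole with `apiGroups: ['*']`, `resources: ['*']`, `verbs: ['*']`, so these rules grant nothing extra. The apparent scoping to `source.fluxcd.io` and `kustomize.fluxcd.io` is therefore not effective. If source-controller is meant to run with only this Role, it needs its own ServiceAccount as the subject, separate from the one holding the cluster-wide role. As a style point, `rules:` uses flush sequence items while `subjects:` is indented; pick one form for the file.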