diff --git a/.infrastructure/app/deployment.yml b/.infrastructure/app/deployment.yml
index 6d86d03..4b9d429 100644
--- a/.infrastructure/app/deployment.yml
+++ b/.infrastructure/app/deployment.yml
@@ -91,4 +91,4 @@ spec:
 secretName: app-secret
 - name: app-config-volume
 configMap:
- name: app-config
\ No newline at end of file
+ name: app-config
diff --git a/bootstrap.sh b/bootstrap.sh
index 2d534d7..2237ac5 100644
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -14,7 +14,8 @@ kubectl apply -f .infrastructure/app/clusterIp.yml
 kubectl apply -f .infrastructure/app/nodeport.yml
 kubectl apply -f .infrastructure/app/hpa.yml
 kubectl apply -f .infrastructure/app/deployment.yml
+kubectl apply -f .infrastructure/security/rbac.yml
 # Install Ingress Controller
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-# kubectl apply -f .infrastructure/ingress/ingress.yml
+kubectl apply -f .infrastructure/ingress/ingress.yml
diff --git a/cluster.yml b/cluster.yml
index 4bbbe4c..439243f 100644
--- a/cluster.yml
+++ b/cluster.yml
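Review bot: The added line `kubectl apply -f .infrastructure/security/rbac.yml` points at a path this commit does not create — the RBAC manifest is added as `security/rbac.yml` at the repository root — so that apply will fail with a file-not-found error, and whether the rest of the bootstrap then stops depends on shell options set outside the hunk. Either move the file under `.infrastructure/security/` to match the other manifests or change the line to `kubectl apply -f security/rbac.yml`. Uncommenting `kubectl apply -f .infrastructure/ingress/ingress.yml` directly after the ingress-nginx install is also fragile: the controller's admission webhook is usually not serving yet at that point and the Ingress is rejected, so a readiness wait between the two lines, `kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s`, is the usual guard. The surrounding script lines are outside the hunk.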
@@ -1,61 +1,53 @@ -# this config file contains all config fields with comments -# NOTE: this is not a particularly useful config file -apiVersion: kind.x-k8s.io/v1alpha4 kind: Cluster -# patch the generated kubeadm config with some extra settings +apiVersion: kind.x-k8s.io/v1alpha4 + +# Patch the generated kubeadm config with some extra settings kubeadmConfigPatches: -- | - apiVersion: kubelet.config.k8s.io/v1beta1 - kind: KubeletConfiguration - evictionHard: - nodefs.available: "0%" -# patch it further using a JSON 6902 patch + - | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + evictionHard: + nodefs.available: "0%" +# Patch it further using a JSON 6902 patch kubeadmConfigPatchesJSON6902: -- group: kubeadm.k8s.io - version: v1beta3 - kind: ClusterConfiguration - patch: | - - op: add - path: /apiServer/certSANs/- - value: my-hostname -# 2 control plane node and 2 workers + - group: kubeadm.k8s.io + version: v1beta3 + kind: ClusterConfiguration + patch: | + - op: add + path: /apiServer/certSANs/- + value: my-hostname +# 2 control plane nodes and 2 workers nodes: -# the control plane node config -- role: control-plane - extraMounts: - - hostPath: /tmp - containerPath: /data - kubeadmConfigPatches: - - | - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 30007 - hostPort: 30007 - - containerPort: 30008 - hostPort: 30008 - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP -# the two workers -- role: worker - extraMounts: - - hostPath: /tmp - containerPath: /data -- role: worker - extraMounts: - - hostPath: /tmp - containerPath: /data -- role: worker - extraMounts: - - hostPath: /tmp - containerPath: /data -- role: worker - extraMounts: - - hostPath: /tmp - containerPath: /data \ No newline at end of file + # The control plane node config + - role: control-plane + extraMounts: + - hostPath: /tmp + 
containerPath: /data
+ kubeadmConfigPatches:
+ - |
+ kind: InitConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ node-labels: "ingress-ready=true"
+ extraPortMappings:
+ - containerPort: 30007
+ hostPort: 30007
+ - containerPort: 30008
+ hostPort: 30008
+ - containerPort: 80
+ hostPort: 80
+ protocol: TCP
+ - containerPort: 443
+ hostPort: 443
+ protocol: TCP
+
+ # The worker nodes
+ - role: worker
+ extraMounts:
+ - hostPath: /tmp
+ containerPath: /data
+ - role: worker
+ extraMounts:
+ - hostPath: /tmp
+ containerPath: /data
diff --git a/security/rbac.yml b/security/rbac.yml
new file mode 100644
index 0000000..b3d8acb
--- /dev/null
+++ b/security/rbac.yml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secrets-reader
+ namespace: todoapp
+secrets:
+- name: secrets-reader-token
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secrets-reader
+ namespace: todoapp
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "get"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: secrets-reader-binding
+ namespace: todoapp
+subjects:
+- kind: ServiceAccount
+ name: secrets-reader
+ namespace: todoapp
+roleRef:
+ kind: Role
+ name: secrets-reader
+ apiGroup: rbac.authorization.k8s.io
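Review bot: The rewritten comment `# 2 control plane nodes and 2 workers` still does not match the node list under it, which defines one `control-plane` node and two `worker` nodes; since the comment is being touched anyway, make it `# 1 control plane node and 2 workers`. The `kubeadmConfigPatchesJSON6902` stanza keeps the placeholder `value: my-hostname` from the kind example config, which bakes a dummy name into the API server's serving certificate SANs — drop the stanza if no extra SAN is actually needed, or replace the value with the real hostname. Every node also mounts host `/tmp` at `/data` through `extraMounts`, which makes host `/tmp` reachable from any pod permitted a `hostPath` volume on those nodes; a comment stating why the mount exists, e.g. `# host /tmp is exposed on every node as /data; needed for <purpose>`, would make that trade-off explicit. The `nodefs.available: "0%"` patch appears to disable disk-pressure eviction and likewise deserves a one-line why-comment.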
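Review bot: The Role's rule `verbs: ["list", "get"]` on `resources: ["secrets"]` lets the `secrets-reader` ServiceAccount read the contents of every Secret in the `todoapp` namespace, not just the ones the app uses, and `list` returns all of them with their data in one call. If the workload only needs specific secrets, add `resourceNames: ["app-secret"]` (the Secret name mounted in deployment.yml in this same commit) and keep only `get`; `list` under `resourceNames` only works when the client also sends a `metadata.name` field selector, so restricting to `get` is the simpler scoping. The ServiceAccount's `secrets:` stanza references a `secrets-reader-token` Secret that this file does not create, and on clusters that no longer auto-generate token Secrets the reference stays dangling — either create that Secret explicitly or drop the stanza and rely on the projected token the pod receives. I cannot see which namespace the Deployment uses, so confirm that `todoapp` matches it.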