diff --git a/jenkins/README.md b/jenkins/README.md index d298168..e9d81a0 100644 --- a/jenkins/README.md +++ b/jenkins/README.md @@ -1,38 +1,31 @@ -# Jenkins Kubernetes Integration +# Jenkins in Kubernetes ## Kubernetes Setup -Create *jenkins* user: - -```sh -kubeadm kubeconfig user \ - --client-name jenkins \ - --config kubeadm-user.yaml \ - --org jenkins \ - > jenkins.kubeconfig -``` - Configure Jenkins resources: ```sh -kubectl apply -f jenkins.yaml +ln imagepull-gitea jenkins/.dockerconfigjson +kubectl apply -k jenkins ``` - ## Jenkins Setup Install [Kubernetes plugin][0]. Set *TCP port for inbound agents* setting (*Manage Jenkins* → *Configure Global -Security*) to *Fixed* and enter a number. Be sure to open this port with -*firewalld* on the Jenkins server. +Security*) to *Fixed* and enter `40414`. Configure Kubernetes (*Manage Jenkins* → *Manage Nodes and Clouds* → *Configure Clouds*: -* *Kubernetes URL*: https://kubernetes.pyrocufflink.blue:6443 -* *Kubernetes server certificate key*: Contents of `/etc/kubernetes/pki/ca.crt` -* *Kubernetes Namespace*: jenkins -* *Credentials*: Certificate and private key from `jenkins.kubeconfig` +1. *Add a new cloud* → *Kubernetes* +2. Enter a name +3. *Kubernetes Cloud details...* + * *Kubernetes URL*: (leave blank; will use Kubernetes service discovery) + * *Kubernetes Namespace*: `jenkins-jobs` + * *Credentials*: `- none -` (will use Service Account token) + * *Jenkins tunnel*: `jenkins.jenkins.svc.cluster.local:` (trailing colon!) + [0]: https://plugins.jenkins.io/kubernetes/ diff --git a/jenkins/jenkins.yaml b/jenkins/jenkins.yaml index 06bb983..1cadfb3 100644 --- a/jenkins/jenkins.yaml +++ b/jenkins/jenkins.yaml 
@@ -3,12 +3,43 @@ kind: Namespace metadata: name: jenkins +--- +apiVersion: v1 +kind: Namespace +metadata: + name: jenkins-jobs + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: jenkins + namespace: jenkins + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jenkins + namespace: jenkins + labels: + app.kubernetes.io/name: jenkins + app.kubernetes.io/component: master + app.kubernetes.io/instance: jenkins + app.kubernetes.io/part-of: jenkins +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: jenkins - namespace: jenkins + namespace: jenkins-jobs rules: - apiGroups: - '' 
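Review bot: The new `jenkins-jobs` namespace is created without Pod Security admission labels, so nothing in this manifest limits what kind of pods the `jenkins` service account can start there. The Role's rules continue outside this hunk, but if they allow creating pods, which the Kubernetes plugin needs, then anyone who can define a pod template in a pipeline can request privileged containers or host mounts. Consider adding `labels:` with `pod-security.kubernetes.io/enforce: baseline` under that namespace's `metadata:`, or `restricted` if the build images tolerate it.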
@@ -23,13 +54,106 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: jenkins-binding - namespace: jenkins + name: jenkins + namespace: jenkins-jobs roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: jenkins subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User +- kind: ServiceAccount name: jenkins + namespace: jenkins + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: master + app.kubernetes.io/name: jenkins + app.kubernetes.io/instance: jenkins + app.kubernetes.io/part-of: jenkins + name: jenkins + namespace: jenkins +spec: + ports: + - name: http + port: 8080 + - name: jnlp + port: 40414 + selector: + app.kubernetes.io/component: master + app.kubernetes.io/name: jenkins + app.kubernetes.io/instance: jenkins + type: ClusterIP + +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: jenkins + namespace: jenkins + labels: + app.kubernetes.io/name: jenkins + app.kubernetes.io/component: master + app.kubernetes.io/instance: jenkins + app.kubernetes.io/part-of: jenkins +spec: + serviceName: jenkins + selector: + matchLabels: + app.kubernetes.io/name: jenkins + app.kubernetes.io/component: master + app.kubernetes.io/instance: jenkins + template: + metadata: + labels: + app.kubernetes.io/name: jenkins + app.kubernetes.io/component: master + app.kubernetes.io/instance: jenkins + spec: + containers: + - name: jenkins + image: docker.io/jenkins/jenkins:lts + imagePullPolicy: Always + ports: + - name: http + containerPort: 8080 + - name: jnlp + containerPort: 40414 + volumeMounts: + - name: jenkins-data + mountPath: /var/jenkins_home + securityContext: + runAsUser: 1000 + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: jenkins + volumes: + - name: jenkins-data + persistentVolumeClaim: + claimName: jenkins + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: jenkins + namespace: jenkins +spec: + ingressClassName: nginx + rules: 
+ - host: jenkins.pyrocufflink.blue + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: jenkins + port: + name: http + tls: + - hosts: + - jenkins.pyrocufflink.blue diff --git a/jenkins/kustomization.yaml b/jenkins/kustomization.yaml new file mode 100644 index 0000000..3e7cccd --- /dev/null +++ b/jenkins/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- jenkins.yaml + +secretGenerator: +- name: imagepull-gitea + namespace: jenkins + type: kubernetes.io/dockerconfigjson + files: + - .dockerconfigjson
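Review bot: The controller container runs `docker.io/jenkins/jenkins:lts` with `imagePullPolicy: Always`, so any pod restart can pull a different, unreviewed image into the pod that holds the `jenkins` service account token. Pinning a version and digest, for example `image: docker.io/jenkins/jenkins:<VERSION>-lts@sha256:<DIGEST>` (placeholders), makes each upgrade an explicit change. The `securityContext` sets only the user and fsGroup; adding `runAsNonRoot: true` for the pod and `allowPrivilegeEscalation: false` on the container would be cheap hardening. The Ingress `tls:` entry lists the host but no `secretName`, which presumably relies on the ingress controller's default certificate, and a comment saying so would help the next reader.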
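Review bot: The generated `imagepull-gitea` secret lands in the `jenkins` namespace, but nothing visible in this commit references it there. The StatefulSet pulls from docker.io without `imagePullSecrets`, and agent pods run in `jenkins-jobs`, where a pull secret must live to be usable. If it is meant for agent pods, `namespace: jenkins-jobs` is probably what is wanted. Because kustomize appends a content hash to generated names, a pod template that refers to `imagepull-gitea` by name would also need `generatorOptions:` with `disableNameSuffixHash: true`. Separately, `.dockerconfigjson` is a registry credential that the README hard-links into `jenkins/`, so an ignore rule for `jenkins/.dockerconfigjson` would keep it from being committed by accident, if one does not already exist.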