diff --git a/config/gateway-api/kustomization.yaml b/config/gateway-api/kustomization.yaml
new file mode 100644
index 00000000..e57cdd8d
--- /dev/null
+++ b/config/gateway-api/kustomization.yaml
@@ -0,0 +1,21 @@
+namespace: pomerium
+commonLabels:
+  app.kubernetes.io/name: pomerium
+resources:
+  - ../default
+patches:
+  - path: role_patch.yaml
+    target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRole
+      name: pomerium-controller
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: '--experimental-gateway-api'
+    target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: pomerium
diff --git a/config/gateway-api/role_patch.yaml b/config/gateway-api/role_patch.yaml
new file mode 100644
index 00000000..c3704643
--- /dev/null
+++ b/config/gateway-api/role_patch.yaml
@@ -0,0 +1,38 @@
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - gatewayclasses
+      - gateways
+      - httproutes
+      - referencegrants
+    verbs:
+      - get
+      - list
+      - watch
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - gatewayclasses/status
+      - gateways/status
+      - httproutes/status
+    verbs:
+      - get
+      - patch
+      - update