diff --git a/knoq/certificate.yaml b/knoq/certificate.yaml
new file mode 100644
index 000000000..e79799b8c
--- /dev/null
+++ b/knoq/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: knoq-certificate
+
+spec:
+  issuerRef:
+    kind: ClusterIssuer
+    name: cluster-issuer
+  secretName: knoq-tls
+  duration: 2160h0m0s # 90d
+  renewBefore: 720h0m0s # 30d
+  dnsNames:
+    - knoq.trap.jp
diff --git a/knoq/deployment.yaml b/knoq/deployment.yaml
new file mode 100644
index 000000000..8a5efeea7
--- /dev/null
+++ b/knoq/deployment.yaml
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: knoq
+  labels:
+    app: knoq
+
+spec:
+  selector:
+    matchLabels:
+      app: knoq
+  template:
+    metadata:
+      labels:
+        app: knoq
+    spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: In
+                    values:
+                      - las211.tokyotech.org
+              weight: 1
+
+      containers:
+        - name: knoq
+          image: ghcr.io/traptitech/knoq:main
+          env:
+            - name: DB_USER
+              value: "service_knoq"
+            - name: DB_PORT
+              value: "3306"
+            - name: DB_HOST
+              value: "tailscale.kmbk.tokyotech.org"
+            - name: DB_NAME
+              value: "service_knoq"
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: knoq-secrets
+                  key: DB_PASSWORD
+          ports:
+            - containerPort: 3000
+          resources:
+            requests:
+              cpu: "10m"
+              memory: "10Mi"
+            limits:
+              cpu: "200m"
+              memory: "300Mi"
diff --git a/knoq/ingress-route.yaml b/knoq/ingress-route.yaml
new file mode 100644
index 000000000..f36808b98
--- /dev/null
+++ b/knoq/ingress-route.yaml
@@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: knoq-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    secretName: knoq-tls
+
+  routes:
+    - match: Host(`knoq.trap.jp`) 
+      middlewares:
+        - name: auth-trap-jp-hard
+          namespace: auth
+      services:
+        - kind: Service
+          name: knoq-service
+          port: 3000
+          scheme: http
diff --git a/knoq/kustomization.yaml b/knoq/kustomization.yaml
new file mode 100644
index 000000000..ba4bbacca
--- /dev/null
+++ b/knoq/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+  - deployment.yaml
+  - service.yaml
+  - ingress-route.yaml
+  - certificate.yaml
diff --git a/knoq/service.yaml b/knoq/service.yaml
new file mode 100644
index 000000000..350de7b9f
--- /dev/null
+++ b/knoq/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: knoq-service
+
+spec:
+  type: ClusterIP
+  selector:
+    app: knoq
+  ports:
+    - name: http
+      port: 3000
+      targetPort: 3000