diff --git a/baton/kubernetes.mdx b/baton/kubernetes.mdx
new file mode 100644
index 00000000..3f409038
--- /dev/null
+++ b/baton/kubernetes.mdx
@@ -0,0 +1,278 @@
+---
+title: "Set up a Kubernetes connector"
+description: "C1 provides identity governance for Kubernetes. Integrate your Kubernetes cluster with C1 to run user access reviews (UARs) and gain visibility into RBAC permissions across your cluster."
+og:title: "Set up a Kubernetes connector"
+og:description: "C1 provides identity governance for Kubernetes. Integrate your Kubernetes cluster with C1 to run user access reviews (UARs) and gain visibility into RBAC permissions across your cluster."
+sidebarTitle: "Kubernetes"
+---
+
+
+**Important note on hosting:**
+
+This connector requires network access to your Kubernetes API server. If your cluster API endpoint is not publicly accessible, you must run the connector in self-hosted mode, deployed inside the cluster itself.
+
+
+## Capabilities
+
+| Resource | Sync | Provision |
+| :--- | :--- | :--- |
+| Namespaces | | |
+| Service accounts | | |
+| Kubernetes users | | |
+| Kubernetes groups | | |
+| Roles | | |
+| Cluster roles | | |
+| Nodes | | |
+| Pods | | |
+| Deployments | | |
+| StatefulSets | | |
+| DaemonSets | | |
+| Secrets | | |
+| ConfigMaps | | |
+
+## Before you begin
+
+You'll need:
+- A running Kubernetes cluster
+- `kubectl` configured to connect to the cluster
+- Permissions to create namespaces, service accounts, and RBAC resources in the cluster
+
+## Set up RBAC permissions in your cluster
+
+The connector uses a Kubernetes service account to read cluster state. Apply the following manifest to create the namespace, service account, and the read-only RBAC permissions it needs.
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: baton
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: baton-kubernetes
+ namespace: baton
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: baton-kubernetes-reader
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - nodes
+ - pods
+ - secrets
+ - configmaps
+ - serviceaccounts
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: baton-kubernetes-reader
+subjects:
+ - kind: ServiceAccount
+ name: baton-kubernetes
+ namespace: baton
+roleRef:
+ kind: ClusterRole
+ name: baton-kubernetes-reader
+ apiGroup: rbac.authorization.k8s.io
+```
+
+Save this as `baton-rbac.yaml` and apply it:
+
+```bash
+kubectl apply -f baton-rbac.yaml
+```
+
+## Configure the Kubernetes connector
+
+
+**To complete this task, you'll need:**
+
+- The **Connector Administrator** or **Super Administrator** role in C1
+
+
+
+
+**Follow these instructions to deploy the Kubernetes connector inside your cluster.**
+
+When running in service mode, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
+
+### Resources
+
+* [GitHub repository](https://github.com/conductorone/baton-kubernetes): Access the source code, report issues, or contribute to the project.
+
+### Step 1: Set up a new Kubernetes connector in C1
+
+
+
+ In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
+
+
+ Search for **Baton** and click **Add**.
+
+
+ Choose how to set up the new connector:
+
+ - Add the connector to a currently unmanaged app
+ - Add the connector to a managed app
+ - Create a new managed app
+
+
+ Set the owner for this connector and click **Next**.
+
+
+ In the **Settings** area of the page, click **Edit**.
+
+
+ Click **Rotate** to generate a new Client ID and Secret. Copy and save these credentials — you'll need them in the next step.
+
+
+
+### Step 2: Deploy the connector to your cluster
+
+Create a secret with your C1 credentials and deploy the connector using the service account created earlier.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: baton-conductorone-creds
+ namespace: baton
+type: Opaque
+stringData:
+ BATON_CLIENT_ID: ""
+ BATON_CLIENT_SECRET: ""
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baton-kubernetes
+ namespace: baton
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: baton-kubernetes
+ template:
+ metadata:
+ labels:
+ app: baton-kubernetes
+ spec:
+ serviceAccountName: baton-kubernetes
+ containers:
+ - name: baton-kubernetes
+ image: ghcr.io/conductorone/baton-kubernetes:latest
+ envFrom:
+ - secretRef:
+ name: baton-conductorone-creds
+```
+
+Save this as `baton-kubernetes.yaml`, fill in your C1 credentials, and apply it:
+
+```bash
+kubectl apply -f baton-kubernetes.yaml
+```
+
+### Step 3: Verify the connector is running
+
+
+
+ Check that the pod started successfully:
+
+ ```bash
+ kubectl get pods -n baton
+ kubectl logs -n baton deployment/baton-kubernetes
+ ```
+
+
+ In C1, click **Apps**. On the **Managed apps** tab, locate the application you added the connector to. Kubernetes data should appear on the **Entitlements** and **Accounts** tabs after the first sync completes.
+
+
+
+**Done.** Your Kubernetes connector is now pulling access data into C1.
+
+
+**Follow these instructions to use a built-in, no-code connector hosted by C1.**
+
+
+Cloud-hosted mode requires your Kubernetes API server to be publicly accessible. You'll need a bearer token and the public API server URL.
+
+
+### Step 1: Generate a long-lived bearer token
+
+Create a service account token secret in your cluster:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: baton-kubernetes-token
+ namespace: baton
+ annotations:
+ kubernetes.io/service-account.name: baton-kubernetes
+type: kubernetes.io/service-account-token
+```
+
+```bash
+kubectl apply -f token-secret.yaml
+kubectl get secret baton-kubernetes-token -n baton -o jsonpath='{.data.token}' | base64 -d
+```
+
+Copy the decoded token — you'll need it when configuring the connector.
+
+### Step 2: Get your API server URL
+
+```bash
+kubectl cluster-info | grep "Kubernetes control plane"
+```
+
+### Step 3: Configure the connector in C1
+
+
+
+ In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
+
+
+ Search for **Kubernetes** and click **Add**.
+
+
+ Choose how to set up the new connector:
+
+ - Add the connector to a currently unmanaged app
+ - Add the connector to a managed app
+ - Create a new managed app
+
+
+ Set the owner for this connector and click **Next**.
+
+
+ In the **Settings** area, click **Edit** and enter:
+ - **Server**: your API server URL
+ - **Token**: the bearer token generated above
+
+
+ Click **Save**. The connector's label changes to **Syncing**, then **Connected**.
+
+
+
+**Done.** Your Kubernetes connector is now pulling access data into C1.
+
+
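Review bot: The `baton-kubernetes-reader` ClusterRole in the "Set up RBAC permissions in your cluster" manifest grants `get`, `list` and `watch` on `secrets` in every namespace, while the text describes this only as "read-only RBAC permissions". In Kubernetes, get and list on secrets return the secret values themselves, so the page should say that plainly and state whether the connector needs secret contents or could run with a narrower grant. This matters most in the cloud-hosted path, where the same service account gets a long-lived token (`type: kubernetes.io/service-account-token`) that is copied into C1 and used against a publicly accessible API server; add guidance there on rotating and revoking that token. Smaller points: the Deployment uses `image: ghcr.io/conductorone/baton-kubernetes:latest`, which is better pinned to a release tag or digest; the token step runs `kubectl apply -f token-secret.yaml` without first telling the reader to save the manifest under that name, unlike the two earlier manifests; self-hosted Step 1 says to search for **Baton** while cloud-hosted Step 3 says **Kubernetes**, which needs a sentence of explanation if it is intentional; and the Sync and Provision columns of the Capabilities table are empty in every row.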