diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 56a9caf8..e3b9ba78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
 - name: install Go
 uses: actions/setup-go@v2
 with:
- go-version: 1.14.x
+ go-version: 1.16.x
 - name: verify
 run: hack/verify-all.sh -v
 test:
@@ -40,6 +40,30 @@ jobs:
 - name: install Go
 uses: actions/setup-go@v2
 with:
- go-version: 1.14.x
+ go-version: 1.16.x
 - name: make test
 run: make test
+ e2e:
+ name: e2e
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v2
+ - name: install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.16.x
+ - name: images
+ run: make docker-build
+ - name: setup kind
+ uses: engineerd/setup-kind@v0.5.0
+ with:
+ version: v0.11.1
+ - name: Load image on the nodes of the cluster
+ run: |
+ kind load docker-image --name=kind work-api-controller:latest
+ - name: Run e2e test
+ run: |
+ make test-e2e
+ env:
+ KUBECONFIG: /home/runner/.kube/config
diff --git a/Makefile b/Makefile
index 6faef641..c01b321d 100644
--- a/Makefile
+++ b/Makefile
@@ -74,3 +74,9 @@ docker-build: generate fmt vet manifests
 .PHONY: docker-push
 docker-push: docker-build
 docker push ${IMG}
+
+deploy:
+ kubectl apply -f config/crd
+ kubectl apply -k deploy
+
+test-e2e: deploy
\ No newline at end of file
diff --git a/cmd/workcontroller/workcontroller.go b/cmd/workcontroller/workcontroller.go
index 5cc2ea6c..f3310ecf 100644
--- a/cmd/workcontroller/workcontroller.go
+++ b/cmd/workcontroller/workcontroller.go
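Review bot: The new `e2e` job references the third-party action `engineerd/setup-kind@v0.5.0` by a mutable tag, so the code that runs in this job can change without any change in this repository. Pinning it to a full commit SHA, e.g. `uses: engineerd/setup-kind@<full-commit-sha> # v0.5.0`, keeps the job reproducible and reviewable; the same applies to `actions/checkout@v2` and `actions/setup-go@v2` in this job. The job also declares no `permissions:` key, so unless the workflow sets one at top level (not visible in this hunk) the token gets the repository default; `permissions:` with `contents: read` is enough for the steps shown.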
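Review bot: `deploy` is added as a target with no prerequisites and is not declared phony, while this same commit creates a `deploy/` directory at the repository root, so make will treat the existing directory as an up-to-date target and skip both `kubectl apply` lines. Add `.PHONY: deploy test-e2e` above the two targets. `test-e2e` also has no recipe, so the CI step `make test-e2e` succeeds without running a test or waiting for the controller to become ready; a `kubectl rollout status` check on the deployment, or at least a comment that the tests are still to come, would make the job's result meaningful. The file now ends without a trailing newline.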
@@ -43,10 +43,13 @@ func main() {
 var metricsAddr string
 var enableLeaderElection bool
 var hubkubeconfig string
+ var workNamespace string
 flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
- flag.StringVar(&hubkubeconfig, "kubeconfig to connect to hub", "",
+ flag.StringVar(&hubkubeconfig, "hub-kube-config", "",
+ "Paths to a kubeconfig connect to hub.")
+ flag.StringVar(&workNamespace, "work-namespace", "",
 "Paths to a kubeconfig connect to hub.")
 flag.Parse()
 opts := ctrl.Options{
@@ -54,6 +57,7 @@ func main() {
 MetricsBindAddress: metricsAddr,
 LeaderElection: enableLeaderElection,
 Port: 9443,
+ Namespace: workNamespace,
 }

 ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
diff --git a/deploy/clusterrole_binding.yaml b/deploy/clusterrole_binding.yaml
new file mode 100644
index 00000000..24582a8b
--- /dev/null
+++ b/deploy/clusterrole_binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: work-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ # We deploy a controller that could work with permission lower than cluster-admin, the tradeoff is
+ # responsivity because list/watch cannot be maintained over too many namespaces.
+ name: admin
+subjects:
+ - kind: ServiceAccount
+ name: work-controllert-sa
+ namespace: open-cluster-management-agent
diff --git a/deploy/component_namespace.yaml b/deploy/component_namespace.yaml
new file mode 100644
index 00000000..f907cfee
--- /dev/null
+++ b/deploy/component_namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: work
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
new file mode 100644
index 00000000..9288dc4d
--- /dev/null
+++ b/deploy/deployment.yaml
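Review bot: The help text registered for `work-namespace` is a copy of the kubeconfig one (`"Paths to a kubeconfig connect to hub."`), so `--help` describes the new flag wrongly. Something like `"Namespace to watch for Work objects; empty means all namespaces."` would state the contract, assuming controller-runtime's usual behaviour that an empty `Namespace` in `ctrl.Options` leaves the manager cache cluster-wide. That default matters for the second hunk (`Namespace: workNamespace`): started without the flag, the controller watches every namespace, which deserves a one-line comment next to the field. Renaming `kubeconfig to connect to hub` to `hub-kube-config` is a flag change that existing invocations must follow; `main` continues outside both hunks.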
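Review bot: Binding the built-in `admin` ClusterRole through a ClusterRoleBinding gives the service account namespace-admin rights in every namespace, including reading Secrets and creating RoleBindings, which is wider than the inline comment suggests. Since the deployment in this commit starts the controller with `--work-namespace=default`, a `RoleBinding` in that namespace, or a dedicated ClusterRole that lists only the resources the controller applies, would serve the same purpose with less exposure. The subject is also `work-controllert-sa` in `open-cluster-management-agent`, while `deploy/kustomization.yaml` places the resources in `work`; unless kustomize rewrites the subject namespace, the binding points at an account that does not exist there.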
@@ -0,0 +1,39 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: work-controller
+ labels:
+ app: work
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: work-controller
+ template:
+ metadata:
+ labels:
+ app: work-controller
+ spec:
+ serviceAccountName: work-controller-sa
+ containers:
+ - name: wwork-controller
+ image: work-api-controller:latest
+ imagePullPolicy: IfNotPresent
+ args:
+ - "/controller"
+ - "--work-namespace=default"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ volumeMounts:
+ - name: hub-kubeconfig-secret
+ mountPath: "/spoke/hub-kubeconfig"
+ readOnly: true
+ volumes:
+ - name: hub-kubeconfig-secret
+ secret:
+ secretName: hub-kubeconfig-secret
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
new file mode 100644
index 00000000..531b3a1e
--- /dev/null
+++ b/deploy/kustomization.yaml
@@ -0,0 +1,16 @@
+
+# Adds namespace to all resources.
+namespace: work
+
+resources:
+- ./component_namespace.yaml
+- ./service_account.yaml
+- ./clusterrole_binding.yaml
+- ./deployment.yaml
+
+images:
+- name: work-api-controller:latest
+ newName: work-api-controller
+ newTag: latest
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
diff --git a/deploy/service_account.yaml b/deploy/service_account.yaml
new file mode 100644
index 00000000..7dd5f293
--- /dev/null
+++ b/deploy/service_account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: work-controllert-sa
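Review bot: `serviceAccountName: work-controller-sa` does not match the account created in `deploy/service_account.yaml` and bound in `deploy/clusterrole_binding.yaml`, which is spelled `work-controllert-sa`; pods for this Deployment will not be created until the names agree, so correct the spelling in those two files to `work-controller-sa`. The `hub-kubeconfig-secret` volume is mounted at `/spoke/hub-kubeconfig`, but `args` never passes `--hub-kube-config`, so as far as this hunk shows the mounted credential is unused. The container name `wwork-controller` looks like a typo, and `image: work-api-controller:latest` is a mutable tag: acceptable for the kind-loaded e2e image, but a versioned tag or digest is safer for any shared manifest. Adding `readOnlyRootFilesystem: true` and resource requests and limits would complete the otherwise tight `securityContext`.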