diff --git a/k8s/core/authentik/worker-restart.yaml b/k8s/core/authentik/worker-restart.yaml
new file mode 100644
index 0000000..ec93e36
--- /dev/null
+++ b/k8s/core/authentik/worker-restart.yaml
@@ -0,0 +1,55 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: worker-restart-sa
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: worker-restart-role
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: worker-restart-rb
+subjects:
+  - kind: ServiceAccount
+    name: worker-restart-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: worker-restart-role
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: worker-daily-restart
+spec:
+  schedule: "0 * * * *" # every day at 04:00
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: worker-restart-sa
+          restartPolicy: OnFailure
+          containers:
+            - name: kubectl
+              image: bitnami/kubectl:latest
+              env:
+                - name: POD_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  kubectl -n "$POD_NAMESPACE" rollout restart deployment/authentik-worker