diff --git a/k8s/apps/mtproxy/daemonset.yaml b/k8s/apps/mtproxy/daemonset.yaml index cf06ade..14e403b 100644 --- a/k8s/apps/mtproxy/daemonset.yaml +++ b/k8s/apps/mtproxy/daemonset.yaml @@ -23,8 +23,48 @@ spec: - matchExpressions: - key: mtproxy operator: Exists + serviceAccountName: mtproxy hostNetwork: true dnsPolicy: ClusterFirstWithHostNet + initContainers: + - name: register-proxy + image: bitnami/kubectl:latest + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SECRET + valueFrom: + secretKeyRef: + name: tgproxy-secret + key: SECRET + - name: PORT + valueFrom: + secretKeyRef: + name: tgproxy-secret + key: PORT + command: + - /bin/bash + - -c + - | + set -e + NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) + SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}') + if [ -z "${SERVER}" ]; then + echo "ERROR: node ${NODE_NAME} has no mtproxy label" + exit 1 + fi + LINK="tg://proxy?server=${SERVER}&port=${PORT}&secret=${SECRET}" + echo "Registering: ${SERVER} -> ${LINK}" + if kubectl get secret mtproxy-links -n "${NAMESPACE}" &>/dev/null; then + kubectl patch secret mtproxy-links -n "${NAMESPACE}" \ + --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}" + else + kubectl create secret generic mtproxy-links -n "${NAMESPACE}" \ + --from-literal="${SERVER}=${LINK}" + fi + echo "Done" containers: - name: mtproxy image: ultradesu/mtproxy:v0.02 diff --git a/k8s/apps/mtproxy/kustomization.yaml b/k8s/apps/mtproxy/kustomization.yaml index faa2752..671eed9 100644 --- a/k8s/apps/mtproxy/kustomization.yaml +++ b/k8s/apps/mtproxy/kustomization.yaml @@ -3,6 +3,7 @@ kind: Kustomization resources: - ./app.yaml + - ./rbac.yaml - ./daemonset.yaml - ./external-secrets.yaml # - ./storage.yaml diff --git a/k8s/apps/mtproxy/rbac.yaml b/k8s/apps/mtproxy/rbac.yaml new file mode 100644 index 0000000..c5d13bd --- /dev/null +++ b/k8s/apps/mtproxy/rbac.yaml 
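Review bot: `serviceAccountName: mtproxy` is set at pod level, so the token that can create/patch Secrets and read nodes is auto-mounted into the internet-facing `mtproxy` container as well as into the `register-proxy` init container that actually needs it — on a `hostNetwork` pod that is a wide blast radius if the proxy process is ever compromised. Set `automountServiceAccountToken: false` on the pod and mount a projected token only in the init container (below; merge into an existing `volumes` list if one exists outside the hunk). The line `echo "Registering: ${SERVER} -> ${LINK}"` writes the proxy secret into container logs and any log pipeline behind them; log only the server, e.g. `echo "Registering link for ${SERVER}"`. `image: bitnami/kubectl:latest` is unpinned, so the init container's contents can change under you on every node restart — pin a version tag or digest. The `kubectl get secret … else create` sequence can also race when several nodes' pods start together, but with `set -e` and the init-container restart it is noisy rather than silent, so that is secondary.
```yaml
      serviceAccountName: mtproxy
      automountServiceAccountToken: false
      hostNetwork: true
      # … unchanged: dnsPolicy …
      initContainers:
        - name: register-proxy
          # … unchanged: image, env, command …
          volumeMounts:
            - name: sa-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      # … unchanged: containers …
      volumes:
        - name: sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
```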
@@ -0,0 +1,58 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mtproxy + labels: + app: mtproxy +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: mtproxy-node-reader + labels: + app: mtproxy +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: mtproxy-node-reader + labels: + app: mtproxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mtproxy-node-reader +subjects: + - kind: ServiceAccount + name: mtproxy + namespace: mtproxy +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mtproxy-secret-manager + labels: + app: mtproxy +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mtproxy-secret-manager + labels: + app: mtproxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mtproxy-secret-manager +subjects: + - kind: ServiceAccount + name: mtproxy
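Review bot: The `mtproxy-secret-manager` Role grants `get`/`create`/`patch` on every Secret in the namespace, while the init script only ever touches `mtproxy-links`; scope `get` and `patch` with `resourceNames: ["mtproxy-links"]` so a leaked token cannot read or rewrite any other Secret that lands in this namespace. `create` cannot be narrowed by `resourceNames` (the name is not known at authorization time), so either keep it in its own rule or pre-create an empty `mtproxy-links` Secret alongside these manifests and drop the verb entirely, which also removes the create race between nodes. The ClusterRole's `list` on nodes is unused — the script runs `kubectl get node "${NODE_NAME}"` — so drop it and leave `get` only. The ClusterRoleBinding hard-codes `namespace: mtproxy` for the subject while the ServiceAccount, Role and RoleBinding carry no namespace and presumably rely on the kustomization to set one; if that namespace ever differs, the node-reader binding silently stops matching and the init container fails with a forbidden error.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["mtproxy-links"]
    verbs: ["get", "patch"]
  # resourceNames does not apply to create; remove this rule once
  # mtproxy-links is pre-created with the rest of the manifests.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
```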