diff --git a/.gitea/workflows/e2e.yml b/.gitea/workflows/e2e.yml
new file mode 100644
index 0000000..5796d88
--- /dev/null
+++ b/.gitea/workflows/e2e.yml
@@ -0,0 +1,61 @@
+on: pull_request
+jobs:
+  k8s-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Docker CLI, kind, and kubectl
+        run: |
+          # Install Docker CLI (to talk to the host daemon via the mounted socket)
+          apt-get update && apt-get install -y docker.io jq
+
+          # Install kind
+          curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/v0.24.0/kind-linux-amd64
+          chmod +x /usr/local/bin/kind
+
+          # Install kubectl
+          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+          install kubectl /usr/local/bin/
+
+      - name: Create kind cluster
+        run: |
+          kind create cluster --name test-cluster --wait 5m
+
+      - name: Connect kind to the job container's network and fix kubeconfig
+        run: |
+          # 1. Find the Docker network the job container is on
+          #    The job container's hostname is the container ID
+          JOB_CONTAINER_ID=$(hostname)
+          NETWORK_NAME=$(docker inspect "$JOB_CONTAINER_ID" \
+            --format '{{range $k, $v := .NetworkSettings.Networks}}{{$k}}{{end}}')
+
+          echo "Job container network: $NETWORK_NAME"
+
+          # 2. Get the kind control-plane container name
+          KIND_CONTAINER="test-cluster-control-plane"
+
+          # 3. Connect the kind container to the same network
+          docker network connect "$NETWORK_NAME" "$KIND_CONTAINER"
+
+          # 4. Get the kind container's IP on that network
+          KIND_IP=$(docker inspect "$KIND_CONTAINER" \
+            --format "{{(index .NetworkSettings.Networks \"$NETWORK_NAME\").IPAddress}}")
+
+          echo "Kind container IP on shared network: $KIND_IP"
+
+          # 5. Rewrite the kubeconfig to use the kind container's IP
+          #    kind's API server listens on port 6443 inside the container
+          kubectl config set-cluster kind-test-cluster \
+            --server="https://${KIND_IP}:6443"
+
+          # 6. Since the TLS cert won't match the new IP, use insecure mode
+          #    OR set insecure-skip-tls-verify
+          kubectl config set-cluster kind-test-cluster \
+            --insecure-skip-tls-verify=true
+
+      - name: Verify cluster access
+        run: |
+          kubectl cluster-info
+          kubectl get nodes
+          kubectl get pods -A