diff --git a/clusters/dqs.dd.soeren.cloud/monitoring/blackbox-exporter/config.yaml b/clusters/dqs.dd.soeren.cloud/monitoring/blackbox-exporter/config.yaml
new file mode 100644
index 0000000..417814f
--- /dev/null
+++ b/clusters/dqs.dd.soeren.cloud/monitoring/blackbox-exporter/config.yaml
@@ -0,0 +1,40 @@
+---
+modules:
+  dns_soerenschneider:
+    dns:
+      query_name: router.ez.soeren.cloud
+      query_type: A
+      validate_answer_rrs:
+        fail_if_not_matches_regexp:
+          - "router.ez.soeren.cloud.\t.*\tIN\tA\t.*192\\.168\\.2\\.3"
+    prober: dns
+  http:
+    http:
+      tls_config:
+        cert_file: /certs/tls.crt
+        key_file: /certs/tls.key
+      valid_status_codes:
+        - 200
+        - 204
+        - 301
+        - 302
+        - 403
+        - 404
+    prober: http
+    timeout: 5s
+  http_2xx:
+    prober: http
+    timeout: 5s
+  icmp:
+    icmp:
+      preferred_ip_protocol: ip4
+    prober: icmp
+    timeout: 2s
+  tcp_cert:
+    prober: tcp
+    tcp:
+      tls: true
+    timeout: 2s
+  tcp_connect:
+    prober: tcp
+    timeout: 2s
diff --git a/clusters/dqs.dd.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml b/clusters/dqs.dd.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml
new file mode 100644
index 0000000..c2d5b75
--- /dev/null
+++ b/clusters/dqs.dd.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ../../../../apps/monitoring/blackbox_exporter
+components:
+  - ../../../../apps/monitoring/blackbox_exporter/components/custom-config
+  - ../../../../apps/monitoring/blackbox_exporter/components/reverse-proxy
+  - ../../../../apps/monitoring/blackbox_exporter/components/tls-client-cert
+configMapGenerator:
+  - name: blackbox-exporter-config
+    files:
+      - config.yaml
diff --git a/clusters/dqs.dd.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml b/clusters/dqs.dd.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml
new file mode 100644
index 0000000..d6fd40e
--- /dev/null
+++ b/clusters/dqs.dd.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ../../../../apps/monitoring/kube-state-metrics
+components:
+  - ../../../../apps/monitoring/kube-state-metrics/components/rbac
diff --git a/clusters/dqs.dd.soeren.cloud/monitoring/kustomization.yaml b/clusters/dqs.dd.soeren.cloud/monitoring/kustomization.yaml
new file mode 100644
index 0000000..3f8ce4e
--- /dev/null
+++ b/clusters/dqs.dd.soeren.cloud/monitoring/kustomization.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - namespace.yaml
+  - alertmanager
+  - blackbox-exporter
+  - karma
+  - kube-state-metrics
+  - prometheus
+  - pushgateway
+  - vmalert
+components:
+  - ../../../apps/monitoring/components/tls-client-cert
+  - ../../../apps/monitoring/components/reverse-proxy
+  - ../../../apps/monitoring/components/reverse-proxy-istio
+patches:
+  - target:
+      kind: VirtualService
+      name: monitoring-reverse-proxy
+    patch: |-
+      - op: "replace"
+        path: "/spec/hosts"
+        value:
+          - "monitoring.dqs.dd.soeren.cloud"
+  - target:
+      kind: Issuer
+      name: vault-issuer
+    patch: |-
+      - op: "replace"
+        path: "/spec/vault/auth/kubernetes/mountPath"
+        value: "/v1/auth/dqs.dd.soeren.cloud"
diff --git a/clusters/dqs.dd.soeren.cloud/monitoring/namespace.yaml b/clusters/dqs.dd.soeren.cloud/monitoring/namespace.yaml
new file mode 100644
index 0000000..cb3be8a
--- /dev/null
+++ b/clusters/dqs.dd.soeren.cloud/monitoring/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: monitoring
+  labels:
+    name: monitoring
diff --git a/clusters/dqs.dd.soeren.cloud/monitoring/pushgateway/kustomization.yaml b/clusters/dqs.dd.soeren.cloud/monitoring/pushgateway/kustomization.yaml
new file mode 100644
index 0000000..ded268c
--- /dev/null
+++ b/clusters/dqs.dd.soeren.cloud/monitoring/pushgateway/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ../../../../apps/monitoring/pushgateway
+components:
+  - ../../../../apps/monitoring/pushgateway/components/reverse-proxy
diff --git a/clusters/dqs.dd.soeren.cloud/monitoring/vmalert/kustomization.yaml b/clusters/dqs.dd.soeren.cloud/monitoring/vmalert/kustomization.yaml
new file mode 100644
index 0000000..5bceaa3
--- /dev/null
+++ b/clusters/dqs.dd.soeren.cloud/monitoring/vmalert/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ../../../../apps/monitoring/vmalert
+components:
+  - ../../../../apps/monitoring/vmalert/components/tls-client-cert
+  - ../../../../apps/monitoring/vmalert/components/initcontainer-seed-rules
+patches:
+  - target:
+      kind: Deployment
+      name: vmalert
+    patch: |
+      - op: add
+        path: "/spec/template/spec/containers/0/args"
+        value:
+          - "-notifier.url=http://alertmanager"
+          - "-datasource.url=http://prometheus"
+          - "-rule=/rules/*.rules"