diff --git a/workspaces/frontend/manifests/kustomize/base/deployment.yaml b/workspaces/frontend/manifests/kustomize/base/deployment.yaml
new file mode 100644
index 000000000..c57639858
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/deployment.yaml
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workspaces-frontend
+spec:
+  selector:
+    matchLabels: {}
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1
+  template:
+    metadata:
+      labels: {}
+    spec:
+      terminationGracePeriodSeconds: 30
+      containers:
+      - name: workspaces-frontend
+        image: workspaces-frontend
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+        ports:
+        - name: http-ui
+          containerPort: 8080
+        env:
+        - name: PORT
+          value: "8080"
+        resources:
+          limits:
+            cpu: "1"
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 256Mi
+        livenessProbe:
+          httpGet:
+            path: /
+            port: http-ui
+            scheme: HTTP
+          initialDelaySeconds: 15
+          periodSeconds: 20
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /
+            port: http-ui
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 3
+          failureThreshold: 3
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/base/kustomization.yaml b/workspaces/frontend/manifests/kustomize/base/kustomization.yaml
new file mode 100644
index 000000000..8ff7a35ff
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kubeflow-workspaces
+
+resources:
+- namespace.yaml
+- deployment.yaml
+- service.yaml
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/component: ui
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/base/namespace.yaml b/workspaces/frontend/manifests/kustomize/base/namespace.yaml
new file mode 100644
index 000000000..0076fabf9
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubeflow-workspaces
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/base/service.yaml b/workspaces/frontend/manifests/kustomize/base/service.yaml
new file mode 100644
index 000000000..34ba13dc6
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: workspaces-frontend
+spec:
+  ports:
+  - name: http-ui
+    port: 8080
+    targetPort: http-ui
+  type: ClusterIP
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/common/kustomization.yaml b/workspaces/frontend/manifests/kustomize/components/common/kustomization.yaml
new file mode 100644
index 000000000..a80030c5d
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/common/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: workspaces-frontend
+    app.kubernetes.io/part-of: kubeflow-workspaces
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/authorization-policy.yaml b/workspaces/frontend/manifests/kustomize/components/istio/authorization-policy.yaml
new file mode 100644
index 000000000..29ced65b1
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/authorization-policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: workspaces-frontend
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: ui
+      app.kubernetes.io/managed-by: kustomize
+      app.kubernetes.io/name: workspaces-frontend
+      app.kubernetes.io/part-of: kubeflow-workspaces
+  rules:
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/destination-rule.yaml b/workspaces/frontend/manifests/kustomize/components/istio/destination-rule.yaml
new file mode 100644
index 000000000..d1ef05f11
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/destination-rule.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: workspaces-frontend
+spec:
+  host: workspaces-frontend.kubeflow-workspaces.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/kustomization.yaml b/workspaces/frontend/manifests/kustomize/components/istio/kustomization.yaml
new file mode 100644
index 000000000..7ac2400f1
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- destination-rule.yaml
+- virtual-service.yaml
+- authorization-policy.yaml
+
+labels:
+- pairs:
+    app.kubernetes.io/component: ui
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml b/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
new file mode 100644
index 000000000..edf17a55b
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: workspaces-frontend
+spec:
+  gateways:
+    - kubeflow/kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+    - match:
+        - uri:
+            prefix: /workspaces/
+        - uri:
+            exact: /workspaces
+      rewrite:
+        uri: /
+      route:
+        - destination:
+            host: workspaces-frontend.kubeflow-workspaces.svc.cluster.local
+            port:
+              number: 8080
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml b/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
new file mode 100644
index 000000000..84f7c9594
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
@@ -0,0 +1,99 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kubeflow-workspaces
+
+resources:
+- ../../base
+
+components:
+- ../../components/istio
+- ../../components/common
+
+patches:
+- patch: |-
+    - op: remove
+      path: /metadata/labels/app.kubernetes.io~1component
+    - op: remove
+      path: /metadata/labels/app.kubernetes.io~1name
+    - op: add
+      path: /metadata/labels/istio-injection
+      value: enabled
+  target:
+    kind: Namespace
+    name: kubeflow-workspaces
+
+replacements:
+- source:
+    fieldPath: metadata.namespace
+    kind: Deployment
+    name: workspaces-frontend
+  targets:
+  - fieldPaths:
+    - metadata.name
+    select:
+      kind: Namespace
+      name: kubeflow-workspaces
+- source:
+    fieldPath: metadata.name
+    kind: Service
+    name: workspaces-frontend
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.http.0.route.0.destination.host
+    options:
+      delimiter: .
+    select:
+      group: networking.istio.io
+      kind: VirtualService
+      name: workspaces-frontend
+      version: v1beta1
+  - fieldPaths:
+    - spec.host
+    options:
+      delimiter: .
+    select:
+      group: networking.istio.io
+      kind: DestinationRule
+      name: workspaces-frontend
+      version: v1beta1
+- source:
+    fieldPath: metadata.namespace
+    kind: Service
+    name: workspaces-frontend
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.http.0.route.0.destination.host
+    options:
+      delimiter: .
+      index: 1
+    select:
+      group: networking.istio.io
+      kind: VirtualService
+      name: workspaces-frontend
+      version: v1beta1
+  - fieldPaths:
+    - spec.host
+    options:
+      delimiter: .
+      index: 1
+    select:
+      group: networking.istio.io
+      kind: DestinationRule
+      name: workspaces-frontend
+      version: v1beta1
+- source:
+    fieldPath: spec.ports.[name=http-ui].port
+    kind: Service
+    name: workspaces-frontend
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.http.0.route.0.destination.port.number
+    select:
+      group: networking.istio.io
+      kind: VirtualService
+      name: workspaces-frontend
+      version: v1beta1
\ No newline at end of file