diff --git a/k8s-sidecar/Dockerfile b/k8s-sidecar/Dockerfile
new file mode 100644
index 0000000..f719ed0
--- /dev/null
+++ b/k8s-sidecar/Dockerfile
@@ -0,0 +1,16 @@
+FROM alpine
+
+RUN apk add bash jq
+RUN apk add bash tar
+
+COPY resources/opa.tar.gz /opa.tar.gz
+
+RUN tar -xzf /opa.tar.gz -C /bin/ --remove-files
+
+RUN chmod +x /bin/opa
+
+COPY k8s-sidecar/start.sh /
+
+COPY k8s-sidecar/config-template.json /
+
+CMD ["/start.sh"]
\ No newline at end of file
diff --git a/k8s-sidecar/config-template.json b/k8s-sidecar/config-template.json
new file mode 100644
index 0000000..e6e5685
--- /dev/null
+++ b/k8s-sidecar/config-template.json
@@ -0,0 +1,29 @@
+{
+ "bundles": {
+ ($instanceID): {
+ "polling": {
+ "min_delay_seconds": 10,
+ "max_delay_seconds": 20
+ },
+ "service": "bundle_storage",
+ "resource": $instanceResource,
+ "signing": null,
+ "persist": false,
+ "size_limit_bytes": 0
+ }
+ },
+ "services": {
+ "bundle_storage": {
+ "url": $bundleUrl,
+ "credentials": {
+ "client_tls": {
+ "cert": $iasCertPath,
+ "private_key": $iasKeyPath
+ }
+ }
+ }
+ },
+ "plugins": {
+ "dcl": true
+ }
+}
\ No newline at end of file
diff --git a/k8s-sidecar/start.sh b/k8s-sidecar/start.sh
new file mode 100755
index 0000000..6ded308
--- /dev/null
+++ b/k8s-sidecar/start.sh
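Review bot: The image never switches away from root — there is no `USER` before `CMD` — so `/start.sh` and the OPA server it launches run with uid 0, and the untagged `FROM alpine` on the first line resolves to `:latest`, so two builds of this Dockerfile can yield different base layers. The two `apk add` lines also install `bash` twice and keep the package index in the layer; `RUN apk add --no-cache bash jq tar` does the same work once. Dropping root needs one extra step because start.sh writes `config.yml` and reads `config-template.json` relative to its working directory, which is `/` here since no `WORKDIR` is set: give the sidecar a writable directory owned by the service user and copy both files there. The mounted identity secret under `/etc/secrets/sapbtp/identity` must then be readable by that uid (pod `fsGroup`/`defaultMode`), which is outside this diff — confirm before switching.
```dockerfile
FROM alpine:<pinned tag>

RUN apk add --no-cache bash jq tar

# … unchanged: COPY/extract of resources/opa.tar.gz and chmod of /bin/opa …

RUN addgroup -S opa && adduser -S -G opa -H opa \
    && mkdir -p /app && chown opa:opa /app
WORKDIR /app
COPY --chown=opa:opa k8s-sidecar/start.sh k8s-sidecar/config-template.json ./
USER opa

CMD ["/app/start.sh"]
```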
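Review bot: `"signing": null` in the bundle block leaves OPA bundle signature verification off, so the policy this sidecar enforces is trusted purely on the mTLS connection to `bundle_storage` and on whatever the gateway happens to serve; if that is deliberate, record it with a `# bundle signing intentionally disabled: <reason>` comment (jq accepts `#` comments), otherwise configure a `signing` keyid so a tampered or mis-served bundle is rejected. Separately, despite the `.json` extension this file is a jq filter, not JSON — `($instanceID)` as a key and the bare `$bundleUrl`/`$iasCertPath`/`$iasKeyPath` values are jq syntax rendered by `jq -n … -f` in start.sh — so JSON linters and editors will reject it; a `.jq` extension or a leading `# jq template rendered by start.sh — not valid JSON on its own` comment makes that explicit to the next reader.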
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+if ! ls /etc/secrets/sapbtp/identity; then
+ >&2 echo "Error: No identity service found at /etc/secrets/sapbtp/identity"
+ exit 1
+fi
+files=(/etc/secrets/sapbtp/identity/*)
+if [ ${#files[@]} -gt 1 ]; then
+ >&2 echo "Error: More than one identity service found at /etc/secrets/sapbtp/identity"
+ exit 1
+fi
+
+bundle_url=$(cat "${files[0]}/url")/bundle-gateway
+instance_id=$(cat "${files[0]}/authorization_instance_id")
+ias_cert_path=$(pwd -P)/"${files[0]}/certificate"
+ias_key_path=$(pwd -P)/"${files[0]}/key"
+
+jq -n --arg bundleUrl "$bundle_url" --arg iasCertPath "$ias_cert_path" --arg iasKeyPath "$ias_key_path" --arg instanceResource "$instance_id.tar.gz" --arg instanceID "$instance_id" -f config-template.json >config.yml
+
+>&2 echo "INFO: " "$(cat config.yml)"
+
+opa run -s -c config.yml --addr=[]:8181
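Review bot: The script runs without `set -euo pipefail` or `nullglob`, so if `/etc/secrets/sapbtp/identity` exists but is empty the glob on the `files=` line stays literal, the `-gt 1` check passes, every `cat` fails, and jq still renders a config with empty URL and paths that OPA is then started with; `set -euo pipefail`, `shopt -s nullglob` and an `-ne 1` check close that gap. The `ias_cert_path`/`ias_key_path` lines prefix an already-absolute `${files[0]}` with `$(pwd -P)/`, which only works because the image sets no `WORKDIR` (cwd `/`, giving `//etc/…`) and breaks as soon as one is added; use `"${files[0]}/certificate"` directly. The last line should be `exec opa run …` so OPA becomes PID 1 and receives the pod's SIGTERM rather than bash swallowing it, and unless another pod is meant to query this sidecar, `--addr=localhost:8181` keeps the policy/data API off the pod network (I read `[]:8181` as a wildcard bind — confirm).
```shell
#!/bin/bash
set -euo pipefail
shopt -s nullglob

# … unchanged: existence check for /etc/secrets/sapbtp/identity …
files=(/etc/secrets/sapbtp/identity/*)
if [ "${#files[@]}" -ne 1 ]; then
  >&2 echo "Error: Expected exactly one identity service at /etc/secrets/sapbtp/identity, found ${#files[@]}"
  exit 1
fi

# … unchanged: bundle_url and instance_id …
ias_cert_path="${files[0]}/certificate"
ias_key_path="${files[0]}/key"

# … unchanged: jq rendering of config.yml and INFO log …
exec opa run -s -c config.yml --addr=localhost:8181
```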