diff --git a/rosdump/.gitignore b/rosdump/.gitignore
index f6600d2..4012c3d 100644
--- a/rosdump/.gitignore
+++ b/rosdump/.gitignore
@@ -1,3 +1,3 @@
 rosdump
 rosdump.pub
-ssh_known_hosts
+known_hosts
diff --git a/rosdump/README.md b/rosdump/README.md
index 142bc0e..27e9168 100644
--- a/rosdump/README.md
+++ b/rosdump/README.md
@@ -14,55 +14,32 @@ We also considered [ytti/oxidized](https://github.com/ytti/oxidized), but it does not export Prometheus metrics either. -# Deployment - -To apply changes run in this directory: - -``` -kubectl apply -n rosdump -f application.yml -``` - -To trigger cronjob: - -``` +## Manually trigger cronjob +```sh kubectl create job -n rosdump --from=cronjob/rosdump-cronjob rosdump-job-oneshot ``` -For alerting: - -``` -absent(kube_cronjob_status_last_successful_time{cronjob="rosdump-cronjob"}) -``` - -# Updating SSH public keys - -Whenever Mikrotik targets are added/removed or if their SSH keys change, -use following to apply changes: - -``` -(for j in $(kubectl get cm -n rosdump rosdump-config -o json | jq -r '.data.targets'); do ssh-keyscan -t rsa $j; done) > ssh_known_hosts -kubectl delete -n rosdump configmap rosdump-known-hosts -kubectl create -n rosdump configmap rosdump-known-hosts --from-file=ssh_known_hosts -``` +## Updating SSH secrets +Secrets live and should be applied through secretspace. +### known_hosts Make sure strong crypto is enabled on Mikrotik side: - ``` /ip ssh set strong-crypto=yes allow-none-crypto=no ``` +For when Mikrotik targets are added/removed and their SSH keys change. +``` +(for j in $(kubectl get cm -n rosdump rosdump-config -o json | jq -r '.data.targets'); do ssh-keyscan -t rsa $j; done) > known_hosts +``` # Replacing SSH private key +The private key is used for both Gitea and Mikrotik targets. -This affects access to both Gitea and Mikrotik targets. - -Generate new key and inject it to Kubernetes cluster: - +Generate new key: ``` -rm -fv rosdump +rm -fv rosdump rosdump.pub ssh-keygen -P '' -b 2048 -m PEM -t rsa -f rosdump -C rosdump -kubectl delete -n rosdump secret rosdump-secrets -kubectl create -n rosdump secret generic rosdump-secrets --from-file=ssh_identity=rosdump ``` -Proceed to replace the public key in Gitea with one from `rosdump.pub` +Proceed to replace the public key in Gitea with `rosdump.pub`. 
diff --git a/rosdump/application.yml b/rosdump/application.yaml
similarity index 97%
rename from rosdump/application.yml
rename to rosdump/application.yaml
index d27d987..08dbb33 100644
--- a/rosdump/application.yml
+++ b/rosdump/application.yaml
@@ -86,8 +86,8 @@ spec:
 - configMap:
 name: rosdump-known-hosts
 items:
- - key: ssh_known_hosts
- path: ssh_known_hosts
+ - key: known_hosts
+ path: known_hosts
 - configMap:
 name: rosdump-config
 ---
diff --git a/rosdump/kustomization.yaml b/rosdump/kustomization.yaml
new file mode 100644
index 0000000..84fa018
--- /dev/null
+++ b/rosdump/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: rosdump
+
+resources:
+- ./application.yaml
+- ./networkpolicy-base.yaml
+- ssh://git@git.k-space.ee/secretspace/kube/rosdump
diff --git a/rosdump/networkpolicy-base.yml b/rosdump/networkpolicy-base.yaml
similarity index 100%
rename from rosdump/networkpolicy-base.yml
rename to rosdump/networkpolicy-base.yaml
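Review bot: The remote base `ssh://git@git.k-space.ee/secretspace/kube/rosdump` in the new kustomization.yaml is unpinned, so every `kustomize build` pulls whatever the default branch of that repo currently points to, and the set of Secret/ConfigMap objects that ends up applied to the `rosdump` namespace is neither reproducible nor reviewable from this repository. Pin it to a specific commit, `- ssh://git@git.k-space.ee/secretspace/kube/rosdump?ref=<commit-sha>`, and bump the ref deliberately whenever the SSH key or known_hosts are rotated. A comment above the entry would also help the next operator, e.g. `# remote base: needs SSH read access to secretspace; expected to supply rosdump-secrets and rosdump-known-hosts`. Separately, the application.yaml hunk still mounts `rosdump-known-hosts` as a `configMap` volume while the README hunk now files known_hosts under "Updating SSH secrets"; if secretspace emits that object as a Secret the volume type would need to change too, which I cannot confirm from here.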