diff --git a/.github/workflows/makefile.yml b/.github/workflows/makefile.yml
new file mode 100644
index 0000000..74e5066
--- /dev/null
+++ b/.github/workflows/makefile.yml
@@ -0,0 +1,29 @@
+name: Makefile CI
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build image
+      run: make docker-build
+
+    - name: Push image
+      run: make docker-push
diff --git a/Makefile b/Makefile
index 36f49fb..bf45726 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ endif
 OPERATOR_SDK_VERSION ?= v1.32.0
 
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= ghcr.io/openloft/vcluster-operator:latest
 
 .PHONY: all
 all: docker-build
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index fc80c37..1eb132e 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -21,10 +21,10 @@ resources:
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
-patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
-
-
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+patches:
+- path: manager_auth_proxy_patch.yaml
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 5c5f0b8..bc0a4cb 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -1,2 +1,8 @@
 resources:
 - manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: ghcr.io/openloft/vcluster-operator
+  newTag: latest
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index c7aa9ce..9fe9cd2 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -93,7 +93,7 @@ spec:
         resources:
           limits:
             cpu: 500m
-            memory: 128Mi
+            memory: 256Mi
           requests:
             cpu: 10m
             memory: 64Mi
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 406d77d..d8af6b4 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -67,4 +67,17 @@ rules:
   resources:
   - "statefulsets"
 
+##
+## Extra rules used by the controller manager
+##
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies", "ingressclasses"]
+  verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["limitranges", "resourcequotas"]
+  verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterroles", "clusterrolebindings"]
+  verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
+
 #+kubebuilder:scaffold:rules