diff --git a/kube/services/revproxy/gen3.nginx.conf/thor-service.conf b/kube/services/revproxy/gen3.nginx.conf/thor-service.conf
new file mode 100644
index 000000000..e5f522ebb
--- /dev/null
+++ b/kube/services/revproxy/gen3.nginx.conf/thor-service.conf
@@ -0,0 +1,19 @@
+ location /thor/ {
+ if ($csrf_check !~ ^ok-\S.+$) {
+ return 403 "failed csrf check";
+ }
+
+ error_page 403 @errorworkspace;
+ set $authz_resource "/thor";
+ set $authz_method "access";
+ set $authz_service "thor";
+ # be careful - sub-request runs in same context as this request
+ auth_request /gen3-authz;
+
+ set $proxy_service "thor-service";
+ set $upstream http://thor-service$des_domain;
+ rewrite ^/thor/(.*) /$1 break;
+ proxy_pass $upstream;
+ proxy_redirect http://$host/ https://$host/thor/;
+ }
+
diff --git a/kube/services/thor/thor-deploy.yaml b/kube/services/thor/thor-deploy.yaml
new file mode 100644
index 000000000..024e8fe01
--- /dev/null
+++ b/kube/services/thor/thor-deploy.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: thor-deployment
+spec:
+ selector:
+ # Only select pods based on the 'app' label
+ matchLabels:
+ app: thor
+ revisionHistoryLimit: 2
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: thor
+ public: "yes"
+ spec:
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - thor
+ topologyKey: "kubernetes.io/hostname"
+ automountServiceAccountToken: false
+ containers:
+ - name: thor
+ image: quay.io/cdis/thor:master
+ imagePullPolicy: Always
+
diff --git a/kube/services/thor/thor-service.yaml b/kube/services/thor/thor-service.yaml
new file mode 100644
index 000000000..66a0ffab8
--- /dev/null
+++ b/kube/services/thor/thor-service.yaml
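Review bot: In thor-service.conf, `error_page 403 @errorworkspace;` routes 403s raised in this location, including a denial from `auth_request /gen3-authz`, to a named location that is not defined in this file. The name suggests it was written for the workspace routes. If it renders a workspace-specific page or redirect, a caller denied access to thor would get that response instead of a plain 403, which obscures authorization failures for API clients and in logs. Either drop the line so the 403 passes through unchanged, or keep it with a comment such as `# 403 from /gen3-authz is intentionally rendered by @errorworkspace`. Separately, the whole prefix is gated by one `access` check on `/thor`, so a comment like `# coarse gate only - per-endpoint authorization must be enforced by thor itself` would make that contract explicit.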
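Review bot: In thor-deploy.yaml, the container runs `quay.io/cdis/thor:master` with `imagePullPolicy: Always`, so any pod restart can pull different code without a manifest change, and the running version cannot be audited from the repository. Pin the image to a release tag or digest. The container spec also has no `securityContext`, `readinessProbe` or `resources`. With `maxUnavailable: 0`, the missing probe means a rollout treats a pod as ready as soon as the container starts. The missing `securityContext` leaves privilege escalation at the runtime default for a pod labelled `public: "yes"`. The values below are placeholders to be set per environment. If capabilities are dropped later, the Service's `targetPort: 80` suggests the process may need `NET_BIND_SERVICE`, unless it is moved to an unprivileged port.

```yaml
# … unchanged: metadata, selector, strategy, pod labels, affinity …
      automountServiceAccountToken: false
      containers:
      - name: thor
        # placeholder: pin to an immutable release tag or digest
        image: quay.io/cdis/thor:<RELEASE_TAG_OR_DIGEST>
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
        readinessProbe:
          httpGet:
            path: <HEALTH_ENDPOINT>   # placeholder: thor's health route
            port: 80
        resources:
          requests:
            cpu: <CPU_REQUEST>        # placeholder
            memory: <MEMORY_REQUEST>  # placeholder
          limits:
            memory: <MEMORY_LIMIT>    # placeholder
```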
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: thor-service
+spec:
+ selector:
+ app: thor
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+ name: http
+