diff --git a/apps/apache-demo/apply.sh b/apps/apache-demo/apply.sh
new file mode 100755
index 0000000..23f6f2b
--- /dev/null
+++ b/apps/apache-demo/apply.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+kubectl apply -f deployment.yaml -f service.yaml -f istio.yaml
diff --git a/apps/apache-demo/delete.sh b/apps/apache-demo/delete.sh
new file mode 100755
index 0000000..999972b
--- /dev/null
+++ b/apps/apache-demo/delete.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+kubectl delete -f deployment.yaml -f service.yaml -f istio.yaml
diff --git a/apps/apache-demo/deployment.yaml b/apps/apache-demo/deployment.yaml
new file mode 100644
index 0000000..938c72c
--- /dev/null
+++ b/apps/apache-demo/deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: apache-demo
+  namespace: secure
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: apache-demo
+  template:
+    metadata:
+      labels:
+        app: apache-demo
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: apache-demo
+        image: pub.msandor.hu/msandor/apache-demo:latest
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+      restartPolicy: Always
diff --git a/apps/apache-demo/istio.yaml b/apps/apache-demo/istio.yaml
new file mode 100644
index 0000000..0fd3f52
--- /dev/null
+++ b/apps/apache-demo/istio.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: apache-demo-gw
+  namespace: secure
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+      - "app.kind.local"
+
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: apache-demo-vs
+  namespace: secure
+spec:
+  hosts:
+    - "app.kind.local"
+  gateways:
+    - apache-demo-gw
+  http:
+  - match:
+    - uri:
+        prefix: /
+    route:
+    - destination:
+        host: apache-demo.secure.svc.cluster.local
+        port:
+          number: 8080
diff --git a/apps/apache-demo/service.yaml b/apps/apache-demo/service.yaml
new file mode 100644
index 0000000..12265a7
--- /dev/null
+++ b/apps/apache-demo/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: apache-demo
+  namespace: secure
+spec:
+  ports:
+    - port: 8080
+      targetPort: 8080
+      name: http
+  selector:
+    app: apache-demo