diff --git a/deploy/kubernetes/keytransparency-deployment.yml.tmpl b/deploy/kubernetes/keytransparency-deployment.yml.tmpl
index d65b2e3ff..9da219f27 100644
--- a/deploy/kubernetes/keytransparency-deployment.yml.tmpl
+++ b/deploy/kubernetes/keytransparency-deployment.yml.tmpl
@@ -155,4 +155,59 @@ spec:
 imagePullPolicy: Always
 ports:
 - containerPort: 9090
- name: prometheus
\ No newline at end of file
+ name: prometheus
+
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: kt-monitor
+spec:
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ run: kt-monitor
+ spec:
+ volumes:
+ - name: secrets-volume
+ secret:
+ secretName: kt-monitor-secrets
+ containers:
+ - name: kt-monitor
+ image: us.gcr.io/key-transparency/keytransparency-monitor
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: secrets-volume
+ readOnly: true
+ mountPath: "/secrets"
+ ports:
+ - containerPort: 8080
+ name: json-grpc
+ args: ["--addr=0.0.0.0:8099",
+ "--kt-url=kt-server:8080",
+ # TODO(ismail): generate TLS key-pairs for the monitor:
+ "--tls-key=/secrets/server.key",
+ "--tls-cert=/secrets/server.crt",
+ "--poll-period=5s",
+ "--sign-key=/secrets/monitor_sign-key.pem",
+ "--password=towel",
+ "--alsologtostderr",
+ "--v=3"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kt-monitor
+ labels:
+ run: kt-monitor
+spec:
+ type: NodePort
+ ports:
+ - port: 8081
+ targetPort: 8081
+ name: metrics
+ selector:
+ run: kt-monitor
+---
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 3c0e640ab..fb29211a1 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
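Review bot: `"--password=towel"` in the new kt-monitor container `args` (keytransparency-deployment.yml.tmpl) commits a credential to the repository and leaves it readable by anyone who can view the Deployment or pod spec. The pod already mounts `kt-monitor-secrets`, so the value can be stored there and injected with `secretKeyRef`, as sketched below; the env name and the key `password` are placeholders. The expanded value still ends up on the container's command line, so a file- or environment-based option would be preferable if the monitor binary offers one. Separately, the process listens on `--addr=0.0.0.0:8099` while `containerPort` is 8080 and the NodePort Service targets 8081; unless another listener is configured outside this hunk, those three should agree.

```yaml
# … unchanged: volumes, image, imagePullPolicy, volumeMounts, ports …
        env:
        - name: KT_MONITOR_PASSWORD        # placeholder env name
          valueFrom:
            secretKeyRef:
              name: kt-monitor-secrets
              key: password                # placeholder key name
        args: ["--addr=0.0.0.0:8099",
               # … unchanged: kt-url, tls, poll-period and sign-key flags …
               "--password=$(KT_MONITOR_PASSWORD)",
               # … unchanged: logging flags …
```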
@@ -145,13 +145,17 @@ function checkCmdsAvailable() function prepareSecrets() { - local EXISTS=0 # if kt-secrets does not exist, create it: kubectl get secret kt-secrets # kubectl exits with 1 if kt-secret does not exist if [ $? -ne 0 ]; then kubectl create secret generic kt-secrets --from-file=genfiles/server.crt --from-file=genfiles/server.key --from-file=genfiles/vrf-key.pem fi + # if monitor-secrets does not exist, create it, too: + kubectl get secret kt-monitor-secrets + if [ $? -ne 0 ]; then + kubectl create secret generic kt-monitor-secrets --from-file=genfiles/monitor_sign-key.pem + fi } # Run everything:
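Review bot: `kt-monitor-secrets` is created from `genfiles/monitor_sign-key.pem` only, but the kt-monitor Deployment added in this same commit reads `/secrets/server.key` and `/secrets/server.crt` from that secret volume, so as written those two paths will not exist in the pod. The monitor should get its own TLS key pair rather than a copy of the server's, added with something like `--from-file=server.key=genfiles/<monitor-tls-key> --from-file=server.crt=genfiles/<monitor-tls-cert>` (placeholder file names). The `kubectl get secret` / `$?` test also treats any failure, such as an expired credential or an unreachable API server, as "secret missing", and an existing secret is never refreshed when the key in `genfiles/` is rotated; a comment such as `# NOTE: an existing kt-monitor-secrets is left untouched; delete it to roll the key` would make that limitation explicit.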