diff --git a/drone/drone-runner-deployment.yaml b/drone/drone-runner-deployment.yaml
index 1bd0e99..0db2689 100644
--- a/drone/drone-runner-deployment.yaml
+++ b/drone/drone-runner-deployment.yaml
@@ -1,23 +1,25 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: drone-runner
+ name: drone
 namespace: default
+ labels:
+ app.kubernetes.io/name: drone
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: drone-runner
+ app.kubernetes.io/name: drone
 template:
 metadata:
 labels:
- app: drone-runner
+ app.kubernetes.io/name: drone
 spec:
 serviceAccountName: drone-pipeline
 nodeSelector:
 node-role.kubernetes.io/control-plane: "true"
 containers:
- - name: drone-runner
+ - name: runner
 image: registry.t-aaron.com/drone/drone-runner-kube:latest
 env:
 - name: DRONE_RPC_PROTO
@@ -36,3 +38,9 @@ spec:
 value: "IfNotPresent"
 - name: DRONE_RUNNER_IMAGE_PULL_SECRETS
 value: ""
+ - name: DRONE_RUNNER_CAPACITY
+ value: "2"
+ - name: DRONE_RUNNER_PRIVILEGED_IMAGES
+ value: "plugins/docker,registry.t-aaron.com/plugins/docker"
+ - name: DRONE_CLONE_IMAGE
+ value: "registry.t-aaron.com/drone/git:latest"
diff --git a/drone/drone-runner-rbac.yaml b/drone/drone-runner-rbac.yaml
new file mode 100644
index 0000000..612edb3
--- /dev/null
+++ b/drone/drone-runner-rbac.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: drone
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+ resources: ["pods", "pods/log"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: drone
+ namespace: default
+subjects:
+- kind: ServiceAccount
+ name: drone-pipeline
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: drone
+
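Review bot: Renaming the Deployment to `drone` and switching its selector to the bare label `app.kubernetes.io/name: drone` leaves nothing in the name or labels that identifies this workload as the runner. If the server Deployment or its Service in `default` uses the same name or selects on the same label (not visible in this diff), the two would collide or the Service would start matching runner pods. Adding `app.kubernetes.io/component: runner` to the metadata labels, the selector and the pod template labels would keep them apart. Because `metadata.name` changes, the existing `drone-runner` Deployment is not replaced by this manifest and keeps running under `drone-pipeline` until it is deleted explicitly.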
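Review bot: `DRONE_CLONE_IMAGE` points at the mutable tag `registry.t-aaron.com/drone/git:latest`, and the clone step runs first in every pipeline with the repository credentials, so whatever is pushed under that tag becomes part of every build. Pin it by digest, for example `value: "registry.t-aaron.com/drone/git@sha256:<digest>"`. `DRONE_RUNNER_PRIVILEGED_IMAGES` also adds `registry.t-aaron.com/plugins/docker` to the images that receive a privileged container; a privileged step has node-level access, so push rights to that registry path need to be as tightly held as cluster administration. A comment above the entry such as `# steps using these images run privileged; restrict push access to the mirror` would record that. The `env` list starts outside this hunk.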
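Review bot: The first rule of the new Role gives `drone-pipeline` `get`, `list` and `watch` on every Secret in `default`, which is broader than the runner needs for per-build secrets; as far as I know the runner's documented example Role only uses `create` and `delete` on `secrets`. Because the Role is bound in `default`, secrets of any other workload in that namespace become readable with the runner's token. I would narrow the rule to `verbs: ["create", "delete"]`, drop `patch` from the pods rule unless it is shown to be required, and move the runner and its pipelines into a dedicated namespace. A short comment above each rule, e.g. `# runner creates and removes per-build secrets`, would make any later widening visible in review.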
diff --git a/drone/drone-server-deployment.yaml b/drone/drone-server-deployment.yaml
index 65954f3..5118f8f 100644
--- a/drone/drone-server-deployment.yaml
+++ b/drone/drone-server-deployment.yaml
@@ -37,6 +37,8 @@ spec:
 value: "true"
 - name: DRONE_TRACE
 value: "true"
+ - name: DRONE_USER_CREATE
+ value: "username:tuoheng,admin:true"
 volumeMounts:
 - name: drone-data
 mountPath: /data
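Review bot: `DRONE_USER_CREATE` binds administrator rights to the login name `tuoheng` alone, so whoever holds that account name on the connected SCM provider is a Drone admin, and an admin can mark repositories as trusted, which unlocks privileged steps and host mounts on the runner. This hunk does not show whether registration is limited; if it is not, set `DRONE_USER_FILTER` or `DRONE_REGISTRATION_CLOSED` alongside it. A comment above the entry such as `# bootstrap admin; must match the SCM login exactly` would document the coupling. The `env` list starts outside this hunk.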