diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index a761d0a..77d3c39 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -18,6 +18,9 @@ jobs:
       contents: write
       packages: write
 
+    env:
+      KUBECONFIG: /tmp/kubeconfig
+
     outputs:
       image-tag: ${{ steps.meta.outputs.tags }}
       image-digest: ${{ steps.build.outputs.digest }}
@@ -37,8 +40,50 @@ jobs:
 
       - name: Setup Kubernetes access
         run: |
-          # Running in Kubernetes Pod - use in-cluster config
-          echo "Running in Kubernetes - using ServiceAccount"
+          # Running in Kubernetes Pod - create kubeconfig from ServiceAccount
+          echo "Setting up in-cluster kubeconfig"
+
+          SA_PATH="/var/run/secrets/kubernetes.io/serviceaccount"
+
+          if [ ! -f "${SA_PATH}/token" ]; then
+            echo "❌ ServiceAccount token not found"
+            exit 1
+          fi
+
+          echo "✅ ServiceAccount token found"
+
+          # Get cluster info
+          KUBE_HOST="${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}"
+          KUBE_PORT="${KUBERNETES_SERVICE_PORT:-443}"
+          KUBE_URL="https://${KUBE_HOST}:${KUBE_PORT}"
+
+          echo "Kubernetes API: ${KUBE_URL}"
+
+          # Create kubeconfig
+          cat > ${KUBECONFIG} <<EOF
+          apiVersion: v1
+          kind: Config
+          clusters:
+          - cluster:
+              certificate-authority: ${SA_PATH}/ca.crt
+              server: ${KUBE_URL}
+            name: default
+          contexts:
+          - context:
+              cluster: default
+              namespace: $(cat ${SA_PATH}/namespace)
+              user: default
+            name: default
+          current-context: default
+          users:
+          - name: default
+            user:
+              tokenFile: ${SA_PATH}/token
+          EOF
+
+          chmod 600 ${KUBECONFIG}
+
+          # Test connection
           kubectl version
           kubectl get nodes -o wide