diff --git a/ckcp/openshift_dev_setup.sh b/ckcp/openshift_dev_setup.sh index 580149dc3..4edfa6aeb 100755 --- a/ckcp/openshift_dev_setup.sh +++ b/ckcp/openshift_dev_setup.sh @@ -404,35 +404,6 @@ register_compute() { --crs-to-sync "$(IFS=,; echo "${CRS_TO_SYNC[*]}")" | indent 4 - check_cr_sync -} - -check_cr_sync() { - # Wait until CRDs are synced to KCP - echo -n "- Sync CRDs to KCP: " - local cr_regexp - cr_regexp="$( - IFS=\| - echo "${CRS_TO_SYNC[*]}" - )" - local wait_period=0 - while [[ "$(KUBECONFIG="$KUBECONFIG_KCP" kubectl api-resources -o name 2>&1 | grep -Ewc "$cr_regexp")" -ne ${#CRS_TO_SYNC[@]} ]]; do - wait_period=$((wait_period + 10)) - #when timeout, print out the CR resoures that is not synced to KCP - if [ "$wait_period" -gt 300 ]; then - echo "Failed to sync following resources to KCP: " - cr_synced=$(KUBECONFIG="$KUBECONFIG_KCP" kubectl api-resources -o name) - for cr in "${CRS_TO_SYNC[@]}"; do - if [ "$(echo "$cr_synced" | grep -wc "$cr")" -eq 0 ]; then - echo " * $cr" - fi - done - exit 1 - fi - echo -n "." - sleep 10 - done - echo "OK" } main() { diff --git a/gitops/README.md b/gitops/README.md index f2e580be9..d67c16367 100644 --- a/gitops/README.md +++ b/gitops/README.md @@ -215,3 +215,9 @@ spec: path: root:${ORG_ID}:compute ``` +## Workspace Controller +Pipeline Service deploys a controller named 'settings controller' into every kcp user workspace that is created for consuming Pipeline Service. This controller enforces a few restrictions in the user workspace such as Quotas and Network Policies. +- Quotas limit the amount of compute resources that can be consumed. +- NetworkPolicies restrict the access granted to the pods running the pipeline tasks to support hermetic builds. + +More information on the controller can be found [here](https://github.com/openshift-pipelines/pipeline-service-workspace-controller). 
diff --git a/gitops/sre/environment/kcp/workspace-controller/base/kustomization.yaml b/gitops/sre/environment/kcp/workspace-controller/base/kustomization.yaml
new file mode 100644
index 000000000..db4e19fec
--- /dev/null
+++ b/gitops/sre/environment/kcp/workspace-controller/base/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - github.com/openshift-pipelines/pipeline-service-workspace-controller/config/default
diff --git a/gitops/sre/environment/kcp/workspace-controller/overlays/kustomization.yaml b/gitops/sre/environment/kcp/workspace-controller/overlays/kustomization.yaml
new file mode 100644
index 000000000..f37df7c8d
--- /dev/null
+++ b/gitops/sre/environment/kcp/workspace-controller/overlays/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../base
+images:
+ - name: quay.io/redhat-pipeline-service/settings-operator
+ newName: quay.io/redhat-pipeline-service/settings-operator
+ newTag: latest
+namespace: settings-pipeline-service-controller
diff --git a/images/kcp-registrar/bin/register.sh b/images/kcp-registrar/bin/register.sh
index 79f1380c3..e13427c6d 100755
--- a/images/kcp-registrar/bin/register.sh
+++ b/images/kcp-registrar/bin/register.sh
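Review bot: The remote base in `base/kustomization.yaml` carries no `?ref=`, so each build pulls whatever is on the upstream default branch, and the overlay's `newTag: latest` is a mutable tag; the controller that applies quotas and NetworkPolicies to user workspaces can therefore change without any commit in this repository. Pin the base to a reviewed revision, `- github.com/openshift-pipelines/pipeline-service-workspace-controller/config/default?ref=<commit-sha>`, and replace the tag with `digest: sha256:<image-digest>` (both values are placeholders; the real ones are not on this page). The `newName` entry repeats `name` unchanged and can be dropped.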
@@ -264,6 +264,45 @@ configure_synctarget_ws() {
 fi
 }
 
+check_cr_sync() {
+ # Wait until CRDs are synced to KCP
+ echo -n "- Sync CRDs to KCP: "
+ local cr_regexp
+ cr_regexp="$(
+ IFS=\|
+ echo "${CRS_TO_SYNC[*]}"
+ )"
+ cr_regexp=$(echo "$cr_regexp" | tr "," \|)
+ readarray -td, crs_to_sync_arr <<<"$CRS_TO_SYNC"; declare -p crs_to_sync_arr >/dev/null;
+
+ local wait_period=0
+ while [[ "$(KUBECONFIG=${kcp_kcfg} kubectl api-resources -o name 2>&1 | grep -Ewc "$cr_regexp")" -ne ${#crs_to_sync_arr[@]} ]]; do
+ wait_period=$((wait_period + 10))
+ #when wait_period is reached, print out the CR resources that is not synced to KCP
+ if [ "$wait_period" -gt 300 ]; then
+ echo "Failed to sync following resources to KCP: "
+ cr_synced=$(KUBECONFIG="$KUBECONFIG_KCP" kubectl api-resources -o name)
+ for cr in "${CRS_TO_SYNC[@]}"; do
+ if [ "$(echo "$cr_synced" | grep -wc "$cr")" -eq 0 ]; then
+ echo " * $cr"
+ fi
+ done
+ exit 1
+ fi
+ echo -n "."
+ sleep 10
+ done
+ echo "OK"
+}
+
+install_workspace_controller() {
+ ws_controller_manifests="$WORKSPACE_DIR/environment/kcp/workspace-controller/overlays"
+ if [[ -d "$ws_controller_manifests" ]]; then
+ printf "Deploying Workspace Controller into the workspace\n"
+ KUBECONFIG=${kcp_kcfg} kubectl apply -k "$ws_controller_manifests" | indent 2
+ fi
+}
+
 main() {
 parse_args "$@"
 prechecks
@@ -283,6 +322,8 @@ main() {
 register_cluster 2>&1 | indent 2
 done
 configure_synctarget_ws
+ check_cr_sync
+ install_workspace_controller
 }
 
 if [ "${BASH_SOURCE[0]}" == "$0" ]; then
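Review bot: The timeout branch of `check_cr_sync` does not read the same inputs as the polling condition: it queries with `KUBECONFIG="$KUBECONFIG_KCP"`, which is not set anywhere in the visible hunks and looks carried over from `ckcp/openshift_dev_setup.sh`, and it loops over `"${CRS_TO_SYNC[@]}"`, which this function otherwise treats as a comma-joined string rather than the split array. If `KUBECONFIG_KCP` is unset, the listing either aborts under `set -u` or runs against kubectl's default configuration, and the loop reports the whole list as a single unsynced entry. Use `cr_synced=$(KUBECONFIG="${kcp_kcfg}" kubectl api-resources -o name)` and `for cr in "${crs_to_sync_arr[@]}"; do` so the diagnostic describes the same cluster and resources the wait loop checked. The here-string also appends a newline to the last array element; `readarray -td, crs_to_sync_arr < <(printf '%s' "$CRS_TO_SYNC")` avoids that.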
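Review bot: `install_workspace_controller` is the last step of `main`, yet nothing here can tell whether the controller was actually deployed: the function returns 0 when the overlays directory is missing, and the status of `kubectl apply` is replaced by that of `indent 2` unless `pipefail` is enabled, which these hunks do not show. Since the README change describes this controller as what enforces quotas and NetworkPolicies in user workspaces, a registration that ends without it should not look successful. Have the function print to stderr and `return 1` when `$ws_controller_manifests` is absent (or log the skip explicitly if it is meant to be optional), and call it as `install_workspace_controller || exit 1`. The body of `main` starts outside this hunk.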