diff --git a/awx/api/serializers.py b/awx/api/serializers.py index 36121a5743..be6a9d640b 100644 --- a/awx/api/serializers.py +++ b/awx/api/serializers.py @@ -4100,7 +4100,8 @@ class JobLaunchSerializer(BaseSerializer): errors.setdefault('credentials', []).append(_( 'Cannot assign multiple {} credentials.' ).format(cred.unique_hash(display=True))) - if cred.credential_type.kind not in ('ssh', 'vault', 'cloud', 'net'): + if cred.credential_type.kind not in ('ssh', 'vault', 'cloud', + 'net', 'kubernetes'): errors.setdefault('credentials', []).append(_( 'Cannot assign a Credential of kind `{}`' ).format(cred.credential_type.kind)) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index a950ff118f..77481a3917 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -2657,7 +2657,7 @@ class JobTemplateCredentialsList(SubListCreateAttachDetachAPIView): return {"error": _("Cannot assign multiple {credential_type} credentials.").format( credential_type=sub.unique_hash(display=True))} kind = sub.credential_type.kind - if kind not in ('ssh', 'vault', 'cloud', 'net'): + if kind not in ('ssh', 'vault', 'cloud', 'net', 'kubernetes'): return {'error': _('Cannot assign a Credential of kind `{}`.').format(kind)} return super(JobTemplateCredentialsList, self).is_valid_relation(parent, sub, created) diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py index 36bb2684ea..9cc8ad2721 100644 --- a/awx/main/models/credential/__init__.py +++ b/awx/main/models/credential/__init__.py @@ -1169,7 +1169,18 @@ ManagedCredentialType( 'multiline': True, }], 'required': ['host', 'bearer_token'], - } + }, + injectors={ + 'file': { + 'template': '{{ ssl_ca_cert }}' + }, + 'env': { + 'K8S_AUTH_HOST': '{{ host }}', + 'K8S_AUTH_API_KEY': '{{ bearer_token }}', + 'K8S_AUTH_VERIFY_SSL': '{{ verify_ssl }}', + 'K8S_AUTH_SSL_CA_CERT': '{{ tower.filename }}', + }, + }, ) 
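Review bot: The allowed-kind tuple in `JobLaunchSerializer` is a second hand-maintained copy of the list checked in `JobTemplateCredentialsList.is_valid_relation` (the `awx/api/views/__init__.py` hunk), and the UI regex in `multi-credential-modal.directive.js` is a third. Each copy gates which credential kinds can be attached to a job, so a kind added to one and not the others would be enforced differently at template-edit time and at launch time. Define the tuple once and reference it from both API checks, for example `if cred.credential_type.kind not in JOB_CREDENTIAL_KINDS:` (the constant name is illustrative). Both enclosing methods start and end outside their hunks, and no test covering the new `kubernetes` kind is visible in this diff.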
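Review bot: `K8S_AUTH_SSL_CA_CERT` is exported as `{{ tower.filename }}` unconditionally, yet the visible `required` list names only `host` and `bearer_token`, so when no `ssl_ca_cert` is entered the `file` template renders an empty file and the variable points the client at it. With verification on, that most likely breaks the TLS handshake for clusters whose certificate chains to a system CA (the consumer of these variables is not visible here, so confirm), and the usual operator workaround is to turn `verify_ssl` off. Set the CA path only when a certificate was supplied and verification is enabled; the declarative `env` map cannot express that condition, so this probably needs a programmatic injector. Also confirm that `'{{ verify_ssl }}'` renders to a value the consumer parses as a boolean when the input is unset, and that `K8S_AUTH_API_KEY` is masked wherever the job environment is displayed or logged. The `ManagedCredentialType(...)` call starts outside the hunk.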
diff --git a/awx/ui/client/lib/components/tag/_index.less b/awx/ui/client/lib/components/tag/_index.less index d53a5e19e6..2be7f05320 100644 --- a/awx/ui/client/lib/components/tag/_index.less +++ b/awx/ui/client/lib/components/tag/_index.less @@ -67,6 +67,10 @@ &--external:before { content: '\f14c' } + + &--kubernetes_bearer_token:before { + content: '\f0c2'; + } } .TagComponent-button { diff --git a/awx/ui/client/src/templates/job_templates/multi-credential/multi-credential-modal.directive.js b/awx/ui/client/src/templates/job_templates/multi-credential/multi-credential-modal.directive.js index 19e98d7ca3..fee9395c5c 100644 --- a/awx/ui/client/src/templates/job_templates/multi-credential/multi-credential-modal.directive.js +++ b/awx/ui/client/src/templates/job_templates/multi-credential/multi-credential-modal.directive.js @@ -111,7 +111,7 @@ function multiCredentialModalController(GetBasePath, qs, MultiCredentialService) scope.credentialTypes.forEach((credentialType => { if(credentialType.kind - .match(/^(machine|cloud|net|ssh|vault)$/)) { + .match(/^(machine|cloud|net|ssh|vault|kubernetes)$/)) { scope.displayedCredentialTypes.push(credentialType); } })); diff --git a/requirements/requirements.txt b/requirements/requirements.txt index 31a736e083..a493b4c863 100644 --- a/requirements/requirements.txt +++ b/requirements/requirements.txt 
@@ -32,8 +32,8 @@ django-oauth-toolkit==1.1.3 # via -r /awx_devel/requirements/requirements.in django-pglocks==1.0.4 # via -r /awx_devel/requirements/requirements.in django-polymorphic==2.1.2 # via -r /awx_devel/requirements/requirements.in django-qsstats-magic==1.1.0 # via -r /awx_devel/requirements/requirements.in -django-redis==4.5.0 django-radius==1.3.3 # via -r /awx_devel/requirements/requirements.in +django-redis==4.5.0 # via -r /awx_devel/requirements/requirements.in django-solo==1.1.3 # via -r /awx_devel/requirements/requirements.in django-split-settings==1.0.0 # via -r /awx_devel/requirements/requirements.in django-taggit==1.2.0 # via -r /awx_devel/requirements/requirements.in @@ -100,7 +100,7 @@ python3-openid==3.1.0 # via social-auth-core python3-saml==1.9.0 # via -r /awx_devel/requirements/requirements.in pytz==2019.3 # via django, irc, tempora, twilio pyyaml==5.3.1 # via -r /awx_devel/requirements/requirements.in, ansible-runner, djangorestframework-yaml, kubernetes -redis==3.4.1 # via -r /awx_devel/requirements/requirements.in +redis==3.4.1 # via -r /awx_devel/requirements/requirements.in, django-redis requests-oauthlib==1.3.0 # via kubernetes, msrest, social-auth-core requests==2.23.0 # via -r /awx_devel/requirements/requirements.in, adal, azure-keyvault, django-oauth-toolkit, kubernetes, msrest, requests-oauthlib, slackclient, social-auth-core, twilio rsa==4.0 # via google-auth diff --git a/requirements/requirements_ansible.in b/requirements/requirements_ansible.in index 6cc129180c..4eaf5f7c1d 100644 --- a/requirements/requirements_ansible.in +++ b/requirements/requirements_ansible.in 
@@ -62,5 +62,7 @@ requests requests-credssp==1.0.2 # For windows authentication awx/issues/1144 # OpenStack openstacksdk==0.37.0 +# Openshift/k8s +openshift>=0.11.0 # minimum version to pull in new pyyaml for CVE-2017-18342 pip==19.3.1 # see upgrade blockers -setuptools==41.6.0 # see upgrade blockers \ No newline at end of file +setuptools==41.6.0 # see upgrade blockers diff --git a/requirements/requirements_ansible.txt b/requirements/requirements_ansible.txt index b7d0d1d810..26667ea9a9 100644 --- a/requirements/requirements_ansible.txt +++ b/requirements/requirements_ansible.txt 
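Review bot: The comment on `openshift>=0.11.0` ties the floor to CVE-2017-18342, but nothing in this input file constrains PyYAML itself, so the protection rests on a transitive dependency's metadata and is not enforced here. If the intent is to keep an affected PyYAML out of the Ansible virtualenv, state it directly with a floor such as `pyyaml>=5.1  # CVE-2017-18342` (check the exact fixed version against the advisory); the compiled lock already resolves to `pyyaml==5.2`, so this should not change the result. The open-ended `>=` also differs from the `==` pins on the neighbouring lines, which means a later recompile can pull in a new `openshift`/`kubernetes` client release without any edit to this file. Add an upper bound or an exact pin if that drift is not wanted.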
@@ -26,7 +26,7 @@ azure-mgmt-loganalytics==0.2.0 # via -r /awx_devel/requirements/requirements_an azure-mgmt-marketplaceordering==0.1.0 # via -r /awx_devel/requirements/requirements_ansible.in azure-mgmt-monitor==0.5.2 # via -r /awx_devel/requirements/requirements_ansible.in azure-mgmt-network==2.3.0 # via -r /awx_devel/requirements/requirements_ansible.in -azure-mgmt-nspkg==2.0.0 # via -r /awx_devel/requirements/requirements_ansible.in, azure-mgmt-authorization, azure-mgmt-automation, azure-mgmt-batch, azure-mgmt-cdn, azure-mgmt-compute, azure-mgmt-containerinstance, azure-mgmt-containerregistry, azure-mgmt-containerservice, azure-mgmt-cosmosdb, azure-mgmt-devtestlabs, azure-mgmt-dns, azure-mgmt-hdinsight, azure-mgmt-iothub, azure-mgmt-keyvault, azure-mgmt-loganalytics, azure-mgmt-marketplaceordering, azure-mgmt-monitor, azure-mgmt-network, azure-mgmt-rdbms, azure-mgmt-redis, azure-mgmt-resource, azure-mgmt-servicebus, azure-mgmt-sql, azure-mgmt-storage, azure-mgmt-trafficmanager, azure-mgmt-web +azure-mgmt-nspkg==2.0.0; python_version < "3" # via -r /awx_devel/requirements/requirements_ansible.in, azure-mgmt-authorization, azure-mgmt-automation, azure-mgmt-batch, azure-mgmt-cdn, azure-mgmt-compute, azure-mgmt-containerinstance, azure-mgmt-containerregistry, azure-mgmt-containerservice, azure-mgmt-cosmosdb, azure-mgmt-devtestlabs, azure-mgmt-dns, azure-mgmt-hdinsight, azure-mgmt-iothub, azure-mgmt-keyvault, azure-mgmt-loganalytics, azure-mgmt-marketplaceordering, azure-mgmt-monitor, azure-mgmt-network, azure-mgmt-rdbms, azure-mgmt-redis, azure-mgmt-resource, azure-mgmt-servicebus, azure-mgmt-sql, azure-mgmt-storage, azure-mgmt-trafficmanager, azure-mgmt-web azure-mgmt-rdbms==1.4.1 # via -r /awx_devel/requirements/requirements_ansible.in azure-mgmt-redis==5.0.0 # via -r /awx_devel/requirements/requirements_ansible.in azure-mgmt-resource==2.1.0 # via -r /awx_devel/requirements/requirements_ansible.in 
@@ -43,7 +43,7 @@ boto3==1.9.223 # via -r /awx_devel/requirements/requirements_ansible. boto==2.47.0 # via -r /awx_devel/requirements/requirements_ansible.in botocore==1.12.253 # via boto3, s3transfer cachetools==3.1.1 # via google-auth -certifi==2019.11.28 # via msrest, requests +certifi==2019.11.28 # via kubernetes, msrest, requests cffi==1.13.2 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests colorama==0.4.3 # via azure-cli-core, knack @@ -53,18 +53,19 @@ docutils==0.15.2 # via botocore dogpile.cache==0.9.0 # via openstacksdk enum34==1.1.6; python_version < "3" # via cryptography, knack, msrest, ovirt-engine-sdk-python futures==3.3.0; python_version < "3" # via openstacksdk, s3transfer -google-auth==1.6.2 # via -r /awx_devel/requirements/requirements_ansible.in +google-auth==1.6.2 # via -r /awx_devel/requirements/requirements_ansible.in, kubernetes humanfriendly==4.18 # via azure-cli-core idna==2.8 # via requests -ipaddress==1.0.23; python_version < "3" # via cryptography, openstacksdk +ipaddress==1.0.23; python_version < "3" # via cryptography, kubernetes, openstacksdk iso8601==0.1.12 # via keystoneauth1, openstacksdk isodate==0.6.0 # via msrest -jinja2==2.10.1 # via -r /awx_devel/requirements/requirements_ansible.in +jinja2==2.10.1 # via -r /awx_devel/requirements/requirements_ansible.in, openshift jmespath==0.9.4 # via azure-cli-core, boto3, botocore, knack, openstacksdk jsonpatch==1.24 # via openstacksdk jsonpointer==2.0 # via jsonpatch keystoneauth1==3.18.0 # via openstacksdk knack==0.3.3 # via azure-cli-core +kubernetes==11.0.0 # via openshift lxml==4.4.2 # via ncclient markupsafe==1.1.1 # via jinja2 monotonic==1.5; python_version < "3" # via humanfriendly 
@@ -76,6 +77,7 @@ netaddr==0.7.19 # via -r /awx_devel/requirements/requirements_ansible. netifaces==0.10.9 # via openstacksdk ntlm-auth==1.4.0 # via requests-credssp, requests-ntlm oauthlib==3.1.0 # via requests-oauthlib +openshift==0.11.2 # via -r /awx_devel/requirements/requirements_ansible.in openstacksdk==0.37.0 # via -r /awx_devel/requirements/requirements_ansible.in os-service-types==1.7.0 # via keystoneauth1, openstacksdk ovirt-engine-sdk-python==4.3.0 # via -r /awx_devel/requirements/requirements_ansible.in 
@@ -93,27 +95,32 @@ pykerberos==1.2.1 # via requests-kerberos pynacl==1.3.0 # via paramiko pyopenssl==19.1.0 # via azure-cli-core, requests-credssp pyparsing==2.4.5 # via packaging -python-dateutil==2.8.1 # via adal, azure-storage, botocore +python-dateutil==2.8.1 # via adal, azure-storage, botocore, kubernetes +python-string-utils==0.6.0; python_version < "3" # via openshift pyvmomi==6.7.3 # via -r /awx_devel/requirements/requirements_ansible.in pywinrm[kerberos]==0.3.0 # via -r /awx_devel/requirements/requirements_ansible.in -pyyaml==5.2 # via azure-cli-core, knack, openstacksdk +pyyaml==5.2 # via azure-cli-core, knack, kubernetes, openstacksdk requests-credssp==1.0.2 # via -r /awx_devel/requirements/requirements_ansible.in requests-kerberos==0.12.0 # via pywinrm requests-ntlm==1.1.0 # via pywinrm -requests-oauthlib==1.3.0 # via msrest -requests==2.22.0 # via -r /awx_devel/requirements/requirements_ansible.in, adal, apache-libcloud, azure-cli-core, azure-keyvault, azure-storage, keystoneauth1, msrest, pyvmomi, pywinrm, requests-credssp, requests-kerberos, requests-ntlm, requests-oauthlib +requests-oauthlib==1.3.0 # via kubernetes, msrest +requests==2.22.0 # via -r /awx_devel/requirements/requirements_ansible.in, adal, apache-libcloud, azure-cli-core, azure-keyvault, azure-storage, keystoneauth1, kubernetes, msrest, pyvmomi, pywinrm, requests-credssp, requests-kerberos, requests-ntlm, requests-oauthlib requestsexceptions==1.4.0 # via openstacksdk rsa==4.0 # via google-auth +ruamel.ordereddict==0.4.14; python_version < "3" # via ruamel.yaml +ruamel.yaml.clib==0.2.0 # via ruamel.yaml +ruamel.yaml==0.16.10 # via openshift s3transfer==0.2.1 # via boto3 selectors2==2.0.1 # via ncclient -six==1.13.0 # via azure-cli-core, bcrypt, cryptography, google-auth, isodate, keystoneauth1, knack, munch, ncclient, openstacksdk, ovirt-engine-sdk-python, packaging, pynacl, pyopenssl, python-dateutil, pyvmomi, pywinrm, requests-credssp, stevedore +six==1.13.0 # via azure-cli-core, 
bcrypt, cryptography, google-auth, isodate, keystoneauth1, knack, kubernetes, munch, ncclient, openshift, openstacksdk, ovirt-engine-sdk-python, packaging, pynacl, pyopenssl, python-dateutil, pyvmomi, pywinrm, requests-credssp, stevedore, websocket-client stevedore==1.31.0 # via keystoneauth1 tabulate==0.8.2 # via azure-cli-core, knack typing==3.7.4.1; python_version < "3" # via msrest -urllib3==1.25.7 # via botocore, requests +urllib3==1.25.7 # via botocore, kubernetes, requests +websocket-client==0.57.0 # via kubernetes wheel==0.33.6 # via azure-cli-core (overriden, see upgrade blockers) xmltodict==0.12.0 # via pywinrm # The following packages are considered to be unsafe in a requirements file: pip==19.3.1 # via -r /awx_devel/requirements/requirements_ansible.in, azure-cli-core -setuptools==41.6.0 # via -r /awx_devel/requirements/requirements_ansible.in, ncclient +setuptools==41.6.0 # via -r /awx_devel/requirements/requirements_ansible.in, kubernetes, ncclient