diff --git a/deploy/role.yaml b/deploy/role.yaml index 7aadfa5b..7438d6d3 100644 --- a/deploy/role.yaml +++ b/deploy/role.yaml @@ -5,6 +5,14 @@ metadata: creationTimestamp: null name: tower-operator rules: + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - '*' + - apiGroups: + - "" - apiGroups: - "" resources: diff --git a/deploy/tower-operator.yaml b/deploy/tower-operator.yaml index a11677cb..4275e305 100644 --- a/deploy/tower-operator.yaml +++ b/deploy/tower-operator.yaml @@ -5,6 +5,12 @@ metadata: creationTimestamp: null name: tower-operator rules: + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - '*' - apiGroups: - "" resources: diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index e804e89d..667b74e1 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -1,4 +1,7 @@ --- +tower_multitenant: false +tower_ingress_type: ingress + tower_hostname: example-tower.test tower_secret_key: aabbcc diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index ee883ba1..ad88a4b4 100644 --- a/roles/tower/templates/tower_config.yaml.j2 +++ b/roles/tower/templates/tower_config.yaml.j2 @@ -40,7 +40,11 @@ data: INTERNAL_API_URL = 'http://127.0.0.1:8052' # Container environments don't like chroots +{% if tower_multitenant == true %} + AWX_PROOT_ENABLED = True +{% else %} AWX_PROOT_ENABLED = False +{% endif %} # Automatically deprovision pods that go offline AWX_AUTO_DEPROVISION_INSTANCES = True diff --git a/roles/tower/templates/tower_task.yaml.j2 b/roles/tower/templates/tower_task.yaml.j2 index f39192bd..ae841aae 100644 --- a/roles/tower/templates/tower_task.yaml.j2 +++ b/roles/tower/templates/tower_task.yaml.j2 @@ -20,8 +20,10 @@ spec: containers: - image: '{{ tower_task_image }}' name: tower-task +{% if tower_multitenant == true %} securityContext: privileged: true +{% endif %} command: - /usr/bin/launch_awx_task.sh envFrom: 
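Review bot: The last two added lines of the deploy/role.yaml hunk, `- apiGroups:` followed by `- ""`, form a rule with no `resources` or `verbs`, sitting directly ahead of the existing core-group rule that opens the same way. It looks like a merge or copy leftover, and because RBAC validation requires at least one verb per rule, the Role is likely to be rejected on apply; the parallel hunk in deploy/tower-operator.yaml adds only the six routes lines, and this hunk should match it. Separately, the routes rule here and in deploy/tower-operator.yaml grants `verbs: ['*']`; enumerating the verbs the operator actually uses on routes (to be confirmed against the role's tasks, which are not visible here) would keep the Role least-privilege. The rules list continues outside the hunk.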
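Review bot: Both new defaults in roles/tower/defaults/main.yml lack a comment, and each has a security-relevant effect that is only visible in the templates. I would add `# true enables AWX_PROOT_ENABLED and runs the tower-task container with privileged: true` above `tower_multitenant`, and `# 'ingress' or 'route' (OpenShift); any other value exposes neither` above `tower_ingress_type`. Since an unrecognised `tower_ingress_type` silently renders no Ingress and no Route, an assertion on the allowed values in the role's tasks would be worth considering.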
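Review bot: The guard `{% if tower_multitenant == true %}` in tower_config.yaml.j2 only matches a real boolean, so a value that arrives as the string `"true"` or `"yes"` (for example from extra vars or a custom resource spec) falls through to `AWX_PROOT_ENABLED = False` without any error. In a multitenant deployment that means job isolation is silently off. Using `{% if tower_multitenant | bool %}` here and in the same guard in roles/tower/templates/tower_task.yaml.j2 makes both templates interpret the flag the same way. The retained comment `# Container environments don't like chroots` now sits above a branch that enables proot and should be reworded.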
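Review bot: In tower_task.yaml.j2, `privileged: true` is now applied exactly when `tower_multitenant` is on, which is the configuration where the task container runs jobs from mutually untrusted tenants, and a privileged container has effectively unrestricted access to the node. The template should carry a comment stating why full privilege is required, e.g. `# proot job isolation needs a privileged container; only set when tower_multitenant is true`. If a narrower `securityContext` with specific `capabilities.add` entries is sufficient, that would be preferable, but this has to be confirmed against what the isolation tooling actually needs. The container spec continues outside the hunk.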
diff --git a/roles/tower/templates/tower_web.yaml.j2 b/roles/tower/templates/tower_web.yaml.j2 index a423336f..9105f38f 100644 --- a/roles/tower/templates/tower_web.yaml.j2 +++ b/roles/tower/templates/tower_web.yaml.j2 @@ -94,11 +94,12 @@ spec: - port: 80 protocol: TCP targetPort: 8052 + name: http selector: app: tower # Tower Ingress. -{% if tower_hostname != '' %} +{% if 'ingress' == tower_ingress_type %} --- apiVersion: extensions/v1beta1 kind: Ingress @@ -115,3 +116,23 @@ spec: serviceName: '{{ meta.name }}-service' servicePort: 80 {% endif %} + +{% if 'route' == tower_ingress_type %} +--- +apiVersion: v1 +kind: Route +metadata: + name: '{{ meta.name }}' + namespace: '{{ meta.namespace }}' +spec: + port: + targetPort: http + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: {{ meta.name }}-service + weight: 100 + wildcardPolicy: None +{% endif %}
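Review bot: Replacing `{% if tower_hostname != '' %}` with `{% if 'ingress' == tower_ingress_type %}` drops the empty-hostname guard, and since `tower_ingress_type` defaults to `ingress`, an empty `tower_hostname` now still renders the Ingress. The Ingress rule body lies between the two hunks and is not visible; if it sets `host` from `tower_hostname`, an empty host would make the rule match every hostname served by the ingress controller. Keeping both conditions, `{% if 'ingress' == tower_ingress_type and tower_hostname != '' %}`, or failing the play when the hostname is empty, avoids that.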
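Review bot: The new Route is declared with `apiVersion: v1`, while the Role rules added in this commit grant access to routes in the `route.openshift.io` group; the manifest should use `apiVersion: route.openshift.io/v1` so the object is created through the grouped API the operator is authorised for. Also, `name: {{ meta.name }}-service` is left unquoted, unlike the other templated values visible in this diff; write it as `name: '{{ meta.name }}-service'` to match the Ingress `serviceName`. With `termination: edge` the hop from the router to the pod is plain HTTP, which is worth stating in a comment so nobody assumes end-to-end TLS. The Route sets no `host`, so `tower_hostname` is ignored in route mode; if that is intended, a comment should say so.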