diff --git a/continuousintegration/docker/ctafrontend/cc7/config/ctaeos/etc/xrd.cf.mgm b/continuousintegration/docker/ctafrontend/cc7/config/ctaeos/etc/xrd.cf.mgm
index 4ec7e479cdd24e348ba48c8dcf579de066c02e0a..c6ef4c0d1ca9f10f3a8bb9f6d2ecba64dcd2d2b0 100644
--- a/continuousintegration/docker/ctafrontend/cc7/config/ctaeos/etc/xrd.cf.mgm
+++ b/continuousintegration/docker/ctafrontend/cc7/config/ctaeos/etc/xrd.cf.mgm
@@ -19,11 +19,11 @@ sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
 # KRB  authentication
 #sec.protocol krb5 -exptkn:/var/eos/auth/krb5#<uid> host/<host>@CERN.CH
 #sec.protocol krb5 host/<host>@CERN.CH
-
+sec.protocol krb5 /etc/eos.krb5.keytab eos/eos-server@TEST.CTA
 
 sec.protbind localhost.localdomain unix sss
 sec.protbind localhost unix sss
-sec.protbind * only sss unix
+sec.protbind * only sss unix krb5
 ###########################################################
 mgmofs.fs /
 mgmofs.targetport 1095
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/client.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/client.sh
new file mode 100755
index 0000000000000000000000000000000000000000..504aa72daaeb77bc2cbf5e4c393bae3eb24f8f35
--- /dev/null
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/client.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+/opt/run/bin/init_pod.sh
+
+yum-config-manager --enable cta-artifacts
+yum-config-manager --enable ceph
+
+# Install missing RPMs
+yum -y install cta-cli cta-debuginfo xrootd-client eos-client
+
+cat <<EOF > /etc/cta/cta-cli.conf
+# The CTA frontend address in the form <FQDN>:<TCPPort>
+# solved by kubernetes DNS server so KIS...
+ctafrontend:10955
+EOF
+
+# sleep forever but exit immediately when pod is deleted
+exec /bin/bash -c "trap : TERM INT; sleep infinity & wait"
diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh
index 664fd9a99cd3003e51bd122f5d9850d7edec253b..f40ade7f74237566b1313a904228440e3d8a4f79 100755
--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -197,7 +197,7 @@ echo OK
 
 echo "Launching pods"
 
-for podname in ctacli tpsrv01 tpsrv02 ctaeos ctafrontend kdc; do
+for podname in client ctacli tpsrv01 tpsrv02 ctaeos ctafrontend kdc; do
   kubectl create -f ${poddir}/pod-${podname}.yaml --namespace=${instance}
 done
 
@@ -229,13 +229,21 @@ done
 echo OK
 
 echo -n "Configuring KDC clients (frontend, cli...) "
+kubectl --namespace=${instance} exec kdc cat /etc/krb5.conf | kubectl --namespace=${instance} exec -i client --  bash -c "cat > /etc/krb5.conf"
 kubectl --namespace=${instance} exec kdc cat /etc/krb5.conf | kubectl --namespace=${instance} exec -i ctacli --  bash -c "cat > /etc/krb5.conf" 
 kubectl --namespace=${instance} exec kdc cat /etc/krb5.conf | kubectl --namespace=${instance} exec -i ctafrontend --  bash -c "cat > /etc/krb5.conf"
+kubectl --namespace=${instance} exec kdc cat /etc/krb5.conf | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/krb5.conf"
 kubectl --namespace=${instance} exec kdc cat /root/admin1.keytab | kubectl --namespace=${instance} exec -i ctacli --  bash -c "cat > /root/admin1.keytab"
+kubectl --namespace=${instance} exec kdc cat /root/user1.keytab | kubectl --namespace=${instance} exec -i ctacli --  bash -c "cat > /root/user1.keytab"
 kubectl --namespace=${instance} exec kdc cat /root/cta-frontend.keytab | kubectl --namespace=${instance} exec -i ctafrontend --  bash -c "cat > /etc/cta-frontend.keytab"
+kubectl --namespace=${instance} exec kdc cat /root/eos.keytab | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/eos.krb5.keytab"
 kubectl --namespace=${instance} exec ctacli -- kinit -kt /root/admin1.keytab admin1@TEST.CTA
+kubectl --namespace=${instance} exec client -- kinit -kt /root/user1.keytab user1@TEST.CTA
 echo OK
 
+echo "klist for client:"
+kubectl --namespace=${instance} exec client klist
+
 echo "klist for ctacli:"
 kubectl --namespace=${instance} exec ctacli klist
 
diff --git a/continuousintegration/orchestration/delete_instance.sh b/continuousintegration/orchestration/delete_instance.sh
index e93d8a753855eb78b375d87596c0e1fb48db9d8a..432f81c32bddeb06099a0a4103bd8eb48618f4db 100755
--- a/continuousintegration/orchestration/delete_instance.sh
+++ b/continuousintegration/orchestration/delete_instance.sh
@@ -34,7 +34,7 @@ fi
 # indeed if the system test fails, artifacts are not collected for the build
 tmpdir=$(mktemp -d -t ${instance}_delete_XXXX)
 echo "Collecting stdout logs of pods to ${tmpdir}"
-for podcontainer in "init -c ctainit" "ctacli -c ctacli" "ctaeos -c mgm" "ctafrontend -c ctafrontend" "kdc -c kdc" "tpsrv01 -c taped" "tpsrv01 -c rmcd" "tpsrv02 -c taped" "tpsrv02 -c rmcd"; do
+for podcontainer in "init -c ctainit" "client -c client" "ctacli -c ctacli" "ctaeos -c mgm" "ctafrontend -c ctafrontend" "kdc -c kdc" "tpsrv01 -c taped" "tpsrv01 -c rmcd" "tpsrv02 -c taped" "tpsrv02 -c rmcd"; do
   kubectl --namespace ${instance} logs ${podcontainer} > ${tmpdir}/$(echo ${podcontainer} | sed -e 's/ -c /-/').log
 done
 kubectl --namespace ${instance} exec ctacli -- tar -C /mnt/logs -zcf - . > ${tmpdir}/varlog.tgz
diff --git a/continuousintegration/orchestration/pod-client.yaml b/continuousintegration/orchestration/pod-client.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bd535dc1c5dae31a4957ca61b553ec076bc01b13
--- /dev/null
+++ b/continuousintegration/orchestration/pod-client.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: client
+  labels:
+    k8s-app: client
+spec:
+  restartPolicy: Never
+  containers:
+  - name: client
+    image: gitlab-registry.cern.ch/cta/ctageneric:78673git921a9300
+    stdin: true
+    env:
+    - name: MY_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: MY_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_NAME
+      value: "$(MY_NAMESPACE)"
+    - name: BUILDTREE_BASE
+      valueFrom:
+        configMapKeyRef:
+          name: buildtree
+          key: base
+    - name: BUILDTREE_SUBDIR
+      valueFrom:
+        configMapKeyRef:
+          name: buildtree
+          key: subdir
+    - name: TERM
+      value: "xterm"
+    command: ['/opt/run/bin/client.sh']
+    args: ["none"]
+    volumeMounts:
+    - mountPath: /shared
+      name: shared
+    - mountPath: /mnt/logs
+      name: logstorage
+    securityContext:
+      privileged: true
+
+  volumes:
+  - name: shared
+    hostPath:
+      path: /opt/cta
+  - name: logstorage
+    persistentVolumeClaim:
+      claimName: claimlogs