diff --git a/PROJECT b/PROJECT
index 9d1f7c21..af4dfb44 100644
--- a/PROJECT
+++ b/PROJECT
@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: openstack.org
 layout:
 - go.kubebuilder.io/v3
@@ -42,4 +46,13 @@ resources:
     defaulting: true
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: openstack.org
+  group: mariadb
+  kind: MariaDBAccount
+  path: github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1
+  version: v1beta1
 version: "3"
diff --git a/api/v1beta1/mariadbaccount_types.go b/api/v1beta1/mariadbaccount_types.go
new file mode 100644
index 00000000..944e2d66
--- /dev/null
+++ b/api/v1beta1/mariadbaccount_types.go
@@ -0,0 +1,64 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// MariaDBAccountSpec defines the desired state of MariaDBAccount
+type MariaDBAccountSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// Foo is an example field of MariaDBAccount. Edit mariadbaccount_types.go to remove/update
+	Foo string `json:"foo,omitempty"`
+}
+
+// MariaDBAccountStatus defines the observed state of MariaDBAccount
+type MariaDBAccountStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// MariaDBAccount is the Schema for the mariadbaccounts API
+type MariaDBAccount struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   MariaDBAccountSpec   `json:"spec,omitempty"`
+	Status MariaDBAccountStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// MariaDBAccountList contains a list of MariaDBAccount
+type MariaDBAccountList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []MariaDBAccount `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&MariaDBAccount{}, &MariaDBAccountList{})
+}
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 476fef6c..8d0a43bd 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -226,6 +226,95 @@ func (in *MariaDB) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MariaDBAccount) DeepCopyInto(out *MariaDBAccount) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MariaDBAccount.
+func (in *MariaDBAccount) DeepCopy() *MariaDBAccount {
+	if in == nil {
+		return nil
+	}
+	out := new(MariaDBAccount)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *MariaDBAccount) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MariaDBAccountList) DeepCopyInto(out *MariaDBAccountList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]MariaDBAccount, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MariaDBAccountList.
+func (in *MariaDBAccountList) DeepCopy() *MariaDBAccountList {
+	if in == nil {
+		return nil
+	}
+	out := new(MariaDBAccountList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *MariaDBAccountList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MariaDBAccountSpec) DeepCopyInto(out *MariaDBAccountSpec) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MariaDBAccountSpec.
+func (in *MariaDBAccountSpec) DeepCopy() *MariaDBAccountSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(MariaDBAccountSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MariaDBAccountStatus) DeepCopyInto(out *MariaDBAccountStatus) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MariaDBAccountStatus.
+func (in *MariaDBAccountStatus) DeepCopy() *MariaDBAccountStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(MariaDBAccountStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MariaDBDatabase) DeepCopyInto(out *MariaDBDatabase) {
 	*out = *in
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index ba705d8b..4a94488b 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - bases/mariadb.openstack.org_galeras.yaml
 - bases/mariadb.openstack.org_mariadbs.yaml
 - bases/mariadb.openstack.org_mariadbdatabases.yaml
+- bases/mariadb.openstack.org_mariadbaccounts.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -13,6 +14,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_galeras.yaml
 #- patches/webhook_in_mariadbs.yaml
 #- patches/webhook_in_mariadbdatabases.yaml
+#- patches/webhook_in_mariadbaccounts.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
@@ -20,6 +22,7 @@ patchesStrategicMerge:
 #- patches/cainjection_in_galeras.yaml
 #- patches/cainjection_in_mariadbs.yaml
 #- patches/cainjection_in_mariadbdatabases.yaml
+#- patches/cainjection_in_mariadbaccounts.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
diff --git a/config/crd/patches/cainjection_in_mariadbaccounts.yaml b/config/crd/patches/cainjection_in_mariadbaccounts.yaml
new file mode 100644
index 00000000..1d5ed47c
--- /dev/null
+++ b/config/crd/patches/cainjection_in_mariadbaccounts.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: mariadbaccounts.mariadb.openstack.org
diff --git a/config/crd/patches/webhook_in_mariadbaccounts.yaml b/config/crd/patches/webhook_in_mariadbaccounts.yaml
new file mode 100644
index 00000000..3367c5d1
--- /dev/null
+++ b/config/crd/patches/webhook_in_mariadbaccounts.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: mariadbaccounts.mariadb.openstack.org
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1
diff --git a/config/rbac/mariadbaccount_editor_role.yaml b/config/rbac/mariadbaccount_editor_role.yaml
new file mode 100644
index 00000000..f233ed4a
--- /dev/null
+++ b/config/rbac/mariadbaccount_editor_role.yaml
@@ -0,0 +1,31 @@
+# permissions for end users to edit mariadbaccounts.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: mariadbaccount-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: mariadb-operator
+    app.kubernetes.io/part-of: mariadb-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: mariadbaccount-editor-role
+rules:
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/status
+  verbs:
+  - get
diff --git a/config/rbac/mariadbaccount_viewer_role.yaml b/config/rbac/mariadbaccount_viewer_role.yaml
new file mode 100644
index 00000000..0d6c038b
--- /dev/null
+++ b/config/rbac/mariadbaccount_viewer_role.yaml
@@ -0,0 +1,27 @@
+# permissions for end users to view mariadbaccounts.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: mariadbaccount-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: mariadb-operator
+    app.kubernetes.io/part-of: mariadb-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: mariadbaccount-viewer-role
+rules:
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/status
+  verbs:
+  - get
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index 0e707d3f..cb8e4142 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -3,4 +3,5 @@ resources:
 - mariadb_v1beta1_mariadb.yaml
 - mariadb_v1beta1_mariadbdatabase.yaml
 - mariadb_v1beta1_galera.yaml
+- mariadb_v1beta1_mariadbaccount.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/config/samples/mariadb_v1beta1_mariadbaccount.yaml b/config/samples/mariadb_v1beta1_mariadbaccount.yaml
new file mode 100644
index 00000000..e8ed3f6c
--- /dev/null
+++ b/config/samples/mariadb_v1beta1_mariadbaccount.yaml
@@ -0,0 +1,12 @@
+apiVersion: mariadb.openstack.org/v1beta1
+kind: MariaDBAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: mariadbaccount
+    app.kubernetes.io/instance: mariadbaccount-sample
+    app.kubernetes.io/part-of: mariadb-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: mariadb-operator
+  name: mariadbaccount-sample
+spec:
+  # TODO(user): Add fields here
diff --git a/controllers/mariadbaccount_controller.go b/controllers/mariadbaccount_controller.go
new file mode 100644
index 00000000..f62cdc1a
--- /dev/null
+++ b/controllers/mariadbaccount_controller.go
@@ -0,0 +1,62 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	mariadbv1beta1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
+)
+
+// MariaDBAccountReconciler reconciles a MariaDBAccount object
+type MariaDBAccountReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+//+kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
+
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// TODO(user): Modify the Reconcile function to compare the state specified by
+// the MariaDBAccount object against the actual cluster state, and then
+// perform operations to make the cluster state reflect the state specified by
+// the user.
+//
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.14.1/pkg/reconcile
+func (r *MariaDBAccountReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ = log.FromContext(ctx)
+
+	// TODO(user): your logic here
+
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *MariaDBAccountReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&mariadbv1beta1.MariaDBAccount{}).
+		Complete(r)
+}
diff --git a/controllers/suite_test.go b/controllers/suite_test.go
index cb981c21..fd6a3308 100644
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -29,6 +29,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	mariadbv1beta1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -60,6 +62,9 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	Expect(cfg).NotTo(BeNil())
 
+	err = mariadbv1beta1.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
 	//+kubebuilder:scaffold:scheme
 
 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
diff --git a/main.go b/main.go
index 556aa2b9..51395cf1 100644
--- a/main.go
+++ b/main.go
@@ -151,6 +151,13 @@ func main() {
 		checker = mgr.GetWebhookServer().StartedChecker()
 	}
 
+	if err = (&controllers.MariaDBAccountReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "MariaDBAccount")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", checker); err != nil {