diff --git a/group_vars/k8s-controller.yml b/group_vars/k8s-controller.yml
index c048893..ae75c43 100644
--- a/group_vars/k8s-controller.yml
+++ b/group_vars/k8s-controller.yml
@@ -21,3 +21,12 @@ vrrp_instance:
 track_process {
 kube-apiserver
 }
+
+kube_root_ca_pem: >-
+ {{ lookup(
+ "kubernetes.core.k8s",
+ kind="ConfigMap",
+ namespace="kube-public",
+ resource_name="kube-root-ca.crt"
+ ).data["ca.crt"]
+ }}
diff --git a/kubernetes.yml b/kubernetes.yml
index d658f9e..4fb5dff 100644
--- a/kubernetes.yml
+++ b/kubernetes.yml
@@ -1,9 +1,8 @@
 - hosts: k8s-controller
 roles:
- - role: keepalived
+ - role: k8s-controller
 tags:
- - keepalived
- - role: kubelet
+ - k8s-controller
 
 - hosts: k8s-node
 roles:
diff --git a/roles/k8s-controller/meta/main.yml b/roles/k8s-controller/meta/main.yml
new file mode 100644
index 0000000..7c50d45
--- /dev/null
+++ b/roles/k8s-controller/meta/main.yml
@@ -0,0 +1,8 @@
+dependencies:
+- role: kubelet
+- role: keepalived
+ tags:
+ - keepalived
+- role: haproxy
+ tags:
+ - haproxy
diff --git a/roles/k8s-controller/tasks/main.yml b/roles/k8s-controller/tasks/main.yml
new file mode 100644
index 0000000..1b1eb1b
--- /dev/null
+++ b/roles/k8s-controller/tasks/main.yml
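Review bot: `kube_root_ca_pem` is a lazily evaluated lookup, so every task that references it runs a `kubernetes.core.k8s` query on the control node, and nothing in the hunk documents that the control node needs working cluster credentials (a kubeconfig or `K8S_AUTH_*` environment) at play time. On a cluster that is not yet initialised the `kube-root-ca.crt` ConfigMap does not exist and the `.data["ca.crt"]` access will raise, which presumably breaks the first run of the new role rather than degrading gracefully. A comment above the variable would save the next operator a debugging round, e.g. `# Evaluated on the control node via kubernetes.core.k8s; needs an existing cluster and kubeconfig/K8S_AUTH_* credentials.` The rest of `vrrp_instance` and the surrounding file sit outside the hunk.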
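Review bot: The new `roles/k8s-controller/meta/main.yml` mixes sequence indentation: the `- role:` items sit flush under `dependencies:` while `- keepalived` and `- haproxy` are indented under their `tags:` keys, and the file has no `---` document start. Indenting the three `- role:` entries two spaces and opening the file with `---` keeps it consistent with yamllint's defaults. The `kubelet` dependency is also the only one without a tag, so `--tags kubelet` will not select it unless the kubelet role tags its own tasks, which this diff cannot show.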
@@ -0,0 +1,38 @@
+- name: ensure haproxy has a copy of kubernetes ca certificate
+ copy:
+ dest: /etc/haproxy/kube-root-ca.crt
+ content: '{{ kube_root_ca_pem }}'
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ setype: etc_t
+ tags:
+ - haproxy
+ - ca-cert
+- name: ensure haproxy is configured for kubernetes apiserver
+ template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/conf.d/40-apiserver.cfg
+ mode: u=rw,go=r
+ tags:
+ - config
+ - haproxy-config
+ - haproxy
+ notify: reload haproxy
+- name: ensure haproxy can connect to kubernetes apiserver port
+ seboolean:
+ name: haproxy_connect_any
+ state: true
+ persistent: true
+ tags:
+ - selinux
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure haproxy is running
+ service:
+ name: haproxy
+ state: started
+ tags:
+ - service
diff --git a/roles/k8s-controller/templates/haproxy.cfg.j2 b/roles/k8s-controller/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..fba80ec
--- /dev/null
+++ b/roles/k8s-controller/templates/haproxy.cfg.j2
@@ -0,0 +1,16 @@
+listen apiserver
+ mode tcp
+ bind *:443,:::443 v6only
+
+ option tcplog
+
+ balance roundrobin
+
+ option httpchk
+ http-check connect ssl
+ http-check send meth GET uri /healthz
+ http-check expect status 200
+
+{% for server in groups["k8s-controller"] %}
+ server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
+{% endfor %}
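Review bot: `haproxy_connect_any` in the `seboolean` task lets haproxy connect to every TCP port on the host, which is far broader than the single apiserver port the task name describes. If the installed policy already lets `haproxy_t` reach ports labelled `http_port_t`, labelling 6443 with the `seport` module (`ports: 6443`, `proto: tcp`, `setype: http_port_t`) would confine the grant to that one port; verify this against the target's policy before switching. Separately, the final `service` task only sets `state: started`, so unless the `haproxy` dependency role enables the unit, `enabled: true` is needed for the load balancer to come back after a reboot. The `reload haproxy` handler that `flush_handlers` fires before that start task is defined outside this diff; check that it tolerates a not-yet-running haproxy on a fresh host.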
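Review bot: The health check in `http-check send meth GET uri /healthz` depends on anonymous access to the apiserver, and `/healthz` is a liveness endpoint, so a backend that is alive but not yet able to serve requests is still handed traffic; `http-check send meth GET uri /readyz` is the endpoint meant for load balancers and reports only servers that are ready. If anonymous auth is disabled on the apiserver the unauthenticated check answers 401/403 and every backend is marked down, which is worth a comment next to the check. The `ca-file` on the `server` line only pins the check's trust anchor when verification is on; writing `check verify required ca-file /etc/haproxy/kube-root-ca.crt` makes that explicit instead of relying on the global `ssl-server-verify` default. Since `mode tcp` passes the TLS session through, clients on port 443 still see the apiserver's own certificate, whose SANs must cover the VIP or name they connect to; the diff cannot show that.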