diff --git a/kubernetes.yml b/kubernetes.yml
index d658f9e..4fb5dff 100644
--- a/kubernetes.yml
+++ b/kubernetes.yml
@@ -1,9 +1,8 @@
- hosts: k8s-controller
roles:
- - role: keepalived
+ - role: k8s-controller
tags:
- - keepalived
- - role: kubelet
+ - k8s-controller
- hosts: k8s-node
roles:
diff --git a/roles/k8s-controller/meta/main.yml b/roles/k8s-controller/meta/main.yml
new file mode 100644
index 0000000..7c50d45
--- /dev/null
+++ b/roles/k8s-controller/meta/main.yml
@@ -0,0 +1,8 @@
+dependencies:
+- role: kubelet
+- role: keepalived
+ tags:
+ - keepalived
+- role: haproxy
+ tags:
+ - haproxy
diff --git a/roles/k8s-controller/tasks/main.yml b/roles/k8s-controller/tasks/main.yml
new file mode 100644
index 0000000..7478010
--- /dev/null
+++ b/roles/k8s-controller/tasks/main.yml
@@ -0,0 +1,43 @@
+# SELinux prevents HAProxy (haproxy_t) from reading the Kubernetes root
+# CA certificate file (kubernetes_file_t). Changing the policy to
+# allow it would be overly permissive, so we make a private copy of the
+# file for HAproxy to use.
+- name: ensure haproxy has a copy of kubernetes ca certificate
+ copy:
+ src: /etc/kubernetes/pki/ca.crt
+ dest: /etc/haproxy/kube-root-ca.crt
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ setype: etc_t
+ remote_src: true
+ tags:
+ - haproxy
+ - ca-cert
+- name: ensure haproxy is configured for kubernetes apiserver
+ template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/conf.d/40-apiserver.cfg
+ mode: u=rw,go=r
+ tags:
+ - config
+ - haproxy-config
+ - haproxy
+ notify: reload haproxy
+- name: ensure haproxy can connect to kubernetes apiserver port
+ seboolean:
+ name: haproxy_connect_any
+ state: true
+ persistent: true
+ tags:
+ - selinux
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure haproxy is running
+ service:
+ name: haproxy
+ state: started
+ tags:
+ - service
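Review bot: The `seboolean` task in roles/k8s-controller/tasks/main.yml enables `haproxy_connect_any`, which lets haproxy_t connect to every TCP port, while the header comment in the same file rejects a policy change for the CA file as overly permissive; the two are at odds. A narrower alternative is to label the apiserver port rather than widen the domain, e.g. `seport: { ports: "6443", proto: tcp, setype: http_port_t, state: present }` — this only works if the base haproxy policy already permits connections to `http_port_t` without the boolean, so confirm with `sesearch -A -s haproxy_t -t http_port_t -c tcp_socket -p name_connect` before switching. If the boolean is kept, a comment such as `# haproxy_connect_any is broader than needed; 6443 is unlabeled by default and a port relabel was not wanted here` would keep the file's stated reasoning consistent. Note also that the `seboolean` and `service` tasks are not tagged `haproxy`, so a `--tags haproxy` run deploys the CA copy and config but skips the SELinux permission, leaving connections to 6443 denied until a full run.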
diff --git a/roles/k8s-controller/templates/haproxy.cfg.j2 b/roles/k8s-controller/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..fba80ec
--- /dev/null
+++ b/roles/k8s-controller/templates/haproxy.cfg.j2
@@ -0,0 +1,16 @@
+listen apiserver
+ mode tcp
+ bind *:443,:::443 v6only
+
+ option tcplog
+
+ balance roundrobin
+
+ option httpchk
+ http-check connect ssl
+ http-check send meth GET uri /healthz
+ http-check expect status 200
+
+{% for server in groups["k8s-controller"] %}
+ server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
+{% endfor %}
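Review bot: The `server` line in haproxy.cfg.j2 gives only `ca-file` for the TLS health check (`http-check connect ssl`), so chain verification depends on the global `ssl-server-verify` default rather than being stated, and the peer hostname is never checked because neither SNI nor `verifyhost` is set — any backend presenting a certificate chained to the cluster CA passes the check. Make it explicit: `server {{ server.split(".")[0] }} {{ server }}:6443 check check-sni {{ server }} verify required verifyhost {{ server }} ca-file /etc/haproxy/kube-root-ca.crt` (this assumes the apiserver serving certificate carries the inventory hostname as a SAN, which kubeadm does by default for the node name — confirm against your PKI). Client traffic is unaffected since the listener is `mode tcp` passthrough, so clients still authenticate the apiserver end to end. Separately, `/healthz` is deprecated on kube-apiserver in favour of `/readyz`, which is also the better load-balancer signal, and both are reachable anonymously only through the `system:public-info-viewer` binding; if anonymous auth is disabled on the apiservers, the check returns 401 and every backend is marked down. Finally, `server.split(".")[0]` yields duplicate server names if two inventory hosts share a short name, which HAProxy rejects at config check time.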