diff --git a/group_vars/k8s-controller.yml b/group_vars/k8s-controller.yml
index c048893..145c192 100644
--- a/group_vars/k8s-controller.yml
+++ b/group_vars/k8s-controller.yml
@@ -21,3 +21,12 @@ vrrp_instance:
 track_process {
 kube-apiserver
 }
+
+kube_root_ca_pem: >-
+ {{ lookup(
+ "kubernetes.core.k8s",
+ kind="ConfigMap",
+ namespace="default",
+ resource_name="kube-root-ca.crt"
+ ).data["ca.crt"]
+ }}
diff --git a/roles/k8s-controller/tasks/main.yml b/roles/k8s-controller/tasks/main.yml
index 7478010..1b1eb1b 100644
--- a/roles/k8s-controller/tasks/main.yml
+++ b/roles/k8s-controller/tasks/main.yml
@@ -1,16 +1,11 @@
-# SELinux prevents HAProxy (haproxy_t) from reading the Kubernetes root
-# CA certificate file (kubernetes_file_t). Changing the policy to
-# allow it would be overly permissive, so we make a private copy of the
-# file for HAproxy to use.
 - name: ensure haproxy has a copy of kubernetes ca certificate
 copy:
- src: /etc/kubernetes/pki/ca.crt
 dest: /etc/haproxy/kube-root-ca.crt
+ content: '{{ kube_root_ca_pem }}'
 owner: root
 group: root
 mode: u=rw,go=r
 setype: etc_t
- remote_src: true
 tags:
 - haproxy
 - ca-cert
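Review bot: The `kubernetes.core.k8s` lookup behind `kube_root_ca_pem` runs on the Ansible control node with whatever kubeconfig and current context are in its environment, so the trust anchor HAProxy ends up with comes from an unpinned API connection and a stale or wrong context would silently install another cluster's CA. Pin the call explicitly, e.g. add `kubeconfig="/etc/kubernetes/admin.conf"` (or `context=`) and `validate_certs=True` to the lookup arguments, so a missing or mismatched configuration fails instead of falling back to defaults. This also moves the source of trust from a root-owned file on the node (`/etc/kubernetes/pki/ca.crt`) to a ConfigMap that any subject allowed to write ConfigMaps in `default` could alter, which deserves a comment above the variable such as `# Fetched on the control node via the API; trust depends on who can write default/kube-root-ca.crt`. A ConfigMap that is absent makes `.data["ca.crt"]` fail with an opaque Jinja error rather than a clear message, so consider resolving the lookup into a variable first and asserting on it in the consuming task.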
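Review bot: The removed four-line SELinux comment was the only record of why HAProxy gets a private copy of the CA and why `setype: etc_t` is set; with `src` and `remote_src` gone the task now reads as an arbitrary file write, so restore the rationale above it, e.g. `# haproxy_t cannot read kubernetes_file_t, so HAProxy gets its own etc_t copy of the root CA (fetched via the API rather than copied from /etc/kubernetes/pki).` Because `content` is now a templated value rather than a file the node already held, an empty or malformed lookup result would be written verbatim as HAProxy's trust anchor; add `validate: 'openssl x509 -noout -in %s'` to the `copy` task (assuming openssl is present on the host) or an `assert` that `'BEGIN CERTIFICATE' in kube_root_ca_pem` before the write. HAProxy reads this file only at start, so a `notify` to a reload handler when it changes is also missing, though that predates this change.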