diff --git a/nix/kubernetes/configuration.nix b/nix/kubernetes/configuration.nix
index 16fcf75c..598ded20 100644
--- a/nix/kubernetes/configuration.nix
+++ b/nix/kubernetes/configuration.nix
@@ -14,6 +14,7 @@
 ./roles/image_based_appliance
 ./roles/iso
 ./roles/kube_apiserver
+ ./roles/kube_controller_manager
 ./roles/kubernetes
 ./roles/minimal_base
 ./roles/network
diff --git a/nix/kubernetes/keys/package/deploy-script/package.nix b/nix/kubernetes/keys/package/deploy-script/package.nix
index 6d325436..d639c01e 100644
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -92,6 +92,13 @@ let
 group = 10024;
 mode = "0640";
 }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.ca}/ca.key";
+ owner = 10024;
+ group = 10024;
+ mode = "0600";
+ }
 {
 dest_dir = "/vm/${vm_name}/persist/keys/kube";
 file = "${k8s.keys.kube-api-server}/kube-api-server.crt";
@@ -128,6 +135,13 @@ let
 group = 10024;
 mode = "0600";
 }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.client-configs.kube-controller-manager}/kube-controller-manager.kubeconfig";
+ owner = 10024;
+ group = 10024;
+ mode = "0600";
+ }
 # {
 # dest_dir = "/vm/${vm_name}/persist/keys/kube";
 # file = "${self.kubernetes}/kubernetes.pem";
diff --git a/nix/kubernetes/roles/control_plane/default.nix b/nix/kubernetes/roles/control_plane/default.nix
index 1c0b58b9..b460144d 100644
--- a/nix/kubernetes/roles/control_plane/default.nix
+++ b/nix/kubernetes/roles/control_plane/default.nix
@@ -20,5 +20,6 @@
 config = lib.mkIf config.me.control_plane.enable {
 me.kubernetes.enable = true;
 me.kube_apiserver.enable = true;
+ me.kube_controller_manager.enable = true;
 };
 }
diff --git a/nix/kubernetes/roles/kube_apiserver/default.nix b/nix/kubernetes/roles/kube_apiserver/default.nix
index 2a76188f..a78f4dcb 100644
--- a/nix/kubernetes/roles/kube_apiserver/default.nix
+++ b/nix/kubernetes/roles/kube_apiserver/default.nix
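Review bot: The first deploy-script hunk (`@@ -92,6 +92,13 @@`) ships the cluster CA's private key, `${k8s.ca}/ca.key`, into the VM's persistent key directory, which is a qualitatively different secret from the leaf keys already listed there: whoever can read it can mint credentials that every component trusting `ca.crt` will accept. The controller manager added in this commit needs it for `--cluster-signing-key-file`, so the placement is deliberate, but that should be recorded next to the entry, e.g. `# CA private key: needed only by kube-controller-manager's CSR signer; 0600, control-plane VMs only`. If the key package allows it, signing kubelet/node CSRs with a dedicated intermediate would keep the root key on the build host; I cannot see how `k8s.ca` is produced from this diff, so treat that as a suggestion to check rather than a defect.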
@@ -66,7 +66,7 @@ in
 "--bind-address=0.0.0.0"
 "--client-ca-file=/.persist/keys/kube/ca.crt"
 "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
- "--etcd-cafile=/.persist/keys/kube/ca.pem"
+ "--etcd-cafile=/.persist/keys/kube/ca.crt"
 "--etcd-certfile=/.persist/keys/kube/kube-api-server.crt"
 "--etcd-keyfile=/.persist/keys/kube/kube-api-server.key"
 "--etcd-servers=${builtins.concatStringsSep "," config.me.kube_apiserver.etcd_services}"
diff --git a/nix/kubernetes/roles/kube_controller_manager/default.nix b/nix/kubernetes/roles/kube_controller_manager/default.nix
new file mode 100644
index 00000000..9b33b497
--- /dev/null
+++ b/nix/kubernetes/roles/kube_controller_manager/default.nix
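Review bot: After this fix `--etcd-cafile` points at the same `/.persist/keys/kube/ca.crt` that `--client-ca-file` uses two lines above, so the Kubernetes client CA and the etcd trust anchor are now a single CA. If etcd is run with client-cert-auth against that same CA (its unit is not in this diff), every certificate the new controller manager issues via `--cluster-signing-cert-file` — an approved kubelet CSR, for instance — would also be accepted by etcd, which stores every Secret in the cluster. Either give etcd its own CA or add a comment on the `--etcd-cafile` line stating that sharing the CA is intentional, e.g. `# NOTE: same CA as --client-ca-file; etcd trusts every cluster-signed cert`. The enclosing `ExecStart` argument list continues outside this hunk.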
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ # shellCommand = cmd: (lib.concatMapStringsSep " " lib.strings.escapeShellArg cmd);
+ shellCommand = cmd: (builtins.concatStringsSep " " cmd);
+in
+{
+ imports = [ ];
+
+ options.me = {
+ kube_controller_manager.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = "Whether we want to install kube_controller_manager.";
+ };
+ };
+
+ config = lib.mkIf config.me.kube_controller_manager.enable {
+ systemd.services.kube-controller-manager = {
+ enable = true;
+ description = "Kubernetes Controller Manager";
+ documentation = [ "https://github.com/kubernetes/kubernetes" ];
+ wantedBy = [ "kubernetes.target" ];
+ # path = with pkgs; [
+ # zfs
+ # ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = (
+ shellCommand [
+ # NEW:
+ "${pkgs.kubernetes}/bin/kube-controller-manager"
+ "--bind-address=0.0.0.0"
+ # "--cluster-cidr=10.200.0.0/16"
+ "--cluster-cidr=2620:11f:7001:7:ffff:ffff:0ac8:0000/16"
+ "--cluster-name=kubernetes"
+ "--cluster-signing-cert-file=/.persist/keys/kube/ca.crt"
+ "--cluster-signing-key-file=/.persist/keys/kube/ca.key"
+ "--kubeconfig=/.persist/keys/kube/kube-controller-manager.kubeconfig"
+ "--root-ca-file=/.persist/keys/kube/ca.crt"
+ "--service-account-private-key-file=/.persist/keys/kube/service-accounts.key"
+ "--service-cluster-ip-range=2620:11f:7001:7:ffff:ffff:0ac5:0000/16"
+ # "--service-cluster-ip-range=10.197.0.0/16"
+ "--use-service-account-credentials=true"
+ "--v=2"
+ ]
+ );
+ Restart = "on-failure";
+ RestartSec = 5;
+ };
+ };
+ };
+}
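Review bot: The `/16` on `--cluster-cidr=2620:11f:7001:7:ffff:ffff:0ac8:0000/16` and `--service-cluster-ip-range=2620:11f:7001:7:ffff:ffff:0ac5:0000/16` appears to have been copied verbatim from the commented-out IPv4 ranges: on an IPv6 address `/16` means all of `2620::/16`, while the 65,536 addresses of an IPv4 `/16` correspond to a `/112` here (the low 32 bits `0ac8:0000` and `0ac5:0000` are exactly `10.200.0.0` and `10.197.0.0`, which supports that reading). Kubernetes also rejects oversized IPv6 ranges — kube-apiserver caps the service range at `/108`, and the node IPAM allocator, if `--allocate-node-cidrs` is ever enabled, limits how much wider the cluster CIDR may be than the per-node mask — so both prefixes should be re-derived rather than left at `/16`. Separately, `serviceConfig` sets no `User=`, yet the deploy script installs the key material as uid 10024 with mode 0600, which suggests the service was meant to run as that user and currently runs as root; add `User = ...` for that uid or document that root is intended. `Type = "notify"` is also worth confirming: I could not verify that kube-controller-manager sends `READY=1` the way kube-apiserver does, and if it does not, the unit will sit in `activating` until systemd's start timeout kills and restarts it. Finally, `shellCommand` joins arguments with bare spaces (the `escapeShellArg` variant is commented out), which is fine for these literal flags but will break the first time an argument contains whitespace or a `%` specifier.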