diff --git a/roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml b/roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml
index b68a616..64c8e6a 100644
--- a/roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml
+++ b/roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml
@@ -16,7 +16,7 @@
 --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
 - name: 设置认证参数
- shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-controller-manager \
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials system:kube-controller-manager \
 --client-certificate={{ base_dir }}/.cluster/ssl/kube-controller-manager.pem \
 --client-key={{ base_dir }}/.cluster/ssl/kube-controller-manager-key.pem \
 --embed-certs=true \
@@ -25,7 +25,7 @@
 - name: 设置上下文参数
 shell: "{{ base_dir }}/bin/kubectl config set-context default \
 --cluster=kubernetes \
- --user=kube-controller-manager \
+ --user=system:kube-controller-manager \
 --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
 - name: 选择默认上下文
diff --git a/roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml b/roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml
index 56115dc..a3db92f 100644
--- a/roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml
+++ b/roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml
@@ -16,7 +16,7 @@
 --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
 - name: 设置认证参数
- shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-scheduler \
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials system:kube-scheduler \
 --client-certificate={{ base_dir }}/.cluster/ssl/kube-scheduler.pem \
 --client-key={{ base_dir }}/.cluster/ssl/kube-scheduler-key.pem \
 --embed-certs=true \
@@ -25,7 +25,7 @@
 - name: 设置上下文参数
 shell: "{{ base_dir }}/bin/kubectl config set-context default \
 --cluster=kubernetes \
- --user=kube-scheduler \
+ --user=system:kube-scheduler \
 --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
 - name: 选择默认上下文
diff --git a/roles/deploy/templates/kube-controller-manager-csr.json.j2 b/roles/deploy/templates/kube-controller-manager-csr.json.j2
index 86d6587..f656dd8 100644
--- a/roles/deploy/templates/kube-controller-manager-csr.json.j2
+++ b/roles/deploy/templates/kube-controller-manager-csr.json.j2
@@ -10,7 +10,7 @@
 "C": "CN",
 "ST": "HangZhou",
 "L": "XS",
- "O": "k8s",
+ "O": "system:kube-controller-manager",
 "OU": "System"
 }
 ]
diff --git a/roles/deploy/templates/kube-scheduler-csr.json.j2 b/roles/deploy/templates/kube-scheduler-csr.json.j2
index e341062..70b9048 100644
--- a/roles/deploy/templates/kube-scheduler-csr.json.j2
+++ b/roles/deploy/templates/kube-scheduler-csr.json.j2
@@ -10,7 +10,7 @@
 "C": "CN",
 "ST": "HangZhou",
 "L": "XS",
- "O": "k8s",
+ "O": "system:kube-scheduler",
 "OU": "System"
 }
 ]
diff --git a/roles/kube-master/templates/kube-apiserver.service.j2 b/roles/kube-master/templates/kube-apiserver.service.j2
index ca34e61..1df0dae 100644
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@@ -19,7 +19,6 @@ ExecStart={{ bin_dir }}/kube-apiserver \
 --etcd-certfile={{ ca_dir }}/kubernetes.pem \
 --etcd-keyfile={{ ca_dir }}/kubernetes-key.pem \
 --etcd-servers={{ ETCD_ENDPOINTS }} \
- --insecure-bind-address=127.0.0.1 \
 --kubelet-https=true \
 --kubelet-client-certificate={{ ca_dir }}/admin.pem \
 --kubelet-client-key={{ ca_dir }}/admin-key.pem \
diff --git a/roles/kube-master/templates/kube-controller-manager.service.j2 b/roles/kube-master/templates/kube-controller-manager.service.j2
index 5925d1e..c1283d6 100644
--- a/roles/kube-master/templates/kube-controller-manager.service.j2
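Review bot: The new `"O": "system:kube-controller-manager"` only sets the certificate's organisation, which Kubernetes maps to an RBAC group; the built-in `system:kube-controller-manager` ClusterRoleBinding this rename appears to be aiming at binds a User subject, i.e. the certificate's CN, and the `CN` field of this template is outside the hunk. Confirm it is `system:kube-controller-manager`, otherwise the controller manager will authenticate over the new kubeconfig but hold no permissions once it no longer uses the unauthenticated local port. The kube-scheduler CSR hunk below has the same dependency (`"O": "system:kube-scheduler"` versus the CN that the `system:kube-scheduler` binding expects). A template comment would make the intent explicit, e.g. `{# O is only the RBAC group; CN must be system:kube-controller-manager to match the default ClusterRoleBinding #}`.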
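Review bot: Removing `--insecure-bind-address=127.0.0.1` does not close the unauthenticated HTTP endpoint: kube-apiserver defaults that flag to 127.0.0.1 and `--insecure-port` to 8080, so the listener is still up unless `--insecure-port=0` is set somewhere in the ExecStart line outside this hunk. Since the controller-manager and scheduler units in this same commit move off `http://127.0.0.1:8080` to authenticated kubeconfigs, the remaining consumers of that port should be identified and, if none is left, the dropped line replaced by `--insecure-port=0 \`. Until then any local process on the master that can reach loopback has full, unauthenticated API access. The ExecStart argument list continues past both ends of the hunk.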
+++ b/roles/kube-master/templates/kube-controller-manager.service.j2
@@ -5,17 +5,18 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 [Service]
 ExecStart={{ bin_dir }}/kube-controller-manager \
 --address=127.0.0.1 \
- --master=http://127.0.0.1:8080 \
 --allocate-node-cidrs=true \
- --service-cluster-ip-range={{ SERVICE_CIDR }} \
 --cluster-cidr={{ CLUSTER_CIDR }} \
 --cluster-name=kubernetes \
 --cluster-signing-cert-file={{ ca_dir }}/ca.pem \
 --cluster-signing-key-file={{ ca_dir }}/ca-key.pem \
- --node-cidr-mask-size={{ NODE_CIDR_LEN }} \
- --service-account-private-key-file={{ ca_dir }}/ca-key.pem \
- --root-ca-file={{ ca_dir }}/ca.pem \
+ --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
 --leader-elect=true \
+ --node-cidr-mask-size={{ NODE_CIDR_LEN }} \
+ --root-ca-file={{ ca_dir }}/ca.pem \
+ --service-account-private-key-file={{ ca_dir }}/ca-key.pem \
+ --service-cluster-ip-range={{ SERVICE_CIDR }} \
+ --use-service-account-credentials=true \
 --v=2
 Restart=always
 RestartSec=5
diff --git a/roles/kube-master/templates/kube-scheduler.service.j2 b/roles/kube-master/templates/kube-scheduler.service.j2
index 0f2d3d3..77d80b4 100644
--- a/roles/kube-master/templates/kube-scheduler.service.j2
+++ b/roles/kube-master/templates/kube-scheduler.service.j2
@@ -5,7 +5,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 [Service]
 ExecStart={{ bin_dir }}/kube-scheduler \
 --address=127.0.0.1 \
- --master=http://127.0.0.1:8080 \
+ --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
 --leader-elect=true \
 --v=2
 Restart=always
diff --git a/roles/kube-node/tasks/create-kubelet-kubeconfig.yml b/roles/kube-node/tasks/create-kubelet-kubeconfig.yml
new file mode 100644
index 0000000..c66bf88
--- /dev/null
+++ b/roles/kube-node/tasks/create-kubelet-kubeconfig.yml
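Review bot: `--use-service-account-credentials=true` makes each controller run under its own per-controller service account, which only works if the identity presented through `/etc/kubernetes/kube-controller-manager.kubeconfig` holds the built-in `system:kube-controller-manager` ClusterRole (that role is what allows it to obtain those per-controller credentials); that identity comes from the certificate CN set in the CSR template, not from the kubeconfig user name, and nothing in this unit records that dependency. A comment line above `ExecStart=`, e.g. `# the kubeconfig client cert CN must be system:kube-controller-manager so the default RBAC binding applies`, would save the next maintainer a debugging round. Separately, `--service-account-private-key-file={{ ca_dir }}/ca-key.pem` reuses the cluster CA key to sign service-account tokens; a dedicated key pair limits what a leaked CA key or token-signing key exposes, although this is pre-existing rather than introduced here. The kubeconfig path is a literal `/etc/kubernetes/...` here, in the kube-scheduler unit hunk below and in the prepare role's copy tasks, while every other path goes through `{{ ca_dir }}` or `{{ bin_dir }}`; a shared variable would keep the three in sync.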
@@ -0,0 +1,34 @@
+- name: 准备kubelet 证书签名请求
+ template: src=kubelet-csr.json.j2 dest={{ ca_dir }}/kubelet-csr.json
+
+- name: 创建 kubelet 证书与私钥
+ shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
+ -ca={{ ca_dir }}/ca.pem \
+ -ca-key={{ ca_dir }}/ca-key.pem \
+ -config={{ ca_dir }}/ca-config.json \
+ -profile=kubernetes kubelet-csr.json | {{ bin_dir }}/cfssljson -bare kubelet"
+
+# 创建kubelet.kubeconfig
+- name: 设置集群参数
+ shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
+ --certificate-authority={{ ca_dir }}/ca.pem \
+ --embed-certs=true \
+ --server={{ KUBE_APISERVER }} \
+ --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+
+- name: 设置客户端认证参数
+ shell: "{{ bin_dir }}/kubectl config set-credentials system:node:{{ inventory_hostname }} \
+ --client-certificate={{ ca_dir }}/kubelet.pem \
+ --embed-certs=true \
+ --client-key={{ ca_dir }}/kubelet-key.pem \
+ --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+
+- name: 设置上下文参数
+ shell: "{{ bin_dir }}/kubectl config set-context default \
+ --cluster=kubernetes \
+ --user=system:node:{{ inventory_hostname }} \
+ --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+
+- name: 选择默认上下文
+ shell: "{{ bin_dir }}/kubectl config use-context default \
+ --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
diff --git a/roles/kube-node/tasks/main.yml b/roles/kube-node/tasks/main.yml
index 4705134..9356242 100644
--- a/roles/kube-node/tasks/main.yml
+++ b/roles/kube-node/tasks/main.yml
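Review bot: The kubelet certificate is issued on the node itself with `-ca-key={{ ca_dir }}/ca-key.pem`, which presumes the cluster CA private key has been distributed to every kube-node host; a compromised worker then holds the key that signs every client certificate in the cluster, not just its own. The controller-manager and scheduler kubeconfigs in this same commit are generated on the deploy host under `{{ base_dir }}/.cluster` and only the finished kubeconfig is copied out, and the kubelet one could follow that pattern (or kubelet TLS bootstrapping) so `ca-key.pem` never leaves the deploy host. As with the other kubeconfigs, `/etc/kubernetes/kubelet.kubeconfig` embeds the client key through `--embed-certs=true` and nothing here sets its file mode, so a trailing task such as `file: path=/etc/kubernetes/kubelet.kubeconfig mode=0600` would be worth adding. These tasks are moved from kube-node/tasks/main.yml rather than written new, so both points are pre-existing.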
@@ -27,41 +27,8 @@
 line: " server: {{ KUBE_APISERVER }}"
 ##----------kubelet 配置部分--------------
-
-- name: 准备kubelet 证书签名请求
- template: src=kubelet-csr.json.j2 dest={{ ca_dir }}/kubelet-csr.json
-
-- name: 创建 kubelet 证书与私钥
- shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
- -ca={{ ca_dir }}/ca.pem \
- -ca-key={{ ca_dir }}/ca-key.pem \
- -config={{ ca_dir }}/ca-config.json \
- -profile=kubernetes kubelet-csr.json | {{ bin_dir }}/cfssljson -bare kubelet"
-
-# 创建kubelet.kubeconfig
-- name: 设置集群参数
- shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
- --certificate-authority={{ ca_dir }}/ca.pem \
- --embed-certs=true \
- --server={{ KUBE_APISERVER }} \
- --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
-
-- name: 设置客户端认证参数
- shell: "{{ bin_dir }}/kubectl config set-credentials system:node:{{ inventory_hostname }} \
- --client-certificate={{ ca_dir }}/kubelet.pem \
- --embed-certs=true \
- --client-key={{ ca_dir }}/kubelet-key.pem \
- --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
-
-- name: 设置上下文参数
- shell: "{{ bin_dir }}/kubectl config set-context default \
- --cluster=kubernetes \
- --user=system:node:{{ inventory_hostname }} \
- --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
-
-- name: 选择默认上下文
- shell: "{{ bin_dir }}/kubectl config use-context default \
- --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+# 创建 kubelet 相关证书及 kubelet.kubeconfig
+- import_tasks: create-kubelet-kubeconfig.yml
 - name: 准备 cni配置文件
 template: src=cni-default.conf.j2 dest=/etc/cni/net.d/10-default.conf
diff --git a/roles/prepare/tasks/main.yml b/roles/prepare/tasks/main.yml
index 21a03eb..45f3aa3 100644
--- a/roles/prepare/tasks/main.yml
+++ b/roles/prepare/tasks/main.yml
@@ -58,4 +58,12 @@
 - name: 分发 kube-proxy.kubeconfig配置文件
 copy: src={{ base_dir }}/.cluster/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
+
+ - name: 分发 kube-controller-manager.kubeconfig配置文件
+ copy: src={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig dest=/etc/kubernetes/kube-controller-manager.kubeconfig
+ when: "inventory_hostname in groups['kube-master']"
+
+ - name: 分发 kube-scheduler.kubeconfig配置文件
+ copy: src={{ base_dir }}/.cluster/kube-scheduler.kubeconfig dest=/etc/kubernetes/kube-scheduler.kubeconfig
+ when: "inventory_hostname in groups['kube-master']"
 when: "inventory_hostname in groups['kube-master'] or inventory_hostname in groups['kube-node']"
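Review bot: Both new `copy:` tasks distribute kubeconfigs that carry an embedded client private key (the deploy role builds them with `--embed-certs=true`) but set no `mode`, so the destination file gets whatever the copy module applies by default — typically world-readable — and the controller-manager's and scheduler's credentials become readable by any local account on the master. Add `mode=0600` (plus `owner=root group=root` if that is what the units run as) to each line, e.g. `copy: src={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig dest=/etc/kubernetes/kube-controller-manager.kubeconfig mode=0600`; the existing kube-proxy copy in the context lines above has the same gap. If these tasks are ever converted from the `key=value` form to block YAML, keep the mode quoted (`mode: "0600"`) so it is not parsed as an octal integer.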