diff --git a/roles/containerd/templates/config.toml.j2 b/roles/containerd/templates/config.toml.j2
index 91c6fcf..5aeea32 100644
--- a/roles/containerd/templates/config.toml.j2
+++ b/roles/containerd/templates/config.toml.j2
@@ -1,108 +1,141 @@
-version = 2
+disabled_plugins = []
+imports = []
+oom_score = 0
+plugin_dir = ""
+required_plugins = []
root = "{{ CONTAINERD_STORAGE_DIR }}"
state = "/run/containerd"
-plugin_dir = ""
-disabled_plugins = []
-required_plugins = []
-oom_score = 0
+version = 2
+
+[cgroup]
+ path = ""
+
+[debug]
+ address = ""
+ format = ""
+ gid = 0
+ level = ""
+ uid = 0
[grpc]
address = "/run/containerd/containerd.sock"
+ gid = 0
+ max_recv_message_size = 16777216
+ max_send_message_size = 16777216
tcp_address = ""
tcp_tls_cert = ""
tcp_tls_key = ""
uid = 0
- gid = 0
- max_recv_message_size = 16777216
- max_send_message_size = 16777216
-
-[ttrpc]
- address = ""
- uid = 0
- gid = 0
-
-[debug]
- address = ""
- uid = 0
- gid = 0
- level = ""
[metrics]
address = ""
grpc_histogram = false
-[cgroup]
- path = ""
-
-[timeouts]
- "io.containerd.timeout.shim.cleanup" = "5s"
- "io.containerd.timeout.shim.load" = "5s"
- "io.containerd.timeout.shim.shutdown" = "3s"
- "io.containerd.timeout.task.state" = "2s"
-
[plugins]
+
[plugins."io.containerd.gc.v1.scheduler"]
- pause_threshold = 0.02
deletion_threshold = 0
mutation_threshold = 100
+ pause_threshold = 0.02
schedule_delay = "0s"
startup_delay = "100ms"
+
[plugins."io.containerd.grpc.v1.cri"]
+ disable_apparmor = false
+ disable_cgroup = false
+ disable_hugetlb_controller = true
+ disable_proc_mount = false
disable_tcp_service = true
+ enable_selinux = false
+ enable_tls_streaming = false
+ ignore_image_defined_volumes = false
+ max_concurrent_downloads = 3
+ max_container_log_line_size = 16384
+ netns_mounts_under_state_dir = false
+ restrict_oom_score_adj = false
+ sandbox_image = "{{ SANDBOX_IMAGE }}"
+ selinux_category_range = 1024
+ stats_collect_period = 10
+ stream_idle_timeout = "4h0m0s"
stream_server_address = "127.0.0.1"
stream_server_port = "0"
- stream_idle_timeout = "4h0m0s"
- enable_selinux = false
- selinux_category_range = 1024
- sandbox_image = "{{ SANDBOX_IMAGE }}"
- stats_collect_period = 10
systemd_cgroup = false
- enable_tls_streaming = false
- max_container_log_line_size = 16384
- disable_cgroup = false
- disable_apparmor = false
- restrict_oom_score_adj = false
- max_concurrent_downloads = 3
- disable_proc_mount = false
- unset_seccomp_profile = ""
tolerate_missing_hugetlb_controller = true
- disable_hugetlb_controller = true
- ignore_image_defined_volumes = false
- [plugins."io.containerd.grpc.v1.cri".containerd]
- snapshotter = "overlayfs"
- default_runtime_name = "runc"
- no_pivot = false
- disable_snapshot_annotations = true
- discard_unpacked_layers = false
- [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
- runtime_type = ""
- runtime_engine = ""
- runtime_root = ""
- privileged_without_host_devices = false
- base_runtime_spec = ""
- [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
- runtime_type = ""
- runtime_engine = ""
- runtime_root = ""
- privileged_without_host_devices = false
- base_runtime_spec = ""
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
- runtime_type = "io.containerd.runc.v2"
- runtime_engine = ""
- runtime_root = ""
- privileged_without_host_devices = false
- base_runtime_spec = ""
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
- SystemdCgroup = true
+ unset_seccomp_profile = ""
+
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "{{ bin_dir }}"
conf_dir = "/etc/cni/net.d"
- max_conf_num = 1
conf_template = "/etc/cni/net.d/10-default.conf"
-{% if ENABLE_MIRROR_REGISTRY %}
+ max_conf_num = 1
+
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ default_runtime_name = "runc"
+ disable_snapshot_annotations = true
+ discard_unpacked_layers = false
+ no_pivot = false
+ snapshotter = "overlayfs"
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
+ base_runtime_spec = ""
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
+ runtime_engine = ""
+ runtime_root = ""
+ runtime_type = ""
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ base_runtime_spec = ""
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
+ runtime_engine = ""
+ runtime_root = ""
+ runtime_type = "io.containerd.runc.v2"
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+ BinaryName = ""
+ CriuImagePath = ""
+ CriuPath = ""
+ CriuWorkPath = ""
+ IoGid = 0
+ IoUid = 0
+ NoNewKeyring = false
+ NoPivotRoot = false
+ Root = ""
+ ShimCgroup = ""
+ SystemdCgroup = true
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
+ base_runtime_spec = ""
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
+ runtime_engine = ""
+ runtime_root = ""
+ runtime_type = ""
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
+
+ [plugins."io.containerd.grpc.v1.cri".image_decryption]
+ key_model = "node"
+ [plugins."io.containerd.grpc.v1.cri".registry]
+ config_path = ""
+
+ [plugins."io.containerd.grpc.v1.cri".registry.auths]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.configs]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.headers]
+ [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+{% if ENABLE_MIRROR_REGISTRY %}
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://docker.mirrors.ustc.edu.cn", "http://hub-mirror.c.163.com"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
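Review bot: The new `[plugins."io.containerd.grpc.v1.cri".registry]` block is written with `config_path = ""` and an empty `[plugins."io.containerd.grpc.v1.cri".registry.configs]`, while the mirror list that follows it (when ENABLE_MIRROR_REGISTRY is set) still carries the plaintext endpoint `http://hub-mirror.c.163.com`, so pulls routed through that mirror have no transport integrity and tag-to-digest resolution is unauthenticated; switch that entry to an https endpoint or drop it rather than leaving the registry section empty around it. The template now appears to be a sorted `containerd config default` dump, which hides which values were chosen on purpose; a header comment such as `# Based on 'containerd config default'; deliberate non-defaults: disable_tcp_service, disable_hugetlb_controller, SystemdCgroup, key_model` would help the next editor. `key_model = "node"` also means the node will try to decrypt `+encrypted` layers with keys under the path the ocicrypt stream processors in the next hunk name, and nothing in this diff appears to provision that path, so confirm the role creates it or document that the setting is inert until keys are deployed.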
@@ -112,31 +145,82 @@ oom_score = 0
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
endpoint = ["https://quay.mirrors.ustc.edu.cn"]
{% endif %}
- [plugins."io.containerd.grpc.v1.cri".image_decryption]
- key_model = ""
+
[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
tls_cert_file = ""
tls_key_file = ""
+
[plugins."io.containerd.internal.v1.opt"]
path = "/opt/containerd"
+
[plugins."io.containerd.internal.v1.restart"]
interval = "10s"
+
[plugins."io.containerd.metadata.v1.bolt"]
content_sharing_policy = "shared"
+
[plugins."io.containerd.monitor.v1.cgroups"]
no_prometheus = false
+
[plugins."io.containerd.runtime.v1.linux"]
- shim = "containerd-shim"
+ no_shim = false
runtime = "runc"
runtime_root = ""
- no_shim = false
+ shim = "containerd-shim"
shim_debug = false
+
[plugins."io.containerd.runtime.v2.task"]
platforms = ["linux/amd64"]
+
[plugins."io.containerd.service.v1.diff-service"]
default = ["walking"]
- [plugins."io.containerd.snapshotter.v1.devmapper"]
+
+ [plugins."io.containerd.snapshotter.v1.aufs"]
root_path = ""
- pool_name = ""
- base_image_size = ""
+
+ [plugins."io.containerd.snapshotter.v1.btrfs"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.devmapper"]
async_remove = false
+ base_image_size = ""
+ pool_name = ""
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.native"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.overlayfs"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.zfs"]
+ root_path = ""
+
+[proxy_plugins]
+
+[stream_processors]
+
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
+ args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+ env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
+ path = "ctd-decoder"
+ returns = "application/vnd.oci.image.layer.v1.tar"
+
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
+ args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+ env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
+ path = "ctd-decoder"
+ returns = "application/vnd.oci.image.layer.v1.tar+gzip"
+
+[timeouts]
+ "io.containerd.timeout.shim.cleanup" = "5s"
+ "io.containerd.timeout.shim.load" = "5s"
+ "io.containerd.timeout.shim.shutdown" = "3s"
+ "io.containerd.timeout.task.state" = "2s"
+
+[ttrpc]
+ address = ""
+ gid = 0
+ uid = 0
diff --git a/roles/kube-master/tasks/main.yml b/roles/kube-master/tasks/main.yml
index 5b33bd7..ed31a30 100644
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
@@ -63,10 +63,6 @@
- "/etc/kubernetes/kube-controller-manager.kubeconfig"
- "/etc/kubernetes/kube-scheduler.kubeconfig"
 
-- name: 创建 kube-scheduler 配置文件
- template: src=kube-scheduler-config.yaml.j2 dest=/etc/kubernetes/kube-scheduler-config.yaml
- tags: restart_master, upgrade_k8s
-
- name: 创建 master 服务的 systemd unit 文件
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
with_items:
diff --git a/roles/kube-master/templates/kube-scheduler-config.yaml.j2 b/roles/kube-master/templates/kube-scheduler-config.yaml.j2
deleted file mode 100644
index 6bf850e..0000000
--- a/roles/kube-master/templates/kube-scheduler-config.yaml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: kubescheduler.config.k8s.io/v1beta1
-kind: KubeSchedulerConfiguration
-clientConnection:
- kubeconfig: "/etc/kubernetes/kube-scheduler.kubeconfig"
-healthzBindAddress: 0.0.0.0:10251
-leaderElection:
- leaderElect: true
-metricsBindAddress: 0.0.0.0:10251
diff --git a/roles/kube-master/templates/kube-scheduler.service.j2 b/roles/kube-master/templates/kube-scheduler.service.j2
index d058241..001bfbc 100644
--- a/roles/kube-master/templates/kube-scheduler.service.j2
+++ b/roles/kube-master/templates/kube-scheduler.service.j2
@@ -4,7 +4,11 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 
[Service]
ExecStart={{ bin_dir }}/kube-scheduler \
- --config=/etc/kubernetes/kube-scheduler-config.yaml \
+ --authentication-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
+ --authorization-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
+ --bind-address=0.0.0.0 \
+ --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
+ --leader-elect=true \
--v=2
Restart=always
RestartSec=5
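Review bot: The two new `[stream_processors.*]` entries point `ctd-decoder` at `/etc/containerd/ocicrypt/keys` and `/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf`, but nothing in this diff creates either path or constrains its permissions; since that directory is where private layer-decryption keys would live, the role should create it root-owned with a restrictive mode or state that these entries are inert defaults until keys are deployed. A comment above `[stream_processors]` such as `# ocicrypt decoders: only consulted for +encrypted layers; key dir expected root-owned and not group/world readable` would make that expectation visible to whoever later drops keys there. The `[plugins."io.containerd.grpc.v1.cri".image_decryption]` table that enables this lives in the previous hunk, so a reader of this hunk alone cannot see why the decoders are configured; the comment should name it.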
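Review bot: `--bind-address=0.0.0.0` makes the scheduler's authenticated HTTPS endpoint listen on every interface of the master; unless metrics are scraped from another host, binding to `127.0.0.1` or the node's own address narrows exposure, and if the kube-scheduler release this role installs still defaults the deprecated insecure `--port` to a non-zero value, adding `--port=0` removes the remaining unauthenticated HTTP listener (confirm against the deployed version). The commit also drops the task that templated `/etc/kubernetes/kube-scheduler-config.yaml` (main.yml hunk) but nothing removes that file from nodes upgraded in place, so a `file: path=/etc/kubernetes/kube-scheduler-config.yaml state=absent` task would stop such hosts from drifting. A comment above `ExecStart` noting that `--authentication-kubeconfig` and `--authorization-kubeconfig` delegate request authn/authz to the API server using the scheduler's own identity would help readers who expect the old config file.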