diff --git a/kubernetes/Bug_Control.md b/kubernetes/Bug_Control.md
new file mode 100644
index 0000000..5a1cb75
--- /dev/null
+++ b/kubernetes/Bug_Control.md
@@ -0,0 +1,50 @@
+# Error Control Vagrant Kubernetes
+While using `vagrant / vagrantfile` you can encounter of some errors, try to add few errors which faced during development of `kubernetes vagrant` file with solutions which worked whenever faced issues.
+
+### SSH connection get timeout or say ssh connection got reset, something like below error
+
+```bash
+SSH connection was reset! This usually happens when the machine is
+taking too long to reboot. First, try reloading your machine with
+`vagrant reload`, since a simple restart sometimes fixes things.
+If that doesn't work, destroy your machine and recreate it with
+a `vagrant destroy` followed by a `vagrant up`. If that doesn't work,
+contact support.
+```
+
+> Then can try to add below config to your vagrantfile
+```bash
+    config.vm.boot_timeout = 600
+```
+
+> if still not solved then best can try
+```bash
+$ rm -rf .vagrant
+```
+
+### While creating VM, vagrant failed to rename vm because of unclear vms
+```bash
+The name of your virtual machine couldn't be set because VirtualBox
+is reporting another VM with that name already exists. Most of the
+time, this is because of an error with VirtualBox not cleaning up
+properly. To fix this, verify that no VMs with that name do exist
+(by opening the VirtualBox GUI). If they don't, then look at the
+folder in the error message from VirtualBox below and remove it
+if there isn't any information you need in there.
+
+VirtualBox error:
+
+VBoxManage: error: Could not rename the directory '/Users/XXXXXXX/VirtualBox VMs/ubuntu-18.04-amd64_1619926105557_22107' to '/Users/XXXXXXX/VirtualBox VMs/load-balancer' to save the settings file (VERR_ALREADY_EXISTS)
+VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component SessionMachine, interface IMachine, callee nsISupports
+VBoxManage: error: Context: "SaveSettings()" at line 3249 of file VBoxManageModifyVM.cpp
+```
+
+> Simple can run command with path from error
+```bash
+$ rm -rf /Users/XXXXXXX/VirtualBox VMs/load-balancer
+```
+
+> Better to comment below line from your vagrantfile
+```bash
+    config.ssh.keep_alive = true
+```
\ No newline at end of file
diff --git a/kubernetes/ha/Vagrantfile b/kubernetes/ha/Vagrantfile
new file mode 100644
index 0000000..053a640
--- /dev/null
+++ b/kubernetes/ha/Vagrantfile
@@ -0,0 +1,48 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+require 'yaml'
+require 'open3'
+
+k8s = YAML.load_file(File.join(File.dirname(__FILE__), 'config.yaml'))
+ENV["LC_ALL"] = "en_US.UTF-8"
+
+msg = <<MSG
+------------------------------------------------------
+Kubernetes up and running ✌	☺ ✌ 
+
+URLS:
+ - Kubernetes control plane is running at https://192.160.0.10:6443
+ - CoreDNS is running at https://192.160.0.10:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
+
+------------------------------------------------------
+MSG
+
+Vagrant.configure(k8s['api_version']) do |config|
+	config.vm.boot_timeout = 600
+	# config.ssh.keep_alive = true
+	
+	# Load Balancer vm
+	if File.exist?('lib/ha.rb')
+		eval(IO.read('lib/ha.rb'), binding)
+	end
+
+	# Kubernetes Controller cluster
+	(1..k8s['resources']['master']['count']).each do |i|
+		if File.exist?('lib/master.rb')
+			eval(IO.read('lib/master.rb'), binding)
+		end
+	end
+
+	# Kubernetes Worker cluster
+	(1..k8s['resources']['node']['count']).each do |i|
+		if File.exist?('lib/node.rb')
+			eval(IO.read('lib/node.rb'), binding)
+		end
+	end
+
+	# Exchange ssh keys to access each other, expect HA can access each of vm but not other vm cannot to access HA directly.
+    if File.exist?('lib/trigger.rb')
+        eval(IO.read('lib/trigger.rb'), binding)
+    end
+end
diff --git a/kubernetes/ha/config.yaml b/kubernetes/ha/config.yaml
new file mode 100644
index 0000000..d6ab347
--- /dev/null
+++ b/kubernetes/ha/config.yaml
@@ -0,0 +1,29 @@
+---
+api_version: "2"
+image: "bento/ubuntu-18.04"
+ip_part: "10.240.0"
+user: "vagrant"
+
+cluster:
+    master: "controller"
+    node: "worker"
+    ha: "load-balancer"
+
+resources:
+    master:
+        cpus: 1
+        memory: 1024
+        count: 3
+        ip_prefix: 10
+    node:
+        cpus: 2
+        memory: 2048
+        count: 2
+        ip_prefix: 20
+    ha:
+        cpus: 1
+        memory: 1024
+        ip_prefix: 10
+
+net:
+    network_type: private_network
diff --git a/kubernetes/ha/lib/ha.rb b/kubernetes/ha/lib/ha.rb
new file mode 100644
index 0000000..049d812
--- /dev/null
+++ b/kubernetes/ha/lib/ha.rb
@@ -0,0 +1,53 @@
+config.vm.define "#{k8s['cluster']['ha']}" do |subconfig|
+    subconfig.vm.post_up_message = $msg
+    subconfig.vm.box = k8s['image']
+    subconfig.vm.box_check_update = false
+
+    subconfig.vm.hostname = "#{k8s['cluster']['ha']}"
+    subconfig.vm.network :private_network, ip: "#{k8s['ip_part']}.10"
+
+    # Hostfile :: Master node
+    subconfig.vm.provision "Load Balancer hostfile update", type: "shell" do |lb|
+        lb.inline = <<-SHELL
+            echo -e "127.0.0.1\t$2" | tee -a /etc/hosts; echo -e "$1\t$2" | tee -a /etc/hosts
+        SHELL
+        lb.args = ["#{k8s['ip_part']}.10", "#{k8s['cluster']['ha']}"]
+    end
+    subconfig.vm.provision "Master and Worker node hostfile update", type: "shell" do |cluster|
+        cluster.inline = <<-SHELL
+            # master
+            for i in $(eval echo {1..#{k8s['resources']['master']['count']}}); do
+                echo -e "${1}.$((10 + $i))\t#{k8s['cluster']['master']}-${i}" | tee -a /etc/hosts
+            done
+            # worker
+            for i in $(eval echo {1..#{k8s['resources']['node']['count']}}); do
+                echo -e "${1}.$((20 + $i))\t#{k8s['cluster']['node']}-${i}" | tee -a /etc/hosts
+            done
+        SHELL
+        cluster.args = ["#{k8s['ip_part']}"]
+    end
+
+    subconfig.vm.provider "virtualbox" do |vb|
+        vb.memory = k8s['resources']['ha']['memory']
+        vb.cpus = k8s['resources']['ha']['cpus']
+        vb.name = "#{k8s['cluster']['ha']}"
+        vb.gui = false
+    end
+
+    subconfig.vm.provision "#{k8s['cluster']['ha']}-setup", type: "shell" do |lb|
+        lb.path = "script/bootstrap_ha.sh"
+        lb.args   = ["#{k8s['user']}", "#{k8s['ip_part']}", "#{k8s['cluster']['master']}", "#{k8s['resources']['master']['count']}"]
+    end
+
+    subconfig.vm.provision "certificates provisioning", type: "shell" do |lb_cert|
+        lb_cert.path = "script/provisioning.sh"
+        lb_cert.args   = ["#{k8s['ip_part']}", "#{k8s['resources']['master']['ip_prefix']}", "#{k8s['resources']['node']['ip_prefix']}", "#{k8s['resources']['ha']['ip_prefix']}", "#{k8s['cluster']['master']}", "#{k8s['cluster']['node']}", "#{k8s['resources']['master']['count']}", "#{k8s['resources']['node']['count']}"]
+    end
+
+    subconfig.vm.provision "Generating Kubernetes Configuration", type: "shell" do |lb_config|
+        lb_config.path = "script/kube_config.sh"
+        lb_config.args   = ["#{k8s['ip_part']}", "#{k8s['resources']['master']['ip_prefix']}", "#{k8s['resources']['node']['ip_prefix']}", "#{k8s['resources']['ha']['ip_prefix']}", "#{k8s['cluster']['master']}", "#{k8s['cluster']['node']}", "#{k8s['resources']['master']['count']}", "#{k8s['resources']['node']['count']}"]
+    end
+
+    subconfig.vm.provision "Reboot to load all config", type:"shell", inline: "shutdown -r now"
+end
diff --git a/kubernetes/ha/lib/master.rb b/kubernetes/ha/lib/master.rb
new file mode 100644
index 0000000..5fb1261
--- /dev/null
+++ b/kubernetes/ha/lib/master.rb
@@ -0,0 +1,49 @@
+config.vm.define "#{k8s['cluster']['master']}-#{i}" do |subconfig|
+    # subconfig.vm.post_up_message = $msg
+    subconfig.vm.box = k8s['image']
+    subconfig.vm.box_check_update = false
+
+    subconfig.vm.hostname = "#{k8s['cluster']['master']}-#{i}"
+    subconfig.vm.network :private_network, ip: "#{k8s['ip_part']}.#{i + k8s['resources']['master']['ip_prefix']}"
+
+    # Hostfile :: Master node
+    subconfig.vm.provision "Load Balancer hostfile update", type: "shell" do |lb|
+        lb.inline = <<-SHELL
+            echo -e "127.0.0.1\t$1" | tee -a /etc/hosts; echo -e "$2\t$3" | tee -a /etc/hosts
+        SHELL
+        lb.args = ["#{k8s['cluster']['master']}-#{i}", "#{k8s['ip_part']}.#{k8s['resources']['ha']['ip_prefix']}", "#{k8s['cluster']['ha']}"]
+    end
+    subconfig.vm.provision "Master and Worker node hostfile update", type: "shell" do |cluster|
+        cluster.inline = <<-SHELL
+            # master
+            for i in $(eval echo {1..#{k8s['resources']['master']['count']}}); do
+                echo -e "${1}.$((#{k8s['resources']['master']['ip_prefix']} + $i))\t#{k8s['cluster']['master']}-${i}" | tee -a /etc/hosts
+            done
+
+            # worker
+            for i in $(eval echo {1..#{k8s['resources']['node']['count']}}); do
+                echo -e "${1}.$((#{k8s['resources']['node']['ip_prefix']} + $i))\t#{k8s['cluster']['node']}-${i}" | tee -a /etc/hosts
+            done
+        SHELL
+        cluster.args = ["#{k8s['ip_part']}"]
+    end
+
+    subconfig.vm.provider "virtualbox" do |vb|
+        vb.name = "#{k8s['cluster']['master']}-#{i}"
+        vb.memory = k8s['resources']['master']['memory']
+        vb.cpus = k8s['resources']['master']['cpus']
+        vb.gui = false
+    end
+
+    subconfig.vm.provision "vm-setup", type: "shell" do |vms|
+        vms.path = "script/bootstrap.sh"
+        vms.args   = ["#{k8s['user']}"]
+    end
+
+    subconfig.vm.provision "#{k8s['cluster']['master']}-#{i}-setup", type: "shell" do |mns|
+        mns.path = "script/bootstrap_master.sh"
+        mns.args   = ["#{k8s['ip_part']}", "#{k8s['resources']['master']['ip_prefix']}", "#{i}", "#{k8s['cluster']['master']}", "#{k8s['resources']['master']['count']}"]
+    end
+
+    subconfig.vm.provision "Reboot to load all config", type:"shell", inline: "shutdown -r now"
+end
diff --git a/kubernetes/ha/lib/node.rb b/kubernetes/ha/lib/node.rb
new file mode 100644
index 0000000..9890084
--- /dev/null
+++ b/kubernetes/ha/lib/node.rb
@@ -0,0 +1,46 @@
+config.vm.define "#{k8s['cluster']['node']}-#{i}" do |subconfig|
+    subconfig.vm.box = k8s['image']
+
+    subconfig.vm.hostname = "#{k8s['cluster']['node']}-#{i}"
+    subconfig.vm.network :private_network, ip: "#{k8s['ip_part']}.#{i + k8s['resources']['node']['ip_prefix']}"
+
+    # Hostfile :: Master node
+    subconfig.vm.provision "Load Balancer hostfile update", type: "shell" do |lb|
+        lb.inline = <<-SHELL
+            echo -e "127.0.0.1\t$1" | tee -a /etc/hosts; echo -e "$2\t$3" | tee -a /etc/hosts
+        SHELL
+        lb.args = ["#{k8s['cluster']['node']}", "#{k8s['ip_part']}.#{k8s['resources']['ha']['ip_prefix']}", "#{k8s['cluster']['ha']}"]
+    end
+    subconfig.vm.provision "Master and Worker node hostfile update", type: "shell" do |cluster|
+        cluster.inline = <<-SHELL
+            # master
+            for i in $(eval echo {1..#{k8s['resources']['master']['count']}}); do
+                echo -e "${1}.$((#{k8s['resources']['master']['ip_prefix']} + $i))\t#{k8s['cluster']['master']}-${i}" | tee -a /etc/hosts
+            done
+
+            # worker
+            for i in $(eval echo {1..#{k8s['resources']['node']['count']}}); do
+                echo -e "${1}.$((#{k8s['resources']['node']['ip_prefix']} + $i))\t#{k8s['cluster']['node']}-${i}" | tee -a /etc/hosts
+            done
+        SHELL
+        cluster.args = ["#{k8s['ip_part']}"]
+    end
+
+    subconfig.vm.provider "virtualbox" do |vb|
+        vb.memory = k8s['resources']['node']['memory']
+        vb.cpus = k8s['resources']['node']['cpus']
+        vb.name = "#{k8s['cluster']['node']}-#{i}"
+        vb.gui = false
+    end
+
+    subconfig.vm.provision "vm-setup", type: "shell" do |vms|
+        vms.path = "script/bootstrap.sh"
+        vms.args   = ["#{k8s['user']}"]
+    end
+
+    subconfig.vm.provision "kube-setup", type: "shell" do |ks|
+        ks.path = "script/bootstrap_node.sh"
+    end
+
+    subconfig.vm.provision "Reboot to load all config", type:"shell", inline: "shutdown -r now"
+end
\ No newline at end of file
diff --git a/kubernetes/ha/lib/trigger.rb b/kubernetes/ha/lib/trigger.rb
new file mode 100644
index 0000000..136bc0d
--- /dev/null
+++ b/kubernetes/ha/lib/trigger.rb
@@ -0,0 +1,60 @@
+config.trigger.after :up do |trigger|
+    trigger.only_on = "#{k8s['cluster']['node']}-#{k8s['resources']['node']['count']}"
+    trigger.info = msg
+
+    trigger.ruby do |env,machine|
+        lbpub, stdeerr, status = Open3.capture3("vagrant ssh --no-tty -c 'cat /home/" + k8s['user'] + "/.ssh/id_rsa.pub' " + k8s['cluster']['ha'])
+
+        1.step(k8s['resources']['master']['count']) do |m|
+            mpub, stdeerr, status = Open3.capture3("vagrant ssh --no-tty -c 'cat /home/" + k8s['user'] + "/.ssh/id_rsa.pub' " + k8s['cluster']['master'] + "-#{m}")
+            system("vagrant ssh --no-tty -c 'echo \"#{lbpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['master'] + "-#{m}")
+            system("vagrant ssh --no-tty -c 'echo \"#{mpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['ha'])
+
+            1.step(k8s['resources']['master']['count']) do |n|
+                next if m == n
+                system("vagrant ssh --no-tty -c 'echo \"#{mpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['master'] + "-#{n}")
+            end
+
+            1.step(k8s['resources']['node']['count']) do |e|
+                system("vagrant ssh --no-tty -c 'echo \"#{mpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['node'] + "-#{e}")
+            end
+
+            # Push all required configs/certificates to master node
+            system("vagrant ssh --no-tty -c 'scp -o StrictHostKeyChecking=no /opt/certificates/{encryption-config.yaml,kube-controller-manager.kubeconfig,kube-scheduler.kubeconfig,admin.kubeconfig,ca.pem,ca-key.pem,kubernetes-key.pem,kubernetes.pem,service-account-key.pem,service-account.pem} " + k8s['cluster']['master'] + "-#{m}" + ":~/certificates/' " + k8s['cluster']['ha'])
+            # Start etcd on all controller
+            system("vagrant ssh --no-tty -c 'sudo cp /home/vagrant/certificates/{ca.pem,kubernetes-key.pem,kubernetes.pem} /etc/etcd/; sudo cp /home/vagrant/certificates/{ca.pem,ca-key.pem,kubernetes-key.pem,kubernetes.pem,service-account-key.pem,service-account.pem,encryption-config.yaml} /var/lib/kubernetes/; sudo cp /home/vagrant/certificates/{kube-controller-manager.kubeconfig,kube-scheduler.kubeconfig} /var/lib/kubernetes/; sudo systemctl enable --now etcd; sudo systemctl enable --now kube-apiserver; sudo systemctl enable --now kube-controller-manager; sudo systemctl enable --now kube-scheduler; sudo systemctl enable --now nginx; mkdir -p /home/" + k8s['user'] + "/.kube; cp -i /home/" + k8s['user'] + "/certificates/admin.kubeconfig /home/" + k8s['user'] + "/.kube/config' " + k8s['cluster']['master'] + "-#{m}")
+        end
+
+        1.step(k8s['resources']['node']['count']) do |m|
+            wpub, stdeerr, status = Open3.capture3("vagrant ssh --no-tty -c 'cat /home/" + k8s['user'] + "/.ssh/id_rsa.pub' " + k8s['cluster']['node'] + "-#{m}")
+            system("vagrant ssh --no-tty -c 'echo \"#{lbpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['node'] + "-#{m}")
+            system("vagrant ssh --no-tty -c 'echo \"#{wpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['ha'])
+
+            1.step(k8s['resources']['node']['count']) do |n|
+                next if m == n
+                system("vagrant ssh --no-tty -c 'echo \"#{wpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['node'] + "-#{n}")
+            end
+
+            1.step(k8s['resources']['master']['count']) do |e|
+                system("vagrant ssh --no-tty -c 'echo \"#{wpub}\" >> /home/" + k8s['user'] + "/.ssh/authorized_keys' " + k8s['cluster']['master'] + "-#{e}")
+            end
+
+            # Push all required configs/certificates to worker node
+            system("vagrant ssh --no-tty -c 'scp -o StrictHostKeyChecking=no /opt/certificates/{" + k8s['cluster']['node'] + "-#{m}.kubeconfig" + ",kube-proxy.kubeconfig,ca.pem,admin.kubeconfig," + k8s['cluster']['node'] + "-#{m}.pem," + k8s['cluster']['node'] + "-#{m}-key.pem} " + k8s['cluster']['node'] + "-#{m}" + ":~/certificates/' " + k8s['cluster']['ha'])
+            # Bootstrapping the Kubernetes Worker Nodes
+            system("vagrant ssh --no-tty -c 'sudo cp /home/vagrant/certificates/{" + k8s['cluster']['node'] + "-#{m}-key.pem," + k8s['cluster']['node'] + "-#{m}.pem} /var/lib/kubelet/; sudo cp /home/vagrant/certificates/" + k8s['cluster']['node'] + "-#{m}.kubeconfig /var/lib/kubelet/kubeconfig; sudo cp /home/vagrant/certificates/ca.pem /var/lib/kubernetes/; sudo cp /home/vagrant/certificates/kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig; sudo systemctl enable --now kubelet; sudo systemctl enable --now kube-proxy; sudo systemctl enable --now containerd; mkdir -p /home/" + k8s['user'] + "/.kube; cp -i /home/" + k8s['user'] + "/certificates/admin.kubeconfig /home/" + k8s['user'] + "/.kube/config' " + k8s['cluster']['node'] + "-#{m}")
+        end
+
+        system("vagrant ssh --no-tty -c 'kubectl apply --kubeconfig /home/vagrant/certificates/admin.kubeconfig -f /home/vagrant/certificates/cluster_role.yaml; kubectl apply --kubeconfig /home/vagrant/certificates/admin.kubeconfig -f /home/vagrant/certificates/cluster_role_binding.yaml' " + k8s['cluster']['master'] + "-1")
+        
+        # Configuring kubectl for Remote Access
+        system("mkdir -p ${HOME}/.kube")
+        system("vagrant ssh --no-tty -c 'cat /opt/certificates/ca.pem' " + k8s['cluster']['ha'] + " > ${HOME}/.kube/ca.pem")
+        system("vagrant ssh --no-tty -c 'cat /opt/certificates/admin.pem' " + k8s['cluster']['ha'] + " > ${HOME}/.kube/admin.pem")
+        system("vagrant ssh --no-tty -c 'cat /opt/certificates/admin-key.pem' " + k8s['cluster']['ha'] + " > ${HOME}/.kube/admin-key.pem")
+        system("kubectl config set-cluster kubernetes-the-hard-way --certificate-authority=${HOME}/.kube/ca.pem --embed-certs=true --server=https://#{k8s['ip_part']}.#{k8s['resources']['ha']['ip_prefix']}:6443 && kubectl config set-credentials admin --client-certificate=${HOME}/.kube/admin.pem --client-key=${HOME}/.kube/admin-key.pem && kubectl config set-context kubernetes-the-hard-way --cluster=kubernetes-the-hard-way --user=admin && kubectl config use-context kubernetes-the-hard-way")
+
+        # Deploying the DNS Cluster Add-on
+        system("kubectl apply -f https://storage.googleapis.com/kubernetes-the-hard-way/coredns-1.8.yaml")
+    end
+end
diff --git a/kubernetes/ha/script/bootstrap.sh b/kubernetes/ha/script/bootstrap.sh
new file mode 100644
index 0000000..605cb70
--- /dev/null
+++ b/kubernetes/ha/script/bootstrap.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+cat <<EOF | tee /etc/modules-load.d/k8s.conf
+br_netfilter
+EOF
+
+cat <<EOF > /etc/sysctl.d/k8s.conf
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
+net.ipv4.ip_forward = 1
+EOF
+sysctl --system
+
+# Disable all memory swaps to increase performance.
+sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
+swapoff -a
+
+# disable man-db installation
+{
+apt-get remove man-db --purge -y
+sudo rm -rf /usr/share/locale/
+sudo rm -rf /usr/share/man/
+sudo rm -rf /usr/share/doc/
+
+cat > /etc/dpkg/dpkg.cfg.d/01_nodoc <<EOF
+# Delete locales
+path-exclude=/usr/share/locale/*
+
+# Delete man pages
+path-exclude=/usr/share/man/*
+
+# Delete docs
+path-exclude=/usr/share/doc/*
+path-include=/usr/share/doc/*/copyright
+EOF
+}
+
+apt-get update
+apt-get install -y apt-transport-https ca-certificates curl wget zip unzip vim git gnupg lsb-release software-properties-common telnet
+curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
+
+# Enable transparent masquerading and facilitate Virtual Extensible LAN (VxLAN) traffic for communication between Kubernetes pods across the cluster.
+modprobe overlay
+modprobe br_netfilter
+
+echo "ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa <<<y" | su - ${1}
+sed -i '/net.ipv4.ip_forward/s/^#//g' /etc/sysctl.conf
+sed -i '/net.ipv6.conf.all.forwarding/s/^#//g' /etc/sysctl.conf
+sed -i "s/DEFAULT_FORWARD_POLICY=\"DROP\"/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g" /etc/default/ufw
+sed -i '/net\/ipv4\/ip_forward/s/^#//g' /etc/ufw/sysctl.conf
+sed -i '/net\/ipv4\/conf\/all\/forwarding/s/^#//g' /etc/ufw/sysctl.conf
+sed -i '/net\/ipv6\/conf\/default\/forwarding/s/^#//g' /etc/ufw/sysctl.conf
+mkdir -p /home/vagrant/certificates && chown vagrant:vagrant -R $_
+
+ufw enable <<<y
+ufw allow 22
+
+# The SSH connection was unexpectedly closed by the remote end
+echo -e "ClientAliveInterval 600\nTCPKeepAlive yes\nClientAliveCountMax 10" >> /etc/ssh/sshd_config
diff --git a/kubernetes/ha/script/bootstrap_ha.sh b/kubernetes/ha/script/bootstrap_ha.sh
new file mode 100644
index 0000000..55ce2f6
--- /dev/null
+++ b/kubernetes/ha/script/bootstrap_ha.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+# disable man-db installation
+{
+apt-get remove man-db --purge -y
+sudo rm -rf /usr/share/locale/
+sudo rm -rf /usr/share/man/
+sudo rm -rf /usr/share/doc/
+
+cat > /etc/dpkg/dpkg.cfg.d/01_nodoc <<EOF
+# Delete locales
+path-exclude=/usr/share/locale/*
+
+# Delete man pages
+path-exclude=/usr/share/man/*
+
+# Delete docs
+path-exclude=/usr/share/doc/*
+path-include=/usr/share/doc/*/copyright
+EOF
+}
+
+apt-get update
+add-apt-repository ppa:vbernat/haproxy-1.8 --yes
+apt-get update
+apt-get install -qq -y haproxy curl wget zip unzip telnet
+
+sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
+swapoff -a
+
+tee -a /etc/haproxy/haproxy.cfg << END
+        frontend kubernetes
+        bind *:6443
+        option tcplog
+        mode tcp
+        default_backend kubernetes-master-nodes
+backend kubernetes-master-nodes
+        mode tcp
+        balance roundrobin
+        option tcp-check
+$(for i in $(eval echo {1..$4}); do
+	echo "        server $3-$i $2.$((10 + $i)):6443 check fall 3 rise 2"
+done)
+END
+
+modprobe overlay
+modprobe br_netfilter
+
+echo "ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa <<<y" | su - ${1}
+sed -i '/net.ipv4.ip_forward/s/^#//g' /etc/sysctl.conf
+sed -i '/net.ipv6.conf.all.forwarding/s/^#//g' /etc/sysctl.conf
+sed -i "s/DEFAULT_FORWARD_POLICY=\"DROP\"/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g" /etc/default/ufw
+sed -i '/net\/ipv4\/ip_forward/s/^#//g' /etc/ufw/sysctl.conf
+sed -i '/net\/ipv4\/conf\/all\/forwarding/s/^#//g' /etc/ufw/sysctl.conf
+sed -i '/net\/ipv6\/conf\/default\/forwarding/s/^#//g' /etc/ufw/sysctl.conf
+
+ufw enable <<<y
+sudo ufw allow 2380/tcp
+ufw allow 443/tcp
+ufw allow 6443/tcp
+ufw allow 22
+
+# The SSH connection was unexpectedly closed by the remote end
+echo -e "ClientAliveInterval 600\nTCPKeepAlive yes\nClientAliveCountMax 10" >> /etc/ssh/sshd_config
diff --git a/kubernetes/ha/script/bootstrap_master.sh b/kubernetes/ha/script/bootstrap_master.sh
new file mode 100644
index 0000000..079cf42
--- /dev/null
+++ b/kubernetes/ha/script/bootstrap_master.sh
@@ -0,0 +1,249 @@
+#!/usr/bin/env bash
+
+apt-get update
+apt-get install -y nginx
+
+cat > kubernetes.default.svc.cluster.local <<EOF
+server {
+  listen      80;
+  server_name kubernetes.default.svc.cluster.local;
+
+  location /healthz {
+     proxy_pass                    https://127.0.0.1:6443/healthz;
+     proxy_ssl_trusted_certificate /var/lib/kubernetes/ca.pem;
+  }
+}
+EOF
+
+ufw allow 179/tcp
+ufw allow 4789/tcp
+ufw allow 5473/tcp
+ufw allow 443/tcp
+ufw allow 6443/tcp
+ufw allow 2379/tcp
+ufw allow 4149/tcp
+ufw allow 10250/tcp
+ufw allow 10255/tcp
+ufw allow 10256/tcp
+ufw allow 9099/tcp
+ufw allow 10251/tcp
+ufw allow 10252/tcp
+ufw allow 8080/tcp
+ufw allow 2379:2380/tcp
+sudo ufw allow 2380/tcp
+sudo ufw reload
+
+# Bootstrapping the etcd Cluster
+{
+    wget -q --https-only "https://github.com/etcd-io/etcd/releases/download/v3.4.10/etcd-v3.4.10-linux-amd64.tar.gz"
+    tar -xvf etcd-v3.4.10-linux-amd64.tar.gz
+    mv etcd-v3.4.10-linux-amd64/etcd* /usr/local/bin/
+
+    mkdir -p /etc/etcd /var/lib/etcd
+    chmod 700 /var/lib/etcd
+}
+
+INTERNAL_IP="${1}.$(($2 + $3))"
+ETCD_NAME="${4}-${3}"
+INSTANCE=""
+
+for i in $(eval echo {1..$5}); do
+	INSTANCE="${INSTANCE}$4-$i=https://$1.$(($2 + $i)):2380,"
+done
+
+cat <<EOF | tee /etc/systemd/system/etcd.service
+[Unit]
+Description=etcd
+Documentation=https://github.com/coreos
+
+[Service]
+Type=notify
+ExecStart=/usr/local/bin/etcd \\
+  --name ${ETCD_NAME} \\
+  --cert-file=/etc/etcd/kubernetes.pem \\
+  --key-file=/etc/etcd/kubernetes-key.pem \\
+  --peer-cert-file=/etc/etcd/kubernetes.pem \\
+  --peer-key-file=/etc/etcd/kubernetes-key.pem \\
+  --trusted-ca-file=/etc/etcd/ca.pem \\
+  --peer-trusted-ca-file=/etc/etcd/ca.pem \\
+  --peer-client-cert-auth \\
+  --client-cert-auth \\
+  --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\
+  --listen-peer-urls https://${INTERNAL_IP}:2380 \\
+  --listen-client-urls https://${INTERNAL_IP}:2379,https://127.0.0.1:2379 \\
+  --advertise-client-urls https://${INTERNAL_IP}:2379 \\
+  --initial-cluster-token etcd-cluster-0 \\
+  --initial-cluster ${INSTANCE} \\
+  --initial-cluster-state new \\
+  --data-dir=/var/lib/etcd
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+{
+  systemctl daemon-reload
+}
+
+# Bootstrapping the Kubernetes Control Plane
+wget -q --https-only \
+    "https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kube-apiserver" \
+    "https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kube-controller-manager" \
+    "https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kube-scheduler" \
+    "https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kubectl"
+
+{
+    mv kubernetes.default.svc.cluster.local /etc/nginx/sites-available/kubernetes.default.svc.cluster.local
+    ln -s /etc/nginx/sites-available/kubernetes.default.svc.cluster.local /etc/nginx/sites-enabled/
+
+    chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl
+    mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/
+
+    mkdir -p /etc/kubernetes/config
+    mkdir -p /var/lib/kubernetes/
+}
+
+INTERNAL_IP="${1}.$(($2 + $3))"
+INSTANCE=""
+
+for i in $(eval echo {1..$5}); do
+	INSTANCE="${INSTANCE}https://$1.$(($2 + $i)):2379,"
+done
+
+cat <<EOF | sudo tee /etc/systemd/system/kube-apiserver.service
+[Unit]
+Description=Kubernetes API Server
+Documentation=https://github.com/kubernetes/kubernetes
+
+[Service]
+ExecStart=/usr/local/bin/kube-apiserver \\
+  --advertise-address=${INTERNAL_IP} \\
+  --allow-privileged=true \\
+  --apiserver-count=3 \\
+  --audit-log-maxage=30 \\
+  --audit-log-maxbackup=3 \\
+  --audit-log-maxsize=100 \\
+  --audit-log-path=/var/log/audit.log \\
+  --authorization-mode=Node,RBAC \\
+  --bind-address=0.0.0.0 \\
+  --client-ca-file=/var/lib/kubernetes/ca.pem \\
+  --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
+  --etcd-cafile=/var/lib/kubernetes/ca.pem \\
+  --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \\
+  --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \\
+  --etcd-servers=${INSTANCE} \\
+  --event-ttl=1h \\
+  --encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
+  --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
+  --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
+  --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
+  --kubelet-https=true \\
+  --runtime-config='api/all=true' \\
+  --service-account-key-file=/var/lib/kubernetes/service-account.pem \\
+  --service-cluster-ip-range=10.32.0.0/24 \\
+  --service-node-port-range=30000-32767 \\
+  --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \\
+  --tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \\
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF | sudo tee /etc/systemd/system/kube-controller-manager.service
+[Unit]
+Description=Kubernetes Controller Manager
+Documentation=https://github.com/kubernetes/kubernetes
+
+[Service]
+ExecStart=/usr/local/bin/kube-controller-manager \\
+  --bind-address=0.0.0.0 \\
+  --cluster-cidr=10.200.0.0/16 \\
+  --cluster-name=kubernetes \\
+  --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
+  --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
+  --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
+  --leader-elect=true \\
+  --root-ca-file=/var/lib/kubernetes/ca.pem \\
+  --service-account-private-key-file=/var/lib/kubernetes/service-account-key.pem \\
+  --service-cluster-ip-range=10.32.0.0/24 \\
+  --use-service-account-credentials=true \\
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF | sudo tee /etc/kubernetes/config/kube-scheduler.yaml
+apiVersion: kubescheduler.config.k8s.io/v1alpha1
+kind: KubeSchedulerConfiguration
+clientConnection:
+  kubeconfig: "/var/lib/kubernetes/kube-scheduler.kubeconfig"
+leaderElection:
+  leaderElect: true
+EOF
+
+cat <<EOF | sudo tee /etc/systemd/system/kube-scheduler.service
+[Unit]
+Description=Kubernetes Scheduler
+Documentation=https://github.com/kubernetes/kubernetes
+
+[Service]
+ExecStart=/usr/local/bin/kube-scheduler \\
+  --config=/etc/kubernetes/config/kube-scheduler.yaml \\
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+{
+    systemctl daemon-reload
+}
+
+# RBAC for Kubelet Authorization
+cat <<EOF | tee /home/vagrant/certificates/cluster_role.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:kube-apiserver-to-kubelet
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/proxy
+      - nodes/stats
+      - nodes/log
+      - nodes/spec
+      - nodes/metrics
+    verbs:
+      - "*"
+EOF
+
+cat <<EOF | tee /home/vagrant/certificates/cluster_role_binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: system:kube-apiserver
+  namespace: ""
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-apiserver-to-kubelet
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: kubernetes
+EOF
\ No newline at end of file
diff --git a/kubernetes/ha/script/bootstrap_node.sh b/kubernetes/ha/script/bootstrap_node.sh
new file mode 100644
index 0000000..ff3ca1e
--- /dev/null
+++ b/kubernetes/ha/script/bootstrap_node.sh
@@ -0,0 +1,175 @@
+#!/usr/bin/env bash
+
+ufw allow 10250/tcp
+ufw allow 10251/tcp
+ufw allow 10255/tcp
+ufw allow 30000:32767/tcp
+ufw reload
+
+{
+    apt-get update
+    apt-get -y install socat conntrack ipset
+}
+
+wget -q --https-only \
+    https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.18.0/crictl-v1.18.0-linux-amd64.tar.gz \
+    https://github.com/opencontainers/runc/releases/download/v1.0.0-rc91/runc.amd64 \
+    https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz \
+    https://github.com/containerd/containerd/releases/download/v1.3.6/containerd-1.3.6-linux-amd64.tar.gz \
+    https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kubectl \
+    https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kube-proxy \
+    https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kubelet
+
+mkdir -p \
+    /etc/cni/net.d \
+    /opt/cni/bin \
+    /var/lib/kubelet \
+    /var/lib/kube-proxy \
+    /var/lib/kubernetes \
+    /var/run/kubernetes
+
+{
+    mkdir containerd
+    tar -xvf crictl-v1.18.0-linux-amd64.tar.gz
+    tar -xvf containerd-1.3.6-linux-amd64.tar.gz -C containerd
+    tar -xvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin/
+    mv runc.amd64 runc
+    chmod +x crictl kubectl kube-proxy kubelet runc 
+    mv crictl kubectl kube-proxy kubelet runc /usr/local/bin/
+    mv containerd/bin/* /bin/
+}
+
+# Configure CNI Networking
+POD_CIDR="10.200.0.0/16"
+
+cat <<EOF | tee /etc/cni/net.d/10-bridge.conf
+{
+    "cniVersion": "0.3.1",
+    "name": "bridge",
+    "type": "bridge",
+    "bridge": "cnio0",
+    "isGateway": true,
+    "ipMasq": true,
+    "ipam": {
+        "type": "host-local",
+        "ranges": [
+          [{"subnet": "${POD_CIDR}"}]
+        ],
+        "routes": [{"dst": "0.0.0.0/0"}]
+    }
+}
+EOF
+
+cat <<EOF | tee /etc/cni/net.d/99-loopback.conf
+{
+    "cniVersion": "0.3.1",
+    "name": "lo",
+    "type": "loopback"
+}
+EOF
+
+mkdir -p /etc/containerd/
+
+cat << EOF | tee /etc/containerd/config.toml
+[plugins]
+  [plugins.cri.containerd]
+    snapshotter = "overlayfs"
+    [plugins.cri.containerd.default_runtime]
+      runtime_type = "io.containerd.runtime.v1.linux"
+      runtime_engine = "/usr/local/bin/runc"
+      runtime_root = ""
+EOF
+
+cat <<EOF | tee /etc/systemd/system/containerd.service
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target
+
+[Service]
+ExecStartPre=/sbin/modprobe overlay
+ExecStart=/bin/containerd
+Restart=always
+RestartSec=5
+Delegate=yes
+KillMode=process
+OOMScoreAdjust=-999
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF | sudo tee /var/lib/kubelet/kubelet-config.yaml
+kind: KubeletConfiguration
+apiVersion: kubelet.config.k8s.io/v1beta1
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    enabled: true
+  x509:
+    clientCAFile: "/var/lib/kubernetes/ca.pem"
+authorization:
+  mode: Webhook
+clusterDomain: "cluster.local"
+clusterDNS:
+  - "10.32.0.10"
+podCIDR: "${POD_CIDR}"
+resolvConf: "/run/systemd/resolve/resolv.conf"
+runtimeRequestTimeout: "15m"
+tlsCertFile: "/var/lib/kubelet/${HOSTNAME}.pem"
+tlsPrivateKeyFile: "/var/lib/kubelet/${HOSTNAME}-key.pem"
+EOF
+
+cat <<EOF | tee /etc/systemd/system/kubelet.service
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://github.com/kubernetes/kubernetes
+After=containerd.service
+Requires=containerd.service
+
+[Service]
+ExecStart=/usr/local/bin/kubelet \\
+  --config=/var/lib/kubelet/kubelet-config.yaml \\
+  --container-runtime=remote \\
+  --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
+  --image-pull-progress-deadline=2m \\
+  --kubeconfig=/var/lib/kubelet/kubeconfig \\
+  --network-plugin=cni \\
+  --register-node=true \\
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF | tee /var/lib/kube-proxy/kube-proxy-config.yaml
+kind: KubeProxyConfiguration
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+clientConnection:
+  kubeconfig: "/var/lib/kube-proxy/kubeconfig"
+mode: "iptables"
+clusterCIDR: "10.200.0.0/16"
+EOF
+
+cat <<EOF | tee /etc/systemd/system/kube-proxy.service
+[Unit]
+Description=Kubernetes Kube Proxy
+Documentation=https://github.com/kubernetes/kubernetes
+
+[Service]
+ExecStart=/usr/local/bin/kube-proxy \\
+  --config=/var/lib/kube-proxy/kube-proxy-config.yaml
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
diff --git a/kubernetes/ha/script/kube_config.sh b/kubernetes/ha/script/kube_config.sh
new file mode 100644
index 0000000..ba76689
--- /dev/null
+++ b/kubernetes/ha/script/kube_config.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+cd /opt/certificates
+lb_ip="$1.$4"
+
+# The kubelet Kubernetes Configuration File
+for i in $(eval echo {1..$8}); do
+    instance="$6-$i"
+    
+    kubectl config set-cluster kubernetes-the-hard-way --certificate-authority=ca.pem --embed-certs=true --server=https://${lb_ip}:6443 --kubeconfig=${instance}.kubeconfig
+    kubectl config set-credentials system:node:${instance} --client-certificate=${instance}.pem --client-key=${instance}-key.pem --embed-certs=true --kubeconfig=${instance}.kubeconfig
+    kubectl config set-context default --cluster=kubernetes-the-hard-way --user=system:node:${instance} --kubeconfig=${instance}.kubeconfig
+    kubectl config use-context default --kubeconfig=${instance}.kubeconfig
+done
+
+# The kube-proxy Kubernetes Configuration File
+{
+    kubectl config set-cluster kubernetes-the-hard-way --certificate-authority=ca.pem --embed-certs=true --server=https://${lb_ip}:6443 --kubeconfig=kube-proxy.kubeconfig
+    kubectl config set-credentials system:kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
+    kubectl config set-context default --cluster=kubernetes-the-hard-way --user=system:kube-proxy --kubeconfig=kube-proxy.kubeconfig
+    kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
+}
+
+# The kube-controller-manager Kubernetes Configuration File
+{
+    kubectl config set-cluster kubernetes-the-hard-way --certificate-authority=ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-controller-manager.kubeconfig
+    kubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
+    kubectl config set-context default --cluster=kubernetes-the-hard-way --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
+    kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
+}
+
+# The kube-scheduler Kubernetes Configuration File
+{
+    kubectl config set-cluster kubernetes-the-hard-way --certificate-authority=ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-scheduler.kubeconfig
+    kubectl config set-credentials system:kube-scheduler --client-certificate=kube-scheduler.pem --client-key=kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig
+    kubectl config set-context default --cluster=kubernetes-the-hard-way --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
+    kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
+}
+
+# The admin Kubernetes Configuration File
+{
+    kubectl config set-cluster kubernetes-the-hard-way --certificate-authority=ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=admin.kubeconfig
+    kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=admin.kubeconfig
+    kubectl config set-context default --cluster=kubernetes-the-hard-way --user=admin --kubeconfig=admin.kubeconfig
+    kubectl config use-context default --kubeconfig=admin.kubeconfig
+}
+
+# The Encryption Config File
+{
+ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
+
+cat > encryption-config.yaml <<EOF
+kind: EncryptionConfig
+apiVersion: v1
+resources:
+  - resources:
+      - secrets
+    providers:
+      - aescbc:
+          keys:
+            - name: key1
+              secret: ${ENCRYPTION_KEY}
+      - identity: {}
+EOF
+}
+
+chown vagrant -R /opt/certificates
diff --git a/kubernetes/ha/script/provisioning.sh b/kubernetes/ha/script/provisioning.sh
new file mode 100644
index 0000000..61b5ab3
--- /dev/null
+++ b/kubernetes/ha/script/provisioning.sh
@@ -0,0 +1,279 @@
+#!/usr/bin/env bash
+
+wget -q --https-only https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssl https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssljson
+chmod +x cfssl cfssljson
+mv cfssl cfssljson /usr/local/bin/
+
+wget -q --https-only https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kubectl
+chmod +x kubectl
+mv kubectl /usr/local/bin/
+
+mkdir -p /opt/certificates && chown vagrant -R $_ && cd $_ 
+
+# Certificate Authority
+{
+cat > ca-config.json <<EOF
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+EOF
+
+cat > ca-csr.json <<EOF
+{
+  "CN": "Kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "CA",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+}
+
+# Client and Server Certificates
+{
+cat > admin-csr.json <<EOF
+{
+  "CN": "admin",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:masters",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  admin-csr.json | cfssljson -bare admin
+}
+
+# The Kubelet Client Certificates
+for i in $(eval echo {1..$8}); do
+instance="$6-$i"
+instance_ip="$1.$(($3+$i))"
+
+cat > ${instance}-csr.json <<EOF
+{
+  "CN": "system:node:${instance}",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:nodes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -hostname=${instance},${instance_ip} \
+  -profile=kubernetes \
+  ${instance}-csr.json | cfssljson -bare ${instance}
+done
+
+# The Controller Manager Client Certificate
+{
+
+cat > kube-controller-manager-csr.json <<EOF
+{
+  "CN": "system:kube-controller-manager",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:kube-controller-manager",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
+
+}
+
+# The Kube Proxy Client Certificate
+{
+
+cat > kube-proxy-csr.json <<EOF
+{
+  "CN": "system:kube-proxy",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:node-proxier",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-proxy-csr.json | cfssljson -bare kube-proxy
+
+}
+
+# The Scheduler Client Certificate
+{
+
+cat > kube-scheduler-csr.json <<EOF
+{
+  "CN": "system:kube-scheduler",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:kube-scheduler",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
+
+}
+
+# The Kubernetes API Server Certificate
+{
+
+instance="10.32.0.1,${1}.${4},127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local"
+ips=""
+
+for i in $(eval echo {1..$7}); do
+	ips="${ips}$1.$(($2 + $i)),"
+done
+instance="${ips}${instance}"
+
+cat > kubernetes-csr.json <<EOF
+{
+  "CN": "kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -hostname=${instance} \
+  -profile=kubernetes \
+  kubernetes-csr.json | cfssljson -bare kubernetes
+
+}
+
+# The Service Account Key Pair
+{
+
+cat > service-account-csr.json <<EOF
+{
+  "CN": "service-accounts",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  service-account-csr.json | cfssljson -bare service-account
+
+}
+
+chown vagrant -R /opt/certificates