diff --git a/services/cm.go b/services/cm.go
index 0d8356730dfe4f7482d926ebca7466cadc3a7c17..8b58e5c38488f243554f2a8deb1eab1f4d60d8e3 100644
--- a/services/cm.go
+++ b/services/cm.go
@@ -11,6 +11,7 @@ import (
 	"k8s.io/apiserver/pkg/quota/v1/generic"
 	"k8s.io/client-go/util/flowcontrol"
 	"k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
 	"k8s.io/kubernetes/pkg/controller/daemon"
 	"k8s.io/kubernetes/pkg/controller/deployment"
 	"k8s.io/kubernetes/pkg/controller/endpoint"
@@ -114,6 +115,18 @@ var kubeControllerManager = &Unit{
 		go gc.Run(ctx, 1)
 		go gc.Sync(clients.Client.DiscoveryClient, 30*time.Second, ctx.Done())
 
+		// Certificate publisher
+		certPublisher, err := rootcacertpublisher.NewPublisher(
+			clients.Informer.Core().V1().ConfigMaps(),
+			clients.Informer.Core().V1().Namespaces(),
+			clients.Client,
+			clients.KubeConfig.CAData,
+		)
+		if err != nil {
+			return fmt.Errorf("could not initilialize root cert publisher: %w", err)
+		}
+		certPublisher.Run(ctx, 1)
+
 		//////////////////
 		/// Workloads
 		//////////////////