diff --git a/roles/kubernetes/prepare/defaults/main.yml b/roles/kubernetes/prepare/defaults/main.yml
new file mode 100644
index 00000000000..5d1b2cd2e7f
--- /dev/null
+++ b/roles/kubernetes/prepare/defaults/main.yml
@@ -0,0 +1,48 @@
+---
+run_gitinfos: false
+
+# This directory is where all the additional scripts go
+# that Kubernetes normally puts in /srv/kubernetes.
+# This puts them in a sane location
+kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
+
+# This directory is where all the additional config stuff goes
+# the kubernetes normally puts in /srv/kubernets.
+# This puts them in a sane location.
+# Editting this value will almost surely break something. Don't
+# change it. Things like the systemd scripts are hard coded to
+# look in here. Don't do it.
+kube_config_dir: /etc/kubernetes
+
+# Logging directory (sysvinit systems)
+kube_log_dir: "/var/log/kubernetes"
+
+# This is where you can drop yaml/json files and the kubelet will run those
+# pods on startup
+kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+
+# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
+kube_apiserver_insecure_bind_address: 127.0.0.1
+
+common_required_pkgs:
+ - python-httplib2
+ - openssl
+ - curl
+ - rsync
+ - bash-completion
+ - socat
+
+# Set to true if your network does not support IPv6
+# This maybe necessary for pulling Docker images from
+# GCE docker repository
+disable_ipv6_dns: false
+
+
+# For the openstack integration kubelet will need credentials to access
+# openstack apis like nova and cinder. Per default this values will be
+# read from the environment.
+openstack_auth_url: "{{ lookup('env','OS_AUTH_URL') }}"
+openstack_username: "{{ lookup('env','OS_USERNAME') }}"
+openstack_password: "{{ lookup('env','OS_PASSWORD') }}"
+openstack_region: "{{ lookup('env','OS_REGION_NAME') }}"
+openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID') }}"
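Review bot: `openstack_password: "{{ lookup('env','OS_PASSWORD') }}"` pulls a credential into the role's variable namespace, so any later task that templates it will echo it in verbose output and it will land in any fact cache; the comment above the openstack block should state this and name the handling expected of consumers, e.g. `# openstack_password is a secret: tasks that template it must set no_log: true`. The comment block above `kube_config_dir` has typos (`Editting`, `/srv/kubernets`). The warning next to `kube_apiserver_insecure_bind_address: 127.0.0.1` would be more concrete if it said why 0.0.0.0 is not recommended: the insecure port accepts requests without any authentication.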
diff --git a/roles/kubernetes/prepare/tasks/main.yml b/roles/kubernetes/prepare/tasks/main.yml
new file mode 100644
index 00000000000..c43d3bd22c0
--- /dev/null
+++ b/roles/kubernetes/prepare/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- include: set_facts.yml
+
+- name: gather os specific variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+ - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+ - "{{ ansible_distribution|lower }}.yml"
+ - "{{ ansible_os_family|lower }}.yml"
+ - defaults.yml
+ paths:
+ - ../vars
+ skip: true
diff --git a/roles/kubernetes/prepare/tasks/set_facts.yml b/roles/kubernetes/prepare/tasks/set_facts.yml
new file mode 100644
index 00000000000..19f08df78cc
--- /dev/null
+++ b/roles/kubernetes/prepare/tasks/set_facts.yml
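Review bot: The second `with_first_found` pattern, `"{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"`, is the only one that does not run the fact through `|lower|replace('/', '_')`, so a release string with uppercase letters or a slash never matches a vars file (a slash would also turn the filename into a path component); `{{ ansible_distribution_release|lower|replace('/', '_') }}` keeps the five patterns consistent. Because of `skip: true`, a non-matching set is silent, and `required_pkgs` (defined only in the per-distro vars files of this diff) stays undefined unless a `vars/defaults.yml` exists outside this diff — a one-line comment above the task should say which files are expected to define it.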
@@ -0,0 +1,53 @@
+---
+- set_fact: kube_apiserver_count="{{ groups['kube-master'] | length }}"
+- set_fact: kube_apiserver_address="{{ ip | default(ansible_default_ipv4['address']) }}"
+- set_fact: kube_apiserver_access_address="{{ access_ip | default(kube_apiserver_address) }}"
+- set_fact: is_kube_master="{{ inventory_hostname in groups['kube-master'] }}"
+- set_fact: first_kube_master="{{ hostvars[groups['kube-master'][0]]['access_ip'] | default(hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address'])) }}"
+- set_fact:
+ loadbalancer_apiserver_localhost: false
+ when: loadbalancer_apiserver is defined
+- set_fact:
+ kube_apiserver_endpoint: |-
+ {% if not is_kube_master and loadbalancer_apiserver_localhost -%}
+ https://localhost:{{ kube_apiserver_port }}
+ {%- elif is_kube_master and loadbalancer_apiserver is not defined -%}
+ http://127.0.0.1:{{ kube_apiserver_insecure_port }}
+ {%- else -%}
+ {%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
+ https://{{ apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
+ {%- else -%}
+ https://{{ first_kube_master }}:{{ kube_apiserver_port }}
+ {%- endif -%}
+ {%- endif %}
+
+- set_fact: etcd_address="{{ ip | default(ansible_default_ipv4['address']) }}"
+- set_fact: etcd_access_address="{{ access_ip | default(etcd_address) }}"
+- set_fact: etcd_peer_url="http://{{ etcd_access_address }}:2380"
+- set_fact: etcd_client_url="http://{{ etcd_access_address }}:2379"
+- set_fact: etcd_authority="127.0.0.1:2379"
+- set_fact: etcd_endpoint="http://{{ etcd_authority }}"
+- set_fact:
+ etcd_access_addresses: |-
+ {% for item in groups['etcd'] -%}
+ http://{{ hostvars[item].etcd_access_address }}:2379{% if not loop.last %},{% endif %}
+ {%- endfor %}
+- set_fact: etcd_access_endpoint="{% if etcd_multiaccess %}{{ etcd_access_addresses }}{% else %}{{ etcd_endpoint }}{% endif %}"
+- set_fact:
+ etcd_member_name: |-
+ {% for host in groups['etcd'] %}
+ {% if inventory_hostname == host %}{{"etcd"+loop.index|string }}{% endif %}
+ {% endfor %}
+- set_fact:
+ etcd_proxy_member_name: |-
+ {% for host in groups['k8s-cluster'] %}
+ {% if inventory_hostname == host %}{{"etcd-proxy"+loop.index|string }}{% endif %}
+ {% endfor %}
+- set_fact:
+ is_etcd_proxy: "{{ inventory_hostname in groups['k8s-cluster'] }}"
+- set_fact:
+ is_etcd_master: "{{ inventory_hostname in groups['etcd'] }}"
+- set_fact:
+ etcd_after_v3: etcd_version | version_compare("v3.0.0", ">=")
+- set_fact:
+ etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
diff --git a/roles/kubernetes/prepare/vars/centos.yml b/roles/kubernetes/prepare/vars/centos.yml
new file mode 100644
index 00000000000..c1be4b9b353
--- /dev/null
+++ b/roles/kubernetes/prepare/vars/centos.yml
@@ -0,0 +1,3 @@
+required_pkgs:
+ - libselinux-python
+ - device-mapper-libs
diff --git a/roles/kubernetes/prepare/vars/debian.yml b/roles/kubernetes/prepare/vars/debian.yml
new file mode 100644
index 00000000000..596d2ac8bc2
--- /dev/null
+++ b/roles/kubernetes/prepare/vars/debian.yml
@@ -0,0 +1,5 @@
+required_pkgs:
+ - python-apt
+ - aufs-tools
+ - apt-transport-https
+ - software-properties-common
diff --git a/roles/kubernetes/prepare/vars/fedora.yml b/roles/kubernetes/prepare/vars/fedora.yml
new file mode 100644
index 00000000000..c1be4b9b353
--- /dev/null
+++ b/roles/kubernetes/prepare/vars/fedora.yml
@@ -0,0 +1,3 @@
+required_pkgs:
+ - libselinux-python
+ - device-mapper-libs
diff --git a/roles/kubernetes/prepare/vars/redhat.yml b/roles/kubernetes/prepare/vars/redhat.yml
new file mode 100644
index 00000000000..c1be4b9b353
--- /dev/null
+++ b/roles/kubernetes/prepare/vars/redhat.yml
@@ -0,0 +1,3 @@
+required_pkgs:
+ - libselinux-python
+ - device-mapper-libs
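Review bot: `etcd_after_v3: etcd_version | version_compare("v3.0.0", ">=")` is a plain YAML string, not a templated expression, so the fact becomes that non-empty literal text and `{% if etcd_after_v3 %}` in the following task is always true, making `etcd_container_bin_dir` `/usr/local/bin/` whatever `etcd_version` is; it needs templating: `etcd_after_v3: "{{ etcd_version | version_compare('v3.0.0', '>=') }}"`. Separately, `etcd_peer_url`, `etcd_client_url`, `etcd_endpoint` and `etcd_access_addresses` hard-code `http://` on 2379/2380, so etcd peer and client traffic — which carries everything the apiserver stores, secrets included — is neither authenticated nor encrypted on the wire; if etcd TLS is deliberately out of scope for this change, a comment at the top of the etcd block should say so rather than leave it implicit. The `kube_apiserver_endpoint` branch for masters likewise points at the unauthenticated `http://127.0.0.1:{{ kube_apiserver_insecure_port }}`, which is worth a comment naming that trade-off.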
diff --git a/roles/kubernetes/prepare_secrets/defaults/main.yml b/roles/kubernetes/prepare_secrets/defaults/main.yml
new file mode 100644
index 00000000000..a5b88d7ac58
--- /dev/null
+++ b/roles/kubernetes/prepare_secrets/defaults/main.yml
@@ -0,0 +1,8 @@
+# This is where all the cert scripts and certs will be located
+kube_cert_dir: "{{ kube_config_dir }}/ssl"
+
+# This is where all of the bearer tokens will be stored
+kube_token_dir: "{{ kube_config_dir }}/tokens"
+
+# This is where to save basic auth file
+kube_users_dir: "{{ kube_config_dir }}/users"
diff --git a/roles/kubernetes/prepare_secrets/tasks/check-certs.yml b/roles/kubernetes/prepare_secrets/tasks/check-certs.yml
new file mode 100644
index 00000000000..97c6f722660
--- /dev/null
+++ b/roles/kubernetes/prepare_secrets/tasks/check-certs.yml
@@ -0,0 +1,36 @@
+---
+- name: "Check_certs | check if the certs have already been generated on first master"
+ stat:
+ path: "{{ kube_cert_dir }}/ca.pem"
+ delegate_to: "{{groups['kube-master'][0]}}"
+ register: kubecert_master
+ run_once: true
+
+- name: "Check_certs | Set default value for 'sync_certs' and 'gen_certs' to false"
+ set_fact:
+ sync_certs: false
+ gen_certs: false
+
+- name: "Check_certs | Set 'sync_certs' and 'gen_certs' to true"
+ set_fact:
+ gen_certs: true
+ when: not kubecert_master.stat.exists
+ run_once: true
+
+- name: "Check certs | check if a cert already exists"
+ stat:
+ path: "{{ kube_cert_dir }}/ca.pem"
+ register: kubecert
+
+- name: "Check_certs | Set 'sync_certs' to true"
+ set_fact:
+ sync_certs: true
+ when: >-
+ {%- set certs = {'sync': False} -%}
+ {%- for server in play_hosts
+ if (not hostvars[server].kubecert.stat.exists|default(False)) or
+ (hostvars[server].kubecert.stat.checksum|default('') != kubecert_master.stat.checksum|default('')) -%}
+ {%- set _ = certs.update({'sync': True}) -%}
+ {%- endfor -%}
+ {{ certs.sync }}
+ run_once: true
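Review bot: Both `stat` tasks in check-certs.yml look only at `{{ kube_cert_dir }}/ca.pem`, so `gen_certs` and `sync_certs` say nothing about the other certificates and keys that presumably sit next to it; a host that still has the CA but has lost its remaining certs triggers neither regeneration nor sync. Either the check should be widened, or a comment should state that `ca.pem` is used as the sentinel for the whole directory. The `when: >-` Jinja block also deserves a comment, e.g. `# sync_certs is true when any host in the play lacks ca.pem or its checksum differs from the first master's copy`, since the loop-with-filter form is hard to read at a glance.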
diff --git a/roles/kubernetes/prepare_secrets/tasks/check-tokens.yml b/roles/kubernetes/prepare_secrets/tasks/check-tokens.yml
new file mode 100644
index 00000000000..1ecaa70060b
--- /dev/null
+++ b/roles/kubernetes/prepare_secrets/tasks/check-tokens.yml
@@ -0,0 +1,36 @@
+---
+- name: "Check_tokens | check if the tokens have already been generated on first master"
+ stat:
+ path: "{{ kube_token_dir }}/known_tokens.csv"
+ delegate_to: "{{groups['kube-master'][0]}}"
+ register: known_tokens_master
+ run_once: true
+
+- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
+ set_fact:
+ sync_tokens: false
+ gen_tokens: false
+
+- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
+ set_fact:
+ gen_tokens: true
+ when: not known_tokens_master.stat.exists
+ run_once: true
+
+- name: "Check tokens | check if a cert already exists"
+ stat:
+ path: "{{ kube_cert_dir }}/ca.pem"
+ register: known_tokens
+
+- name: "Check_tokens | Set 'sync_tokens' to true"
+ set_fact:
+ sync_tokens: true
+ when: >-
+ {%- set tokens = {'sync': False} -%}
+ {%- for server in groups['kube-master']
+ if (not hostvars[server].known_tokens.stat.exists) or
+ (hostvars[server].known_tokens.stat.checksum != known_tokens_master.stat.checksum|default('')) -%}
+ {%- set _ = tokens.update({'sync': True}) -%}
+ {%- endfor -%}
+ {{ tokens.sync }}
+ run_once: true
diff --git a/roles/kubernetes/prepare_secrets/tasks/main.yml b/roles/kubernetes/prepare_secrets/tasks/main.yml
new file mode 100644
index 00000000000..12b8c95da2a
--- /dev/null
+++ b/roles/kubernetes/prepare_secrets/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- include: check-certs.yml
+- include: check-tokens.yml
diff --git a/scale-cluster.yml b/scale-cluster.yml
new file mode 100644
index 00000000000..af6992cb54c
--- /dev/null
+++ b/scale-cluster.yml
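Review bot: The task named `"Check tokens | check if a cert already exists"` stats `{{ kube_cert_dir }}/ca.pem` and registers it as `known_tokens`, so the final `when:` compares each master's `ca.pem` checksum with the first master's `known_tokens.csv` checksum; those can never be equal, so `sync_tokens` is true on every run in which the first master already has the token file. The stat should target the token file, `path: "{{ kube_token_dir }}/known_tokens.csv"`, matching the first task, and the task name adjusted accordingly. The loop also iterates `groups['kube-master']` without the `|default(False)` and `|default('')` guards that the certs variant applies, so a master outside the current play (a limited run, for instance) would leave `hostvars[server].known_tokens` undefined and fail the expression rather than fall through.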
@@ -0,0 +1,27 @@
+---
+- hosts: kube-node
+ gather_facts: false
+ roles:
+ - bootstrap-os
+ tags:
+ - bootstrap-os
+
+- hosts: all
+ gather_facts: true
+
+- hosts: etcd
+ roles:
+ - { role: kubernetes/prepare, tags: prepare }
+
+- hosts: kube-master
+ roles:
+ - { role: kubernetes/prepare, tags: prepare }
+ - { role: kubernetes/prepare_secrets, tags: prepare }
+
+- hosts: kube-node
+ roles:
+ - { role: kubernetes/preinstall, tags: preinstall }
+ - { role: etcd, tags: etcd }
+ - { role: kubernetes/node, tags: node }
+ - { role: network_plugin, tags: network }
+ - { role: dnsmasq, tags: dnsmasq }
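Review bot: The playbook carries no header comment, so a reader has to infer from the role lists that only `kube-node` hosts are provisioned here while the `etcd` and `kube-master` plays run just `kubernetes/prepare` and `prepare_secrets` to compute facts and check existing certs and tokens. A comment at the top such as `# Adds kube-node hosts to an existing cluster; the etcd and kube-master plays only compute facts and verify existing certs/tokens` would make that intent explicit. The `- hosts: all` play with `gather_facts: true` and no tasks is presumably there so that hostvars of masters and etcd members are populated for the later fact math (e.g. `first_kube_master`); a one-line comment on it would save the next reader the guess. The `kubernetes/preinstall`, `etcd`, `kubernetes/node`, `network_plugin` and `dnsmasq` roles are outside this diff, so whether they are safe to rerun on an existing cluster cannot be judged here.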