diff --git a/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh b/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
index 2c632fef79..bb37dc0442 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
@@ -2,7 +2,32 @@
 
 . /etc/sysconfig/heat-params
 
-set -ux
+set -uxe
+
+# Create a keypair for the heat-container-agent to
+# access the node over ssh. It is useful to operate
+# in host mount namespace and apply configuration.
+mkdir -p /srv/magnum/.ssh
+chmod 700 /srv/magnum/.ssh
+ssh-keygen -t rsa -N '' -f /srv/magnum/.ssh/heat_agent_rsa
+chmod 400 /srv/magnum/.ssh/heat_agent_rsa
+chmod 400 /srv/magnum/.ssh/heat_agent_rsa.pub
+# Add the public to the host authorized_keys file.
+cat /srv/magnum/.ssh/heat_agent_rsa.pub > /root/.ssh/authorized_keys
+# Add localost to know_hosts
+ssh-keyscan 127.0.0.1 > /srv/magnum/.ssh/known_hosts
+# ssh configguration file, to be specified with ssh -F
+cat > /srv/magnum/.ssh/config <<EOF
+Host localhost
+     HostName 127.0.0.1
+     User root
+     IdentityFile /srv/magnum/.ssh/heat_agent_rsa
+     UserKnownHostsFile /srv/magnum/.ssh/known_hosts
+EOF
+
+sed -i '/^PermitRootLogin/ s/ .*/ without-password/' /etc/ssh/sshd_config
+systemctl restart sshd
+
 
 _prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}
 atomic install \
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
index 163a8d9b3d..f62db5f55d 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
@@ -282,6 +282,12 @@ parameters:
 
 resources:
 
+  start_container_agent:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: ../../common/templates/kubernetes/fragments/start-container-agent.sh}
+
   minion_wait_handle:
     type: OS::Heat::WaitConditionHandle
 
@@ -454,6 +460,7 @@ resources:
         - config: {get_resource: install_openstack_ca}
         - config: {get_resource: disable_selinux}
         - config: {get_resource: write_heat_params}
+        - config: {get_resource: start_container_agent}
         - config: {get_resource: write_kube_os_config}
         - config: {get_resource: make_cert}
         - config: {get_resource: configure_docker_storage}
diff --git a/releasenotes/notes/heat-container-agent-tag-fe7cec6b890329af.yaml b/releasenotes/notes/heat-container-agent-tag-fe7cec6b890329af.yaml
new file mode 100644
index 0000000000..ca79090132
--- /dev/null
+++ b/releasenotes/notes/heat-container-agent-tag-fe7cec6b890329af.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add heat container agent into Kubernetes cluster worker nodes to support
+    cluster rolling upgrade.