diff --git a/ansible/site.yaml b/ansible/site.yaml index f741ced..468b7a3 100644 --- a/ansible/site.yaml +++ b/ansible/site.yaml @@ -69,23 +69,6 @@ content: | nameserver 1.1.1.1 - - name: Drop configuration file - become: true - copy: - dest: /etc/kubernetes/kubeadm.conf - content: | - --- - apiVersion: kubeadm.k8s.io/v1beta2 - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - resolv-conf: /etc/kubernetes/resolv.conf - --- - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - networking: - podSubnet: 10.244.0.0/16 - - name: Bootstrap cluster hosts: masters[0] gather_facts: false @@ -94,6 +77,12 @@ wait_for_connection: timeout: 300 + - name: Drop configuration file + become: true + template: + src: kubeadm.conf.j2 + dest: /etc/kubernetes/kubeadm.conf + - name: Initialize cluster become: true shell: | 
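Review bot: The re-added "Drop configuration file" task in the `@@ -94,6 +77,12 @@` hunk uses `template:` with only `src` and `dest`, so the permissions of /etc/kubernetes/kubeadm.conf are left to the remote umask. The same task is repeated in the `@@ -120,14 +109,33 @@` hunk, where the rendered file also carries the bootstrap token and CA hash, so it matters more there. Add `mode: "0600"` to both tasks (quoted, so it is not read as an integer), and preferably `owner: root` and `group: root` as well. The enclosing play starts and ends outside this hunk.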
@@ -120,14 +109,33 @@ become: true delegate_to: "{{ groups['masters'][0] }}" register: kubeadm_token_create - shell: | - kubeadm token create --ttl 5m --print-join-command + shell: kubeadm token create --ttl 5m --print-join-command + when: + - not apiserver_stat.stat.exists + + # NOTE(mnaser): There is no clean way to get the CA hash from kubeadm :( + # https://github.com/kubernetes/kubeadm/issues/659 + - name: Parse token and hash facts + set_fact: + kubeadm_apiserver: "{{ kubeadm_token_create.stdout | regex_search(regex, '\\1') | first }}" + kubeadm_token: "{{ kubeadm_token_create.stdout | regex_search(regex, '\\2') | first }}" + kubeadm_hash: "{{ kubeadm_token_create.stdout | regex_search(regex, '\\3') | first }}" + vars: + regex: 'kubeadm\s+join\s+([^\s]+)\s+--token\s+([^\s]+)\s+--discovery-token-ca-cert-hash\s+([^\s]+)' + when: + - not apiserver_stat.stat.exists + + - name: Drop configuration file + become: true + template: + src: kubeadm.conf.j2 + dest: /etc/kubernetes/kubeadm.conf when: - not apiserver_stat.stat.exists - name: Join cluster become: true - shell: "{{ kubeadm_token_create.stdout }}" + shell: kubeadm join --config /etc/kubernetes/kubeadm.conf when: - not apiserver_stat.stat.exists diff --git a/ansible/templates/kubeadm.conf.j2 b/ansible/templates/kubeadm.conf.j2 new file mode 100644 index 0000000..8d88070 --- /dev/null +++ b/ansible/templates/kubeadm.conf.j2 
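Review bot: Neither the token-creation task (`register: kubeadm_token_create`) nor the new "Parse token and hash facts" task sets `no_log: true`, so the bootstrap token and CA hash can appear in verbose output and in any log callback; the `--ttl 5m` limits the exposure but does not remove it. Add `no_log: true` to both tasks. The `regex_search(...) | first` expressions also assume the exact `--print-join-command` output format, and a non-match is likely to fail with an unclear filter error. A short `assert` that the three facts are non-empty before the template task would make that failure explicit. Neither kubeadm call uses shell features, so `command:` would be a tighter fit than `shell:`.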
@@ -0,0 +1,29 @@ +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +networking: + podSubnet: 10.244.0.0/16 +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: InitConfiguration +nodeRegistration: + kubeletExtraArgs: + resolv-conf: /etc/kubernetes/resolv.conf +--- +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +resolvConf: /etc/kubernetes/resolv.conf +{% if kubeadm_token is defined %} +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: JoinConfiguration +discovery: + bootstrapToken: + apiServerEndpoint: {{ kubeadm_apiserver }} + token: {{ kubeadm_token }} + caCertHashes: + - {{ kubeadm_hash }} +nodeRegistration: + kubeletExtraArgs: + resolv-conf: /etc/kubernetes/resolv.conf +{% endif %} \ No newline at end of file
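Review bot: The three templated values in the JoinConfiguration are rendered as plain YAML scalars (`apiServerEndpoint: {{ kubeadm_apiserver }}`, `token: {{ kubeadm_token }}`, `- {{ kubeadm_hash }}`), and they come from a regex over command stdout. An empty or number-like expansion would change the type of the value or the structure of the document. Quote them, e.g. `token: "{{ kubeadm_token }}"`, and likewise for the endpoint and the hash entry. The `{% if kubeadm_token is defined %}` guard checks only one of the three variables; extending it with `and kubeadm_apiserver is defined and kubeadm_hash is defined` keeps a partial parse from rendering a broken JoinConfiguration. The file also ends without a trailing newline.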