diff --git a/cmd/placeholder-name/app/app.go b/cmd/placeholder-name/app/app.go
index 82a420c9..7b9d726e 100644
--- a/cmd/placeholder-name/app/app.go
+++ b/cmd/placeholder-name/app/app.go
@@ -14,6 +14,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"time"
 
@@ -49,8 +50,10 @@ type App struct {
 	cmd *cobra.Command
 
 	// CLI flags
-	configPath      string
-	downwardAPIPath string
+	configPath                 string
+	downwardAPIPath            string
+	clusterSigningCertFilePath string
+	clusterSigningKeyFilePath  string
 
 	recommendedOptions *genericoptions.RecommendedOptions
 }
@@ -76,6 +79,18 @@ func New(ctx context.Context, args []string, stdout, stderr io.Writer) *App {
 credential from somewhere to an internal credential to be used for
 authenticating to the Kubernetes API.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			clusterSigningCertificatePEM, err := ioutil.ReadFile(a.clusterSigningCertFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing certificate: %w", err)
+			}
+			clusterSigningPrivateKeyPEM, err := ioutil.ReadFile(a.clusterSigningKeyFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing private key: %w", err)
+			}
+			// TODO: use these value for something useful
+			_ = clusterSigningCertificatePEM
+			_ = clusterSigningPrivateKeyPEM
+
 			// Load the Kubernetes client configuration (kubeconfig),
 			kubeConfig, err := restclient.InClusterConfig()
 			if err != nil {
@@ -121,6 +136,20 @@ authenticating to the Kubernetes API.`,
 		"path to Downward API volume mount",
 	)
 
+	cmd.Flags().StringVar(
+		&a.clusterSigningCertFilePath,
+		"cluster-signing-cert-file",
+		"",
+		"path to cluster signing certificate",
+	)
+
+	cmd.Flags().StringVar(
+		&a.clusterSigningKeyFilePath,
+		"cluster-signing-key-file",
+		"",
+		"path to cluster signing private key",
+	)
+
 	a.cmd = cmd
 
 	return a
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 764ec5f8..9cfb474b 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
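Review bot: The two PEM buffers read in RunE are discarded with `_ =`, so a missing, empty or non-PEM file is only noticed later, if at all; `encoding/pem` is already imported, so decode each buffer right here and fail fast, e.g. `if block, _ := pem.Decode(clusterSigningCertificatePEM); block == nil || block.Type != "CERTIFICATE" { return fmt.Errorf("cluster signing certificate is not a PEM certificate") }` and a nil-block check for the key. Until the TODO is resolved the cluster signing private key sits in process memory for the whole command lifetime without being used, so it may be preferable to move the read to the point of use. The import hunk adds `io/ioutil` only for these two calls; if go.mod is at Go 1.16 or later, `os.ReadFile` is the non-deprecated equivalent. The RunE body continues outside the hunk.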
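Review bot: Neither new flag is marked required, so the `""` default reaches `ioutil.ReadFile` in the RunE hunk above and surfaces as `open : no such file or directory` instead of naming the missing flag. Either call `cmd.MarkFlagRequired("cluster-signing-cert-file")` and `cmd.MarkFlagRequired("cluster-signing-key-file")` after the registrations (each returns an error that should be checked), or guard in RunE with `if a.clusterSigningKeyFilePath == "" { return fmt.Errorf("--cluster-signing-key-file is required") }` and the same for the cert path. The help strings could also state that the files are expected to be PEM-encoded, since the variables they feed are named `...PEM`. The enclosing New function ends outside the hunk.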
@@ -47,6 +47,8 @@ spec:
       metadata:
         labels:
           app: #@ data.values.app_name
+        annotations:
+          scheduler.alpha.kubernetes.io/critical-pod: ""
       spec:
         serviceAccountName: #@ data.values.app_name + "-service-account"
         containers:
@@ -62,11 +64,15 @@ spec:
           args:
           - --config=/etc/config/placeholder-name.yaml
           - --downward-api-path=/etc/podinfo
+          - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
+          - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
           volumeMounts:
           - name: config-volume
             mountPath: /etc/config
           - name: podinfo
             mountPath: /etc/podinfo
+          - name: k8s-certs
+            mountPath: /etc/kubernetes/pki
         volumes:
         - name: config-volume
           configMap:
@@ -80,3 +86,15 @@ spec:
            - path: "namespace"
              fieldRef:
                fieldPath: metadata.namespace
+        - name: k8s-certs
+          hostPath:
+            path: /etc/kubernetes/pki
+            type: DirectoryOrCreate
+        priorityClassName: system-cluster-critical
+        nodeSelector:
+          node-role.kubernetes.io/master: ""
+        tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
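Review bot: The `scheduler.alpha.kubernetes.io/critical-pod` annotation added to the pod template is the deprecated predecessor of `priorityClassName`, which the last hunk of this file already sets to `system-cluster-critical`; on clusters that still honour the annotation it is redundant, and on newer ones it is ignored. Dropping the two `annotations:` lines keeps the manifest to the one supported mechanism; if it is kept for an older cluster, a `#` comment naming that version would explain why both are present.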
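Review bot: The `k8s-certs` volumeMount at `/etc/kubernetes/pki` is read-write although the two new args only read `ca.crt` and `ca.key`; add `readOnly: true` under `mountPath: /etc/kubernetes/pki`. The mount also exposes the whole host directory to the container rather than the two files it uses, and on a kubeadm-provisioned control-plane node that directory typically holds the other cluster private keys as well, so consider two `hostPath` volumes of `type: File` for `ca.crt` and `ca.key`, or document why the directory mount is acceptable. Either way the pod now holds the cluster CA private key, which is worth stating in a comment next to the volume so the privilege is visible to whoever reviews the manifest.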
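Review bot: `type: DirectoryOrCreate` makes the kubelet create an empty `/etc/kubernetes/pki` on any node that lacks it, so the pod is admitted and then fails at the `ReadFile` calls in app.go rather than at volume setup; `type: Directory` (or `type: File` per key if the two files are mounted individually) refuses to start the pod on a node without the CA material, which is the clearer failure. The `nodeSelector` on `node-role.kubernetes.io/master` already pins the pod to control-plane nodes where those files live, so the create behaviour should never be needed.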