diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index d3c27ac35bda628cc8122a61d90cecc8dd4bd83c..ea69a5b2c1d7c3257f1dd43f2cf0b6a9efd3326b 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -113,3 +113,10 @@ no_proxy_exclude_workers: false
 
 # sysctl_file_path to add sysctl conf to
 # sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
+
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+kube_webhook_token_auth: false
+kube_webhook_token_auth_url_skip_tls_verify: false
+# kube_webhook_token_auth_url: https://...
+## base64-encoded string of the webhook's CA certificate
+# kube_webhook_token_auth_ca_data: "LS0t..."
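Review bot: The comment on the new `kube_webhook_token_auth_ca_data` sample does not tell operators what to base64-encode or how it interacts with `kube_webhook_token_auth_url_skip_tls_verify` two lines above, and those are the two things that get misconfigured. Since the sample inventory is the documentation most users read, I would expand it to `## base64-encoded PEM bundle of the CA that signed the webhook's serving certificate; when set, leave kube_webhook_token_auth_url_skip_tls_verify at false (a kubeconfig cluster entry cannot carry both, as far as I recall of client-go's validation)`. It may also be worth stating that `skip_tls_verify: true` lets anyone on the path to the webhook URL answer token-review requests, so it is not a production setting.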
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 227a53b094b3af9ab18a495ef68973e904af0830..51984933b794e918cc495fb3c96f21a1de194d9b 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -111,13 +111,17 @@ kube_api_runtime_config: []
 ## Enable/Disable Kube API Server Authentication Methods
 kube_token_auth: false
 kube_oidc_auth: false
+
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 kube_webhook_token_auth: false
 kube_webhook_token_auth_url_skip_tls_verify: false
-## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 # kube_webhook_token_auth_url: https://...
-kube_webhook_authorization: false
+## base64-encoded string of the webhook's CA certificate
+# kube_webhook_token_auth_ca_data: "LS0t..."
+
 ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
 # kube_webhook_authorization_url: https://...
+kube_webhook_authorization: false
 kube_webhook_authorization_url_skip_tls_verify: false
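Review bot: The authorization webhook block at the bottom of the hunk is left without a CA-data counterpart, so `kube_webhook_authorization_url_skip_tls_verify` remains the only knob for a webhook that presents a private CA, which nudges operators toward disabling verification for authz while authn now has a proper option. Whether the authz kubeconfig template already supports a CA is not visible here, but if it does not, adding `# kube_webhook_authorization_ca_data: "LS0t..."` with the same `## base64-encoded ...` comment would keep the two webhooks consistent. Independently, the `kube_webhook_token_auth_ca_data` comment should say the value is the base64 of a PEM bundle and that it is mutually exclusive with the skip-verify flag, e.g. `## base64-encoded PEM bundle of the webhook's CA; do not combine with ..._skip_tls_verify: true`.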
 
 
diff --git a/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2 b/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
index 4d0c1eccbc55bff8a78cff70407bd6d6bb0609ae..f152d11beb4a6191cf4f3c69a832f37e0bd4ca2e 100644
--- a/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
@@ -4,6 +4,9 @@ clusters:
   cluster:
     server: {{ kube_webhook_token_auth_url }}
     insecure-skip-tls-verify: {{ kube_webhook_token_auth_url_skip_tls_verify }}
+{% if kube_webhook_token_auth_ca_data is defined %}
+    certificate-authority-data: {{ kube_webhook_token_auth_ca_data }}
+{% endif %}
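Review bot: The new `certificate-authority-data` line is rendered in addition to `insecure-skip-tls-verify`, so an operator who sets both the CA and `kube_webhook_token_auth_url_skip_tls_verify: true` gets a cluster entry with both fields, which client-go's kubeconfig validation rejects as far as I recall ("specifying a root certificates file with the insecure flag is not allowed") and the API server then fails to load the authentication config. Rendering the two fields as alternatives makes the CA take precedence and removes the contradictory combination; quoting the templated value also protects the kubeconfig from a stray `=`-padded or empty expansion. The `is defined` guard still admits an empty string, so `kube_webhook_token_auth_ca_data | default('') | length > 0` would be a safer condition if empty defaults are common in this inventory.

```jinja2
    server: {{ kube_webhook_token_auth_url }}
{% if kube_webhook_token_auth_ca_data is defined %}
    certificate-authority-data: "{{ kube_webhook_token_auth_ca_data }}"
{% else %}
    insecure-skip-tls-verify: {{ kube_webhook_token_auth_url_skip_tls_verify }}
{% endif %}
```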
 
 # users refers to the API server's webhook configuration.
 users: